v23.1.3

changelog.md

@@ -1,5 +1,44 @@
 # Changelog
 
+## 2026-02-12 - 23.1.3 - fix(rustproxy)
+install default rustls crypto provider early; detect and skip raw fast-path for HTTP connections and return proper HTTP 502 when no route matches
+
+- Install ring-based rustls crypto provider at startup to prevent panics from instant-acme/hyper-rustls calling ClientConfig::builder() before TLS listeners are initialized
+- Add a non-blocking 10ms peek to detect HTTP traffic in the TCP passthrough fast-path to avoid misrouting HTTP and ensure HTTP proxy handles CORS, errors, and request-level routing
+- Skip the fast-path and fall back to the HTTP proxy when HTTP is detected (with a debug log)
+- When no route matches for detected HTTP connections, send an HTTP 502 Bad Gateway response and close the connection instead of silently dropping it
+
+## 2026-02-11 - 23.1.2 - fix(core)
+use node: scoped builtin imports and add route unit tests
+
+- Replaced bare Node built-in imports (events, fs, http, https, net, path, tls, url, http2, buffer, crypto) with 'node:' specifiers for ESM/bundler compatibility (files updated include ts/plugins.ts, ts/core/models/socket-types.ts, ts/core/utils/enhanced-connection-pool.ts, ts/core/utils/socket-tracker.ts, ts/protocols/common/fragment-handler.ts, ts/protocols/tls/sni/client-hello-parser.ts, ts/protocols/tls/sni/sni-extraction.ts, ts/protocols/websocket/utils.ts, ts/tls/sni/sni-handler.ts).
+- Added new unit tests (test/test.bun.ts and test/test.deno.ts) covering route helpers, validators, matching, merging and cloning to improve test coverage.
+
+## 2026-02-11 - 23.1.1 - fix(rust-proxy)
+increase rust proxy bridge maxPayloadSize to 100 MB and bump dependencies
+
+- Set maxPayloadSize to 100 * 1024 * 1024 (100 MB) in ts/proxies/smart-proxy/rust-proxy-bridge.ts to support large route configs
+- Bump devDependency @types/node from ^25.2.2 to ^25.2.3
+- Bump dependency @push.rocks/smartrust from ^1.1.1 to ^1.2.0
+
+## 2026-02-10 - 23.1.0 - feat(rust-bridge)
+integrate tsrust to build and locate cross-compiled Rust binaries; refactor rust-proxy bridge to use typed IPC and streamline process handling; add @push.rocks/smartrust and update build/dev dependencies
+
+- Add tsrust to the build script and include dist_rust candidates when locating the Rust binary (enables cross-compiled artifacts produced by tsrust).
+- Remove the old rust-binary-locator and refactor rust-proxy-bridge to use explicit, typed IPC command definitions and improved process spawn/cleanup logic.
+- Introduce @push.rocks/smartrust for type-safe JSON IPC and export it via plugins; update README with expanded metrics documentation and change initialDataTimeout default from 60s to 120s.
+- Add rust/.cargo/config.toml with aarch64 linker configuration to support cross-compilation for arm64.
+- Bump several devDependencies and runtime dependencies (e.g. @git.zone/tsbuild, @git.zone/tstest, @push.rocks/smartserve, @push.rocks/taskbuffer, ws, minimatch, etc.).
+- Update runtime message guiding local builds to use 'pnpm build' (tsrust) instead of direct cargo invocation.
+
+## 2026-02-09 - 23.0.0 - BREAKING CHANGE(proxies/nftables-proxy)
+remove nftables-proxy implementation, models, and utilities from the repository
+
+- Deleted nftables-proxy module files under ts/proxies/nftables-proxy (index, models, utils, command executor, validators, etc.)
+- Removed nftables-proxy exports from ts/index.ts and ts/proxies/index.ts
+- Updated smart-proxy types to drop dependency on nftables proxy models
+- Breaking change: any consumers importing nftables-proxy will no longer find those exports; update imports or install/use the extracted/alternative package if applicable
+
 ## 2026-02-09 - 22.6.0 - feat(smart-proxy)
 add socket-handler relay, fast-path port-only forwarding, metrics and bridge improvements, and various TS/Rust integration fixes
 

npmextra.json

@@ -40,5 +40,8 @@
   },
   "@ship.zone/szci": {
     "npmGlobalTools": []
+  },
+  "@git.zone/tsrust": {
+    "targets": ["linux_amd64", "linux_arm64"]
   }
 }

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@push.rocks/smartproxy",
-  "version": "22.6.0",
+  "version": "23.1.3",
   "private": false,
   "description": "A powerful proxy package with unified route-based configuration for high traffic management. Features include SSL/TLS support, flexible routing patterns, WebSocket handling, advanced security options, and automatic ACME certificate management.",
   "main": "dist_ts/index.js",
@@ -10,16 +10,17 @@
   "license": "MIT",
   "scripts": {
     "test": "(tstest test/**/test*.ts --verbose --timeout 60 --logfile)",
-    "build": "(tsbuild tsfolders --allowimplicitany)",
+    "build": "(tsbuild tsfolders --allowimplicitany) && (tsrust)",
     "format": "(gitzone format)",
     "buildDocs": "tsdoc"
   },
   "devDependencies": {
-    "@git.zone/tsbuild": "^3.1.2",
-    "@git.zone/tsrun": "^2.0.0",
-    "@git.zone/tstest": "^3.1.3",
-    "@push.rocks/smartserve": "^1.4.0",
-    "@types/node": "^24.10.2",
+    "@git.zone/tsbuild": "^4.1.2",
+    "@git.zone/tsrun": "^2.0.1",
+    "@git.zone/tsrust": "^1.3.0",
+    "@git.zone/tstest": "^3.1.8",
+    "@push.rocks/smartserve": "^2.0.1",
+    "@types/node": "^25.2.3",
     "typescript": "^5.9.3",
     "why-is-node-running": "^3.2.2"
   },
@@ -28,20 +29,21 @@
     "@push.rocks/smartacme": "^8.0.0",
     "@push.rocks/smartcrypto": "^2.0.4",
     "@push.rocks/smartdelay": "^3.0.5",
-    "@push.rocks/smartfile": "^13.1.0",
+    "@push.rocks/smartfile": "^13.1.2",
     "@push.rocks/smartlog": "^3.1.10",
     "@push.rocks/smartnetwork": "^4.4.0",
     "@push.rocks/smartpromise": "^4.2.3",
     "@push.rocks/smartrequest": "^5.0.1",
+    "@push.rocks/smartrust": "^1.2.0",
     "@push.rocks/smartrx": "^3.0.10",
     "@push.rocks/smartstring": "^4.1.0",
-    "@push.rocks/taskbuffer": "^3.5.0",
+    "@push.rocks/taskbuffer": "^4.2.0",
     "@tsclass/tsclass": "^9.3.0",
     "@types/minimatch": "^6.0.0",
     "@types/ws": "^8.18.1",
-    "minimatch": "^10.1.1",
+    "minimatch": "^10.1.2",
     "pretty-ms": "^9.3.0",
-    "ws": "^8.18.3"
+    "ws": "^8.19.0"
   },
   "files": [
     "ts/**/*",

readme.md

@@ -378,7 +378,9 @@ await proxy.updateRoutes([...newRoutes]);
 // Get real-time metrics
 const metrics = proxy.getMetrics();
 console.log(`Active connections: ${metrics.connections.active()}`);
-console.log(`Requests/sec: ${metrics.throughput.requestsPerSecond()}`);
+console.log(`Bytes in: ${metrics.totals.bytesIn()}`);
+console.log(`Requests/sec: ${metrics.requests.perSecond()}`);
+console.log(`Throughput in: ${metrics.throughput.instant().in} bytes/sec`);
 
 // Get detailed statistics from the Rust engine
 const stats = await proxy.getStatistics();
@@ -486,8 +488,8 @@ SmartProxy uses a hybrid **Rust + TypeScript** architecture:
 
 - **Rust Engine** handles all networking, TLS, HTTP proxying, connection management, security, and metrics
 - **TypeScript** provides the npm API, configuration types, route helpers, validation, and socket handler callbacks
-- **IPC** — JSON commands/events over stdin/stdout for seamless cross-language communication
-- **Socket Relay** — a Unix domain socket server for routes requiring TypeScript-side handling (socket handlers, dynamic host/port functions)
+- **IPC** — The TypeScript wrapper uses [`@push.rocks/smartrust`](https://code.foss.global/push.rocks/smartrust) for type-safe JSON commands/events over stdin/stdout
+- **Socket Relay** — A Unix domain socket server for routes requiring TypeScript-side handling (socket handlers, dynamic host/port functions)
 
 ## 🎯 Route Configuration Reference
 
@@ -699,7 +701,7 @@ interface ISmartProxyOptions {
 
   // Timeouts
   connectionTimeout?: number;               // Backend connection timeout (default: 30s)
-  initialDataTimeout?: number;              // Initial data/SNI timeout (default: 60s)
+  initialDataTimeout?: number;              // Initial data/SNI timeout (default: 120s)
   socketTimeout?: number;                   // Socket inactivity timeout (default: 1h)
   maxConnectionLifetime?: number;           // Max connection lifetime (default: 24h)
   inactivityTimeout?: number;               // Inactivity timeout (default: 4h)
@@ -724,36 +726,38 @@ interface ISmartProxyOptions {
   // Behavior
   enableDetailedLogging?: boolean;          // Verbose connection logging
   enableTlsDebugLogging?: boolean;          // TLS handshake debug logging
-
-  // Rust binary
-  rustBinaryPath?: string;                  // Custom path to the Rust binary
 }
 ```
 
-### NfTablesProxy Class
+### IMetrics Interface
 
-A standalone class for managing nftables NAT rules directly (Linux only, requires root):
+The `getMetrics()` method returns a cached metrics adapter that polls the Rust engine:
 
 ```typescript
-import { NfTablesProxy } from '@push.rocks/smartproxy';
+const metrics = proxy.getMetrics();
 
-const nftProxy = new NfTablesProxy({
-  fromPort: [80, 443],
-  toPort: [8080, 8443],
-  toHost: 'backend-server',
-  protocol: 'tcp',
-  preserveSourceIP: true,
-  ipv6Support: true,
-  useIPSets: true,
-  qos: {
-    enabled: true,
-    maxRate: '1gbps'
-  }
-});
+// Connection metrics
+metrics.connections.active();              // Current active connections
+metrics.connections.total();               // Total connections since start
+metrics.connections.byRoute();             // Map<routeName, activeCount>
+metrics.connections.byIP();                // Map<ip, activeCount>
+metrics.connections.topIPs(10);            // Top N IPs by connection count
 
-await nftProxy.start();      // Apply nftables rules
-const status = await nftProxy.getStatus();
-await nftProxy.stop();        // Remove rules
+// Throughput (bytes/sec)
+metrics.throughput.instant();              // { in: number, out: number }
+metrics.throughput.recent();               // Recent average
+metrics.throughput.average();              // Overall average
+metrics.throughput.byRoute();              // Map<routeName, { in, out }>
+
+// Request rates
+metrics.requests.perSecond();              // Requests per second
+metrics.requests.perMinute();              // Requests per minute
+metrics.requests.total();                  // Total requests
+
+// Cumulative totals
+metrics.totals.bytesIn();                  // Total bytes received
+metrics.totals.bytesOut();                 // Total bytes sent
+metrics.totals.connections();              // Total connections
 ```
 
 ## 🐛 Troubleshooting
@@ -772,13 +776,13 @@ await nftProxy.stop();        // Remove rules
 - ✅ Enable debug logging with `enableDetailedLogging: true`
 
 ### Rust Binary Not Found
+
 SmartProxy searches for the Rust binary in this order:
 1. `SMARTPROXY_RUST_BINARY` environment variable
 2. Platform-specific npm package (`@push.rocks/smartproxy-linux-x64`, etc.)
-3. Local dev build (`./rust/target/release/rustproxy`)
-4. System PATH (`rustproxy`)
-
-Set `rustBinaryPath` in options to override.
+3. `dist_rust/rustproxy` relative to the package root (built by `tsrust`)
+4. Local dev build (`./rust/target/release/rustproxy`)
+5. System PATH (`rustproxy`)
 
 ### Performance Tuning
 - ✅ Use NFTables forwarding for high-traffic routes (Linux only)

rust/.cargo/config.toml

@@ -0,0 +1,2 @@
+[target.aarch64-unknown-linux-gnu]
+linker = "aarch64-linux-gnu-gcc"

rust/crates/rustproxy-passthrough/src/tcp_listener.rs

@@ -364,6 +364,10 @@ impl TcpListenerManager {
         // doesn't send initial data (e.g., SMTP, greeting-based protocols).
         // If a route matches by port alone and doesn't need domain/path/TLS info,
         // we can forward immediately without waiting for client data.
+        //
+        // IMPORTANT: HTTP connections must NOT use this path — they need the HTTP
+        // proxy for proper error responses, CORS handling, and request-level routing.
+        // We detect HTTP via a non-blocking peek before committing to raw forwarding.
         {
             let quick_ctx = rustproxy_routing::MatchContext {
                 port,
@@ -384,7 +388,28 @@ impl TcpListenerManager {
 
                 // Only use fast path for simple port-only forward routes with no TLS
                 if has_no_domain && has_no_path && is_forward && has_no_tls {
-                    if let Some(target) = quick_match.target {
+                    // Non-blocking peek: if client has already sent data that looks
+                    // like HTTP, skip fast path and let the normal path handle it
+                    // through the HTTP proxy (for CORS, error responses, path routing).
+                    let is_likely_http = {
+                        let mut probe = [0u8; 16];
+                        // Brief peek: HTTP clients send data immediately after connect.
+                        // Server-speaks-first protocols (SMTP etc.) send nothing initially.
+                        // 10ms is ample for any HTTP client while negligible for
+                        // server-speaks-first protocols (which wait seconds for greeting).
+                        match tokio::time::timeout(
+                            std::time::Duration::from_millis(10),
+                            stream.peek(&mut probe),
+                        ).await {
+                            Ok(Ok(n)) if n > 0 => sni_parser::is_http(&probe[..n]),
+                            _ => false,
+                        }
+                    };
+
+                    if is_likely_http {
+                        debug!("Fast-path skipped: HTTP detected from {}, using HTTP proxy", peer_addr);
+                        // Fall through to normal path for HTTP proxy handling
+                    } else if let Some(target) = quick_match.target {
                         let target_host = target.host.first().to_string();
                         let target_port = target.port.resolve(port);
                         let route_id = quick_match.route.id.as_deref();
@@ -562,6 +587,17 @@ impl TcpListenerManager {
             Some(rm) => rm,
             None => {
                 debug!("No route matched for port {} domain {:?}", port, domain);
+                if is_http {
+                    // Send a proper HTTP error instead of dropping the connection
+                    use tokio::io::AsyncWriteExt;
+                    let body = "No route matched";
+                    let resp = format!(
+                        "HTTP/1.1 502 Bad Gateway\r\nContent-Type: text/plain\r\nContent-Length: {}\r\nConnection: close\r\n\r\n{}",
+                        body.len(), body
+                    );
+                    let _ = stream.write_all(resp.as_bytes()).await;
+                    let _ = stream.shutdown().await;
+                }
                 return Ok(());
             }
         };

rust/crates/rustproxy/src/main.rs

@@ -29,6 +29,11 @@ struct Cli {
 
 #[tokio::main]
 async fn main() -> Result<()> {
+    // Install the default CryptoProvider early, before any TLS or ACME code runs.
+    // This prevents panics from instant-acme/hyper-rustls calling ClientConfig::builder()
+    // before TLS listeners have started. Idempotent — later calls harmlessly return Err.
+    let _ = rustls::crypto::ring::default_provider().install_default();
+
     let cli = Cli::parse();
 
     // Initialize tracing - write to stderr so stdout is reserved for management IPC

test/test.bun.ts

@@ -0,0 +1,123 @@
+import { tap, expect } from '@git.zone/tstest/tapbundle';
+
+import {
+  createHttpsTerminateRoute,
+  createCompleteHttpsServer,
+  createHttpRoute,
+} from '../ts/proxies/smart-proxy/utils/route-helpers.js';
+
+import {
+  mergeRouteConfigs,
+  cloneRoute,
+  routeMatchesPath,
+} from '../ts/proxies/smart-proxy/utils/route-utils.js';
+
+import {
+  validateRoutes,
+  validateRouteConfig,
+} from '../ts/proxies/smart-proxy/utils/route-validator.js';
+
+import type { IRouteConfig } from '../ts/proxies/smart-proxy/models/route-types.js';
+
+tap.test('route creation - createHttpsTerminateRoute produces correct structure', async () => {
+  const route = createHttpsTerminateRoute('secure.example.com', { host: '127.0.0.1', port: 8443 });
+  expect(route).toHaveProperty('match');
+  expect(route).toHaveProperty('action');
+  expect(route.action.type).toEqual('forward');
+  expect(route.action.tls).toBeDefined();
+  expect(route.action.tls!.mode).toEqual('terminate');
+  expect(route.match.domains).toEqual('secure.example.com');
+});
+
+tap.test('route creation - createCompleteHttpsServer returns redirect and main route', async () => {
+  const routes = createCompleteHttpsServer('app.example.com', { host: '127.0.0.1', port: 3000 });
+  expect(routes).toBeArray();
+  expect(routes.length).toBeGreaterThanOrEqual(2);
+  // Should have an HTTP→HTTPS redirect and an HTTPS route
+  const hasRedirect = routes.some((r) => r.action.type === 'forward' && r.action.redirect !== undefined);
+  const hasHttps = routes.some((r) => r.action.tls?.mode === 'terminate');
+  expect(hasRedirect || hasHttps).toBeTrue();
+});
+
+tap.test('route validation - validateRoutes on a set of routes', async () => {
+  const routes: IRouteConfig[] = [
+    createHttpRoute('a.com', { host: '127.0.0.1', port: 3000 }),
+    createHttpRoute('b.com', { host: '127.0.0.1', port: 4000 }),
+  ];
+  const result = validateRoutes(routes);
+  expect(result.valid).toBeTrue();
+  expect(result.errors).toHaveLength(0);
+});
+
+tap.test('route validation - validateRoutes catches invalid route in set', async () => {
+  const routes: any[] = [
+    createHttpRoute('valid.com', { host: '127.0.0.1', port: 3000 }),
+    { match: { ports: 80 } }, // missing action
+  ];
+  const result = validateRoutes(routes);
+  expect(result.valid).toBeFalse();
+  expect(result.errors.length).toBeGreaterThan(0);
+});
+
+tap.test('path matching - routeMatchesPath with exact path', async () => {
+  const route = createHttpRoute('example.com', { host: '127.0.0.1', port: 3000 });
+  route.match.path = '/api';
+  expect(routeMatchesPath(route, '/api')).toBeTrue();
+  expect(routeMatchesPath(route, '/other')).toBeFalse();
+});
+
+tap.test('path matching - route without path matches everything', async () => {
+  const route = createHttpRoute('example.com', { host: '127.0.0.1', port: 3000 });
+  // No path set, should match any path
+  expect(routeMatchesPath(route, '/anything')).toBeTrue();
+  expect(routeMatchesPath(route, '/')).toBeTrue();
+});
+
+tap.test('route merging - mergeRouteConfigs combines routes', async () => {
+  const base = createHttpRoute('example.com', { host: '127.0.0.1', port: 3000 });
+  base.priority = 10;
+  base.name = 'base-route';
+
+  const merged = mergeRouteConfigs(base, {
+    priority: 50,
+    name: 'merged-route',
+  });
+
+  expect(merged.priority).toEqual(50);
+  expect(merged.name).toEqual('merged-route');
+  // Original route fields should be preserved
+  expect(merged.match.domains).toEqual('example.com');
+  expect(merged.action.targets![0].host).toEqual('127.0.0.1');
+});
+
+tap.test('route merging - mergeRouteConfigs does not mutate original', async () => {
+  const base = createHttpRoute('example.com', { host: '127.0.0.1', port: 3000 });
+  base.name = 'original';
+
+  const merged = mergeRouteConfigs(base, { name: 'changed' });
+  expect(base.name).toEqual('original');
+  expect(merged.name).toEqual('changed');
+});
+
+tap.test('route cloning - cloneRoute produces independent copy', async () => {
+  const original = createHttpRoute('example.com', { host: '127.0.0.1', port: 3000 });
+  original.priority = 42;
+  original.name = 'original-route';
+
+  const cloned = cloneRoute(original);
+
+  // Should be equal in value
+  expect(cloned.match.domains).toEqual('example.com');
+  expect(cloned.priority).toEqual(42);
+  expect(cloned.name).toEqual('original-route');
+  expect(cloned.action.targets![0].host).toEqual('127.0.0.1');
+  expect(cloned.action.targets![0].port).toEqual(3000);
+
+  // Should be independent - modifying clone shouldn't affect original
+  cloned.name = 'cloned-route';
+  cloned.priority = 99;
+  expect(original.name).toEqual('original-route');
+  expect(original.priority).toEqual(42);
+});
+
+export default tap.start();

test/test.deno.ts

@@ -0,0 +1,111 @@
+import { tap, expect } from '@git.zone/tstest/tapbundle';
+
+import {
+  createHttpRoute,
+  createHttpsTerminateRoute,
+  createLoadBalancerRoute,
+} from '../ts/proxies/smart-proxy/utils/route-helpers.js';
+
+import {
+  findMatchingRoutes,
+  findBestMatchingRoute,
+  routeMatchesDomain,
+  routeMatchesPort,
+  routeMatchesPath,
+} from '../ts/proxies/smart-proxy/utils/route-utils.js';
+
+import {
+  validateRouteConfig,
+  isValidDomain,
+  isValidPort,
+} from '../ts/proxies/smart-proxy/utils/route-validator.js';
+
+import type { IRouteConfig } from '../ts/proxies/smart-proxy/models/route-types.js';
+
+tap.test('route creation - createHttpRoute produces correct structure', async () => {
+  const route = createHttpRoute('example.com', { host: '127.0.0.1', port: 3000 });
+  expect(route).toHaveProperty('match');
+  expect(route).toHaveProperty('action');
+  expect(route.match.domains).toEqual('example.com');
+  expect(route.action.type).toEqual('forward');
+  expect(route.action.targets).toBeArray();
+  expect(route.action.targets![0].host).toEqual('127.0.0.1');
+  expect(route.action.targets![0].port).toEqual(3000);
+});
+
+tap.test('route creation - createHttpRoute with array of domains', async () => {
+  const route = createHttpRoute(['a.com', 'b.com'], { host: 'localhost', port: 8080 });
+  expect(route.match.domains).toEqual(['a.com', 'b.com']);
+});
+
+tap.test('route validation - validateRouteConfig accepts valid route', async () => {
+  const route = createHttpRoute('valid.example.com', { host: '10.0.0.1', port: 8080 });
+  const result = validateRouteConfig(route);
+  expect(result.valid).toBeTrue();
+  expect(result.errors).toHaveLength(0);
+});
+
+tap.test('route validation - validateRouteConfig rejects missing action', async () => {
+  const badRoute = { match: { ports: 80 } } as any;
+  const result = validateRouteConfig(badRoute);
+  expect(result.valid).toBeFalse();
+  expect(result.errors.length).toBeGreaterThan(0);
+});
+
+tap.test('route validation - isValidDomain checks correctly', async () => {
+  expect(isValidDomain('example.com')).toBeTrue();
+  expect(isValidDomain('*.example.com')).toBeTrue();
+  expect(isValidDomain('')).toBeFalse();
+});
+
+tap.test('route validation - isValidPort checks correctly', async () => {
+  expect(isValidPort(80)).toBeTrue();
+  expect(isValidPort(443)).toBeTrue();
+  expect(isValidPort(0)).toBeFalse();
+  expect(isValidPort(70000)).toBeFalse();
+  expect(isValidPort(-1)).toBeFalse();
+});
+
+tap.test('domain matching - exact domain', async () => {
+  const route = createHttpRoute('example.com', { host: '127.0.0.1', port: 3000 });
+  expect(routeMatchesDomain(route, 'example.com')).toBeTrue();
+  expect(routeMatchesDomain(route, 'other.com')).toBeFalse();
+});
+
+tap.test('domain matching - wildcard domain', async () => {
+  const route = createHttpRoute('*.example.com', { host: '127.0.0.1', port: 3000 });
+  expect(routeMatchesDomain(route, 'sub.example.com')).toBeTrue();
+  expect(routeMatchesDomain(route, 'example.com')).toBeFalse();
+});
+
+tap.test('port matching - single port', async () => {
+  const route = createHttpRoute('example.com', { host: '127.0.0.1', port: 3000 });
+  // createHttpRoute defaults to port 80
+  expect(routeMatchesPort(route, 80)).toBeTrue();
+  expect(routeMatchesPort(route, 443)).toBeFalse();
+});
+
+tap.test('route finding - findBestMatchingRoute selects by priority', async () => {
+  const lowPriority = createHttpRoute('example.com', { host: '127.0.0.1', port: 3000 });
+  lowPriority.priority = 10;
+
+  const highPriority = createHttpRoute('example.com', { host: '127.0.0.1', port: 4000 });
+  highPriority.priority = 100;
+
+  const routes: IRouteConfig[] = [lowPriority, highPriority];
+  const best = findBestMatchingRoute(routes, { domain: 'example.com', port: 80 });
+  expect(best).toBeDefined();
+  expect(best!.priority).toEqual(100);
+  expect(best!.action.targets![0].port).toEqual(4000);
+});
+
+tap.test('route finding - findMatchingRoutes returns all matches', async () => {
+  const route1 = createHttpRoute('example.com', { host: '127.0.0.1', port: 3000 });
+  const route2 = createHttpRoute('example.com', { host: '127.0.0.1', port: 4000 });
+  const route3 = createHttpRoute('other.com', { host: '127.0.0.1', port: 5000 });
+
+  const matches = findMatchingRoutes([route1, route2, route3], { domain: 'example.com', port: 80 });
+  expect(matches).toHaveLength(2);
+});
+
+export default tap.start();

ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@push.rocks/smartproxy',
-  version: '22.6.0',
+  version: '23.1.3',
   description: 'A powerful proxy package with unified route-based configuration for high traffic management. Features include SSL/TLS support, flexible routing patterns, WebSocket handling, advanced security options, and automatic ACME certificate management.'
 }

ts/core/models/socket-types.ts

@@ -1,4 +1,4 @@
-import * as net from 'net';
+import * as net from 'node:net';
 import { WrappedSocket } from './wrapped-socket.js';
 
 /**

ts/core/utils/enhanced-connection-pool.ts

@@ -1,7 +1,7 @@
 import { LifecycleComponent } from './lifecycle-component.js';
 import { BinaryHeap } from './binary-heap.js';
 import { AsyncMutex } from './async-utils.js';
-import { EventEmitter } from 'events';
+import { EventEmitter } from 'node:events';
 
 /**
  * Interface for pooled connection

ts/core/utils/socket-tracker.ts

@@ -3,7 +3,7 @@
  * Provides standardized socket cleanup with proper listener and timer management
  */
 
-import type { Socket } from 'net';
+import type { Socket } from 'node:net';
 
 export type SocketTracked = {
   cleanup: () => void;

ts/index.ts

@@ -2,9 +2,6 @@
  * SmartProxy main module exports
  */
 
-// NFTables proxy exports
-export * from './proxies/nftables-proxy/index.js';
-
 // Export SmartProxy elements
 export { SmartProxy } from './proxies/smart-proxy/index.js';
 export { SharedRouteManager as RouteManager } from './core/routing/route-manager.js';

ts/plugins.ts

@@ -1,13 +1,13 @@
 // node native scope
-import { EventEmitter } from 'events';
-import * as fs from 'fs';
-import * as http from 'http';
-import * as https from 'https';
-import * as net from 'net';
-import * as path from 'path';
-import * as tls from 'tls';
-import * as url from 'url';
-import * as http2 from 'http2';
+import { EventEmitter } from 'node:events';
+import * as fs from 'node:fs';
+import * as http from 'node:http';
+import * as https from 'node:https';
+import * as net from 'node:net';
+import * as path from 'node:path';
+import * as tls from 'node:tls';
+import * as url from 'node:url';
+import * as http2 from 'node:http2';
 
 export { EventEmitter, fs, http, https, net, path, tls, url, http2 };
 
@@ -31,6 +31,7 @@ import * as smartlog from '@push.rocks/smartlog';
 import * as smartlogDestinationLocal from '@push.rocks/smartlog/destination-local';
 import * as taskbuffer from '@push.rocks/taskbuffer';
 import * as smartrx from '@push.rocks/smartrx';
+import * as smartrust from '@push.rocks/smartrust';
 
 export {
   lik,
@@ -47,6 +48,7 @@ export {
   smartlogDestinationLocal,
   taskbuffer,
   smartrx,
+  smartrust,
 };
 
 // third party scope

ts/protocols/common/fragment-handler.ts

@@ -5,7 +5,7 @@
  * that may span multiple TCP packets.
  */
 
-import { Buffer } from 'buffer';
+import { Buffer } from 'node:buffer';
 
 /**
  * Fragment tracking information

ts/protocols/tls/sni/client-hello-parser.ts

@@ -1,4 +1,4 @@
-import { Buffer } from 'buffer';
+import { Buffer } from 'node:buffer';
 import { 
   TlsRecordType,
   TlsHandshakeType,

ts/protocols/tls/sni/sni-extraction.ts

@@ -1,4 +1,4 @@
-import { Buffer } from 'buffer';
+import { Buffer } from 'node:buffer';
 import { TlsExtensionType, TlsUtils } from '../utils/tls-utils.js';
 import {
   ClientHelloParser,

ts/protocols/websocket/utils.ts

@@ -2,7 +2,7 @@
  * WebSocket Protocol Utilities
  */
 
-import * as crypto from 'crypto';
+import * as crypto from 'node:crypto';
 import { WEBSOCKET_MAGIC_STRING } from './constants.js';
 import type { RawData } from './types.js';
 

ts/proxies/index.ts

@@ -8,6 +8,3 @@ export { SharedRouteManager as SmartProxyRouteManager } from '../core/routing/ro
 export * from './smart-proxy/utils/index.js';
 // Export smart-proxy models except IAcmeOptions
 export type { ISmartProxyOptions, IConnectionRecord, IRouteConfig, IRouteMatch, IRouteAction, IRouteTls, IRouteContext } from './smart-proxy/models/index.js';
-
-// Export NFTables proxy (no conflicts)
-export * from './nftables-proxy/index.js';

ts/proxies/nftables-proxy/index.ts

@@ -1,6 +0,0 @@
-/**
- * NfTablesProxy implementation
- */
-export * from './nftables-proxy.js';
-export * from './models/index.js';
-export * from './utils/index.js';

ts/proxies/nftables-proxy/models/errors.ts

@@ -1,30 +0,0 @@
-/**
- * Custom error classes for better error handling
- */
-export class NftBaseError extends Error {
-  constructor(message: string) {
-    super(message);
-    this.name = 'NftBaseError';
-  }
-}
-
-export class NftValidationError extends NftBaseError {
-  constructor(message: string) {
-    super(message);
-    this.name = 'NftValidationError';
-  }
-}
-
-export class NftExecutionError extends NftBaseError {
-  constructor(message: string) {
-    super(message);
-    this.name = 'NftExecutionError';
-  }
-}
-
-export class NftResourceError extends NftBaseError {
-  constructor(message: string) {
-    super(message);
-    this.name = 'NftResourceError';
-  }
-}

ts/proxies/nftables-proxy/models/index.ts

@@ -1,5 +0,0 @@
-/**
- * Export all models
- */
-export * from './interfaces.js';
-export * from './errors.js';

ts/proxies/nftables-proxy/models/interfaces.ts

@@ -1,94 +0,0 @@
-/**
- * Interfaces for NfTablesProxy
- */
-
-/**
- * Represents a port range for forwarding
- */
-export interface PortRange {
-  from: number;
-  to: number;
-}
-
-// Legacy interface name for backward compatibility
-export type IPortRange = PortRange;
-
-/**
- * Settings for NfTablesProxy.
- */
-export interface NfTableProxyOptions {
-  // Basic settings
-  fromPort: number | PortRange | Array<number | PortRange>; // Support single port, port range, or multiple ports/ranges
-  toPort: number | PortRange | Array<number | PortRange>;
-  toHost?: string; // Target host for proxying; defaults to 'localhost'
-  
-  // Advanced settings
-  preserveSourceIP?: boolean; // If true, the original source IP is preserved
-  deleteOnExit?: boolean;     // If true, clean up rules before process exit
-  protocol?: 'tcp' | 'udp' | 'all'; // Protocol to forward, defaults to 'tcp'
-  enableLogging?: boolean;    // Enable detailed logging
-  ipv6Support?: boolean;      // Enable IPv6 support
-  logFormat?: 'plain' | 'json'; // Format for logs
-  
-  // Source filtering
-  ipAllowList?: string[]; // If provided, only these IPs are allowed
-  ipBlockList?: string[];  // If provided, these IPs are blocked
-  useIPSets?: boolean;        // Use nftables sets for efficient IP management
-  
-  // Rule management
-  forceCleanSlate?: boolean;   // Clear all NfTablesProxy rules before starting
-  tableName?: string;          // Custom table name (defaults to 'portproxy')
-  
-  // Connection management
-  maxRetries?: number;        // Maximum number of retries for failed commands
-  retryDelayMs?: number;      // Delay between retries in milliseconds
-  useAdvancedNAT?: boolean;   // Use connection tracking for stateful NAT
-  
-  // Quality of Service
-  qos?: {
-    enabled: boolean;
-    maxRate?: string;         // e.g. "10mbps"
-    priority?: number;        // 1 (highest) to 10 (lowest)
-    markConnections?: boolean; // Mark connections for easier management
-  };
-  
-  // Integration with PortProxy/NetworkProxy
-  netProxyIntegration?: {
-    enabled: boolean;
-    redirectLocalhost?: boolean; // Redirect localhost traffic to NetworkProxy
-    sslTerminationPort?: number; // Port where NetworkProxy handles SSL termination
-  };
-}
-
-// Legacy interface name for backward compatibility
-export type INfTableProxySettings = NfTableProxyOptions;
-
-/**
- * Interface for status reporting
- */
-export interface NfTablesStatus {
-  active: boolean;
-  ruleCount: {
-    total: number;
-    added: number;
-    verified: number;
-  };
-  tablesConfigured: { family: string; tableName: string }[];
-  metrics: {
-    forwardedConnections?: number;
-    activeConnections?: number;
-    bytesForwarded?: {
-      sent: number;
-      received: number;
-    };
-  };
-  qosEnabled?: boolean;
-  ipSetsConfigured?: {
-    name: string;
-    elementCount: number;
-    type: string;
-  }[];
-}
-
-// Legacy interface name for backward compatibility
-export type INfTablesStatus = NfTablesStatus;

ts/proxies/nftables-proxy/utils/index.ts

@@ -1,38 +0,0 @@
-/**
- * NFTables Proxy Utilities
- *
- * This module exports utility functions and classes for NFTables operations.
- */
-
-// Command execution
-export { NftCommandExecutor } from './nft-command-executor.js';
-export type { INftLoggerFn, INftExecutorOptions } from './nft-command-executor.js';
-
-// Port specification normalization
-export {
-  normalizePortSpec,
-  validatePorts,
-  formatPortRange,
-  portSpecToNftExpr,
-  rangesOverlap,
-  mergeOverlappingRanges,
-  countPorts,
-  isPortInSpec
-} from './nft-port-spec-normalizer.js';
-
-// Rule validation
-export {
-  isValidIP,
-  isValidIPv4,
-  isValidIPv6,
-  isValidHostname,
-  isValidTableName,
-  isValidRate,
-  validateIPs,
-  validateHost,
-  validateTableName,
-  validateQosSettings,
-  validateSettings,
-  isIPForFamily,
-  filterIPsByFamily
-} from './nft-rule-validator.js';

ts/proxies/nftables-proxy/utils/nft-command-executor.ts

@@ -1,162 +0,0 @@
-/**
- * NFTables Command Executor
- *
- * Handles command execution with retry logic, temp file management,
- * and error handling for nftables operations.
- */
-
-import { exec, execSync } from 'child_process';
-import { promisify } from 'util';
-import { delay } from '../../../core/utils/async-utils.js';
-import { AsyncFileSystem } from '../../../core/utils/fs-utils.js';
-import { NftExecutionError } from '../models/index.js';
-
-const execAsync = promisify(exec);
-
-export interface INftLoggerFn {
-  (level: 'info' | 'warn' | 'error' | 'debug', message: string, data?: Record<string, any>): void;
-}
-
-export interface INftExecutorOptions {
-  maxRetries?: number;
-  retryDelayMs?: number;
-  tempFilePath?: string;
-}
-
-/**
- * NFTables command executor with retry logic and temp file support
- */
-export class NftCommandExecutor {
-  private static readonly NFT_CMD = 'nft';
-  private maxRetries: number;
-  private retryDelayMs: number;
-  private tempFilePath: string;
-
-  constructor(
-    private log: INftLoggerFn,
-    options: INftExecutorOptions = {}
-  ) {
-    this.maxRetries = options.maxRetries || 3;
-    this.retryDelayMs = options.retryDelayMs || 1000;
-    this.tempFilePath = options.tempFilePath || `/tmp/nft-rules-${Date.now()}.nft`;
-  }
-
-  /**
-   * Execute a command with retry capability
-   */
-  async executeWithRetry(command: string, maxRetries?: number, retryDelayMs?: number): Promise<string> {
-    const retries = maxRetries ?? this.maxRetries;
-    const delayMs = retryDelayMs ?? this.retryDelayMs;
-    let lastError: Error | undefined;
-
-    for (let i = 0; i < retries; i++) {
-      try {
-        const { stdout } = await execAsync(command);
-        return stdout;
-      } catch (err) {
-        lastError = err as Error;
-        this.log('warn', `Command failed (attempt ${i+1}/${retries}): ${command}`, { error: lastError.message });
-
-        // Wait before retry, unless it's the last attempt
-        if (i < retries - 1) {
-          await delay(delayMs);
-        }
-      }
-    }
-
-    throw new NftExecutionError(`Failed after ${retries} attempts: ${lastError?.message || 'Unknown error'}`);
-  }
-
-  /**
-   * Execute system command synchronously (single attempt, no retry)
-   * Used only for exit handlers where the process is terminating anyway.
-   */
-  executeSync(command: string): string {
-    try {
-      return execSync(command, { timeout: 5000 }).toString();
-    } catch (err) {
-      this.log('warn', `Sync command failed: ${command}`, { error: (err as Error).message });
-      throw err;
-    }
-  }
-
-  /**
-   * Execute nftables commands with a temporary file
-   */
-  async executeWithTempFile(rulesetContent: string): Promise<void> {
-    await AsyncFileSystem.writeFile(this.tempFilePath, rulesetContent);
-
-    try {
-      await this.executeWithRetry(
-        `${NftCommandExecutor.NFT_CMD} -f ${this.tempFilePath}`,
-        this.maxRetries,
-        this.retryDelayMs
-      );
-    } finally {
-      // Always clean up the temp file
-      await AsyncFileSystem.remove(this.tempFilePath);
-    }
-  }
-
-  /**
-   * Check if nftables is available
-   */
-  async checkAvailability(): Promise<boolean> {
-    try {
-      await this.executeWithRetry(`${NftCommandExecutor.NFT_CMD} --version`, this.maxRetries, this.retryDelayMs);
-      return true;
-    } catch (err) {
-      this.log('error', `nftables is not available: ${(err as Error).message}`);
-      return false;
-    }
-  }
-
-  /**
-   * Check if connection tracking modules are loaded
-   */
-  async checkConntrackModules(): Promise<boolean> {
-    try {
-      await this.executeWithRetry('lsmod | grep nf_conntrack', this.maxRetries, this.retryDelayMs);
-      return true;
-    } catch (err) {
-      this.log('warn', 'Connection tracking modules might not be loaded, advanced NAT features may not work');
-      return false;
-    }
-  }
-
-  /**
-   * Run an nft command directly
-   */
-  async nft(args: string): Promise<string> {
-    return this.executeWithRetry(`${NftCommandExecutor.NFT_CMD} ${args}`, this.maxRetries, this.retryDelayMs);
-  }
-
-  /**
-   * Run an nft command synchronously (for cleanup on exit)
-   */
-  nftSync(args: string): string {
-    return this.executeSync(`${NftCommandExecutor.NFT_CMD} ${args}`);
-  }
-
-  /**
-   * Get the NFT command path
-   */
-  static get nftCmd(): string {
-    return NftCommandExecutor.NFT_CMD;
-  }
-
-  /**
-   * Update the temp file path
-   */
-  setTempFilePath(path: string): void {
-    this.tempFilePath = path;
-  }
-
-  /**
-   * Update retry settings
-   */
-  setRetryOptions(maxRetries: number, retryDelayMs: number): void {
-    this.maxRetries = maxRetries;
-    this.retryDelayMs = retryDelayMs;
-  }
-}

ts/proxies/nftables-proxy/utils/nft-port-spec-normalizer.ts

@@ -1,125 +0,0 @@
-/**
- * NFTables Port Specification Normalizer
- *
- * Handles normalization and validation of port specifications
- * for nftables rules.
- */
-
-import type { PortRange } from '../models/index.js';
-import { NftValidationError } from '../models/index.js';
-
-/**
- * Normalizes port specifications into an array of port ranges
- */
-export function normalizePortSpec(portSpec: number | PortRange | Array<number | PortRange>): PortRange[] {
-  const result: PortRange[] = [];
-
-  if (Array.isArray(portSpec)) {
-    // If it's an array, process each element
-    for (const spec of portSpec) {
-      result.push(...normalizePortSpec(spec));
-    }
-  } else if (typeof portSpec === 'number') {
-    // Single port becomes a range with the same start and end
-    result.push({ from: portSpec, to: portSpec });
-  } else {
-    // Already a range
-    result.push(portSpec);
-  }
-
-  return result;
-}
-
-/**
- * Validates port numbers or ranges
- */
-export function validatePorts(port: number | PortRange | Array<number | PortRange>): void {
-  if (Array.isArray(port)) {
-    port.forEach(p => validatePorts(p));
-    return;
-  }
-
-  if (typeof port === 'number') {
-    if (port < 1 || port > 65535) {
-      throw new NftValidationError(`Invalid port number: ${port}`);
-    }
-  } else if (typeof port === 'object') {
-    if (port.from < 1 || port.from > 65535 || port.to < 1 || port.to > 65535 || port.from > port.to) {
-      throw new NftValidationError(`Invalid port range: ${port.from}-${port.to}`);
-    }
-  }
-}
-
-/**
- * Format port range for nftables rule
- */
-export function formatPortRange(range: PortRange): string {
-  if (range.from === range.to) {
-    return String(range.from);
-  }
-  return `${range.from}-${range.to}`;
-}
-
-/**
- * Convert port spec to nftables expression
- */
-export function portSpecToNftExpr(portSpec: number | PortRange | Array<number | PortRange>): string {
-  const ranges = normalizePortSpec(portSpec);
-
-  if (ranges.length === 1) {
-    return formatPortRange(ranges[0]);
-  }
-
-  // Multiple ports/ranges need to use a set
-  const ports = ranges.map(formatPortRange);
-  return `{ ${ports.join(', ')} }`;
-}
-
-/**
- * Check if two port ranges overlap
- */
-export function rangesOverlap(range1: PortRange, range2: PortRange): boolean {
-  return range1.from <= range2.to && range2.from <= range1.to;
-}
-
-/**
- * Merge overlapping port ranges
- */
-export function mergeOverlappingRanges(ranges: PortRange[]): PortRange[] {
-  if (ranges.length <= 1) return ranges;
-
-  // Sort by start port
-  const sorted = [...ranges].sort((a, b) => a.from - b.from);
-  const merged: PortRange[] = [sorted[0]];
-
-  for (let i = 1; i < sorted.length; i++) {
-    const current = sorted[i];
-    const lastMerged = merged[merged.length - 1];
-
-    if (current.from <= lastMerged.to + 1) {
-      // Ranges overlap or are adjacent, merge them
-      lastMerged.to = Math.max(lastMerged.to, current.to);
-    } else {
-      // No overlap, add as new range
-      merged.push(current);
-    }
-  }
-
-  return merged;
-}
-
-/**
- * Calculate the total number of ports in a port specification
- */
-export function countPorts(portSpec: number | PortRange | Array<number | PortRange>): number {
-  const ranges = normalizePortSpec(portSpec);
-  return ranges.reduce((total, range) => total + (range.to - range.from + 1), 0);
-}
-
-/**
- * Check if a port is within the given specification
- */
-export function isPortInSpec(port: number, portSpec: number | PortRange | Array<number | PortRange>): boolean {
-  const ranges = normalizePortSpec(portSpec);
-  return ranges.some(range => port >= range.from && port <= range.to);
-}

ts/proxies/nftables-proxy/utils/nft-rule-validator.ts

@@ -1,156 +0,0 @@
-/**
- * NFTables Rule Validator
- *
- * Handles validation of settings and inputs for nftables operations.
- * Prevents command injection and ensures valid values.
- */
-
-import type { PortRange, NfTableProxyOptions } from '../models/index.js';
-import { NftValidationError } from '../models/index.js';
-import { validatePorts } from './nft-port-spec-normalizer.js';
-
-// IP address validation patterns
-const IPV4_REGEX = /^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))?$/;
-const IPV6_REGEX = /^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))(\/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8]))?$/;
-const HOSTNAME_REGEX = /^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$/;
-const TABLE_NAME_REGEX = /^[a-zA-Z0-9_]+$/;
-const RATE_REGEX = /^[0-9]+[kKmMgG]?bps$/;
-
-/**
- * Validates an IP address (IPv4 or IPv6)
- */
-export function isValidIP(ip: string): boolean {
-  return IPV4_REGEX.test(ip) || IPV6_REGEX.test(ip);
-}
-
-/**
- * Validates an IPv4 address
- */
-export function isValidIPv4(ip: string): boolean {
-  return IPV4_REGEX.test(ip);
-}
-
-/**
- * Validates an IPv6 address
- */
-export function isValidIPv6(ip: string): boolean {
-  return IPV6_REGEX.test(ip);
-}
-
-/**
- * Validates a hostname
- */
-export function isValidHostname(hostname: string): boolean {
-  return HOSTNAME_REGEX.test(hostname);
-}
-
-/**
- * Validates a table name for nftables
- */
-export function isValidTableName(tableName: string): boolean {
-  return TABLE_NAME_REGEX.test(tableName);
-}
-
-/**
- * Validates a rate specification (e.g., "10mbps")
- */
-export function isValidRate(rate: string): boolean {
-  return RATE_REGEX.test(rate);
-}
-
-/**
- * Validates an array of IP addresses
- */
-export function validateIPs(ips?: string[]): void {
-  if (!ips) return;
-
-  for (const ip of ips) {
-    if (!isValidIP(ip)) {
-      throw new NftValidationError(`Invalid IP address format: ${ip}`);
-    }
-  }
-}
-
-/**
- * Validates a host (can be hostname or IP)
- */
-export function validateHost(host?: string): void {
-  if (!host) return;
-
-  if (!isValidHostname(host) && !isValidIP(host)) {
-    throw new NftValidationError(`Invalid host format: ${host}`);
-  }
-}
-
-/**
- * Validates a table name
- */
-export function validateTableName(tableName?: string): void {
-  if (!tableName) return;
-
-  if (!isValidTableName(tableName)) {
-    throw new NftValidationError(
-      `Invalid table name: ${tableName}. Only alphanumeric characters and underscores are allowed.`
-    );
-  }
-}
-
-/**
- * Validates QoS settings
- */
-export function validateQosSettings(qos?: NfTableProxyOptions['qos']): void {
-  if (!qos?.enabled) return;
-
-  if (qos.maxRate && !isValidRate(qos.maxRate)) {
-    throw new NftValidationError(
-      `Invalid rate format: ${qos.maxRate}. Use format like "10mbps", "1gbps", etc.`
-    );
-  }
-
-  if (qos.priority !== undefined) {
-    if (qos.priority < 1 || qos.priority > 10 || !Number.isInteger(qos.priority)) {
-      throw new NftValidationError(
-        `Invalid priority: ${qos.priority}. Must be an integer between 1 and 10.`
-      );
-    }
-  }
-}
-
-/**
- * Validates all NfTablesProxy settings
- */
-export function validateSettings(settings: NfTableProxyOptions): void {
-  // Validate port numbers
-  validatePorts(settings.fromPort);
-  validatePorts(settings.toPort);
-
-  // Validate IP addresses
-  validateIPs(settings.ipAllowList);
-  validateIPs(settings.ipBlockList);
-
-  // Validate target host
-  validateHost(settings.toHost);
-
-  // Validate table name
-  validateTableName(settings.tableName);
-
-  // Validate QoS settings
-  validateQosSettings(settings.qos);
-}
-
-/**
- * Check if an IP matches the given family (ip or ip6)
- */
-export function isIPForFamily(ip: string, family: 'ip' | 'ip6'): boolean {
-  if (family === 'ip6') {
-    return ip.includes(':');
-  }
-  return ip.includes('.');
-}
-
-/**
- * Filter IPs by family
- */
-export function filterIPsByFamily(ips: string[], family: 'ip' | 'ip6'): string[] {
-  return ips.filter(ip => isIPForFamily(ip, family));
-}

ts/proxies/smart-proxy/models/route-types.ts

@@ -1,6 +1,4 @@
 import * as plugins from '../../../plugins.js';
-// Certificate types removed - use local definition
-import type { PortRange } from '../../../proxies/nftables-proxy/models/interfaces.js';
 import type { IRouteContext } from '../../../core/models/route-context.js';
 
 // Re-export IRouteContext for convenience

ts/proxies/smart-proxy/rust-binary-locator.ts

@@ -1,112 +0,0 @@
-import * as plugins from '../../plugins.js';
-import { logger } from '../../core/utils/logger.js';
-
-/**
- * Locates the RustProxy binary using a priority-ordered search strategy:
- * 1. SMARTPROXY_RUST_BINARY environment variable
- * 2. Platform-specific optional npm package
- * 3. Local development build at ./rust/target/release/rustproxy
- * 4. System PATH
- */
-export class RustBinaryLocator {
-  private cachedPath: string | null = null;
-
-  /**
-   * Find the RustProxy binary path.
-   * Returns null if no binary is available.
-   */
-  public async findBinary(): Promise<string | null> {
-    if (this.cachedPath !== null) {
-      return this.cachedPath;
-    }
-
-    const path = await this.searchBinary();
-    this.cachedPath = path;
-    return path;
-  }
-
-  /**
-   * Clear the cached binary path (e.g., after a failed launch).
-   */
-  public clearCache(): void {
-    this.cachedPath = null;
-  }
-
-  private async searchBinary(): Promise<string | null> {
-    // 1. Environment variable override
-    const envPath = process.env.SMARTPROXY_RUST_BINARY;
-    if (envPath) {
-      if (await this.isExecutable(envPath)) {
-        logger.log('info', `RustProxy binary found via SMARTPROXY_RUST_BINARY: ${envPath}`, { component: 'rust-locator' });
-        return envPath;
-      }
-      logger.log('warn', `SMARTPROXY_RUST_BINARY set but not executable: ${envPath}`, { component: 'rust-locator' });
-    }
-
-    // 2. Platform-specific optional npm package
-    const platformBinary = await this.findPlatformPackageBinary();
-    if (platformBinary) {
-      logger.log('info', `RustProxy binary found in platform package: ${platformBinary}`, { component: 'rust-locator' });
-      return platformBinary;
-    }
-
-    // 3. Local development build
-    const localPaths = [
-      plugins.path.resolve(process.cwd(), 'rust/target/release/rustproxy'),
-      plugins.path.resolve(process.cwd(), 'rust/target/debug/rustproxy'),
-    ];
-    for (const localPath of localPaths) {
-      if (await this.isExecutable(localPath)) {
-        logger.log('info', `RustProxy binary found at local path: ${localPath}`, { component: 'rust-locator' });
-        return localPath;
-      }
-    }
-
-    // 4. System PATH
-    const systemPath = await this.findInPath('rustproxy');
-    if (systemPath) {
-      logger.log('info', `RustProxy binary found in system PATH: ${systemPath}`, { component: 'rust-locator' });
-      return systemPath;
-    }
-
-    logger.log('error', 'No RustProxy binary found. Set SMARTPROXY_RUST_BINARY, install the platform package, or build with: cd rust && cargo build --release', { component: 'rust-locator' });
-    return null;
-  }
-
-  private async findPlatformPackageBinary(): Promise<string | null> {
-    const platform = process.platform;
-    const arch = process.arch;
-    const packageName = `@push.rocks/smartproxy-${platform}-${arch}`;
-
-    try {
-      // Try to resolve the platform-specific package
-      const packagePath = require.resolve(`${packageName}/rustproxy`);
-      if (await this.isExecutable(packagePath)) {
-        return packagePath;
-      }
-    } catch {
-      // Package not installed - expected for development
-    }
-    return null;
-  }
-
-  private async isExecutable(filePath: string): Promise<boolean> {
-    try {
-      await plugins.fs.promises.access(filePath, plugins.fs.constants.X_OK);
-      return true;
-    } catch {
-      return false;
-    }
-  }
-
-  private async findInPath(binaryName: string): Promise<string | null> {
-    const pathDirs = (process.env.PATH || '').split(plugins.path.delimiter);
-    for (const dir of pathDirs) {
-      const fullPath = plugins.path.join(dir, binaryName);
-      if (await this.isExecutable(fullPath)) {
-        return fullPath;
-      }
-    }
-    return null;
-  }
-}

ts/proxies/smart-proxy/rust-proxy-bridge.ts

@@ -1,310 +1,180 @@
 import * as plugins from '../../plugins.js';
 import { logger } from '../../core/utils/logger.js';
-import { RustBinaryLocator } from './rust-binary-locator.js';
 import type { IRouteConfig } from './models/route-types.js';
-import { ChildProcess, spawn } from 'child_process';
-import { createInterface, Interface as ReadlineInterface } from 'readline';
 
 /**
- * Management request sent to the Rust binary via stdin.
+ * Type-safe command definitions for the Rust proxy IPC protocol.
  */
-interface IManagementRequest {
-  id: string;
-  method: string;
-  params: Record<string, any>;
+type TSmartProxyCommands = {
+  start:                 { params: { config: any };              result: void };
+  stop:                  { params: Record<string, never>;        result: void };
+  updateRoutes:          { params: { routes: IRouteConfig[] };   result: void };
+  getMetrics:            { params: Record<string, never>;        result: any };
+  getStatistics:         { params: Record<string, never>;        result: any };
+  provisionCertificate:  { params: { routeName: string };        result: void };
+  renewCertificate:      { params: { routeName: string };        result: void };
+  getCertificateStatus:  { params: { routeName: string };        result: any };
+  getListeningPorts:     { params: Record<string, never>;        result: { ports: number[] } };
+  getNftablesStatus:     { params: Record<string, never>;        result: any };
+  setSocketHandlerRelay: { params: { socketPath: string };       result: void };
+  addListeningPort:      { params: { port: number };             result: void };
+  removeListeningPort:   { params: { port: number };             result: void };
+  loadCertificate:       { params: { domain: string; cert: string; key: string; ca?: string }; result: void };
+};
+
+/**
+ * Get the package root directory using import.meta.url.
+ * This file is at ts/proxies/smart-proxy/, so package root is 3 levels up.
+ */
+function getPackageRoot(): string {
+  const thisDir = plugins.path.dirname(plugins.url.fileURLToPath(import.meta.url));
+  return plugins.path.resolve(thisDir, '..', '..', '..');
 }
 
 /**
- * Management response received from the Rust binary via stdout.
+ * Map Node.js process.platform/process.arch to tsrust's friendly name suffix.
+ * tsrust names cross-compiled binaries as: rustproxy_linux_amd64, rustproxy_linux_arm64, etc.
  */
-interface IManagementResponse {
-  id: string;
-  success: boolean;
-  result?: any;
-  error?: string;
+function getTsrustPlatformSuffix(): string | null {
+  const archMap: Record<string, string> = { x64: 'amd64', arm64: 'arm64' };
+  const osMap: Record<string, string> = { linux: 'linux', darwin: 'macos' };
+  const os = osMap[process.platform];
+  const arch = archMap[process.arch];
+  if (os && arch) {
+    return `${os}_${arch}`;
+  }
+  return null;
 }
 
 /**
- * Management event received from the Rust binary (unsolicited).
+ * Build local search paths for the Rust binary, including dist_rust/ candidates
+ * (built by tsrust) and local development build paths.
  */
-interface IManagementEvent {
-  event: string;
-  data: any;
+function buildLocalPaths(): string[] {
+  const packageRoot = getPackageRoot();
+  const suffix = getTsrustPlatformSuffix();
+  const paths: string[] = [];
+
+  // dist_rust/ candidates (tsrust cross-compiled output)
+  if (suffix) {
+    paths.push(plugins.path.join(packageRoot, 'dist_rust', `rustproxy_${suffix}`));
+  }
+  paths.push(plugins.path.join(packageRoot, 'dist_rust', 'rustproxy'));
+
+  // Local dev build paths
+  paths.push(plugins.path.resolve(process.cwd(), 'rust', 'target', 'release', 'rustproxy'));
+  paths.push(plugins.path.resolve(process.cwd(), 'rust', 'target', 'debug', 'rustproxy'));
+
+  return paths;
 }
 
 /**
  * Bridge between TypeScript SmartProxy and the Rust binary.
- * Communicates via JSON-over-stdin/stdout IPC protocol.
+ * Wraps @push.rocks/smartrust's RustBridge with type-safe command definitions.
  */
 export class RustProxyBridge extends plugins.EventEmitter {
-  private locator = new RustBinaryLocator();
-  private process: ChildProcess | null = null;
-  private readline: ReadlineInterface | null = null;
-  private pendingRequests = new Map<string, {
-    resolve: (value: any) => void;
-    reject: (error: Error) => void;
-    timer: NodeJS.Timeout;
-  }>();
-  private requestCounter = 0;
-  private isRunning = false;
-  private binaryPath: string | null = null;
-  private readonly requestTimeoutMs = 30000;
+  private bridge: plugins.smartrust.RustBridge<TSmartProxyCommands>;
+
+  constructor() {
+    super();
+
+    this.bridge = new plugins.smartrust.RustBridge<TSmartProxyCommands>({
+      binaryName: 'rustproxy',
+      envVarName: 'SMARTPROXY_RUST_BINARY',
+      platformPackagePrefix: '@push.rocks/smartproxy',
+      localPaths: buildLocalPaths(),
+      maxPayloadSize: 100 * 1024 * 1024, // 100 MB – route configs with many entries can be large
+      logger: {
+        log: (level: string, message: string, data?: Record<string, any>) => {
+          logger.log(level as any, message, data);
+        },
+      },
+    });
+
+    // Forward events from the inner bridge
+    this.bridge.on('exit', (code: number | null, signal: string | null) => {
+      this.emit('exit', code, signal);
+    });
+  }
 
   /**
    * Spawn the Rust binary in management mode.
    * Returns true if the binary was found and spawned successfully.
    */
   public async spawn(): Promise<boolean> {
-    this.binaryPath = await this.locator.findBinary();
-    if (!this.binaryPath) {
-      return false;
-    }
-
-    return new Promise<boolean>((resolve) => {
-      try {
-        this.process = spawn(this.binaryPath!, ['--management'], {
-          stdio: ['pipe', 'pipe', 'pipe'],
-          env: { ...process.env },
-        });
-
-        // Handle stderr (logging from Rust goes here)
-        const stderrHandler = (data: Buffer) => {
-          const lines = data.toString().split('\n').filter(l => l.trim());
-          for (const line of lines) {
-            logger.log('debug', `[rustproxy] ${line}`, { component: 'rust-bridge' });
-          }
-        };
-        this.process.stderr?.on('data', stderrHandler);
-
-        // Handle stdout (JSON IPC)
-        this.readline = createInterface({ input: this.process.stdout! });
-        this.readline.on('line', (line: string) => {
-          this.handleLine(line.trim());
-        });
-
-        // Handle process exit
-        this.process.on('exit', (code, signal) => {
-          logger.log('info', `RustProxy process exited (code=${code}, signal=${signal})`, { component: 'rust-bridge' });
-          this.cleanup();
-          this.emit('exit', code, signal);
-        });
-
-        this.process.on('error', (err) => {
-          logger.log('error', `RustProxy process error: ${err.message}`, { component: 'rust-bridge' });
-          this.cleanup();
-          resolve(false);
-        });
-
-        // Wait for the 'ready' event from Rust
-        const readyTimeout = setTimeout(() => {
-          logger.log('error', 'RustProxy did not send ready event within 10s', { component: 'rust-bridge' });
-          this.kill();
-          resolve(false);
-        }, 10000);
-
-        this.once('management:ready', () => {
-          clearTimeout(readyTimeout);
-          this.isRunning = true;
-          logger.log('info', 'RustProxy bridge connected', { component: 'rust-bridge' });
-          resolve(true);
-        });
-      } catch (err: any) {
-        logger.log('error', `Failed to spawn RustProxy: ${err.message}`, { component: 'rust-bridge' });
-        resolve(false);
-      }
-    });
+    return this.bridge.spawn();
   }
 
   /**
-   * Send a management command to the Rust process and wait for the response.
-   */
-  public async sendCommand(method: string, params: Record<string, any> = {}): Promise<any> {
-    if (!this.process || !this.isRunning) {
-      throw new Error('RustProxy bridge is not running');
-    }
-
-    const id = `req_${++this.requestCounter}`;
-    const request: IManagementRequest = { id, method, params };
-
-    return new Promise<any>((resolve, reject) => {
-      const timer = setTimeout(() => {
-        this.pendingRequests.delete(id);
-        reject(new Error(`RustProxy command '${method}' timed out after ${this.requestTimeoutMs}ms`));
-      }, this.requestTimeoutMs);
-
-      this.pendingRequests.set(id, { resolve, reject, timer });
-
-      const json = JSON.stringify(request) + '\n';
-      this.process!.stdin!.write(json, (err) => {
-        if (err) {
-          clearTimeout(timer);
-          this.pendingRequests.delete(id);
-          reject(new Error(`Failed to write to RustProxy stdin: ${err.message}`));
-        }
-      });
-    });
-  }
-
-  // Convenience methods for each management command
-
-  public async startProxy(config: any): Promise<void> {
-    await this.sendCommand('start', { config });
-  }
-
-  public async stopProxy(): Promise<void> {
-    await this.sendCommand('stop');
-  }
-
-  public async updateRoutes(routes: IRouteConfig[]): Promise<void> {
-    await this.sendCommand('updateRoutes', { routes });
-  }
-
-  public async getMetrics(): Promise<any> {
-    return this.sendCommand('getMetrics');
-  }
-
-  public async getStatistics(): Promise<any> {
-    return this.sendCommand('getStatistics');
-  }
-
-  public async provisionCertificate(routeName: string): Promise<void> {
-    await this.sendCommand('provisionCertificate', { routeName });
-  }
-
-  public async renewCertificate(routeName: string): Promise<void> {
-    await this.sendCommand('renewCertificate', { routeName });
-  }
-
-  public async getCertificateStatus(routeName: string): Promise<any> {
-    return this.sendCommand('getCertificateStatus', { routeName });
-  }
-
-  public async getListeningPorts(): Promise<number[]> {
-    const result = await this.sendCommand('getListeningPorts');
-    return result?.ports ?? [];
-  }
-
-  public async getNftablesStatus(): Promise<any> {
-    return this.sendCommand('getNftablesStatus');
-  }
-
-  public async setSocketHandlerRelay(socketPath: string): Promise<void> {
-    await this.sendCommand('setSocketHandlerRelay', { socketPath });
-  }
-
-  public async addListeningPort(port: number): Promise<void> {
-    await this.sendCommand('addListeningPort', { port });
-  }
-
-  public async removeListeningPort(port: number): Promise<void> {
-    await this.sendCommand('removeListeningPort', { port });
-  }
-
-  public async loadCertificate(domain: string, cert: string, key: string, ca?: string): Promise<void> {
-    await this.sendCommand('loadCertificate', { domain, cert, key, ca });
-  }
-
-  /**
-   * Kill the Rust process and clean up all stdio streams.
+   * Kill the Rust process and clean up.
    */
   public kill(): void {
-    if (this.process) {
-      const proc = this.process;
-      this.process = null;
-      this.isRunning = false;
-
-      // Close readline (reads from stdout)
-      if (this.readline) {
-        this.readline.close();
-        this.readline = null;
-      }
-
-      // Reject pending requests
-      for (const [, pending] of this.pendingRequests) {
-        clearTimeout(pending.timer);
-        pending.reject(new Error('RustProxy process killed'));
-      }
-      this.pendingRequests.clear();
-
-      // Remove all listeners so nothing keeps references
-      proc.removeAllListeners();
-      proc.stdout?.removeAllListeners();
-      proc.stderr?.removeAllListeners();
-      proc.stdin?.removeAllListeners();
-
-      // Kill the process
-      try { proc.kill('SIGTERM'); } catch { /* already dead */ }
-
-      // Destroy all stdio pipes to free handles
-      try { proc.stdin?.destroy(); } catch { /* ignore */ }
-      try { proc.stdout?.destroy(); } catch { /* ignore */ }
-      try { proc.stderr?.destroy(); } catch { /* ignore */ }
-
-      // Unref process so Node doesn't wait for it
-      try { proc.unref(); } catch { /* ignore */ }
-
-      // Force kill after 5 seconds
-      setTimeout(() => {
-        try { proc.kill('SIGKILL'); } catch { /* already dead */ }
-      }, 5000).unref();
-    }
+    this.bridge.kill();
   }
 
   /**
    * Whether the bridge is currently running.
    */
   public get running(): boolean {
-    return this.isRunning;
+    return this.bridge.running;
   }
 
-  private handleLine(line: string): void {
-    if (!line) return;
+  // --- Convenience methods for each management command ---
 
-    let parsed: any;
-    try {
-      parsed = JSON.parse(line);
-    } catch {
-      logger.log('warn', `Non-JSON output from RustProxy: ${line}`, { component: 'rust-bridge' });
-      return;
-    }
-
-    // Check if it's an event (has 'event' field)
-    if ('event' in parsed) {
-      const event = parsed as IManagementEvent;
-      this.emit(`management:${event.event}`, event.data);
-      return;
-    }
-
-    // Otherwise it's a response (has 'id' field)
-    if ('id' in parsed) {
-      const response = parsed as IManagementResponse;
-      const pending = this.pendingRequests.get(response.id);
-      if (pending) {
-        clearTimeout(pending.timer);
-        this.pendingRequests.delete(response.id);
-        if (response.success) {
-          pending.resolve(response.result);
-        } else {
-          pending.reject(new Error(response.error || 'Unknown error from RustProxy'));
-        }
-      }
-    }
+  public async startProxy(config: any): Promise<void> {
+    await this.bridge.sendCommand('start', { config });
   }
 
-  private cleanup(): void {
-    this.isRunning = false;
-    this.process = null;
+  public async stopProxy(): Promise<void> {
+    await this.bridge.sendCommand('stop', {} as Record<string, never>);
+  }
 
-    if (this.readline) {
-      this.readline.close();
-      this.readline = null;
-    }
+  public async updateRoutes(routes: IRouteConfig[]): Promise<void> {
+    await this.bridge.sendCommand('updateRoutes', { routes });
+  }
 
-    // Reject all pending requests
-    for (const [id, pending] of this.pendingRequests) {
-      clearTimeout(pending.timer);
-      pending.reject(new Error('RustProxy process exited'));
-    }
-    this.pendingRequests.clear();
+  public async getMetrics(): Promise<any> {
+    return this.bridge.sendCommand('getMetrics', {} as Record<string, never>);
+  }
+
+  public async getStatistics(): Promise<any> {
+    return this.bridge.sendCommand('getStatistics', {} as Record<string, never>);
+  }
+
+  public async provisionCertificate(routeName: string): Promise<void> {
+    await this.bridge.sendCommand('provisionCertificate', { routeName });
+  }
+
+  public async renewCertificate(routeName: string): Promise<void> {
+    await this.bridge.sendCommand('renewCertificate', { routeName });
+  }
+
+  public async getCertificateStatus(routeName: string): Promise<any> {
+    return this.bridge.sendCommand('getCertificateStatus', { routeName });
+  }
+
+  public async getListeningPorts(): Promise<number[]> {
+    const result = await this.bridge.sendCommand('getListeningPorts', {} as Record<string, never>);
+    return result?.ports ?? [];
+  }
+
+  public async getNftablesStatus(): Promise<any> {
+    return this.bridge.sendCommand('getNftablesStatus', {} as Record<string, never>);
+  }
+
+  public async setSocketHandlerRelay(socketPath: string): Promise<void> {
+    await this.bridge.sendCommand('setSocketHandlerRelay', { socketPath });
+  }
+
+  public async addListeningPort(port: number): Promise<void> {
+    await this.bridge.sendCommand('addListeningPort', { port });
+  }
+
+  public async removeListeningPort(port: number): Promise<void> {
+    await this.bridge.sendCommand('removeListeningPort', { port });
+  }
+
+  public async loadCertificate(domain: string, cert: string, key: string, ca?: string): Promise<void> {
+    await this.bridge.sendCommand('loadCertificate', { domain, cert, key, ca });
   }
 }

ts/proxies/smart-proxy/smart-proxy.ts

@@ -3,7 +3,6 @@ import { logger } from '../../core/utils/logger.js';
 
 // Rust bridge and helpers
 import { RustProxyBridge } from './rust-proxy-bridge.js';
-import { RustBinaryLocator } from './rust-binary-locator.js';
 import { RoutePreprocessor } from './route-preprocessor.js';
 import { SocketHandlerServer } from './socket-handler-server.js';
 import { RustMetricsAdapter } from './rust-metrics-adapter.js';
@@ -120,7 +119,7 @@ export class SmartProxy extends plugins.EventEmitter {
     if (!spawned) {
       throw new Error(
         'RustProxy binary not found. Set SMARTPROXY_RUST_BINARY env var, install the platform package, ' +
-        'or build locally with: cd rust && cargo build --release'
+        'or build locally with: pnpm build'
       );
     }
 

ts/tls/sni/sni-handler.ts

@@ -1,4 +1,4 @@
-import { Buffer } from 'buffer';
+import { Buffer } from 'node:buffer';
 import { 
   TlsRecordType,
   TlsHandshakeType,