v25.1.0

assets/certs/cert.pem

@@ -1,19 +1,20 @@
 -----BEGIN CERTIFICATE-----
-MIIDCzCCAfOgAwIBAgIUPU4tviz3ZvsMDjCz1NZRT16b0Y4wDQYJKoZIhvcNAQEL
-BQAwFTETMBEGA1UEAwwKcHVzaC5yb2NrczAeFw0yNTAyMDMyMzA5MzRaFw0yNjAy
-MDMyMzA5MzRaMBUxEzARBgNVBAMMCnB1c2gucm9ja3MwggEiMA0GCSqGSIb3DQEB
-AQUAA4IBDwAwggEKAoIBAQCZMkBYD/pYLBv9MiyHTLRT24kQyPeJBtZqryibi1jk
-BT1ZgNl3yo5U6kjj/nYBU/oy7M4OFC0xyaJQ4wpvLHu7xzREqwT9N9WcDcxaahUi
-P8+PsjGyznPrtXa1ASzGAYMNvXyWWp3351UWZHMEs6eY/Y7i8m4+0NwP5h8RNBCF
-KSFS41Ee9rNAMCnQSHZv1vIzKeVYPmYnCVmL7X2kQb+gS6Rvq5sEGLLKMC5QtTwI
-rdkPGpx4xZirIyf8KANbt0sShwUDpiCSuOCtpze08jMzoHLG9Nv97cJQjb/BhiES
-hLL+YjfAUFjq0rQ38zFKLJ87QB9Jym05mY6IadGQLXVXAgMBAAGjUzBRMB0GA1Ud
-DgQWBBQjpowWjrql/Eo2EVjl29xcjuCgkTAfBgNVHSMEGDAWgBQjpowWjrql/Eo2
-EVjl29xcjuCgkTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAY
-44vqbaf6ewFrZC0f3Kk4A10lC6qjWkcDFfw+JE8nzt+4+xPqp1eWgZKF2rONyAv2
-nG41Xygt19ByancXLU44KB24LX8F1GV5Oo7CGBA+xtoSPc0JulXw9fGclZDC6XiR
-P/+vhGgCHicbfP2O+N00pOifrTtf2tmOT4iPXRRo4TxmPzuCd+ZJTlBhPlKCmICq
-yGdAiEo6HsSiP+M5qVlNx8s57MhQYk5TpgmI6FU4mO7zfDfSatFonlg+aDbrnaqJ
-v/+km02M+oB460GmKwsSTnThHZgLNCLiKqD8bdziiCQjx5u0GjLI6468o+Aehb8l
-l/x9vWTTk/QKq41X5hFk
+MIIDQTCCAimgAwIBAgIUJm+igT1AVSuwNzjvqjSF6cysw6MwDQYJKoZIhvcNAQEL
+BQAwFDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTI2MDIxMzIyMzI1MloXDTM2MDIx
+MTIyMzI1MlowFDESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAyjitkDd4DdlVk4TfVxKUqdxnJCGj9uyrUPAqR8hB6+bR
++8rW63ryBNYNRizxOGw41E19ascNuyA98mUF4oqjid1K4VqDiKzv1Uq/3NUunCw/
+rEddR5hCoVkTsBJjzNgBJqncS606v0hfA00cCkpGR+Te7Q/E8T8lApioz1zFQ05Y
+C69oeJHIrJcrIkIFAgmXDgRF0Z4ErUeu+wVOWT267uVAYn5AdFMxCSIBsYtPseqy
+cC5EQ6BCBtsIGitlRgzLRg957ZZa+SF38ao+/ijYmOLHpQT0mFaUyLT7BKgxguGs
+8CHcIxN5Qo27J3sC5ymnrv2uk5DcAOUcxklXUbVCeQIDAQABo4GKMIGHMB0GA1Ud
+DgQWBBShZhz7aX/KhleAfYKvTgyG5ANuDjAfBgNVHSMEGDAWgBShZhz7aX/KhleA
+fYKvTgyG5ANuDjAPBgNVHRMBAf8EBTADAQH/MDQGA1UdEQQtMCuCCWxvY2FsaG9z
+dIIKcHVzaC5yb2Nrc4IMKi5wdXNoLnJvY2tzhwR/AAABMA0GCSqGSIb3DQEBCwUA
+A4IBAQAyUvjUszQp4riqa3CfBFFtjh+7DKNuQPOlYAwSEis4l+YK06Glx4fJBHcx
+eCPhQ/0wnPzi6CZe3vVRXd5fX27nVs+lMQD6Oc47F8OmTU6NXnb/1AcvrycDsP8D
+9Y9qecekbpegrN1W4D46goBAwvrd6Qy0EHi0Z5z02rfyXAdxm0OmdpuWoIMcEgUQ
+YyXIq3zSFE6uoO61WdLvBcXN6iaiSTVy0605WncDe2+UT9MeNq6zi1JD34jsgUrd
+xq0WRUk2C6C4Irkf00Q12rXeL+Jv5OwyrUUZRvz0gLgG02UUbB/6Ca5GYNXniEuI
+Py/EHTqbtjLIs7HxYjQH86FI9fUj
 -----END CERTIFICATE-----

assets/certs/key.pem

@@ -1,28 +1,28 @@
 -----BEGIN PRIVATE KEY-----
-MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCZMkBYD/pYLBv9
-MiyHTLRT24kQyPeJBtZqryibi1jkBT1ZgNl3yo5U6kjj/nYBU/oy7M4OFC0xyaJQ
-4wpvLHu7xzREqwT9N9WcDcxaahUiP8+PsjGyznPrtXa1ASzGAYMNvXyWWp3351UW
-ZHMEs6eY/Y7i8m4+0NwP5h8RNBCFKSFS41Ee9rNAMCnQSHZv1vIzKeVYPmYnCVmL
-7X2kQb+gS6Rvq5sEGLLKMC5QtTwIrdkPGpx4xZirIyf8KANbt0sShwUDpiCSuOCt
-pze08jMzoHLG9Nv97cJQjb/BhiEShLL+YjfAUFjq0rQ38zFKLJ87QB9Jym05mY6I
-adGQLXVXAgMBAAECggEARGCBBq1PBHbfoUH5TQSIAlvdEEBa9+602lZG7jIioVfT
-W7Uem5Ctuan+kcDcY9hbNsqqZ+9KgsvoJmlIGXoF2jjeE/4vUmRO9AHWoc5yk2Be
-4NjcxN3QMLdEfiLBnLlFCOd4CdX1ZxZ6TG3WRpV3a1pVIeeqHGB1sKT6Xd/atcwG
-RvpiXzu0SutGxVb6WE9r6hovZ4fVERCyCRczUGrUH5ICbxf6E7L4u8xjEYR4uEKK
-/8ZkDqrWdRASDAdPPMNqnHUEAho/WnxpNeb6B4lvvv2QWxIS9H1OikF/NzWPgVNS
-oPpvtJgjyo5xdgLm3zE4lcSPNVSrh1TBXuAn9TG4WQKBgQDScPFkUNBqjC5iPMof
-bqDHlhlptrHmiv9LC0lgjEDPgIEQfjLfdCugwDk32QyAcb5B60upDYeqCFDkfV/C
-T536qxevYPjPAjahLPHqMxkWpjvtY6NOTgbbcpVtblU2Fj8R8qbyPNADG31LicU9
-GVPtQ4YcVaMWCYbg5107+9dFWQKBgQC6XK+foKK+81RFdrqaNNgebTWTsANnBcZe
-xl0bj6oL5yY0IzroxHvgcNS7UMriWCu+K2xfkUBdMmxU773VN5JQ5k15ezjgtrvc
-8oAaEsxYP4su12JSTC/zsBANUgrNbFj8++qqKYWt2aQc2O/kbZ4MNfekIVFc8AjM
-2X9PxvxKLwKBgHXL7QO3TQLnVyt8VbQEjBFMzwriznB7i+4o8jkOKVU93IEr8zQr
-5iQElcLSR3I6uUJTALYvsaoXH5jXKVwujwL69LYiNQRDe+r6qqvrUHbiNJdsd8Rk
-XuhGGqj34tD04Pcd+h+MtO+YWqmHBBZwcA9XBeIkebbjPFH2kLT8AwN5AoGAYQy9
-hMJxnkE3hIkk+gNE/OtgeE20J+Vw/ZANkrnJEzPHyGUEW41e+W2oyvdzAFZsSTdx
-037f5ujIU58Z27x53NliRT4vS4693H0Iyws5EUfeIoGVuUflvODWKymraHjhCrXh
-6cV/0R5DAabTnsCbCr7b/MRBC8YQvyUQ0KnOXo8CgYBQYGpvJnSWyvsCjtb6apTP
-drjcBhVd0aSBpLGtDdtUCV4oLl9HPy+cLzcGaqckBqCwEq5DKruhMEf7on56bUMd
-m/3ItFk1TnhysAeJHb3zLqmJ9CKBitpqLlsOE7MEXVNmbTYeXU10Uo9yOfyt1i7T
-su+nT5VtyPkmF/l4wZl5+g==
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDKOK2QN3gN2VWT
+hN9XEpSp3GckIaP27KtQ8CpHyEHr5tH7ytbrevIE1g1GLPE4bDjUTX1qxw27ID3y
+ZQXiiqOJ3UrhWoOIrO/VSr/c1S6cLD+sR11HmEKhWROwEmPM2AEmqdxLrTq/SF8D
+TRwKSkZH5N7tD8TxPyUCmKjPXMVDTlgLr2h4kcislysiQgUCCZcOBEXRngStR677
+BU5ZPbru5UBifkB0UzEJIgGxi0+x6rJwLkRDoEIG2wgaK2VGDMtGD3ntllr5IXfx
+qj7+KNiY4selBPSYVpTItPsEqDGC4azwIdwjE3lCjbsnewLnKaeu/a6TkNwA5RzG
+SVdRtUJ5AgMBAAECggEAEM8piTp9I5yQVxr1RCv+mMiB99BGjHrTij6uawlXxnPJ
+Ol574zbU6Yc/8vh/JB8l0arvzQmHCAoX8B9K4BABZE81X1paYujqJi8ImAMN9Owe
+LlQ/yhjbWAVbJDiBHHjLjrLRpaY8gwQxZqk5FpdiNG1vROIZzypeKZM2PAdke9HA
+PvJtsyfXdEz+jb5EUgaadyn7aquR6y607a8m55y34POLOcssteUOje4GdrTekHK0
+62E+iEnawBjIs7gBzJf0j1XjFNq3aAeLrn8gFCEb+yK7X++8FJ8YjwsqS5V1aMsR
+1PZguW0jCzYHATc2OcIozlvdBriPxy7eX8Y3MFvNMQKBgQD22ReUyKX5TKA/fg3z
+S/QGfYqd4T35jkwK1MaXOuFOBzNyTMT6ZJkbjxPOYPB0uakcfIlva8bI77mE5vRe
+PWYlvitp9Zz3v2kt/WgnwG32ZdVedPjEoi9aitUXmiiIoxdPVAUAgLPFFN65Sr2G
+2NM/vduZcAPUr0UWnFx4dlpo8QKBgQDRuAV44Y+1396511oW4OR8ofWFECMc5uEV
+wQ26EpbilEYhRSBty+1PAK5AcEGybeVtUn9RSmx0Ef1L15wnzP/C886LIzkaig/9
+xs0yudXgOFdBAzYQKnK2lZmSKkzcUFJtifat3E+ZMCo/duhzXpzecg/lVNGh6gcx
+xbtphJCyCQKBgEO8zvvFE8aVgGPr82gQL6aYTLGGXbtdkQBn4xcc0TbYQwXaizMq
+59joKkc30sQ1LnLiudQZfzMklYQi3Gv/7UfuJ3usKqbRn8s+/pXp+ELlLuf8sUdE
+OjpeXptbckQMfRkHtVet+abbU0MFf3zBgza6osg4NNToQ80wmy9zStwBAoGAGLeD
+jZeoBFt6OJT0/TVMOJQuB5y7RrC/Xnz+TSvbtKCdE1a+V7JtKZ5+6wFP/OOO4q+S
+adZHqfZk0Ad9VAOJMUTi1usz07jp4ZMIpC3a0y5QukzSll0qX/KJwvxRSrX8wQQ9
+mogYqYlPsWMmSlKgUmdHEFRK0LZwWqFfUTRaiWECgYEA6KR6KMbqnYn5CglHeD42
+NmOgFYXljRLIxS1coTiWWQZM/nUyx/tSk+MAS7770USHoZhAfh6lmEa/AeKSoLVl
+Su3yzgtKk1/doAtbiWD8TasHAhacwWmzTuZtH5cZUgW3QIVJg6ADi6m8zswqKxIS
+qfU/1N4aHp832v4ggRe/Og0=
 -----END PRIVATE KEY-----

changelog.md

@@ -1,5 +1,60 @@
 # Changelog
 
+## 2026-02-13 - 25.1.0 - feat(metrics)
+add real-time throughput sampling and byte-counting metrics
+
+- Add CountingBody wrapper to count HTTP request and response bytes and report them to MetricsCollector.
+- Implement lock-free hot-path byte recording and a cold-path sampling API (sample_all) in MetricsCollector with throughput history and configurable retention (default 3600s).
+- Spawn a background sampling task in RustProxy (configurable sample_interval_ms) and tear it down on stop so throughput trackers are regularly sampled.
+- Instrument passthrough TCP forwarding and socket-relay paths to record per-chunk bytes (lock-free) so long-lived connections contribute to throughput measurements.
+- Wrap HTTP request/response bodies with CountingBody in proxy_service to capture bytes_in/bytes_out and report on body completion; connection_closed handling updated accordingly.
+- Expose recent throughput metrics to the TypeScript adapter (throughputRecentIn/Out) and pass metrics settings from the TS SmartProxy into Rust.
+- Add http-body dependency and update Cargo.toml/Cargo.lock entries for the new body wrapper usage.
+- Add unit tests for MetricsCollector throughput tracking and a new end-to-end throughput test (test.throughput.ts).
+- Update test certificates (assets/certs cert.pem and key.pem) used by TLS tests.
+
+## 2026-02-13 - 25.0.0 - BREAKING CHANGE(certs)
+accept a second eventComms argument in certProvisionFunction, add cert provisioning event types, and emit certificate lifecycle events
+
+- Breaking API change: certProvisionFunction signature changed from (domain: string) => Promise<TSmartProxyCertProvisionObject> to (domain: string, eventComms: ICertProvisionEventComms) => Promise<TSmartProxyCertProvisionObject>. Custom provisioners must accept (or safely ignore) the new second argument.
+- New types added and exported: ICertProvisionEventComms, ICertificateIssuedEvent, ICertificateFailedEvent.
+- smart-proxy now constructs an eventComms channel that allows provisioners to log/warn/error and set expiry date and source for the issued event.
+- Emits 'certificate-issued' (domain, expiryDate, source, isRenewal?) on successful provisioning and 'certificate-failed' (domain, error, source) on failures.
+- Updated public exports to include the new types so they are available to consumers.
+- Removed readme.byte-counting-audit.md (documentation file deleted).
+
+## 2026-02-13 - 24.0.1 - fix(proxy)
+improve proxy robustness: add connect timeouts, graceful shutdown, WebSocket watchdog, and metrics guard
+
+- Add tokio-util CancellationToken to HTTP handlers to support graceful shutdown (stop accepting new requests while letting in-flight requests finish).
+- Introduce configurable upstream connect timeout (DEFAULT_CONNECT_TIMEOUT) and return 504 Gateway Timeout on connect timeouts to avoid hanging connections.
+- Add WebSocket watchdog with inactivity and max-lifetime checks, activity tracking via AtomicU64, and cancellation-driven tunnel aborts.
+- Add ConnectionGuard RAII in passthrough listener to ensure metrics.connection_closed() is called on all exit paths and disarm the guard when handing off to the HTTP proxy.
+- Expose HttpProxyService::with_connect_timeout and wire connection timeout from ConnectionConfig into listeners.
+- Add tokio-util workspace dependency (CancellationToken) and related code changes across rustproxy-http and rustproxy-passthrough.
+
+## 2026-02-13 - 24.0.0 - BREAKING CHANGE(smart-proxy)
+move certificate persistence to an in-memory store and introduce consumer-managed certStore API; add default self-signed fallback cert and change ACME account handling
+
+- Cert persistence removed from Rust side: CertStore is now an in-memory cache (no filesystem reads/writes). Rust no longer persists or loads certs from disk.
+- ACME account credentials are no longer persisted by the library; AcmeClient uses ephemeral accounts only and account persistence APIs were removed.
+- TypeScript API changes: removed certificateStore option and added ISmartProxyCertStore + certStore option for consumer-provided persistence (loadAll, save, optional remove).
+- Default self-signed fallback certificate added (generateDefaultCertificate) and loaded as '*' unless disableDefaultCert is set.
+- SmartProxy now pre-loads certificates from consumer certStore on startup and persists certificates by calling certStore.save() after provisioning.
+- provisionCertificatesViaCallback signature changed to accept preloaded domains (prevents re-provisioning), and ACME fallback behavior adjusted with clearer logging.
+- Rust cert manager methods made infallible for cache-only operations (load_static/store no longer return errors for cache insertions); removed store-backed load_all/remove/base_dir APIs.
+- TCP listener tls_configs concurrency improved: switched to ArcSwap<HashMap<...>> so accept loops see hot-reloads immediately.
+- Removed dependencies related to filesystem cert persistence from the tls crate (serde_json, tempfile) and corresponding Cargo.lock changes and test updates.
+
+## 2026-02-13 - 23.1.6 - fix(smart-proxy)
+disable built-in Rust ACME when a certProvisionFunction is provided and improve certificate provisioning flow
+
+- Pass an optional ACME override into buildRustConfig so Rust ACME can be disabled per-run
+- Disable Rust ACME when certProvisionFunction is configured to avoid provisioning race conditions
+- Normalize routing glob patterns into concrete domain identifiers for certificate provisioning (expand leading-star globs and warn on unsupported patterns)
+- Deduplicate domains during provisioning to avoid repeated attempts
+- When the callback returns 'http01', explicitly trigger Rust ACME for the route via bridge.provisionCertificate and log success/failure
+
 ## 2026-02-13 - 23.1.5 - fix(smart-proxy)
 provision certificates for wildcard domains instead of skipping them
 

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@push.rocks/smartproxy",
-  "version": "23.1.5",
+  "version": "25.1.0",
   "private": false,
   "description": "A powerful proxy package with unified route-based configuration for high traffic management. Features include SSL/TLS support, flexible routing patterns, WebSocket handling, advanced security options, and automatic ACME certificate management.",
   "main": "dist_ts/index.js",

readme.byte-counting-audit.md

@@ -1,169 +0,0 @@
-# SmartProxy Byte Counting Audit Report
-
-## Executive Summary
-
-After a comprehensive audit of the SmartProxy codebase, I can confirm that **byte counting is implemented correctly** with no instances of double counting. Each byte transferred through the proxy is counted exactly once in each direction.
-
-## Byte Counting Implementation
-
-### 1. Core Tracking Mechanisms
-
-SmartProxy uses two complementary tracking systems:
-
-1. **Connection Records** (`IConnectionRecord`):
-   - `bytesReceived`: Total bytes received from client
-   - `bytesSent`: Total bytes sent to client
-
-2. **MetricsCollector**:
-   - Global throughput tracking via `ThroughputTracker`
-   - Per-connection byte tracking for route/IP metrics
-   - Called via `recordBytes(connectionId, bytesIn, bytesOut)`
-
-### 2. Where Bytes Are Counted
-
-Bytes are counted in only two files:
-
-#### a) `route-connection-handler.ts`
-- **Line 351**: TLS alert bytes when no SNI is provided
-- **Lines 1286-1301**: Data forwarding callbacks in `setupBidirectionalForwarding()`
-
-#### b) `http-proxy-bridge.ts`  
-- **Line 127**: Initial TLS chunk for HttpProxy connections
-- **Lines 142-154**: Data forwarding callbacks in `setupBidirectionalForwarding()`
-
-## Connection Flow Analysis
-
-### 1. Direct TCP Connection (No TLS)
-
-```
-Client → SmartProxy → Target Server
-```
-
-1. Connection arrives at `RouteConnectionHandler.handleConnection()`
-2. For non-TLS ports, immediately routes via `routeConnection()`
-3. `setupDirectConnection()` creates target connection
-4. `setupBidirectionalForwarding()` handles all data transfer:
-   - `onClientData`: `bytesReceived += chunk.length` + `recordBytes(chunk.length, 0)`
-   - `onServerData`: `bytesSent += chunk.length` + `recordBytes(0, chunk.length)`
-
-**Result**: ✅ Each byte counted exactly once
-
-### 2. TLS Passthrough Connection
-
-```
-Client (TLS) → SmartProxy → Target Server (TLS)
-```
-
-1. Connection waits for initial data to detect TLS
-2. TLS handshake detected, SNI extracted
-3. Route matched, `setupDirectConnection()` called
-4. Initial chunk stored in `pendingData` (NOT counted yet)
-5. On target connect, `pendingData` written to target (still not counted)
-6. `setupBidirectionalForwarding()` counts ALL bytes including initial chunk
-
-**Result**: ✅ Each byte counted exactly once
-
-### 3. TLS Termination via HttpProxy
-
-```
-Client (TLS) → SmartProxy → HttpProxy (localhost) → Target Server
-```
-
-1. TLS connection detected with `tls.mode = "terminate"`
-2. `forwardToHttpProxy()` called:
-   - Initial chunk: `bytesReceived += chunk.length` + `recordBytes(chunk.length, 0)`
-3. Proxy connection created to HttpProxy on localhost
-4. `setupBidirectionalForwarding()` handles subsequent data
-
-**Result**: ✅ Each byte counted exactly once
-
-### 4. HTTP Connection via HttpProxy
-
-```
-Client (HTTP) → SmartProxy → HttpProxy (localhost) → Target Server
-```
-
-1. Connection on configured HTTP port (`useHttpProxy` ports)
-2. Same flow as TLS termination
-3. All byte counting identical to TLS termination
-
-**Result**: ✅ Each byte counted exactly once
-
-### 5. NFTables Forwarding
-
-```
-Client → [Kernel NFTables] → Target Server
-```
-
-1. Connection detected, route matched with `forwardingEngine: 'nftables'`
-2. Connection marked as `usingNetworkProxy = true`
-3. NO application-level forwarding (kernel handles packet routing)
-4. NO byte counting in application layer
-
-**Result**: ✅ No counting (correct - kernel handles everything)
-
-## Special Cases
-
-### PROXY Protocol
-- PROXY protocol headers sent to backend servers are NOT counted in client metrics
-- Only actual client data is counted
-- **Correct behavior**: Protocol overhead is not client data
-
-### TLS Alerts
-- TLS alerts (e.g., for missing SNI) are counted as sent bytes
-- **Correct behavior**: Alerts are actual data sent to the client
-
-### Initial Chunks
-- **Direct connections**: Stored in `pendingData`, counted when forwarded
-- **HttpProxy connections**: Counted immediately upon receipt
-- **Both approaches**: Count each byte exactly once
-
-## Verification Methodology
-
-1. **Code Analysis**: Searched for all instances of:
-   - `bytesReceived +=` and `bytesSent +=`
-   - `recordBytes()` calls
-   - Data forwarding implementations
-
-2. **Flow Tracing**: Followed data path for each connection type from entry to exit
-
-3. **Handler Review**: Examined all forwarding handlers to ensure no additional counting
-
-## Findings
-
-### ✅ No Double Counting Detected
-
-- Each byte is counted exactly once in the direction it flows
-- Connection records and metrics are updated consistently
-- No overlapping or duplicate counting logic found
-
-### Areas of Excellence
-
-1. **Centralized Counting**: All byte counting happens in just two files
-2. **Consistent Pattern**: Uses `setupBidirectionalForwarding()` with callbacks
-3. **Clear Separation**: Forwarding handlers don't interfere with proxy metrics
-
-## Recommendations
-
-1. **Debug Logging**: Add optional debug logging to verify byte counts in production:
-   ```typescript
-   if (settings.debugByteCount) {
-     logger.log('debug', `Bytes counted: ${connectionId} +${bytes} (total: ${record.bytesReceived})`);
-   }
-   ```
-
-2. **Unit Tests**: Create specific tests to ensure byte counting accuracy:
-   - Test initial chunk handling
-   - Test PROXY protocol overhead exclusion
-   - Test HttpProxy forwarding accuracy
-
-3. **Protocol Overhead Tracking**: Consider separately tracking:
-   - PROXY protocol headers
-   - TLS handshake bytes
-   - HTTP headers vs body
-
-4. **NFTables Documentation**: Clearly document that NFTables-forwarded connections are not included in application metrics
-
-## Conclusion
-
-SmartProxy's byte counting implementation is **robust and accurate**. The design ensures that each byte is counted exactly once, with clear separation between connection tracking and metrics collection. No remediation is required.

readme.md

@@ -36,6 +36,7 @@ Whether you're building microservices, deploying edge infrastructure, or need a
 | 📊 **Live Metrics** | Real-time throughput, connection counts, and performance data |
 | 🔧 **Dynamic Management** | Add/remove ports and routes at runtime without restarts |
 | 🔄 **PROXY Protocol** | Full PROXY protocol v1/v2 support for preserving client information |
+| 💾 **Consumer Cert Storage** | Bring your own persistence — SmartProxy never writes certs to disk |
 
 ## 🚀 Quick Start
 
@@ -456,6 +457,51 @@ const proxy = new SmartProxy({
 });
 ```
 
+### 💾 Consumer-Managed Certificate Storage
+
+SmartProxy **never writes certificates to disk**. Instead, you own all persistence through the `certStore` interface. This gives you full control — store certs in a database, cloud KMS, encrypted vault, or wherever makes sense for your infrastructure:
+
+```typescript
+const proxy = new SmartProxy({
+  routes: [...],
+
+  certProvisionFunction: async (domain) => myAcme.provision(domain),
+
+  // Your persistence layer — SmartProxy calls these hooks
+  certStore: {
+    // Called once on startup to pre-load persisted certs
+    loadAll: async () => {
+      const certs = await myDb.getAllCerts();
+      return certs.map(c => ({
+        domain: c.domain,
+        publicKey: c.certPem,
+        privateKey: c.keyPem,
+        ca: c.caPem,      // optional
+      }));
+    },
+
+    // Called after each successful cert provision
+    save: async (domain, publicKey, privateKey, ca) => {
+      await myDb.upsertCert({ domain, certPem: publicKey, keyPem: privateKey, caPem: ca });
+    },
+
+    // Optional: called when a cert should be removed
+    remove: async (domain) => {
+      await myDb.deleteCert(domain);
+    },
+  },
+});
+```
+
+**Startup flow:**
+1. Rust engine starts
+2. Default self-signed `*` fallback cert is loaded (unless `disableDefaultCert: true`)
+3. `certStore.loadAll()` is called → all returned certs are loaded into the Rust TLS stack
+4. `certProvisionFunction` runs for any remaining `certificate: 'auto'` routes (skipping domains already loaded from the store)
+5. After each successful provision, `certStore.save()` is called
+
+This means your second startup is instant — no re-provisioning needed for domains that already have valid certs in your store.
+
 ## 🏛️ Architecture
 
 SmartProxy uses a hybrid **Rust + TypeScript** architecture:
@@ -488,7 +534,7 @@ SmartProxy uses a hybrid **Rust + TypeScript** architecture:
 
 - **Rust Engine** handles all networking, TLS, HTTP proxying, connection management, security, and metrics
 - **TypeScript** provides the npm API, configuration types, route helpers, validation, and socket handler callbacks
-- **IPC** — The TypeScript wrapper uses [`@push.rocks/smartrust`](https://code.foss.global/push.rocks/smartrust) for type-safe JSON commands/events over stdin/stdout
+- **IPC** — The TypeScript wrapper uses JSON commands/events over stdin/stdout to communicate with the Rust binary
 - **Socket Relay** — A Unix domain socket server for routes requiring TypeScript-side handling (socket handlers, dynamic host/port functions)
 
 ## 🎯 Route Configuration Reference
@@ -497,7 +543,7 @@ SmartProxy uses a hybrid **Rust + TypeScript** architecture:
 
 ```typescript
 interface IRouteMatch {
-  ports: number | number[] | Array<{ from: number; to: number }>;  // Port(s) to listen on
+  ports: number | number[] | Array<{ from: number; to: number }>;  // Required — port(s) to listen on
   domains?: string | string[];         // 'example.com', '*.example.com'
   path?: string;                       // '/api/*', '/users/:id'
   clientIp?: string[];                 // ['10.0.0.0/8', '192.168.*']
@@ -517,11 +563,16 @@ interface IRouteMatch {
 
 ```typescript
 interface IRouteTarget {
-  host: string | string[] | ((context: IRouteContext) => string);
+  host: string | string[] | ((context: IRouteContext) => string | string[]);
   port: number | 'preserve' | ((context: IRouteContext) => number);
-  tls?: { ... };           // Per-target TLS override
-  priority?: number;        // Target priority
-  match?: ITargetMatch;    // Sub-match within a route (by port, path, headers, method)
+  tls?: IRouteTls;           // Per-target TLS override
+  priority?: number;          // Target priority
+  match?: ITargetMatch;       // Sub-match within a route (by port, path, headers, method)
+  websocket?: IRouteWebSocket;
+  loadBalancing?: IRouteLoadBalancing;
+  sendProxyProtocol?: boolean;
+  headers?: IRouteHeaders;
+  advanced?: IRouteAdvanced;
 }
 ```
 
@@ -613,6 +664,7 @@ import {
   createPortMappingRoute,          // Port mapping with context
   createOffsetPortMappingRoute,    // Simple port offset
   createDynamicRoute,              // Dynamic host/port via functions
+  createPortOffset,                // Port offset factory
 
   // Security Modifiers
   addRateLimiting,                 // Add rate limiting to any route
@@ -680,7 +732,6 @@ interface ISmartProxyOptions {
     port?: number;                          // HTTP-01 challenge port (default: 80)
     renewThresholdDays?: number;            // Days before expiry to renew (default: 30)
     autoRenew?: boolean;                    // Enable auto-renewal (default: true)
-    certificateStore?: string;              // Directory to store certs (default: './certs')
     renewCheckIntervalHours?: number;       // Renewal check interval (default: 24)
   };
 
@@ -688,6 +739,12 @@ interface ISmartProxyOptions {
   certProvisionFunction?: (domain: string) => Promise<ICert | 'http01'>;
   certProvisionFallbackToAcme?: boolean;    // Fall back to ACME on failure (default: true)
 
+  // Consumer-managed certificate persistence (see "Consumer-Managed Certificate Storage")
+  certStore?: ISmartProxyCertStore;
+
+  // Self-signed fallback
+  disableDefaultCert?: boolean;             // Disable '*' self-signed fallback (default: false)
+
   // Global defaults
   defaults?: {
     target?: { host: string; port: number };
@@ -729,6 +786,26 @@ interface ISmartProxyOptions {
 }
 ```
 
+### ISmartProxyCertStore Interface
+
+```typescript
+interface ISmartProxyCertStore {
+  /** Called once on startup to pre-load persisted certs */
+  loadAll: () => Promise<Array<{
+    domain: string;
+    publicKey: string;
+    privateKey: string;
+    ca?: string;
+  }>>;
+
+  /** Called after each successful cert provision */
+  save: (domain: string, publicKey: string, privateKey: string, ca?: string) => Promise<void>;
+
+  /** Optional: remove a cert from storage */
+  remove?: (domain: string) => Promise<void>;
+}
+```
+
 ### IMetrics Interface
 
 The `getMetrics()` method returns a cached metrics adapter that polls the Rust engine:
@@ -758,6 +835,10 @@ metrics.requests.total();                  // Total requests
 metrics.totals.bytesIn();                  // Total bytes received
 metrics.totals.bytesOut();                 // Total bytes sent
 metrics.totals.connections();              // Total connections
+
+// Percentiles
+metrics.percentiles.connectionDuration();  // { p50, p95, p99 }
+metrics.percentiles.bytesTransferred();    // { in: { p50, p95, p99 }, out: { p50, p95, p99 } }
 ```
 
 ## 🐛 Troubleshooting
@@ -802,6 +883,7 @@ SmartProxy searches for the Rust binary in this order:
 7. **✅ Validate Routes** — Use `RouteValidator.validateRoutes()` to catch config errors before deployment
 8. **🔀 Atomic Updates** — Use `updateRoutes()` for hot-reloading routes (mutex-locked, no downtime)
 9. **🎮 Use Socket Handlers** — For protocols beyond HTTP, implement custom socket handlers instead of fighting the proxy model
+10. **💾 Use `certStore`** — Persist certs in your own storage to avoid re-provisioning on every restart
 
 ## License and Legal Information
 

rust/Cargo.lock

@@ -285,12 +285,6 @@ dependencies = [
  "windows-sys 0.61.2",
 ]
 
-[[package]]
-name = "fastrand"
-version = "2.3.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "37909eebbb50d72f9059c3b6d82c0463f2ff062c9e95845c43a6c9c0355411be"
-
 [[package]]
 name = "find-msvc-tools"
 version = "0.1.9"
@@ -618,12 +612,6 @@ version = "0.2.180"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "bcc35a38544a891a5f7c865aca548a982ccb3b8650a5b06d0fd33a10283c56fc"
 
-[[package]]
-name = "linux-raw-sys"
-version = "0.11.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "df1d3c3b53da64cf5760482273a98e575c651a67eec7f77df96b5b642de8f039"
-
 [[package]]
 name = "lock_api"
 version = "0.4.14"
@@ -866,19 +854,6 @@ dependencies = [
  "windows-sys 0.52.0",
 ]
 
-[[package]]
-name = "rustix"
-version = "1.1.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "146c9e247ccc180c1f61615433868c99f3de3ae256a30a43b49f67c2d9171f34"
-dependencies = [
- "bitflags",
- "errno",
- "libc",
- "linux-raw-sys",
- "windows-sys 0.61.2",
-]
-
 [[package]]
 name = "rustls"
 version = "0.23.36"
@@ -986,6 +961,7 @@ dependencies = [
  "arc-swap",
  "bytes",
  "dashmap",
+ "http-body",
  "http-body-util",
  "hyper",
  "hyper-util",
@@ -996,6 +972,7 @@ dependencies = [
  "rustproxy-security",
  "thiserror 2.0.18",
  "tokio",
+ "tokio-util",
  "tracing",
 ]
 
@@ -1084,8 +1061,6 @@ dependencies = [
  "rustls",
  "rustproxy-config",
  "serde",
- "serde_json",
- "tempfile",
  "thiserror 2.0.18",
  "tokio",
  "tracing",
@@ -1260,19 +1235,6 @@ dependencies = [
  "unicode-ident",
 ]
 
-[[package]]
-name = "tempfile"
-version = "3.24.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "655da9c7eb6305c55742045d5a8d2037996d61d8de95806335c7c86ce0f82e9c"
-dependencies = [
- "fastrand",
- "getrandom 0.3.4",
- "once_cell",
- "rustix",
- "windows-sys 0.61.2",
-]
-
 [[package]]
 name = "thiserror"
 version = "1.0.69"

rust/Cargo.toml

@@ -29,6 +29,7 @@ serde_json = "1"
 # HTTP proxy engine (hyper-based)
 hyper = { version = "1", features = ["http1", "http2", "server", "client"] }
 hyper-util = { version = "0.1", features = ["tokio", "http1", "http2", "client-legacy", "server-auto"] }
+http-body = "1"
 http-body-util = "0.1"
 bytes = "1"
 

rust/crates/rustproxy-config/src/proxy_options.rs

@@ -29,9 +29,6 @@ pub struct AcmeOptions {
     /// Enable automatic renewal (default: true)
     #[serde(skip_serializing_if = "Option::is_none")]
     pub auto_renew: Option<bool>,
-    /// Directory to store certificates (default: './certs')
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub certificate_store: Option<String>,
     #[serde(skip_serializing_if = "Option::is_none")]
     pub skip_configured_certs: Option<bool>,
     /// How often to check for renewals (default: 24)
@@ -361,7 +358,6 @@ mod tests {
                 use_production: None,
                 renew_threshold_days: None,
                 auto_renew: None,
-                certificate_store: None,
                 skip_configured_certs: None,
                 renew_check_interval_hours: None,
             }),

rust/crates/rustproxy-http/Cargo.toml

@@ -14,6 +14,7 @@ rustproxy-metrics = { workspace = true }
 hyper = { workspace = true }
 hyper-util = { workspace = true }
 regex = { workspace = true }
+http-body = { workspace = true }
 http-body-util = { workspace = true }
 bytes = { workspace = true }
 tokio = { workspace = true }
@@ -22,3 +23,4 @@ thiserror = { workspace = true }
 anyhow = { workspace = true }
 arc-swap = { workspace = true }
 dashmap = { workspace = true }
+tokio-util = { workspace = true }

rust/crates/rustproxy-http/src/counting_body.rs

@@ -0,0 +1,122 @@
+//! A body wrapper that counts bytes flowing through and reports them to MetricsCollector.
+
+use std::pin::Pin;
+use std::sync::Arc;
+use std::sync::atomic::{AtomicU64, Ordering};
+use std::task::{Context, Poll};
+
+use bytes::Bytes;
+use http_body::Frame;
+use rustproxy_metrics::MetricsCollector;
+
+/// Wraps any `http_body::Body` and counts data bytes passing through.
+///
+/// When the body is fully consumed or dropped, accumulated byte counts
+/// are reported to the `MetricsCollector`.
+///
+/// The inner body is pinned on the heap to support `!Unpin` types like `hyper::body::Incoming`.
+pub struct CountingBody<B> {
+    inner: Pin<Box<B>>,
+    counted_bytes: AtomicU64,
+    metrics: Arc<MetricsCollector>,
+    route_id: Option<String>,
+    /// Whether we count bytes as "in" (request body) or "out" (response body).
+    direction: Direction,
+    /// Whether we've already reported the bytes (to avoid double-reporting on drop).
+    reported: bool,
+}
+
+/// Which direction the bytes flow.
+#[derive(Clone, Copy)]
+pub enum Direction {
+    /// Request body: bytes flowing from client → upstream (counted as bytes_in)
+    In,
+    /// Response body: bytes flowing from upstream → client (counted as bytes_out)
+    Out,
+}
+
+impl<B> CountingBody<B> {
+    /// Create a new CountingBody wrapping an inner body.
+    pub fn new(
+        inner: B,
+        metrics: Arc<MetricsCollector>,
+        route_id: Option<String>,
+        direction: Direction,
+    ) -> Self {
+        Self {
+            inner: Box::pin(inner),
+            counted_bytes: AtomicU64::new(0),
+            metrics,
+            route_id,
+            direction,
+            reported: false,
+        }
+    }
+
+    /// Report accumulated bytes to the metrics collector.
+    fn report(&mut self) {
+        if self.reported {
+            return;
+        }
+        self.reported = true;
+
+        let bytes = self.counted_bytes.load(Ordering::Relaxed);
+        if bytes == 0 {
+            return;
+        }
+
+        let route_id = self.route_id.as_deref();
+        match self.direction {
+            Direction::In => self.metrics.record_bytes(bytes, 0, route_id),
+            Direction::Out => self.metrics.record_bytes(0, bytes, route_id),
+        }
+    }
+}
+
+impl<B> Drop for CountingBody<B> {
+    fn drop(&mut self) {
+        self.report();
+    }
+}
+
+// CountingBody is Unpin because inner is Pin<Box<B>> (always Unpin).
+impl<B> Unpin for CountingBody<B> {}
+
+impl<B> http_body::Body for CountingBody<B>
+where
+    B: http_body::Body<Data = Bytes>,
+{
+    type Data = Bytes;
+    type Error = B::Error;
+
+    fn poll_frame(
+        self: Pin<&mut Self>,
+        cx: &mut Context<'_>,
+    ) -> Poll<Option<Result<Frame<Self::Data>, Self::Error>>> {
+        let this = self.get_mut();
+
+        match this.inner.as_mut().poll_frame(cx) {
+            Poll::Ready(Some(Ok(frame))) => {
+                if let Some(data) = frame.data_ref() {
+                    this.counted_bytes.fetch_add(data.len() as u64, Ordering::Relaxed);
+                }
+                Poll::Ready(Some(Ok(frame)))
+            }
+            Poll::Ready(Some(Err(e))) => Poll::Ready(Some(Err(e))),
+            Poll::Ready(None) => {
+                // Body is fully consumed — report now
+                this.report();
+                Poll::Ready(None)
+            }
+            Poll::Pending => Poll::Pending,
+        }
+    }
+
+    fn is_end_stream(&self) -> bool {
+        self.inner.is_end_stream()
+    }
+
+    fn size_hint(&self) -> http_body::SizeHint {
+        self.inner.size_hint()
+    }
+}

rust/crates/rustproxy-http/src/lib.rs

@@ -3,12 +3,14 @@
 //! Hyper-based HTTP proxy service for RustProxy.
 //! Handles HTTP request parsing, route-based forwarding, and response filtering.
 
+pub mod counting_body;
 pub mod proxy_service;
 pub mod request_filter;
 pub mod response_filter;
 pub mod template;
 pub mod upstream_selector;
 
+pub use counting_body::*;
 pub use proxy_service::*;
 pub use template::*;
 pub use upstream_selector::*;

rust/crates/rustproxy-http/src/proxy_service.rs

@@ -6,6 +6,7 @@
 
 use std::collections::HashMap;
 use std::sync::Arc;
+use std::sync::atomic::{AtomicU64, Ordering};
 
 use bytes::Bytes;
 use http_body_util::{BodyExt, Full, combinators::BoxBody};
@@ -14,20 +15,33 @@ use hyper::{Request, Response, StatusCode};
 use hyper_util::rt::TokioIo;
 use regex::Regex;
 use tokio::net::TcpStream;
+use tokio_util::sync::CancellationToken;
 use tracing::{debug, error, info, warn};
 
 use rustproxy_routing::RouteManager;
 use rustproxy_metrics::MetricsCollector;
 
+use crate::counting_body::{CountingBody, Direction};
 use crate::request_filter::RequestFilter;
 use crate::response_filter::ResponseFilter;
 use crate::upstream_selector::UpstreamSelector;
 
+/// Default upstream connect timeout (30 seconds).
+const DEFAULT_CONNECT_TIMEOUT: std::time::Duration = std::time::Duration::from_secs(30);
+
+/// Default WebSocket inactivity timeout (1 hour).
+const DEFAULT_WS_INACTIVITY_TIMEOUT: std::time::Duration = std::time::Duration::from_secs(3600);
+
+/// Default WebSocket max lifetime (24 hours).
+const DEFAULT_WS_MAX_LIFETIME: std::time::Duration = std::time::Duration::from_secs(86400);
+
 /// HTTP proxy service that processes HTTP traffic.
 pub struct HttpProxyService {
     route_manager: Arc<RouteManager>,
     metrics: Arc<MetricsCollector>,
     upstream_selector: UpstreamSelector,
+    /// Timeout for connecting to upstream backends.
+    connect_timeout: std::time::Duration,
 }
 
 impl HttpProxyService {
@@ -36,6 +50,21 @@ impl HttpProxyService {
             route_manager,
             metrics,
             upstream_selector: UpstreamSelector::new(),
+            connect_timeout: DEFAULT_CONNECT_TIMEOUT,
+        }
+    }
+
+    /// Create with a custom connect timeout.
+    pub fn with_connect_timeout(
+        route_manager: Arc<RouteManager>,
+        metrics: Arc<MetricsCollector>,
+        connect_timeout: std::time::Duration,
+    ) -> Self {
+        Self {
+            route_manager,
+            metrics,
+            upstream_selector: UpstreamSelector::new(),
+            connect_timeout,
         }
     }
 
@@ -45,41 +74,59 @@ impl HttpProxyService {
         stream: TcpStream,
         peer_addr: std::net::SocketAddr,
         port: u16,
+        cancel: CancellationToken,
     ) {
-        self.handle_io(stream, peer_addr, port).await;
+        self.handle_io(stream, peer_addr, port, cancel).await;
     }
 
     /// Handle an incoming HTTP connection on any IO type (plain TCP or TLS-terminated).
     ///
-    /// Uses HTTP/1.1 with upgrade support. For clients that negotiate HTTP/2,
-    /// use `handle_io_auto` instead.
+    /// Uses HTTP/1.1 with upgrade support. Responds to graceful shutdown via the
+    /// cancel token — in-flight requests complete, but no new requests are accepted.
     pub async fn handle_io<I>(
         self: Arc<Self>,
         stream: I,
         peer_addr: std::net::SocketAddr,
         port: u16,
+        cancel: CancellationToken,
     )
     where
         I: tokio::io::AsyncRead + tokio::io::AsyncWrite + Unpin + Send + 'static,
     {
         let io = TokioIo::new(stream);
 
+        let cancel_inner = cancel.clone();
         let service = hyper::service::service_fn(move |req: Request<Incoming>| {
             let svc = Arc::clone(&self);
             let peer = peer_addr;
+            let cn = cancel_inner.clone();
             async move {
-                svc.handle_request(req, peer, port).await
+                svc.handle_request(req, peer, port, cn).await
             }
         });
 
         // Use http1::Builder with upgrades for WebSocket support
-        let conn = hyper::server::conn::http1::Builder::new()
+        let mut conn = hyper::server::conn::http1::Builder::new()
             .keep_alive(true)
             .serve_connection(io, service)
             .with_upgrades();
 
-        if let Err(e) = conn.await {
-            debug!("HTTP connection error from {}: {}", peer_addr, e);
+        // Use select to support graceful shutdown via cancellation token
+        let conn_pin = std::pin::Pin::new(&mut conn);
+        tokio::select! {
+            result = conn_pin => {
+                if let Err(e) = result {
+                    debug!("HTTP connection error from {}: {}", peer_addr, e);
+                }
+            }
+            _ = cancel.cancelled() => {
+                // Graceful shutdown: let in-flight request finish, stop accepting new ones
+                let conn_pin = std::pin::Pin::new(&mut conn);
+                conn_pin.graceful_shutdown();
+                if let Err(e) = conn.await {
+                    debug!("HTTP connection error during shutdown from {}: {}", peer_addr, e);
+                }
+            }
         }
     }
 
@@ -89,6 +136,7 @@ impl HttpProxyService {
         req: Request<Incoming>,
         peer_addr: std::net::SocketAddr,
         port: u16,
+        cancel: CancellationToken,
     ) -> Result<Response<BoxBody<Bytes, hyper::Error>>, hyper::Error> {
         let host = req.headers()
             .get("host")
@@ -184,7 +232,7 @@ impl HttpProxyService {
 
         if is_websocket {
             let result = self.handle_websocket_upgrade(
-                req, peer_addr, &upstream, route_match.route, route_id, &upstream_key,
+                req, peer_addr, &upstream, route_match.route, route_id, &upstream_key, cancel,
             ).await;
             // Note: for WebSocket, connection_ended is called inside
             // the spawned tunnel task when the connection closes.
@@ -223,15 +271,24 @@ impl HttpProxyService {
             }
         }
 
-        // Connect to upstream
-        let upstream_stream = match TcpStream::connect(format!("{}:{}", upstream.host, upstream.port)).await {
-            Ok(s) => s,
-            Err(e) => {
+        // Connect to upstream with timeout
+        let upstream_stream = match tokio::time::timeout(
+            self.connect_timeout,
+            TcpStream::connect(format!("{}:{}", upstream.host, upstream.port)),
+        ).await {
+            Ok(Ok(s)) => s,
+            Ok(Err(e)) => {
                 error!("Failed to connect to upstream {}:{}: {}", upstream.host, upstream.port, e);
                 self.upstream_selector.connection_ended(&upstream_key);
                 self.metrics.connection_closed(route_id);
                 return Ok(error_response(StatusCode::BAD_GATEWAY, "Backend unavailable"));
             }
+            Err(_) => {
+                error!("Upstream connect timeout for {}:{}", upstream.host, upstream.port);
+                self.upstream_selector.connection_ended(&upstream_key);
+                self.metrics.connection_closed(route_id);
+                return Ok(error_response(StatusCode::GATEWAY_TIMEOUT, "Backend connect timeout"));
+            }
         };
         upstream_stream.set_nodelay(true).ok();
 
@@ -289,8 +346,16 @@ impl HttpProxyService {
             }
         }
 
+        // Wrap the request body in CountingBody to track bytes_in
+        let counting_req_body = CountingBody::new(
+            body,
+            Arc::clone(&self.metrics),
+            route_id.map(|s| s.to_string()),
+            Direction::In,
+        );
+
         // Stream the request body through to upstream
-        let upstream_req = upstream_req.body(body).unwrap();
+        let upstream_req = upstream_req.body(counting_req_body).unwrap();
 
         let upstream_response = match sender.send_request(upstream_req).await {
             Ok(resp) => resp,
@@ -345,8 +410,16 @@ impl HttpProxyService {
             }
         }
 
+        // Wrap the request body in CountingBody to track bytes_in
+        let counting_req_body = CountingBody::new(
+            body,
+            Arc::clone(&self.metrics),
+            route_id.map(|s| s.to_string()),
+            Direction::In,
+        );
+
         // Stream the request body through to upstream
-        let upstream_req = upstream_req.body(body).unwrap();
+        let upstream_req = upstream_req.body(counting_req_body).unwrap();
 
         let upstream_response = match sender.send_request(upstream_req).await {
             Ok(resp) => resp,
@@ -361,6 +434,10 @@ impl HttpProxyService {
     }
 
     /// Build the client-facing response from an upstream response, streaming the body.
+    ///
+    /// The response body is wrapped in a `CountingBody` that counts bytes as they
+    /// stream from upstream to client. When the body is fully consumed (or dropped),
+    /// it reports byte counts to the metrics collector and calls `connection_closed`.
     async fn build_streaming_response(
         &self,
         upstream_response: Response<Incoming>,
@@ -377,10 +454,22 @@ impl HttpProxyService {
             ResponseFilter::apply_headers(route, headers, None);
         }
 
+        // Wrap the response body in CountingBody to track bytes_out.
+        // CountingBody will report bytes and we close the connection metric
+        // after the body stream completes (not before it even starts).
+        let counting_body = CountingBody::new(
+            resp_body,
+            Arc::clone(&self.metrics),
+            route_id.map(|s| s.to_string()),
+            Direction::Out,
+        );
+
+        // Close the connection metric now — the HTTP request/response cycle is done
+        // from the proxy's perspective once we hand the streaming body to hyper.
+        // Bytes will still be counted as they flow.
         self.metrics.connection_closed(route_id);
 
-        // Stream the response body directly from upstream to client
-        let body: BoxBody<Bytes, hyper::Error> = BoxBody::new(resp_body);
+        let body: BoxBody<Bytes, hyper::Error> = BoxBody::new(counting_body);
 
         Ok(response.body(body).unwrap())
     }
@@ -394,6 +483,7 @@ impl HttpProxyService {
         route: &rustproxy_config::RouteConfig,
         route_id: Option<&str>,
         upstream_key: &str,
+        cancel: CancellationToken,
     ) -> Result<Response<BoxBody<Bytes, hyper::Error>>, hyper::Error> {
         use tokio::io::{AsyncReadExt, AsyncWriteExt};
 
@@ -417,16 +507,24 @@ impl HttpProxyService {
 
         info!("WebSocket upgrade from {} -> {}:{}", peer_addr, upstream.host, upstream.port);
 
-        let mut upstream_stream = match TcpStream::connect(
-            format!("{}:{}", upstream.host, upstream.port)
+        // Connect to upstream with timeout
+        let mut upstream_stream = match tokio::time::timeout(
+            self.connect_timeout,
+            TcpStream::connect(format!("{}:{}", upstream.host, upstream.port)),
         ).await {
-            Ok(s) => s,
-            Err(e) => {
+            Ok(Ok(s)) => s,
+            Ok(Err(e)) => {
                 error!("WebSocket: failed to connect upstream {}:{}: {}", upstream.host, upstream.port, e);
                 self.upstream_selector.connection_ended(upstream_key);
                 self.metrics.connection_closed(route_id);
                 return Ok(error_response(StatusCode::BAD_GATEWAY, "Backend unavailable"));
             }
+            Err(_) => {
+                error!("WebSocket: upstream connect timeout for {}:{}", upstream.host, upstream.port);
+                self.upstream_selector.connection_ended(upstream_key);
+                self.metrics.connection_closed(route_id);
+                return Ok(error_response(StatusCode::GATEWAY_TIMEOUT, "Backend connect timeout"));
+            }
         };
         upstream_stream.set_nodelay(true).ok();
 
@@ -591,6 +689,11 @@ impl HttpProxyService {
             let (mut cr, mut cw) = tokio::io::split(client_io);
             let (mut ur, mut uw) = tokio::io::split(upstream_stream);
 
+            // Shared activity tracker for the watchdog
+            let last_activity = Arc::new(AtomicU64::new(0));
+            let start = std::time::Instant::now();
+
+            let la1 = Arc::clone(&last_activity);
             let c2u = tokio::spawn(async move {
                 let mut buf = vec![0u8; 65536];
                 let mut total = 0u64;
@@ -603,11 +706,13 @@ impl HttpProxyService {
                         break;
                     }
                     total += n as u64;
+                    la1.store(start.elapsed().as_millis() as u64, Ordering::Relaxed);
                 }
                 let _ = uw.shutdown().await;
                 total
             });
 
+            let la2 = Arc::clone(&last_activity);
             let u2c = tokio::spawn(async move {
                 let mut buf = vec![0u8; 65536];
                 let mut total = 0u64;
@@ -620,13 +725,59 @@ impl HttpProxyService {
                         break;
                     }
                     total += n as u64;
+                    la2.store(start.elapsed().as_millis() as u64, Ordering::Relaxed);
                 }
                 let _ = cw.shutdown().await;
                 total
             });
 
+            // Watchdog: monitors inactivity, max lifetime, and cancellation
+            let la_watch = Arc::clone(&last_activity);
+            let c2u_handle = c2u.abort_handle();
+            let u2c_handle = u2c.abort_handle();
+            let inactivity_timeout = DEFAULT_WS_INACTIVITY_TIMEOUT;
+            let max_lifetime = DEFAULT_WS_MAX_LIFETIME;
+
+            let watchdog = tokio::spawn(async move {
+                let check_interval = std::time::Duration::from_secs(5);
+                let mut last_seen = 0u64;
+                loop {
+                    tokio::select! {
+                        _ = tokio::time::sleep(check_interval) => {}
+                        _ = cancel.cancelled() => {
+                            debug!("WebSocket tunnel cancelled by shutdown");
+                            c2u_handle.abort();
+                            u2c_handle.abort();
+                            break;
+                        }
+                    }
+
+                    // Check max lifetime
+                    if start.elapsed() >= max_lifetime {
+                        debug!("WebSocket tunnel exceeded max lifetime, closing");
+                        c2u_handle.abort();
+                        u2c_handle.abort();
+                        break;
+                    }
+
+                    // Check inactivity
+                    let current = la_watch.load(Ordering::Relaxed);
+                    if current == last_seen {
+                        let elapsed_since_activity = start.elapsed().as_millis() as u64 - current;
+                        if elapsed_since_activity >= inactivity_timeout.as_millis() as u64 {
+                            debug!("WebSocket tunnel inactive for {}ms, closing", elapsed_since_activity);
+                            c2u_handle.abort();
+                            u2c_handle.abort();
+                            break;
+                        }
+                    }
+                    last_seen = current;
+                }
+            });
+
             let bytes_in = c2u.await.unwrap_or(0);
             let bytes_out = u2c.await.unwrap_or(0);
+            watchdog.abort();
 
             debug!("WebSocket tunnel closed: {} bytes in, {} bytes out", bytes_in, bytes_out);
 
@@ -812,6 +963,7 @@ impl Default for HttpProxyService {
             route_manager: Arc::new(RouteManager::new(vec![])),
             metrics: Arc::new(MetricsCollector::new()),
             upstream_selector: UpstreamSelector::new(),
+            connect_timeout: DEFAULT_CONNECT_TIMEOUT,
         }
     }
 }

rust/crates/rustproxy-metrics/src/collector.rs

@@ -1,6 +1,9 @@
 use dashmap::DashMap;
 use serde::{Deserialize, Serialize};
 use std::sync::atomic::{AtomicU64, Ordering};
+use std::sync::Mutex;
+
+use crate::throughput::ThroughputTracker;
 
 /// Aggregated metrics snapshot.
 #[derive(Debug, Clone, Serialize, Deserialize)]
@@ -12,6 +15,8 @@ pub struct Metrics {
     pub bytes_out: u64,
     pub throughput_in_bytes_per_sec: u64,
     pub throughput_out_bytes_per_sec: u64,
+    pub throughput_recent_in_bytes_per_sec: u64,
+    pub throughput_recent_out_bytes_per_sec: u64,
     pub routes: std::collections::HashMap<String, RouteMetrics>,
 }
 
@@ -25,6 +30,8 @@ pub struct RouteMetrics {
     pub bytes_out: u64,
     pub throughput_in_bytes_per_sec: u64,
     pub throughput_out_bytes_per_sec: u64,
+    pub throughput_recent_in_bytes_per_sec: u64,
+    pub throughput_recent_out_bytes_per_sec: u64,
 }
 
 /// Statistics snapshot.
@@ -38,7 +45,15 @@ pub struct Statistics {
     pub uptime_seconds: u64,
 }
 
+/// Default retention for throughput samples (1 hour).
+const DEFAULT_RETENTION_SECONDS: usize = 3600;
+
 /// Metrics collector tracking connections and throughput.
+///
+/// Design: The hot path (`record_bytes`) is entirely lock-free — it only touches
+/// `AtomicU64` counters. The cold path (`sample_all`, called at 1Hz) drains
+/// those atomics and feeds the throughput trackers under a Mutex. This avoids
+/// contention when `record_bytes` is called per-chunk in the TCP copy loop.
 pub struct MetricsCollector {
     active_connections: AtomicU64,
     total_connections: AtomicU64,
@@ -51,10 +66,25 @@ pub struct MetricsCollector {
     /// Per-route byte counters
     route_bytes_in: DashMap<String, AtomicU64>,
     route_bytes_out: DashMap<String, AtomicU64>,
+
+    // ── Lock-free pending throughput counters (hot path) ──
+    global_pending_tp_in: AtomicU64,
+    global_pending_tp_out: AtomicU64,
+    route_pending_tp: DashMap<String, (AtomicU64, AtomicU64)>,
+
+    // ── Throughput history — only locked during sampling (cold path) ──
+    global_throughput: Mutex<ThroughputTracker>,
+    route_throughput: DashMap<String, Mutex<ThroughputTracker>>,
+    retention_seconds: usize,
 }
 
 impl MetricsCollector {
     pub fn new() -> Self {
+        Self::with_retention(DEFAULT_RETENTION_SECONDS)
+    }
+
+    /// Create a MetricsCollector with a custom retention period for throughput history.
+    pub fn with_retention(retention_seconds: usize) -> Self {
         Self {
             active_connections: AtomicU64::new(0),
             total_connections: AtomicU64::new(0),
@@ -64,6 +94,12 @@ impl MetricsCollector {
             route_total_connections: DashMap::new(),
             route_bytes_in: DashMap::new(),
             route_bytes_out: DashMap::new(),
+            global_pending_tp_in: AtomicU64::new(0),
+            global_pending_tp_out: AtomicU64::new(0),
+            route_pending_tp: DashMap::new(),
+            global_throughput: Mutex::new(ThroughputTracker::new(retention_seconds)),
+            route_throughput: DashMap::new(),
+            retention_seconds,
         }
     }
 
@@ -98,11 +134,18 @@ impl MetricsCollector {
         }
     }
 
-    /// Record bytes transferred.
+    /// Record bytes transferred (lock-free hot path).
+    ///
+    /// Called per-chunk in the TCP copy loop. Only touches AtomicU64 counters —
+    /// no Mutex is taken. The throughput trackers are fed during `sample_all()`.
     pub fn record_bytes(&self, bytes_in: u64, bytes_out: u64, route_id: Option<&str>) {
         self.total_bytes_in.fetch_add(bytes_in, Ordering::Relaxed);
         self.total_bytes_out.fetch_add(bytes_out, Ordering::Relaxed);
 
+        // Accumulate into lock-free pending throughput counters
+        self.global_pending_tp_in.fetch_add(bytes_in, Ordering::Relaxed);
+        self.global_pending_tp_out.fetch_add(bytes_out, Ordering::Relaxed);
+
         if let Some(route_id) = route_id {
             self.route_bytes_in
                 .entry(route_id.to_string())
@@ -112,6 +155,63 @@ impl MetricsCollector {
                 .entry(route_id.to_string())
                 .or_insert_with(|| AtomicU64::new(0))
                 .fetch_add(bytes_out, Ordering::Relaxed);
+
+            // Accumulate into per-route pending throughput counters (lock-free)
+            let entry = self.route_pending_tp
+                .entry(route_id.to_string())
+                .or_insert_with(|| (AtomicU64::new(0), AtomicU64::new(0)));
+            entry.0.fetch_add(bytes_in, Ordering::Relaxed);
+            entry.1.fetch_add(bytes_out, Ordering::Relaxed);
+        }
+    }
+
+    /// Take a throughput sample on all trackers (cold path, call at 1Hz or configured interval).
+    ///
+    /// Drains the lock-free pending counters and feeds the accumulated bytes
+    /// into the throughput trackers (under Mutex). This is the only place
+    /// the Mutex is locked.
+    pub fn sample_all(&self) {
+        // Drain global pending bytes and feed into the tracker
+        let global_in = self.global_pending_tp_in.swap(0, Ordering::Relaxed);
+        let global_out = self.global_pending_tp_out.swap(0, Ordering::Relaxed);
+        if let Ok(mut tracker) = self.global_throughput.lock() {
+            tracker.record_bytes(global_in, global_out);
+            tracker.sample();
+        }
+
+        // Drain per-route pending bytes; collect into a Vec to avoid holding DashMap shards
+        let mut route_samples: Vec<(String, u64, u64)> = Vec::new();
+        for entry in self.route_pending_tp.iter() {
+            let route_id = entry.key().clone();
+            let pending_in = entry.value().0.swap(0, Ordering::Relaxed);
+            let pending_out = entry.value().1.swap(0, Ordering::Relaxed);
+            route_samples.push((route_id, pending_in, pending_out));
+        }
+
+        // Feed pending bytes into route trackers and sample
+        let retention = self.retention_seconds;
+        for (route_id, pending_in, pending_out) in &route_samples {
+            // Ensure the tracker exists
+            self.route_throughput
+                .entry(route_id.clone())
+                .or_insert_with(|| Mutex::new(ThroughputTracker::new(retention)));
+            // Now get a separate ref and lock it
+            if let Some(tracker_ref) = self.route_throughput.get(route_id) {
+                if let Ok(mut tracker) = tracker_ref.value().lock() {
+                    tracker.record_bytes(*pending_in, *pending_out);
+                    tracker.sample();
+                }
+            }
+        }
+
+        // Also sample any route trackers that had no new pending bytes
+        // (to keep their sample window advancing)
+        for entry in self.route_throughput.iter() {
+            if !self.route_pending_tp.contains_key(entry.key()) {
+                if let Ok(mut tracker) = entry.value().lock() {
+                    tracker.sample();
+                }
+            }
         }
     }
 
@@ -139,6 +239,16 @@ impl MetricsCollector {
     pub fn snapshot(&self) -> Metrics {
         let mut routes = std::collections::HashMap::new();
 
+        // Get global throughput (instant = last 1 sample, recent = last 10 samples)
+        let (global_tp_in, global_tp_out, global_recent_in, global_recent_out) = self.global_throughput
+            .lock()
+            .map(|t| {
+                let (i_in, i_out) = t.instant();
+                let (r_in, r_out) = t.recent();
+                (i_in, i_out, r_in, r_out)
+            })
+            .unwrap_or((0, 0, 0, 0));
+
         // Collect per-route metrics
         for entry in self.route_total_connections.iter() {
             let route_id = entry.key().clone();
@@ -156,13 +266,24 @@ impl MetricsCollector {
                 .map(|c| c.load(Ordering::Relaxed))
                 .unwrap_or(0);
 
+            let (route_tp_in, route_tp_out, route_recent_in, route_recent_out) = self.route_throughput
+                .get(&route_id)
+                .and_then(|entry| entry.value().lock().ok().map(|t| {
+                    let (i_in, i_out) = t.instant();
+                    let (r_in, r_out) = t.recent();
+                    (i_in, i_out, r_in, r_out)
+                }))
+                .unwrap_or((0, 0, 0, 0));
+
             routes.insert(route_id, RouteMetrics {
                 active_connections: active,
                 total_connections: total,
                 bytes_in,
                 bytes_out,
-                throughput_in_bytes_per_sec: 0,
-                throughput_out_bytes_per_sec: 0,
+                throughput_in_bytes_per_sec: route_tp_in,
+                throughput_out_bytes_per_sec: route_tp_out,
+                throughput_recent_in_bytes_per_sec: route_recent_in,
+                throughput_recent_out_bytes_per_sec: route_recent_out,
             });
         }
 
@@ -171,8 +292,10 @@ impl MetricsCollector {
             total_connections: self.total_connections(),
             bytes_in: self.total_bytes_in(),
             bytes_out: self.total_bytes_out(),
-            throughput_in_bytes_per_sec: 0,
-            throughput_out_bytes_per_sec: 0,
+            throughput_in_bytes_per_sec: global_tp_in,
+            throughput_out_bytes_per_sec: global_tp_out,
+            throughput_recent_in_bytes_per_sec: global_recent_in,
+            throughput_recent_out_bytes_per_sec: global_recent_out,
             routes,
         }
     }
@@ -248,4 +371,40 @@ mod tests {
         let route_in = collector.route_bytes_in.get("route-a").unwrap();
         assert_eq!(route_in.load(Ordering::Relaxed), 150);
     }
+
+    #[test]
+    fn test_throughput_tracking() {
+        let collector = MetricsCollector::with_retention(60);
+
+        // Open a connection so the route appears in the snapshot
+        collector.connection_opened(Some("route-a"));
+
+        // Record some bytes
+        collector.record_bytes(1000, 2000, Some("route-a"));
+        collector.record_bytes(500, 750, None);
+
+        // Take a sample (simulates the 1Hz tick)
+        collector.sample_all();
+
+        // Check global throughput
+        let snapshot = collector.snapshot();
+        assert_eq!(snapshot.throughput_in_bytes_per_sec, 1500);
+        assert_eq!(snapshot.throughput_out_bytes_per_sec, 2750);
+
+        // Check per-route throughput
+        let route_a = snapshot.routes.get("route-a").unwrap();
+        assert_eq!(route_a.throughput_in_bytes_per_sec, 1000);
+        assert_eq!(route_a.throughput_out_bytes_per_sec, 2000);
+    }
+
+    #[test]
+    fn test_throughput_zero_before_sampling() {
+        let collector = MetricsCollector::with_retention(60);
+        collector.record_bytes(1000, 2000, None);
+
+        // Without sampling, throughput should be 0
+        let snapshot = collector.snapshot();
+        assert_eq!(snapshot.throughput_in_bytes_per_sec, 0);
+        assert_eq!(snapshot.throughput_out_bytes_per_sec, 0);
+    }
 }

rust/crates/rustproxy-passthrough/src/forwarder.rs

@@ -5,14 +5,7 @@ use std::sync::Arc;
 use std::sync::atomic::{AtomicU64, Ordering};
 use tracing::debug;
 
-use super::connection_record::ConnectionRecord;
-
-/// Statistics for a forwarded connection.
-#[derive(Debug, Default)]
-pub struct ForwardStats {
-    pub bytes_in: AtomicU64,
-    pub bytes_out: AtomicU64,
-}
+use rustproxy_metrics::MetricsCollector;
 
 /// Perform bidirectional TCP forwarding between client and backend.
 ///
@@ -68,6 +61,10 @@ pub async fn forward_bidirectional(
 
 /// Perform bidirectional TCP forwarding with inactivity and max lifetime timeouts.
 ///
+/// When `metrics` is provided, bytes are reported to the MetricsCollector
+/// per-chunk (lock-free) as they flow through the copy loops, enabling
+/// real-time throughput sampling for long-lived connections.
+///
 /// Returns (bytes_from_client, bytes_from_backend) when the connection closes or times out.
 pub async fn forward_bidirectional_with_timeouts(
     client: TcpStream,
@@ -76,10 +73,14 @@ pub async fn forward_bidirectional_with_timeouts(
     inactivity_timeout: std::time::Duration,
     max_lifetime: std::time::Duration,
     cancel: CancellationToken,
+    metrics: Option<(Arc<MetricsCollector>, Option<String>)>,
 ) -> std::io::Result<(u64, u64)> {
     // Send initial data (peeked bytes) to backend
     if let Some(data) = initial_data {
         backend.write_all(data).await?;
+        if let Some((ref m, ref rid)) = metrics {
+            m.record_bytes(data.len() as u64, 0, rid.as_deref());
+        }
     }
 
     let (mut client_read, mut client_write) = client.into_split();
@@ -90,6 +91,7 @@ pub async fn forward_bidirectional_with_timeouts(
 
     let la1 = Arc::clone(&last_activity);
     let initial_len = initial_data.map_or(0u64, |d| d.len() as u64);
+    let metrics_c2b = metrics.clone();
     let c2b = tokio::spawn(async move {
         let mut buf = vec![0u8; 65536];
         let mut total = initial_len;
@@ -103,12 +105,16 @@ pub async fn forward_bidirectional_with_timeouts(
             }
             total += n as u64;
             la1.store(start.elapsed().as_millis() as u64, Ordering::Relaxed);
+            if let Some((ref m, ref rid)) = metrics_c2b {
+                m.record_bytes(n as u64, 0, rid.as_deref());
+            }
         }
         let _ = backend_write.shutdown().await;
         total
     });
 
     let la2 = Arc::clone(&last_activity);
+    let metrics_b2c = metrics;
     let b2c = tokio::spawn(async move {
         let mut buf = vec![0u8; 65536];
         let mut total = 0u64;
@@ -122,6 +128,9 @@ pub async fn forward_bidirectional_with_timeouts(
             }
             total += n as u64;
             la2.store(start.elapsed().as_millis() as u64, Ordering::Relaxed);
+            if let Some((ref m, ref rid)) = metrics_b2c {
+                m.record_bytes(0, n as u64, rid.as_deref());
+            }
         }
         let _ = client_write.shutdown().await;
         total
@@ -174,152 +183,3 @@ pub async fn forward_bidirectional_with_timeouts(
     Ok((bytes_in, bytes_out))
 }
 
-/// Forward bidirectional with a callback for byte counting.
-pub async fn forward_bidirectional_with_stats(
-    client: TcpStream,
-    backend: TcpStream,
-    initial_data: Option<&[u8]>,
-    stats: Arc<ForwardStats>,
-) -> std::io::Result<()> {
-    let (bytes_in, bytes_out) = forward_bidirectional(client, backend, initial_data).await?;
-    stats.bytes_in.fetch_add(bytes_in, Ordering::Relaxed);
-    stats.bytes_out.fetch_add(bytes_out, Ordering::Relaxed);
-    Ok(())
-}
-
-/// Perform bidirectional TCP forwarding with inactivity / lifetime timeouts,
-/// updating a `ConnectionRecord` with byte counts and activity timestamps
-/// in real time for zombie detection.
-///
-/// When `record` is `None`, this behaves identically to
-/// `forward_bidirectional_with_timeouts`.
-///
-/// The record's `client_closed` / `backend_closed` flags are set when the
-/// respective copy loop terminates, giving the zombie scanner visibility
-/// into half-open connections.
-pub async fn forward_bidirectional_with_record(
-    client: TcpStream,
-    mut backend: TcpStream,
-    initial_data: Option<&[u8]>,
-    inactivity_timeout: std::time::Duration,
-    max_lifetime: std::time::Duration,
-    cancel: CancellationToken,
-    record: Option<Arc<ConnectionRecord>>,
-) -> std::io::Result<(u64, u64)> {
-    // Send initial data (peeked bytes) to backend
-    if let Some(data) = initial_data {
-        backend.write_all(data).await?;
-        if let Some(ref r) = record {
-            r.record_bytes_in(data.len() as u64);
-        }
-    }
-
-    let (mut client_read, mut client_write) = client.into_split();
-    let (mut backend_read, mut backend_write) = backend.into_split();
-
-    let last_activity = Arc::new(AtomicU64::new(0));
-    let start = std::time::Instant::now();
-
-    let la1 = Arc::clone(&last_activity);
-    let initial_len = initial_data.map_or(0u64, |d| d.len() as u64);
-    let rec1 = record.clone();
-    let c2b = tokio::spawn(async move {
-        let mut buf = vec![0u8; 65536];
-        let mut total = initial_len;
-        loop {
-            let n = match client_read.read(&mut buf).await {
-                Ok(0) | Err(_) => break,
-                Ok(n) => n,
-            };
-            if backend_write.write_all(&buf[..n]).await.is_err() {
-                break;
-            }
-            total += n as u64;
-            let now_ms = start.elapsed().as_millis() as u64;
-            la1.store(now_ms, Ordering::Relaxed);
-            if let Some(ref r) = rec1 {
-                r.record_bytes_in(n as u64);
-            }
-        }
-        let _ = backend_write.shutdown().await;
-        // Mark client side as closed
-        if let Some(ref r) = rec1 {
-            r.client_closed.store(true, Ordering::Relaxed);
-        }
-        total
-    });
-
-    let la2 = Arc::clone(&last_activity);
-    let rec2 = record.clone();
-    let b2c = tokio::spawn(async move {
-        let mut buf = vec![0u8; 65536];
-        let mut total = 0u64;
-        loop {
-            let n = match backend_read.read(&mut buf).await {
-                Ok(0) | Err(_) => break,
-                Ok(n) => n,
-            };
-            if client_write.write_all(&buf[..n]).await.is_err() {
-                break;
-            }
-            total += n as u64;
-            let now_ms = start.elapsed().as_millis() as u64;
-            la2.store(now_ms, Ordering::Relaxed);
-            if let Some(ref r) = rec2 {
-                r.record_bytes_out(n as u64);
-            }
-        }
-        let _ = client_write.shutdown().await;
-        // Mark backend side as closed
-        if let Some(ref r) = rec2 {
-            r.backend_closed.store(true, Ordering::Relaxed);
-        }
-        total
-    });
-
-    // Watchdog: inactivity, max lifetime, and cancellation
-    let la_watch = Arc::clone(&last_activity);
-    let c2b_handle = c2b.abort_handle();
-    let b2c_handle = b2c.abort_handle();
-    let watchdog = tokio::spawn(async move {
-        let check_interval = std::time::Duration::from_secs(5);
-        let mut last_seen = 0u64;
-        loop {
-            tokio::select! {
-                _ = cancel.cancelled() => {
-                    debug!("Connection cancelled by shutdown");
-                    c2b_handle.abort();
-                    b2c_handle.abort();
-                    break;
-                }
-                _ = tokio::time::sleep(check_interval) => {
-                    // Check max lifetime
-                    if start.elapsed() >= max_lifetime {
-                        debug!("Connection exceeded max lifetime, closing");
-                        c2b_handle.abort();
-                        b2c_handle.abort();
-                        break;
-                    }
-
-                    // Check inactivity
-                    let current = la_watch.load(Ordering::Relaxed);
-                    if current == last_seen {
-                        let elapsed_since_activity = start.elapsed().as_millis() as u64 - current;
-                        if elapsed_since_activity >= inactivity_timeout.as_millis() as u64 {
-                            debug!("Connection inactive for {}ms, closing", elapsed_since_activity);
-                            c2b_handle.abort();
-                            b2c_handle.abort();
-                            break;
-                        }
-                    }
-                    last_seen = current;
-                }
-            }
-        }
-    });
-
-    let bytes_in = c2b.await.unwrap_or(0);
-    let bytes_out = b2c.await.unwrap_or(0);
-    watchdog.abort();
-    Ok((bytes_in, bytes_out))
-}

rust/crates/rustproxy-passthrough/src/tcp_listener.rs

@@ -15,6 +15,38 @@ use crate::forwarder;
 use crate::tls_handler;
 use crate::connection_tracker::ConnectionTracker;
 
+/// RAII guard that decrements the active connection metric on drop.
+/// Ensures connection_closed is called on ALL exit paths — normal, error, or panic.
+struct ConnectionGuard {
+    metrics: Arc<MetricsCollector>,
+    route_id: Option<String>,
+    disarmed: bool,
+}
+
+impl ConnectionGuard {
+    fn new(metrics: Arc<MetricsCollector>, route_id: Option<&str>) -> Self {
+        Self {
+            metrics,
+            route_id: route_id.map(|s| s.to_string()),
+            disarmed: false,
+        }
+    }
+
+    /// Disarm the guard — prevents the Drop from running.
+    /// Use when handing off to a path that manages its own cleanup (e.g., HTTP proxy).
+    fn disarm(mut self) {
+        self.disarmed = true;
+    }
+}
+
+impl Drop for ConnectionGuard {
+    fn drop(&mut self) {
+        if !self.disarmed {
+            self.metrics.connection_closed(self.route_id.as_deref());
+        }
+    }
+}
+
 #[derive(Debug, Error)]
 pub enum ListenerError {
     #[error("Failed to bind port {port}: {source}")]
@@ -88,8 +120,8 @@ pub struct TcpListenerManager {
     route_manager: Arc<ArcSwap<RouteManager>>,
     /// Shared metrics collector
     metrics: Arc<MetricsCollector>,
-    /// TLS acceptors indexed by domain
-    tls_configs: Arc<HashMap<String, TlsCertConfig>>,
+    /// TLS acceptors indexed by domain (ArcSwap for hot-reload visibility in accept loops)
+    tls_configs: Arc<ArcSwap<HashMap<String, TlsCertConfig>>>,
     /// HTTP proxy service for HTTP-level forwarding
     http_proxy: Arc<HttpProxyService>,
     /// Connection configuration
@@ -105,11 +137,12 @@ pub struct TcpListenerManager {
 impl TcpListenerManager {
     pub fn new(route_manager: Arc<RouteManager>) -> Self {
         let metrics = Arc::new(MetricsCollector::new());
-        let http_proxy = Arc::new(HttpProxyService::new(
+        let conn_config = ConnectionConfig::default();
+        let http_proxy = Arc::new(HttpProxyService::with_connect_timeout(
             Arc::clone(&route_manager),
             Arc::clone(&metrics),
+            std::time::Duration::from_millis(conn_config.connection_timeout_ms),
         ));
-        let conn_config = ConnectionConfig::default();
         let conn_tracker = Arc::new(ConnectionTracker::new(
             conn_config.max_connections_per_ip,
             conn_config.connection_rate_limit_per_minute,
@@ -118,7 +151,7 @@ impl TcpListenerManager {
             listeners: HashMap::new(),
             route_manager: Arc::new(ArcSwap::from(route_manager)),
             metrics,
-            tls_configs: Arc::new(HashMap::new()),
+            tls_configs: Arc::new(ArcSwap::from(Arc::new(HashMap::new()))),
             http_proxy,
             conn_config: Arc::new(conn_config),
             conn_tracker,
@@ -129,11 +162,12 @@ impl TcpListenerManager {
 
     /// Create with a metrics collector.
     pub fn with_metrics(route_manager: Arc<RouteManager>, metrics: Arc<MetricsCollector>) -> Self {
-        let http_proxy = Arc::new(HttpProxyService::new(
+        let conn_config = ConnectionConfig::default();
+        let http_proxy = Arc::new(HttpProxyService::with_connect_timeout(
             Arc::clone(&route_manager),
             Arc::clone(&metrics),
+            std::time::Duration::from_millis(conn_config.connection_timeout_ms),
         ));
-        let conn_config = ConnectionConfig::default();
         let conn_tracker = Arc::new(ConnectionTracker::new(
             conn_config.max_connections_per_ip,
             conn_config.connection_rate_limit_per_minute,
@@ -142,7 +176,7 @@ impl TcpListenerManager {
             listeners: HashMap::new(),
             route_manager: Arc::new(ArcSwap::from(route_manager)),
             metrics,
-            tls_configs: Arc::new(HashMap::new()),
+            tls_configs: Arc::new(ArcSwap::from(Arc::new(HashMap::new()))),
             http_proxy,
             conn_config: Arc::new(conn_config),
             conn_tracker,
@@ -161,8 +195,9 @@ impl TcpListenerManager {
     }
 
     /// Set TLS certificate configurations.
-    pub fn set_tls_configs(&mut self, configs: HashMap<String, TlsCertConfig>) {
-        self.tls_configs = Arc::new(configs);
+    /// Uses ArcSwap so running accept loops immediately see the new certs.
+    pub fn set_tls_configs(&self, configs: HashMap<String, TlsCertConfig>) {
+        self.tls_configs.store(Arc::new(configs));
     }
 
     /// Set the shared socket-handler relay path.
@@ -284,7 +319,7 @@ impl TcpListenerManager {
         port: u16,
         route_manager_swap: Arc<ArcSwap<RouteManager>>,
         metrics: Arc<MetricsCollector>,
-        tls_configs: Arc<HashMap<String, TlsCertConfig>>,
+        tls_configs: Arc<ArcSwap<HashMap<String, TlsCertConfig>>>,
         http_proxy: Arc<HttpProxyService>,
         conn_config: Arc<ConnectionConfig>,
         conn_tracker: Arc<ConnectionTracker>,
@@ -314,7 +349,8 @@ impl TcpListenerManager {
                             // Load the latest route manager from ArcSwap on each connection
                             let rm = route_manager_swap.load_full();
                             let m = Arc::clone(&metrics);
-                            let tc = Arc::clone(&tls_configs);
+                            // Load the latest TLS configs from ArcSwap on each connection
+                            let tc = tls_configs.load_full();
                             let hp = Arc::clone(&http_proxy);
                             let cc = Arc::clone(&conn_config);
                             let ct = Arc::clone(&conn_tracker);
@@ -425,6 +461,7 @@ impl TcpListenerManager {
                         }
 
                         metrics.connection_opened(route_id);
+                        let _fast_guard = ConnectionGuard::new(Arc::clone(&metrics), route_id);
 
                         let connect_timeout = std::time::Duration::from_millis(conn_config.connection_timeout_ms);
                         let inactivity_timeout = std::time::Duration::from_millis(conn_config.socket_timeout_ms);
@@ -440,14 +477,8 @@ impl TcpListenerManager {
                             tokio::net::TcpStream::connect(format!("{}:{}", target_host, target_port)),
                         ).await {
                             Ok(Ok(s)) => s,
-                            Ok(Err(e)) => {
-                                metrics.connection_closed(route_id);
-                                return Err(e.into());
-                            }
-                            Err(_) => {
-                                metrics.connection_closed(route_id);
-                                return Err("Backend connection timeout".into());
-                            }
+                            Ok(Err(e)) => return Err(e.into()),
+                            Err(_) => return Err("Backend connection timeout".into()),
                         };
                         backend.set_nodelay(true)?;
 
@@ -465,20 +496,19 @@ impl TcpListenerManager {
                             let mut backend_w = backend;
                             backend_w.write_all(header.as_bytes()).await?;
 
-                            let (bytes_in, bytes_out) = forwarder::forward_bidirectional_with_timeouts(
+                            let (_bytes_in, _bytes_out) = forwarder::forward_bidirectional_with_timeouts(
                                 stream, backend_w, None,
                                 inactivity_timeout, max_lifetime, cancel,
+                                Some((Arc::clone(&metrics), route_id.map(|s| s.to_string()))),
                             ).await?;
-                            metrics.record_bytes(bytes_in, bytes_out, route_id);
                         } else {
-                            let (bytes_in, bytes_out) = forwarder::forward_bidirectional_with_timeouts(
+                            let (_bytes_in, _bytes_out) = forwarder::forward_bidirectional_with_timeouts(
                                 stream, backend, None,
                                 inactivity_timeout, max_lifetime, cancel,
+                                Some((Arc::clone(&metrics), route_id.map(|s| s.to_string()))),
                             ).await?;
-                            metrics.record_bytes(bytes_in, bytes_out, route_id);
                         }
 
-                        metrics.connection_closed(route_id);
                         return Ok(());
                     }
                 }
@@ -615,8 +645,9 @@ impl TcpListenerManager {
             }
         }
 
-        // Track connection in metrics
+        // Track connection in metrics — guard ensures connection_closed on all exit paths
         metrics.connection_opened(route_id);
+        let _conn_guard = ConnectionGuard::new(Arc::clone(&metrics), route_id);
 
         // Check if this is a socket-handler route that should be relayed to TypeScript
         if route_match.route.action.action_type == RouteActionType::SocketHandler {
@@ -626,16 +657,14 @@ impl TcpListenerManager {
             };
 
             if let Some(relay_socket_path) = relay_path {
-                let result = Self::relay_to_socket_handler(
+                return Self::relay_to_socket_handler(
                     stream, n, port, peer_addr,
                     &route_match, domain.as_deref(), is_tls,
                     &relay_socket_path,
+                    &metrics, route_id,
                 ).await;
-                metrics.connection_closed(route_id);
-                return result;
             } else {
                 debug!("Socket-handler route matched but no relay path configured");
-                metrics.connection_closed(route_id);
                 return Ok(());
             }
         }
@@ -644,7 +673,6 @@ impl TcpListenerManager {
             Some(t) => t,
             None => {
                 debug!("Route matched but no target available");
-                metrics.connection_closed(route_id);
                 return Ok(());
             }
         };
@@ -724,11 +752,11 @@ impl TcpListenerManager {
                 let mut actual_buf = vec![0u8; n];
                 stream.read_exact(&mut actual_buf).await?;
 
-                let (bytes_in, bytes_out) = forwarder::forward_bidirectional_with_timeouts(
+                let (_bytes_in, _bytes_out) = forwarder::forward_bidirectional_with_timeouts(
                     stream, backend, Some(&actual_buf),
                     inactivity_timeout, max_lifetime, cancel,
+                    Some((Arc::clone(&metrics), route_id.map(|s| s.to_string()))),
                 ).await?;
-                metrics.record_bytes(bytes_in, bytes_out, route_id);
                 Ok(())
             }
             Some(rustproxy_config::TlsMode::Terminate) => {
@@ -763,7 +791,9 @@ impl TcpListenerManager {
                         "TLS Terminate + HTTP: {} -> {}:{} (domain: {:?})",
                         peer_addr, target_host, target_port, domain
                     );
-                    http_proxy.handle_io(buf_stream, peer_addr, port).await;
+                    // HTTP proxy manages its own per-request metrics — disarm TCP-level guard
+                    _conn_guard.disarm();
+                    http_proxy.handle_io(buf_stream, peer_addr, port, cancel.clone()).await;
                 } else {
                     debug!(
                         "TLS Terminate + TCP: {} -> {}:{} (domain: {:?})",
@@ -783,12 +813,11 @@ impl TcpListenerManager {
                     let (tls_read, tls_write) = tokio::io::split(buf_stream);
                     let (backend_read, backend_write) = tokio::io::split(backend);
 
-                    let (bytes_in, bytes_out) = Self::forward_bidirectional_split_with_timeouts(
+                    let (_bytes_in, _bytes_out) = Self::forward_bidirectional_split_with_timeouts(
                         tls_read, tls_write, backend_read, backend_write,
                         inactivity_timeout, max_lifetime,
+                        Some((Arc::clone(&metrics), route_id.map(|s| s.to_string()))),
                     ).await;
-
-                    metrics.record_bytes(bytes_in, bytes_out, route_id);
                 }
                 Ok(())
             }
@@ -796,14 +825,16 @@ impl TcpListenerManager {
                 let route_tls = route_match.route.action.tls.as_ref();
                 Self::handle_tls_terminate_reencrypt(
                     stream, n, &domain, &target_host, target_port,
-                    peer_addr, &tls_configs, &metrics, route_id, &conn_config, route_tls,
+                    peer_addr, &tls_configs, Arc::clone(&metrics), route_id, &conn_config, route_tls,
                 ).await
             }
             None => {
                 if is_http {
                     // Plain HTTP - use HTTP proxy for request-level routing
                     debug!("HTTP proxy: {} on port {}", peer_addr, port);
-                    http_proxy.handle_connection(stream, peer_addr, port).await;
+                    // HTTP proxy manages its own per-request metrics — disarm TCP-level guard
+                    _conn_guard.disarm();
+                    http_proxy.handle_connection(stream, peer_addr, port, cancel.clone()).await;
                     Ok(())
                 } else {
                     // Plain TCP forwarding (non-HTTP)
@@ -831,17 +862,17 @@ impl TcpListenerManager {
                     let mut actual_buf = vec![0u8; n];
                     stream.read_exact(&mut actual_buf).await?;
 
-                    let (bytes_in, bytes_out) = forwarder::forward_bidirectional_with_timeouts(
+                    let (_bytes_in, _bytes_out) = forwarder::forward_bidirectional_with_timeouts(
                         stream, backend, Some(&actual_buf),
                         inactivity_timeout, max_lifetime, cancel,
+                        Some((Arc::clone(&metrics), route_id.map(|s| s.to_string()))),
                     ).await?;
-                    metrics.record_bytes(bytes_in, bytes_out, route_id);
                     Ok(())
                 }
             }
         };
 
-        metrics.connection_closed(route_id);
+        // ConnectionGuard handles metrics.connection_closed() on drop
         result
     }
 
@@ -861,6 +892,8 @@ impl TcpListenerManager {
         domain: Option<&str>,
         is_tls: bool,
         relay_path: &str,
+        metrics: &MetricsCollector,
+        route_id: Option<&str>,
     ) -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
         use tokio::io::{AsyncReadExt, AsyncWriteExt};
         use tokio::net::UnixStream;
@@ -901,12 +934,20 @@ impl TcpListenerManager {
         unix_stream.write_all(&initial_buf).await?;
 
         // Bidirectional relay between TCP client and Unix socket handler
+        let initial_len = initial_buf.len() as u64;
         match tokio::io::copy_bidirectional(&mut stream, &mut unix_stream).await {
             Ok((c2s, s2c)) => {
+                // Include initial data bytes that were forwarded before copy_bidirectional
+                let total_in = c2s + initial_len;
                 debug!("Socket handler relay complete for {}: {} bytes in, {} bytes out",
-                    route_key, c2s, s2c);
+                    route_key, total_in, s2c);
+                metrics.record_bytes(total_in, s2c, route_id);
             }
             Err(e) => {
+                // Still record the initial data even on error
+                if initial_len > 0 {
+                    metrics.record_bytes(initial_len, 0, route_id);
+                }
                 debug!("Socket handler relay ended for {}: {}", route_key, e);
             }
         }
@@ -923,7 +964,7 @@ impl TcpListenerManager {
         target_port: u16,
         peer_addr: std::net::SocketAddr,
         tls_configs: &HashMap<String, TlsCertConfig>,
-        metrics: &MetricsCollector,
+        metrics: Arc<MetricsCollector>,
         route_id: Option<&str>,
         conn_config: &ConnectionConfig,
         route_tls: Option<&rustproxy_config::RouteTls>,
@@ -988,12 +1029,12 @@ impl TcpListenerManager {
             }
         };
 
-        let (bytes_in, bytes_out) = Self::forward_bidirectional_split_with_timeouts(
+        let (_bytes_in, _bytes_out) = Self::forward_bidirectional_split_with_timeouts(
             client_read, client_write, backend_read, backend_write,
             inactivity_timeout, max_lifetime,
+            Some((metrics, route_id.map(|s| s.to_string()))),
         ).await;
 
-        metrics.record_bytes(bytes_in, bytes_out, route_id);
         Ok(())
     }
 
@@ -1027,6 +1068,9 @@ impl TcpListenerManager {
     }
 
     /// Forward bidirectional between two split streams with inactivity and lifetime timeouts.
+    ///
+    /// When `metrics` is provided, bytes are reported per-chunk (lock-free) for
+    /// real-time throughput measurement.
     async fn forward_bidirectional_split_with_timeouts<R1, W1, R2, W2>(
         mut client_read: R1,
         mut client_write: W1,
@@ -1034,6 +1078,7 @@ impl TcpListenerManager {
         mut backend_write: W2,
         inactivity_timeout: std::time::Duration,
         max_lifetime: std::time::Duration,
+        metrics: Option<(Arc<MetricsCollector>, Option<String>)>,
     ) -> (u64, u64)
     where
         R1: tokio::io::AsyncRead + Unpin + Send + 'static,
@@ -1049,6 +1094,7 @@ impl TcpListenerManager {
         let start = std::time::Instant::now();
 
         let la1 = Arc::clone(&last_activity);
+        let metrics_c2b = metrics.clone();
         let c2b = tokio::spawn(async move {
             let mut buf = vec![0u8; 65536];
             let mut total = 0u64;
@@ -1065,12 +1111,16 @@ impl TcpListenerManager {
                     start.elapsed().as_millis() as u64,
                     Ordering::Relaxed,
                 );
+                if let Some((ref m, ref rid)) = metrics_c2b {
+                    m.record_bytes(n as u64, 0, rid.as_deref());
+                }
             }
             let _ = backend_write.shutdown().await;
             total
         });
 
         let la2 = Arc::clone(&last_activity);
+        let metrics_b2c = metrics;
         let b2c = tokio::spawn(async move {
             let mut buf = vec![0u8; 65536];
             let mut total = 0u64;
@@ -1087,6 +1137,9 @@ impl TcpListenerManager {
                     start.elapsed().as_millis() as u64,
                     Ordering::Relaxed,
                 );
+                if let Some((ref m, ref rid)) = metrics_b2c {
+                    m.record_bytes(0, n as u64, rid.as_deref());
+                }
             }
             let _ = client_write.shutdown().await;
             total

rust/crates/rustproxy-tls/Cargo.toml

@@ -15,8 +15,6 @@ tracing = { workspace = true }
 thiserror = { workspace = true }
 anyhow = { workspace = true }
 serde = { workspace = true }
-serde_json = { workspace = true }
 rcgen = { workspace = true }
 
 [dev-dependencies]
-tempfile = { workspace = true }

rust/crates/rustproxy-tls/src/acme.rs

@@ -1,16 +1,15 @@
 //! ACME (Let's Encrypt) integration using instant-acme.
 //!
 //! This module handles HTTP-01 challenge creation and certificate provisioning.
-//! Supports persisting ACME account credentials to disk for reuse across restarts.
+//! Account credentials are ephemeral — the consumer owns all persistence.
 
-use std::path::{Path, PathBuf};
 use instant_acme::{
     Account, NewAccount, NewOrder, Identifier, ChallengeType, OrderStatus,
     AccountCredentials,
 };
 use rcgen::{CertificateParams, KeyPair};
 use thiserror::Error;
-use tracing::{debug, info, warn};
+use tracing::{debug, info};
 
 #[derive(Debug, Error)]
 pub enum AcmeError {
@@ -26,8 +25,6 @@ pub enum AcmeError {
     NoHttp01Challenge,
     #[error("Timeout waiting for order: {0}")]
     Timeout(String),
-    #[error("Account persistence error: {0}")]
-    Persistence(String),
 }
 
 /// Pending HTTP-01 challenge that needs to be served.
@@ -41,8 +38,6 @@ pub struct PendingChallenge {
 pub struct AcmeClient {
     use_production: bool,
     email: String,
-    /// Optional directory where account.json is persisted.
-    account_dir: Option<PathBuf>,
 }
 
 impl AcmeClient {
@@ -50,56 +45,15 @@ impl AcmeClient {
         Self {
             use_production,
             email,
-            account_dir: None,
         }
     }
 
-    /// Create a new client with account persistence at the given directory.
-    pub fn with_persistence(email: String, use_production: bool, account_dir: impl AsRef<Path>) -> Self {
-        Self {
-            use_production,
-            email,
-            account_dir: Some(account_dir.as_ref().to_path_buf()),
-        }
-    }
-
-    /// Get or create an ACME account, persisting credentials if account_dir is set.
+    /// Create a new ACME account (ephemeral — not persisted).
     async fn get_or_create_account(&self) -> Result<Account, AcmeError> {
         let directory_url = self.directory_url();
 
-        // Try to restore from persisted credentials
-        if let Some(ref dir) = self.account_dir {
-            let account_file = dir.join("account.json");
-            if account_file.exists() {
-                match std::fs::read_to_string(&account_file) {
-                    Ok(json) => {
-                        match serde_json::from_str::<AccountCredentials>(&json) {
-                            Ok(credentials) => {
-                                match Account::from_credentials(credentials).await {
-                                    Ok(account) => {
-                                        debug!("Restored ACME account from {}", account_file.display());
-                                        return Ok(account);
-                                    }
-                                    Err(e) => {
-                                        warn!("Failed to restore ACME account, creating new: {}", e);
-                                    }
-                                }
-                            }
-                            Err(e) => {
-                                warn!("Invalid account.json, creating new account: {}", e);
-                            }
-                        }
-                    }
-                    Err(e) => {
-                        warn!("Could not read account.json: {}", e);
-                    }
-                }
-            }
-        }
-
-        // Create a new account
         let contact = format!("mailto:{}", self.email);
-        let (account, credentials) = Account::create(
+        let (account, _credentials) = Account::create(
             &NewAccount {
                 contact: &[&contact],
                 terms_of_service_agreed: true,
@@ -113,27 +67,6 @@ impl AcmeClient {
 
         debug!("ACME account created");
 
-        // Persist credentials if we have a directory
-        if let Some(ref dir) = self.account_dir {
-            if let Err(e) = std::fs::create_dir_all(dir) {
-                warn!("Failed to create account directory {}: {}", dir.display(), e);
-            } else {
-                let account_file = dir.join("account.json");
-                match serde_json::to_string_pretty(&credentials) {
-                    Ok(json) => {
-                        if let Err(e) = std::fs::write(&account_file, &json) {
-                            warn!("Failed to persist ACME account to {}: {}", account_file.display(), e);
-                        } else {
-                            info!("ACME account credentials persisted to {}", account_file.display());
-                        }
-                    }
-                    Err(e) => {
-                        warn!("Failed to serialize account credentials: {}", e);
-                    }
-                }
-            }
-        }
-
         Ok(account)
     }
 
@@ -158,7 +91,7 @@ impl AcmeClient {
     {
         info!("Starting ACME provisioning for {} via {}", domain, self.directory_url());
 
-        // 1. Get or create ACME account (with persistence)
+        // 1. Get or create ACME account
         let account = self.get_or_create_account().await?;
 
         // 2. Create order
@@ -339,22 +272,4 @@ mod tests {
         assert!(!client.directory_url().contains("staging"));
         assert!(client.is_production());
     }
-
-    #[test]
-    fn test_with_persistence_sets_account_dir() {
-        let tmp = tempfile::tempdir().unwrap();
-        let client = AcmeClient::with_persistence(
-            "test@example.com".to_string(),
-            false,
-            tmp.path(),
-        );
-        assert!(client.account_dir.is_some());
-        assert_eq!(client.account_dir.unwrap(), tmp.path());
-    }
-
-    #[test]
-    fn test_without_persistence_no_account_dir() {
-        let client = AcmeClient::new("test@example.com".to_string(), false);
-        assert!(client.account_dir.is_none());
-    }
 }

rust/crates/rustproxy-tls/src/cert_manager.rs

@@ -9,8 +9,6 @@ use crate::acme::AcmeClient;
 pub enum CertManagerError {
     #[error("ACME provisioning failed for {domain}: {message}")]
     AcmeFailure { domain: String, message: String },
-    #[error("Certificate store error: {0}")]
-    Store(#[from] crate::cert_store::CertStoreError),
     #[error("No ACME email configured")]
     NoEmail,
 }
@@ -46,25 +44,19 @@ impl CertManager {
 
     /// Create an ACME client using this manager's configuration.
     /// Returns None if no ACME email is configured.
-    /// Account credentials are persisted in the cert store base directory.
     pub fn acme_client(&self) -> Option<AcmeClient> {
         self.acme_email.as_ref().map(|email| {
-            AcmeClient::with_persistence(
-                email.clone(),
-                self.use_production,
-                self.store.base_dir(),
-            )
+            AcmeClient::new(email.clone(), self.use_production)
         })
     }
 
-    /// Load a static certificate into the store.
+    /// Load a static certificate into the store (infallible — pure cache insert).
     pub fn load_static(
         &mut self,
         domain: String,
         bundle: CertBundle,
-    ) -> Result<(), CertManagerError> {
-        self.store.store(domain, bundle)?;
-        Ok(())
+    ) {
+        self.store.store(domain, bundle);
     }
 
     /// Check and return domains that need certificate renewal.
@@ -153,19 +145,12 @@ impl CertManager {
             },
         };
 
-        self.store.store(domain.to_string(), bundle.clone())?;
+        self.store.store(domain.to_string(), bundle.clone());
         info!("Certificate renewed and stored for {}", domain);
 
         Ok(bundle)
     }
 
-    /// Load all certificates from disk.
-    pub fn load_all(&mut self) -> Result<usize, CertManagerError> {
-        let loaded = self.store.load_all()?;
-        info!("Loaded {} certificates from store", loaded);
-        Ok(loaded)
-    }
-
     /// Whether this manager has an ACME email configured.
     pub fn has_acme(&self) -> bool {
         self.acme_email.is_some()

rust/crates/rustproxy-tls/src/cert_store.rs

@@ -1,21 +1,7 @@
 use std::collections::HashMap;
-use std::path::{Path, PathBuf};
 use serde::{Deserialize, Serialize};
-use thiserror::Error;
 
-#[derive(Debug, Error)]
-pub enum CertStoreError {
-    #[error("Certificate not found for domain: {0}")]
-    NotFound(String),
-    #[error("IO error: {0}")]
-    Io(#[from] std::io::Error),
-    #[error("Invalid certificate: {0}")]
-    Invalid(String),
-    #[error("JSON error: {0}")]
-    Json(#[from] serde_json::Error),
-}
-
-/// Certificate metadata stored alongside certs on disk.
+/// Certificate metadata stored alongside certs.
 #[derive(Debug, Clone, Serialize, Deserialize)]
 #[serde(rename_all = "camelCase")]
 pub struct CertMetadata {
@@ -45,27 +31,18 @@ pub struct CertBundle {
     pub metadata: CertMetadata,
 }
 
-/// Filesystem-backed certificate store.
+/// In-memory certificate store.
 ///
-/// File layout per domain:
-/// ```text
-/// {base_dir}/{domain}/
-///   key.pem
-///   cert.pem
-///   ca.pem       (optional)
-///   metadata.json
-/// ```
+/// All persistence is owned by the consumer (TypeScript side).
+/// This struct is a thin HashMap wrapper used as a runtime cache.
 pub struct CertStore {
-    base_dir: PathBuf,
-    /// In-memory cache of loaded certs
     cache: HashMap<String, CertBundle>,
 }
 
 impl CertStore {
-    /// Create a new cert store at the given directory.
-    pub fn new(base_dir: impl AsRef<Path>) -> Self {
+    /// Create a new empty cert store.
+    pub fn new() -> Self {
         Self {
-            base_dir: base_dir.as_ref().to_path_buf(),
             cache: HashMap::new(),
         }
     }
@@ -75,33 +52,9 @@ impl CertStore {
         self.cache.get(domain)
     }
 
-    /// Store a certificate to both cache and filesystem.
-    pub fn store(&mut self, domain: String, bundle: CertBundle) -> Result<(), CertStoreError> {
-        // Sanitize domain for directory name (replace wildcards)
-        let dir_name = domain.replace('*', "_wildcard_");
-        let cert_dir = self.base_dir.join(&dir_name);
-
-        // Create directory
-        std::fs::create_dir_all(&cert_dir)?;
-
-        // Write key
-        std::fs::write(cert_dir.join("key.pem"), &bundle.key_pem)?;
-
-        // Write cert
-        std::fs::write(cert_dir.join("cert.pem"), &bundle.cert_pem)?;
-
-        // Write CA cert if present
-        if let Some(ref ca) = bundle.ca_pem {
-            std::fs::write(cert_dir.join("ca.pem"), ca)?;
-        }
-
-        // Write metadata
-        let metadata_json = serde_json::to_string_pretty(&bundle.metadata)?;
-        std::fs::write(cert_dir.join("metadata.json"), metadata_json)?;
-
-        // Update cache
+    /// Store a certificate in the cache.
+    pub fn store(&mut self, domain: String, bundle: CertBundle) {
         self.cache.insert(domain, bundle);
-        Ok(())
     }
 
     /// Check if a certificate exists for a domain.
@@ -109,68 +62,6 @@ impl CertStore {
         self.cache.contains_key(domain)
     }
 
-    /// Load all certificates from the base directory.
-    pub fn load_all(&mut self) -> Result<usize, CertStoreError> {
-        if !self.base_dir.exists() {
-            return Ok(0);
-        }
-
-        let entries = std::fs::read_dir(&self.base_dir)?;
-        let mut loaded = 0;
-
-        for entry in entries {
-            let entry = entry?;
-            let path = entry.path();
-
-            if !path.is_dir() {
-                continue;
-            }
-
-            let metadata_path = path.join("metadata.json");
-            let key_path = path.join("key.pem");
-            let cert_path = path.join("cert.pem");
-
-            // All three files must exist
-            if !metadata_path.exists() || !key_path.exists() || !cert_path.exists() {
-                continue;
-            }
-
-            // Load metadata
-            let metadata_str = std::fs::read_to_string(&metadata_path)?;
-            let metadata: CertMetadata = serde_json::from_str(&metadata_str)?;
-
-            // Load key and cert
-            let key_pem = std::fs::read_to_string(&key_path)?;
-            let cert_pem = std::fs::read_to_string(&cert_path)?;
-
-            // Load CA cert if present
-            let ca_path = path.join("ca.pem");
-            let ca_pem = if ca_path.exists() {
-                Some(std::fs::read_to_string(&ca_path)?)
-            } else {
-                None
-            };
-
-            let domain = metadata.domain.clone();
-            let bundle = CertBundle {
-                key_pem,
-                cert_pem,
-                ca_pem,
-                metadata,
-            };
-
-            self.cache.insert(domain, bundle);
-            loaded += 1;
-        }
-
-        Ok(loaded)
-    }
-
-    /// Get the base directory.
-    pub fn base_dir(&self) -> &Path {
-        &self.base_dir
-    }
-
     /// Get the number of cached certificates.
     pub fn count(&self) -> usize {
         self.cache.len()
@@ -181,17 +72,15 @@ impl CertStore {
         self.cache.iter()
     }
 
-    /// Remove a certificate from cache and filesystem.
-    pub fn remove(&mut self, domain: &str) -> Result<bool, CertStoreError> {
-        let removed = self.cache.remove(domain).is_some();
-        if removed {
-            let dir_name = domain.replace('*', "_wildcard_");
-            let cert_dir = self.base_dir.join(&dir_name);
-            if cert_dir.exists() {
-                std::fs::remove_dir_all(&cert_dir)?;
-            }
-        }
-        Ok(removed)
+    /// Remove a certificate from the cache.
+    pub fn remove(&mut self, domain: &str) -> bool {
+        self.cache.remove(domain).is_some()
+    }
+}
+
+impl Default for CertStore {
+    fn default() -> Self {
+        Self::new()
     }
 }
 
@@ -215,100 +104,71 @@ mod tests {
     }
 
     #[test]
-    fn test_store_and_load_roundtrip() {
-        let tmp = tempfile::tempdir().unwrap();
-        let mut store = CertStore::new(tmp.path());
+    fn test_store_and_get() {
+        let mut store = CertStore::new();
 
         let bundle = make_test_bundle("example.com");
-        store.store("example.com".to_string(), bundle.clone()).unwrap();
+        store.store("example.com".to_string(), bundle.clone());
 
-        // Verify files exist
-        let cert_dir = tmp.path().join("example.com");
-        assert!(cert_dir.join("key.pem").exists());
-        assert!(cert_dir.join("cert.pem").exists());
-        assert!(cert_dir.join("metadata.json").exists());
-        assert!(!cert_dir.join("ca.pem").exists()); // No CA cert
-
-        // Load into a fresh store
-        let mut store2 = CertStore::new(tmp.path());
-        let loaded = store2.load_all().unwrap();
-        assert_eq!(loaded, 1);
-
-        let loaded_bundle = store2.get("example.com").unwrap();
-        assert_eq!(loaded_bundle.key_pem, bundle.key_pem);
-        assert_eq!(loaded_bundle.cert_pem, bundle.cert_pem);
-        assert_eq!(loaded_bundle.metadata.domain, "example.com");
-        assert_eq!(loaded_bundle.metadata.source, CertSource::Static);
+        let loaded = store.get("example.com").unwrap();
+        assert_eq!(loaded.key_pem, bundle.key_pem);
+        assert_eq!(loaded.cert_pem, bundle.cert_pem);
+        assert_eq!(loaded.metadata.domain, "example.com");
+        assert_eq!(loaded.metadata.source, CertSource::Static);
     }
 
     #[test]
     fn test_store_with_ca_cert() {
-        let tmp = tempfile::tempdir().unwrap();
-        let mut store = CertStore::new(tmp.path());
+        let mut store = CertStore::new();
 
         let mut bundle = make_test_bundle("secure.com");
         bundle.ca_pem = Some("-----BEGIN CERTIFICATE-----\nca-cert\n-----END CERTIFICATE-----\n".to_string());
-        store.store("secure.com".to_string(), bundle).unwrap();
+        store.store("secure.com".to_string(), bundle);
 
-        let cert_dir = tmp.path().join("secure.com");
-        assert!(cert_dir.join("ca.pem").exists());
-
-        let mut store2 = CertStore::new(tmp.path());
-        store2.load_all().unwrap();
-        let loaded = store2.get("secure.com").unwrap();
+        let loaded = store.get("secure.com").unwrap();
         assert!(loaded.ca_pem.is_some());
     }
 
     #[test]
-    fn test_load_all_multiple_certs() {
-        let tmp = tempfile::tempdir().unwrap();
-        let mut store = CertStore::new(tmp.path());
+    fn test_multiple_certs() {
+        let mut store = CertStore::new();
 
-        store.store("a.com".to_string(), make_test_bundle("a.com")).unwrap();
-        store.store("b.com".to_string(), make_test_bundle("b.com")).unwrap();
-        store.store("c.com".to_string(), make_test_bundle("c.com")).unwrap();
+        store.store("a.com".to_string(), make_test_bundle("a.com"));
+        store.store("b.com".to_string(), make_test_bundle("b.com"));
+        store.store("c.com".to_string(), make_test_bundle("c.com"));
 
-        let mut store2 = CertStore::new(tmp.path());
-        let loaded = store2.load_all().unwrap();
-        assert_eq!(loaded, 3);
-        assert!(store2.has("a.com"));
-        assert!(store2.has("b.com"));
-        assert!(store2.has("c.com"));
-    }
-
-    #[test]
-    fn test_load_all_missing_directory() {
-        let mut store = CertStore::new("/nonexistent/path/to/certs");
-        let loaded = store.load_all().unwrap();
-        assert_eq!(loaded, 0);
+        assert_eq!(store.count(), 3);
+        assert!(store.has("a.com"));
+        assert!(store.has("b.com"));
+        assert!(store.has("c.com"));
     }
 
     #[test]
     fn test_remove_cert() {
-        let tmp = tempfile::tempdir().unwrap();
-        let mut store = CertStore::new(tmp.path());
+        let mut store = CertStore::new();
 
-        store.store("remove-me.com".to_string(), make_test_bundle("remove-me.com")).unwrap();
+        store.store("remove-me.com".to_string(), make_test_bundle("remove-me.com"));
         assert!(store.has("remove-me.com"));
 
-        let removed = store.remove("remove-me.com").unwrap();
+        let removed = store.remove("remove-me.com");
         assert!(removed);
         assert!(!store.has("remove-me.com"));
-        assert!(!tmp.path().join("remove-me.com").exists());
     }
 
     #[test]
-    fn test_wildcard_domain_storage() {
-        let tmp = tempfile::tempdir().unwrap();
-        let mut store = CertStore::new(tmp.path());
+    fn test_remove_nonexistent() {
+        let mut store = CertStore::new();
+        assert!(!store.remove("nonexistent.com"));
+    }
 
-        store.store("*.example.com".to_string(), make_test_bundle("*.example.com")).unwrap();
+    #[test]
+    fn test_wildcard_domain() {
+        let mut store = CertStore::new();
 
-        // Directory should use sanitized name
-        assert!(tmp.path().join("_wildcard_.example.com").exists());
+        store.store("*.example.com".to_string(), make_test_bundle("*.example.com"));
+        assert!(store.has("*.example.com"));
 
-        let mut store2 = CertStore::new(tmp.path());
-        store2.load_all().unwrap();
-        assert!(store2.has("*.example.com"));
+        let loaded = store.get("*.example.com").unwrap();
+        assert_eq!(loaded.metadata.domain, "*.example.com");
     }
 }

rust/crates/rustproxy/src/lib.rs

@@ -71,6 +71,7 @@ pub struct RustProxy {
     cert_manager: Option<Arc<tokio::sync::Mutex<CertManager>>>,
     challenge_server: Option<challenge_server::ChallengeServer>,
     renewal_handle: Option<tokio::task::JoinHandle<()>>,
+    sampling_handle: Option<tokio::task::JoinHandle<()>>,
     nft_manager: Option<NftManager>,
     started: bool,
     started_at: Option<Instant>,
@@ -100,14 +101,19 @@ impl RustProxy {
         let cert_manager = Self::build_cert_manager(&options)
             .map(|cm| Arc::new(tokio::sync::Mutex::new(cm)));
 
+        let retention = options.metrics.as_ref()
+            .and_then(|m| m.retention_seconds)
+            .unwrap_or(3600) as usize;
+
         Ok(Self {
             options,
             route_table: ArcSwap::from(Arc::new(route_manager)),
             listener_manager: None,
-            metrics: Arc::new(MetricsCollector::new()),
+            metrics: Arc::new(MetricsCollector::with_retention(retention)),
             cert_manager,
             challenge_server: None,
             renewal_handle: None,
+            sampling_handle: None,
             nft_manager: None,
             started: false,
             started_at: None,
@@ -184,15 +190,12 @@ impl RustProxy {
             return None;
         }
 
-        let store_path = acme.certificate_store
-            .as_deref()
-            .unwrap_or("./certs");
         let email = acme.email.clone()
             .or_else(|| acme.account_email.clone());
         let use_production = acme.use_production.unwrap_or(false);
         let renew_before_days = acme.renew_threshold_days.unwrap_or(30);
 
-        let store = CertStore::new(store_path);
+        let store = CertStore::new();
         Some(CertManager::new(store, email, use_production, renew_before_days))
     }
 
@@ -222,19 +225,6 @@ impl RustProxy {
 
         info!("Starting RustProxy...");
 
-        // Load persisted certificates
-        if let Some(ref cm) = self.cert_manager {
-            let mut cm = cm.lock().await;
-            match cm.load_all() {
-                Ok(count) => {
-                    if count > 0 {
-                        info!("Loaded {} persisted certificates", count);
-                    }
-                }
-                Err(e) => warn!("Failed to load persisted certificates: {}", e),
-            }
-        }
-
         // Auto-provision certificates for routes with certificate: 'auto'
         self.auto_provision_certificates().await;
 
@@ -292,6 +282,21 @@ impl RustProxy {
         self.started = true;
         self.started_at = Some(Instant::now());
 
+        // Start the throughput sampling task
+        let metrics = Arc::clone(&self.metrics);
+        let interval_ms = self.options.metrics.as_ref()
+            .and_then(|m| m.sample_interval_ms)
+            .unwrap_or(1000);
+        self.sampling_handle = Some(tokio::spawn(async move {
+            let mut interval = tokio::time::interval(
+                std::time::Duration::from_millis(interval_ms)
+            );
+            loop {
+                interval.tick().await;
+                metrics.sample_all();
+            }
+        }));
+
         // Apply NFTables rules for routes using nftables forwarding engine
         self.apply_nftables_rules(&self.options.routes.clone()).await;
 
@@ -396,9 +401,7 @@ impl RustProxy {
                         };
 
                         let mut cm = cm_arc.lock().await;
-                        if let Err(e) = cm.load_static(domain.clone(), bundle) {
-                            error!("Failed to store certificate for {}: {}", domain, e);
-                        }
+                        cm.load_static(domain.clone(), bundle);
 
                         info!("Certificate provisioned for {}", domain);
                     }
@@ -496,6 +499,11 @@ impl RustProxy {
 
         info!("Stopping RustProxy...");
 
+        // Stop sampling task
+        if let Some(handle) = self.sampling_handle.take() {
+            handle.abort();
+        }
+
         // Stop renewal timer
         if let Some(handle) = self.renewal_handle.take() {
             handle.abort();
@@ -775,8 +783,7 @@ impl RustProxy {
             };
 
             let mut cm = cm_arc.lock().await;
-            cm.load_static(domain.to_string(), bundle)
-                .map_err(|e| anyhow::anyhow!("Failed to store certificate: {}", e))?;
+            cm.load_static(domain.to_string(), bundle);
         }
 
         // Hot-swap TLS config on the listener

test/test.throughput.ts

@@ -0,0 +1,636 @@
+import { expect, tap } from '@git.zone/tstest/tapbundle';
+import { SmartProxy } from '../ts/index.js';
+import type { IRouteConfig } from '../ts/index.js';
+import * as net from 'net';
+import * as http from 'http';
+import * as tls from 'tls';
+import * as https from 'https';
+import * as fs from 'fs';
+import * as path from 'path';
+import { fileURLToPath } from 'url';
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = path.dirname(__filename);
+
+// ────────────────────────────────────────────────────────────────────────────
+// Port assignments (unique to avoid conflicts with other tests)
+// ────────────────────────────────────────────────────────────────────────────
+const TCP_ECHO_PORT = 47500;
+const HTTP_ECHO_PORT = 47501;
+const TLS_ECHO_PORT = 47502;
+const PROXY_TCP_PORT = 47510;
+const PROXY_HTTP_PORT = 47511;
+const PROXY_TLS_PASS_PORT = 47512;
+const PROXY_TLS_TERM_PORT = 47513;
+const PROXY_SOCKET_PORT = 47514;
+const PROXY_MULTI_A_PORT = 47515;
+const PROXY_MULTI_B_PORT = 47516;
+const PROXY_TP_HTTP_PORT = 47517;
+
+// ────────────────────────────────────────────────────────────────────────────
+// Test certificates
+// ────────────────────────────────────────────────────────────────────────────
+const CERT_PEM = fs.readFileSync(path.join(__dirname, '..', 'assets', 'certs', 'cert.pem'), 'utf8');
+const KEY_PEM = fs.readFileSync(path.join(__dirname, '..', 'assets', 'certs', 'key.pem'), 'utf8');
+
+// ────────────────────────────────────────────────────────────────────────────
+// Backend servers
+// ────────────────────────────────────────────────────────────────────────────
+let tcpEchoServer: net.Server;
+let httpEchoServer: http.Server;
+let tlsEchoServer: tls.Server;
+
+// Helper: force-poll the metrics adapter
+async function pollMetrics(proxy: SmartProxy): Promise<void> {
+  await (proxy as any).metricsAdapter.poll();
+}
+
+// ════════════════════════════════════════════════════════════════════════════
+// Setup: backend servers
+// ════════════════════════════════════════════════════════════════════════════
+tap.test('setup - TCP echo server', async () => {
+  tcpEchoServer = net.createServer((socket) => {
+    socket.on('data', (data) => socket.write(data));
+    socket.on('error', () => {});
+  });
+  await new Promise<void>((resolve) => {
+    tcpEchoServer.listen(TCP_ECHO_PORT, () => {
+      console.log(`TCP echo server on port ${TCP_ECHO_PORT}`);
+      resolve();
+    });
+  });
+});
+
+tap.test('setup - HTTP echo server', async () => {
+  httpEchoServer = http.createServer((req, res) => {
+    let body = '';
+    req.on('data', (chunk) => (body += chunk));
+    req.on('end', () => {
+      res.writeHead(200, { 'Content-Type': 'text/plain' });
+      res.end(`echo:${body}`);
+    });
+  });
+  await new Promise<void>((resolve) => {
+    httpEchoServer.listen(HTTP_ECHO_PORT, () => {
+      console.log(`HTTP echo server on port ${HTTP_ECHO_PORT}`);
+      resolve();
+    });
+  });
+});
+
+tap.test('setup - TLS echo server', async () => {
+  tlsEchoServer = tls.createServer(
+    { cert: CERT_PEM, key: KEY_PEM },
+    (socket) => {
+      socket.on('data', (data) => socket.write(data));
+      socket.on('error', () => {});
+    },
+  );
+  await new Promise<void>((resolve) => {
+    tlsEchoServer.listen(TLS_ECHO_PORT, () => {
+      console.log(`TLS echo server on port ${TLS_ECHO_PORT}`);
+      resolve();
+    });
+  });
+});
+
+// ════════════════════════════════════════════════════════════════════════════
+// Group 1: TCP Forward (plain TCP passthrough — no domain, no TLS)
+// ════════════════════════════════════════════════════════════════════════════
+tap.test('TCP forward - real-time byte tracking', async (tools) => {
+  const proxy = new SmartProxy({
+    routes: [
+      {
+        id: 'tcp-forward',
+        name: 'tcp-forward',
+        match: { ports: PROXY_TCP_PORT },
+        action: {
+          type: 'forward',
+          targets: [{ host: 'localhost', port: TCP_ECHO_PORT }],
+        },
+      },
+    ],
+    metrics: { enabled: true, sampleIntervalMs: 100, retentionSeconds: 60 },
+  });
+  await proxy.start();
+
+  // Connect and send data
+  const client = new net.Socket();
+  await new Promise<void>((resolve, reject) => {
+    client.connect(PROXY_TCP_PORT, 'localhost', () => resolve());
+    client.on('error', reject);
+  });
+
+  let received = 0;
+  client.on('data', (data) => (received += data.length));
+
+  // Send 10 KB in chunks over 1 second
+  const chunk = Buffer.alloc(1024, 'A');
+  for (let i = 0; i < 10; i++) {
+    client.write(chunk);
+    await tools.delayFor(100);
+  }
+
+  // Wait for echo data and sampling to accumulate
+  await tools.delayFor(500);
+
+  // === Key assertion: metrics visible WHILE the connection is still open ===
+  // Before this change, TCP bytes were only reported after connection close.
+  // Now bytes are reported per-chunk in real-time.
+  await pollMetrics(proxy);
+
+  const mDuring = proxy.getMetrics();
+  const bytesInDuring = mDuring.totals.bytesIn();
+  const bytesOutDuring = mDuring.totals.bytesOut();
+  console.log(`TCP forward (during) — bytesIn: ${bytesInDuring}, bytesOut: ${bytesOutDuring}`);
+  expect(bytesInDuring).toBeGreaterThan(0);
+  expect(bytesOutDuring).toBeGreaterThan(0);
+
+  // Check that throughput is non-zero during active TCP traffic
+  const tpDuring = mDuring.throughput.recent();
+  console.log(`TCP forward (during) — recent throughput: in=${tpDuring.in}, out=${tpDuring.out}`);
+  expect(tpDuring.in + tpDuring.out).toBeGreaterThan(0);
+
+  // Close connection
+  client.destroy();
+  await tools.delayFor(500);
+
+  // Final check
+  await pollMetrics(proxy);
+  const m = proxy.getMetrics();
+  const bytesIn = m.totals.bytesIn();
+  const bytesOut = m.totals.bytesOut();
+  console.log(`TCP forward (final) — bytesIn: ${bytesIn}, bytesOut: ${bytesOut}`);
+  expect(bytesIn).toBeGreaterThanOrEqual(bytesInDuring);
+  expect(bytesOut).toBeGreaterThanOrEqual(bytesOutDuring);
+
+  // Check per-route tracking
+  const byRoute = m.throughput.byRoute();
+  console.log('TCP forward — throughput byRoute:', Array.from(byRoute.entries()));
+
+  await proxy.stop();
+  await tools.delayFor(200);
+});
+
+// ════════════════════════════════════════════════════════════════════════════
+// Group 2: HTTP Forward (plain HTTP proxy)
+// ════════════════════════════════════════════════════════════════════════════
+tap.test('HTTP forward - byte totals tracking', async (tools) => {
+  const proxy = new SmartProxy({
+    routes: [
+      {
+        id: 'http-forward',
+        name: 'http-forward',
+        match: { ports: PROXY_HTTP_PORT },
+        action: {
+          type: 'forward',
+          targets: [{ host: 'localhost', port: HTTP_ECHO_PORT }],
+        },
+      },
+    ],
+    metrics: { enabled: true, sampleIntervalMs: 100, retentionSeconds: 60 },
+  });
+  await proxy.start();
+  await tools.delayFor(300);
+
+  // Send 10 HTTP requests with 1 KB body each
+  for (let i = 0; i < 10; i++) {
+    const body = 'X'.repeat(1024);
+    await new Promise<void>((resolve, reject) => {
+      const req = http.request(
+        {
+          hostname: 'localhost',
+          port: PROXY_HTTP_PORT,
+          path: '/echo',
+          method: 'POST',
+          headers: { 'Content-Type': 'text/plain', 'Content-Length': String(body.length) },
+        },
+        (res) => {
+          let data = '';
+          res.on('data', (chunk) => (data += chunk));
+          res.on('end', () => resolve());
+        },
+      );
+      req.on('error', reject);
+      req.setTimeout(5000, () => {
+        req.destroy();
+        reject(new Error('HTTP request timeout'));
+      });
+      req.end(body);
+    });
+  }
+
+  // Wait for sampling + poll
+  await tools.delayFor(500);
+  await pollMetrics(proxy);
+
+  const m = proxy.getMetrics();
+  const bytesIn = m.totals.bytesIn();
+  const bytesOut = m.totals.bytesOut();
+  console.log(`HTTP forward — bytesIn: ${bytesIn}, bytesOut: ${bytesOut}`);
+
+  // Both directions should have bytes (CountingBody tracks request + response)
+  expect(bytesIn).toBeGreaterThan(0);
+  expect(bytesOut).toBeGreaterThan(0);
+
+  await proxy.stop();
+  await tools.delayFor(200);
+});
+
+// ════════════════════════════════════════════════════════════════════════════
+// Group 3: TLS Passthrough (SNI-based, Rust passes encrypted data through)
+// ════════════════════════════════════════════════════════════════════════════
+tap.test('TLS passthrough - byte totals tracking', async (tools) => {
+  const proxy = new SmartProxy({
+    routes: [
+      {
+        id: 'tls-passthrough',
+        name: 'tls-passthrough',
+        match: { ports: PROXY_TLS_PASS_PORT, domains: 'localhost' },
+        action: {
+          type: 'forward',
+          tls: { mode: 'passthrough' },
+          targets: [{ host: 'localhost', port: TLS_ECHO_PORT }],
+        },
+      },
+    ],
+    metrics: { enabled: true, sampleIntervalMs: 100, retentionSeconds: 60 },
+  });
+  await proxy.start();
+  await tools.delayFor(300);
+
+  // Connect via TLS through the proxy (SNI: localhost)
+  const tlsClient = tls.connect(
+    {
+      host: 'localhost',
+      port: PROXY_TLS_PASS_PORT,
+      servername: 'localhost',
+      rejectUnauthorized: false,
+    },
+  );
+
+  await new Promise<void>((resolve, reject) => {
+    tlsClient.on('secureConnect', () => resolve());
+    tlsClient.on('error', reject);
+  });
+
+  // Send some data
+  const data = Buffer.alloc(2048, 'B');
+  tlsClient.write(data);
+
+  // Wait for echo
+  let received = 0;
+  tlsClient.on('data', (chunk) => (received += chunk.length));
+  await tools.delayFor(1000);
+
+  console.log(`TLS passthrough — received ${received} bytes back`);
+  expect(received).toBeGreaterThan(0);
+
+  tlsClient.destroy();
+  await tools.delayFor(500);
+
+  await pollMetrics(proxy);
+
+  const m = proxy.getMetrics();
+  const bytesIn = m.totals.bytesIn();
+  const bytesOut = m.totals.bytesOut();
+  console.log(`TLS passthrough — bytesIn: ${bytesIn}, bytesOut: ${bytesOut}`);
+
+  // TLS passthrough tracks encrypted bytes flowing through
+  expect(bytesIn).toBeGreaterThan(0);
+  expect(bytesOut).toBeGreaterThan(0);
+
+  await proxy.stop();
+  await tools.delayFor(200);
+});
+
+// ════════════════════════════════════════════════════════════════════════════
+// Group 4: TLS Terminate + HTTP (Rust terminates TLS, forwards to HTTP backend)
+// ════════════════════════════════════════════════════════════════════════════
+tap.test('TLS terminate + HTTP forward - byte totals tracking', async (tools) => {
+  const proxy = new SmartProxy({
+    routes: [
+      {
+        id: 'tls-terminate',
+        name: 'tls-terminate',
+        match: { ports: PROXY_TLS_TERM_PORT, domains: 'localhost' },
+        action: {
+          type: 'forward',
+          tls: {
+            mode: 'terminate',
+            certificate: {
+              cert: CERT_PEM,
+              key: KEY_PEM,
+            },
+          },
+          targets: [{ host: 'localhost', port: HTTP_ECHO_PORT }],
+        },
+      },
+    ],
+    metrics: { enabled: true, sampleIntervalMs: 100, retentionSeconds: 60 },
+    disableDefaultCert: true,
+  });
+  await proxy.start();
+  await tools.delayFor(300);
+
+  // Send HTTPS request through the proxy
+  const body = 'Z'.repeat(2048);
+  await new Promise<void>((resolve, reject) => {
+    const req = https.request(
+      {
+        hostname: 'localhost',
+        port: PROXY_TLS_TERM_PORT,
+        path: '/echo',
+        method: 'POST',
+        headers: { 'Content-Type': 'text/plain', 'Content-Length': String(body.length) },
+        rejectUnauthorized: false,
+      },
+      (res) => {
+        let data = '';
+        res.on('data', (chunk) => (data += chunk));
+        res.on('end', () => {
+          console.log(`TLS terminate — response: ${data.slice(0, 50)}...`);
+          resolve();
+        });
+      },
+    );
+    req.on('error', reject);
+    req.setTimeout(5000, () => {
+      req.destroy();
+      reject(new Error('HTTPS request timeout'));
+    });
+    req.end(body);
+  });
+
+  await tools.delayFor(500);
+  await pollMetrics(proxy);
+
+  const m = proxy.getMetrics();
+  const bytesIn = m.totals.bytesIn();
+  const bytesOut = m.totals.bytesOut();
+  console.log(`TLS terminate — bytesIn: ${bytesIn}, bytesOut: ${bytesOut}`);
+
+  // TLS terminate: request body (bytesIn) and response body (bytesOut) via CountingBody
+  expect(bytesIn).toBeGreaterThan(0);
+  expect(bytesOut).toBeGreaterThan(0);
+
+  await proxy.stop();
+  await tools.delayFor(200);
+});
+
+// ════════════════════════════════════════════════════════════════════════════
+// Group 5: Socket Handler (JS callback handling)
+// ════════════════════════════════════════════════════════════════════════════
+tap.test('Socket handler - byte totals tracking', async (tools) => {
+  const proxy = new SmartProxy({
+    routes: [
+      {
+        id: 'socket-handler',
+        name: 'socket-handler',
+        match: { ports: PROXY_SOCKET_PORT },
+        action: {
+          type: 'socket-handler',
+          socketHandler: (socket, _context) => {
+            socket.on('data', (data) => socket.write(data)); // echo
+            socket.on('error', () => {});
+          },
+        },
+      },
+    ],
+    metrics: { enabled: true, sampleIntervalMs: 100, retentionSeconds: 60 },
+  });
+  await proxy.start();
+  await tools.delayFor(300);
+
+  // Connect and send data
+  const client = new net.Socket();
+  await new Promise<void>((resolve, reject) => {
+    client.connect(PROXY_SOCKET_PORT, 'localhost', () => resolve());
+    client.on('error', reject);
+  });
+
+  const data = Buffer.alloc(4096, 'C');
+  client.write(data);
+
+  let received = 0;
+  client.on('data', (chunk) => (received += chunk.length));
+  await tools.delayFor(500);
+
+  console.log(`Socket handler — received ${received} bytes back`);
+
+  client.destroy();
+  await tools.delayFor(500);
+
+  await pollMetrics(proxy);
+
+  const m = proxy.getMetrics();
+  const bytesIn = m.totals.bytesIn();
+  const bytesOut = m.totals.bytesOut();
+  console.log(`Socket handler — bytesIn: ${bytesIn}, bytesOut: ${bytesOut}`);
+
+  // Socket handler relay now records bytes after copy_bidirectional completes
+  expect(bytesIn).toBeGreaterThan(0);
+  expect(bytesOut).toBeGreaterThan(0);
+
+  await proxy.stop();
+  await tools.delayFor(200);
+});
+
+// ════════════════════════════════════════════════════════════════════════════
+// Group 6: Multi-route throughput isolation
+// ════════════════════════════════════════════════════════════════════════════
+tap.test('Multi-route throughput isolation', async (tools) => {
+  const proxy = new SmartProxy({
+    routes: [
+      {
+        id: 'route-alpha',
+        name: 'route-alpha',
+        match: { ports: PROXY_MULTI_A_PORT },
+        action: {
+          type: 'forward',
+          targets: [{ host: 'localhost', port: TCP_ECHO_PORT }],
+        },
+      },
+      {
+        id: 'route-beta',
+        name: 'route-beta',
+        match: { ports: PROXY_MULTI_B_PORT },
+        action: {
+          type: 'forward',
+          targets: [{ host: 'localhost', port: TCP_ECHO_PORT }],
+        },
+      },
+    ],
+    metrics: { enabled: true, sampleIntervalMs: 100, retentionSeconds: 60 },
+  });
+  await proxy.start();
+  await tools.delayFor(300);
+
+  // Send different amounts to each route
+  // Route alpha: 8 KB
+  const clientA = new net.Socket();
+  await new Promise<void>((resolve, reject) => {
+    clientA.connect(PROXY_MULTI_A_PORT, 'localhost', () => resolve());
+    clientA.on('error', reject);
+  });
+  clientA.on('data', () => {}); // drain
+  for (let i = 0; i < 8; i++) {
+    clientA.write(Buffer.alloc(1024, 'A'));
+    await tools.delayFor(50);
+  }
+
+  // Route beta: 2 KB
+  const clientB = new net.Socket();
+  await new Promise<void>((resolve, reject) => {
+    clientB.connect(PROXY_MULTI_B_PORT, 'localhost', () => resolve());
+    clientB.on('error', reject);
+  });
+  clientB.on('data', () => {}); // drain
+  for (let i = 0; i < 2; i++) {
+    clientB.write(Buffer.alloc(1024, 'B'));
+    await tools.delayFor(50);
+  }
+
+  await tools.delayFor(500);
+
+  // Close both
+  clientA.destroy();
+  clientB.destroy();
+  await tools.delayFor(500);
+
+  await pollMetrics(proxy);
+
+  const m = proxy.getMetrics();
+
+  // Check per-route throughput exists for both
+  const byRoute = m.throughput.byRoute();
+  console.log('Multi-route — throughput byRoute:', Array.from(byRoute.entries()));
+
+  // Check per-route connection counts
+  const connByRoute = m.connections.byRoute();
+  console.log('Multi-route — connections byRoute:', Array.from(connByRoute.entries()));
+
+  // Both routes should have tracked data
+  const totalIn = m.totals.bytesIn();
+  const totalOut = m.totals.bytesOut();
+  console.log(`Multi-route — total bytesIn: ${totalIn}, bytesOut: ${totalOut}`);
+
+  expect(totalIn).toBeGreaterThan(0);
+  expect(totalOut).toBeGreaterThan(0);
+
+  await proxy.stop();
+  await tools.delayFor(200);
+});
+
+// ════════════════════════════════════════════════════════════════════════════
+// Group 7: Throughput sampling over time (HTTP-based for real-time tracking)
+//
+// Uses HTTP proxy path where CountingBody reports bytes incrementally
+// as each request/response body completes. This allows the sampling task
+// to capture non-zero throughput during active traffic.
+// ════════════════════════════════════════════════════════════════════════════
+tap.test('Throughput sampling - values appear during active HTTP traffic', async (tools) => {
+  const proxy = new SmartProxy({
+    routes: [
+      {
+        id: 'sampling-test',
+        name: 'sampling-test',
+        match: { ports: PROXY_TP_HTTP_PORT },
+        action: {
+          type: 'forward',
+          targets: [{ host: 'localhost', port: HTTP_ECHO_PORT }],
+        },
+      },
+    ],
+    metrics: { enabled: true, sampleIntervalMs: 100, retentionSeconds: 60 },
+  });
+  await proxy.start();
+  await tools.delayFor(300);
+
+  // Send HTTP requests continuously for ~2 seconds
+  let sending = true;
+  let requestCount = 0;
+  const sendLoop = (async () => {
+    while (sending) {
+      const body = 'D'.repeat(5120); // 5 KB per request
+      try {
+        await new Promise<void>((resolve, reject) => {
+          const req = http.request(
+            {
+              hostname: 'localhost',
+              port: PROXY_TP_HTTP_PORT,
+              path: '/echo',
+              method: 'POST',
+              headers: { 'Content-Type': 'text/plain', 'Content-Length': String(body.length) },
+            },
+            (res) => {
+              res.on('data', () => {});
+              res.on('end', () => resolve());
+            },
+          );
+          req.on('error', reject);
+          req.setTimeout(3000, () => {
+            req.destroy();
+            reject(new Error('timeout'));
+          });
+          req.end(body);
+        });
+        requestCount++;
+      } catch {
+        // Ignore errors during shutdown
+        break;
+      }
+    }
+  })();
+
+  // After 1.5 seconds of active traffic, check throughput
+  await tools.delayFor(1500);
+
+  await pollMetrics(proxy);
+
+  const m = proxy.getMetrics();
+  const tp = m.throughput.instant();
+  const totalIn = m.totals.bytesIn();
+  const totalOut = m.totals.bytesOut();
+  console.log(`Sampling test — after 1.5s of traffic: instant in=${tp.in}, out=${tp.out}`);
+  console.log(`Sampling test — totals: bytesIn=${totalIn}, bytesOut=${totalOut}, requests=${requestCount}`);
+
+  // Totals should definitely be non-zero after 1.5s of HTTP requests
+  expect(totalIn + totalOut).toBeGreaterThan(0);
+
+  // Throughput instant should be non-zero during active traffic.
+  // The sampling interval is 100ms, so we've had ~15 samples by now.
+  // Each sample captures bytes from completed HTTP request/response bodies.
+  // Note: this can occasionally be 0 if sample boundaries don't align, so we
+  // also check that at least the throughput was non-zero for *some* recent window.
+  const tpRecent = m.throughput.recent();
+  console.log(`Sampling test — recent throughput: in=${tpRecent.in}, out=${tpRecent.out}`);
+  expect(tpRecent.in + tpRecent.out).toBeGreaterThan(0);
+
+  // Stop sending
+  sending = false;
+  await sendLoop;
+
+  // After traffic stops, wait for metrics to settle
+  await tools.delayFor(500);
+  await pollMetrics(proxy);
+
+  const mAfter = proxy.getMetrics();
+  const tpAfter = mAfter.throughput.instant();
+  console.log(`Sampling test — after traffic stops: instant in=${tpAfter.in}, out=${tpAfter.out}`);
+
+  await proxy.stop();
+  await tools.delayFor(200);
+});
+
+// ════════════════════════════════════════════════════════════════════════════
+// Cleanup
+// ════════════════════════════════════════════════════════════════════════════
+tap.test('cleanup - close backend servers', async () => {
+  await new Promise<void>((resolve) => tcpEchoServer.close(() => resolve()));
+  await new Promise<void>((resolve) => httpEchoServer.close(() => resolve()));
+  await new Promise<void>((resolve) => tlsEchoServer.close(() => resolve()));
+  console.log('All backend servers closed');
+});
+
+export default tap.start();

ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@push.rocks/smartproxy',
-  version: '23.1.5',
+  version: '25.1.0',
   description: 'A powerful proxy package with unified route-based configuration for high traffic management. Features include SSL/TLS support, flexible routing patterns, WebSocket handling, advanced security options, and automatic ACME certificate management.'
 }

ts/core/models/common-types.ts

@@ -85,7 +85,6 @@ export interface IAcmeOptions {
   renewThresholdDays?: number;    // Days before expiry to renew certificates
   renewCheckIntervalHours?: number; // How often to check for renewals (in hours)
   autoRenew?: boolean;            // Whether to automatically renew certificates
-  certificateStore?: string;      // Directory to store certificates
   skipConfiguredCerts?: boolean;  // Skip domains with existing certificates
   domainForwards?: IDomainForwardConfig[]; // Domain-specific forwarding configs
 }

ts/index.ts

@@ -8,7 +8,7 @@ export { SharedRouteManager as RouteManager } from './core/routing/route-manager
 
 // Export smart-proxy models
 export type { ISmartProxyOptions, IConnectionRecord, IRouteConfig, IRouteMatch, IRouteAction, IRouteTls, IRouteContext } from './proxies/smart-proxy/models/index.js';
-export type { TSmartProxyCertProvisionObject } from './proxies/smart-proxy/models/interfaces.js';
+export type { TSmartProxyCertProvisionObject, ICertProvisionEventComms, ICertificateIssuedEvent, ICertificateFailedEvent } from './proxies/smart-proxy/models/interfaces.js';
 export * from './proxies/smart-proxy/utils/index.js';
 
 // Original: export * from './smartproxy/classes.pp.snihandler.js'

ts/proxies/smart-proxy/models/index.ts

@@ -2,6 +2,6 @@
  * SmartProxy models
  */
 // Export everything except IAcmeOptions from interfaces
-export type { ISmartProxyOptions, IConnectionRecord, TSmartProxyCertProvisionObject } from './interfaces.js';
+export type { ISmartProxyOptions, ISmartProxyCertStore, IConnectionRecord, TSmartProxyCertProvisionObject, ICertProvisionEventComms, ICertificateIssuedEvent, ICertificateFailedEvent } from './interfaces.js';
 export * from './route-types.js';
 export * from './metrics-types.js';

ts/proxies/smart-proxy/models/interfaces.ts

@@ -10,11 +10,23 @@ export interface IAcmeOptions {
   useProduction?: boolean; // Use Let's Encrypt production (default: false)
   renewThresholdDays?: number; // Days before expiry to renew (default: 30)
   autoRenew?: boolean; // Enable automatic renewal (default: true)
-  certificateStore?: string; // Directory to store certificates (default: './certs')
   skipConfiguredCerts?: boolean;
   renewCheckIntervalHours?: number; // How often to check for renewals (default: 24)
   routeForwards?: any[];
 }
+
+/**
+ * Consumer-provided certificate storage.
+ * SmartProxy never writes certs to disk — the consumer owns all persistence.
+ */
+export interface ISmartProxyCertStore {
+  /** Load all stored certs on startup (called once before cert provisioning) */
+  loadAll: () => Promise<Array<{ domain: string; publicKey: string; privateKey: string; ca?: string }>>;
+  /** Save a cert after successful provisioning */
+  save: (domain: string, publicKey: string, privateKey: string, ca?: string) => Promise<void>;
+  /** Remove a cert (optional) */
+  remove?: (domain: string) => Promise<void>;
+}
 import type { IRouteConfig } from './route-types.js';
 
 /**
@@ -22,6 +34,38 @@ import type { IRouteConfig } from './route-types.js';
  */
 export type TSmartProxyCertProvisionObject = plugins.tsclass.network.ICert | 'http01';
 
+/**
+ * Communication channel passed as second argument to certProvisionFunction.
+ * Allows the callback to report metadata back to SmartProxy for event emission.
+ */
+export interface ICertProvisionEventComms {
+  /** Informational log */
+  log: (message: string) => void;
+  /** Warning (non-fatal) */
+  warn: (message: string) => void;
+  /** Error */
+  error: (message: string) => void;
+  /** Set the certificate expiry date (for the issued event) */
+  setExpiryDate: (date: Date) => void;
+  /** Set the source/method used for provisioning (e.g. 'smartacme-dns-01') */
+  setSource: (source: string) => void;
+}
+
+/** Payload for 'certificate-issued' and 'certificate-renewed' events */
+export interface ICertificateIssuedEvent {
+  domain: string;
+  expiryDate?: string;   // ISO 8601
+  source: string;        // e.g. 'certProvisionFunction', 'smartacme-dns-01'
+  isRenewal?: boolean;
+}
+
+/** Payload for 'certificate-failed' event */
+export interface ICertificateFailedEvent {
+  domain: string;
+  error: string;
+  source: string;
+}
+
 // Legacy options and type checking functions have been removed
 
 /**
@@ -128,7 +172,7 @@ export interface ISmartProxyOptions {
    * Optional certificate provider callback. Return 'http01' to use HTTP-01 challenges,
    * or a static certificate object for immediate provisioning.
    */
-  certProvisionFunction?: (domain: string) => Promise<TSmartProxyCertProvisionObject>;
+  certProvisionFunction?: (domain: string, eventComms: ICertProvisionEventComms) => Promise<TSmartProxyCertProvisionObject>;
   
   /**
    * Whether to fallback to ACME if custom certificate provision fails.
@@ -136,6 +180,20 @@ export interface ISmartProxyOptions {
    */
   certProvisionFallbackToAcme?: boolean;
 
+  /**
+   * Disable the default self-signed fallback certificate.
+   * When false (default), a self-signed cert is generated at startup and loaded
+   * as '*' so TLS handshakes never fail due to missing certs.
+   */
+  disableDefaultCert?: boolean;
+
+  /**
+   * Consumer-provided cert storage. SmartProxy never writes certs to disk.
+   * On startup, loadAll() is called to pre-load persisted certs.
+   * After each successful cert provision, save() is called.
+   */
+  certStore?: ISmartProxyCertStore;
+
   /**
    * Path to the RustProxy binary. If not set, the binary is located
    * automatically via env var, platform package, local build, or PATH.

ts/proxies/smart-proxy/rust-metrics-adapter.ts

@@ -89,7 +89,10 @@ export class RustMetricsAdapter implements IMetrics {
       };
     },
     recent: (): IThroughputData => {
-      return this.throughput.instant();
+      return {
+        in: this.cache?.throughputRecentInBytesPerSec ?? 0,
+        out: this.cache?.throughputRecentOutBytesPerSec ?? 0,
+      };
     },
     average: (): IThroughputData => {
       return this.throughput.instant();

ts/proxies/smart-proxy/smart-proxy.ts

@@ -10,10 +10,11 @@ import { RustMetricsAdapter } from './rust-metrics-adapter.js';
 // Route management
 import { SharedRouteManager as RouteManager } from '../../core/routing/route-manager.js';
 import { RouteValidator } from './utils/route-validator.js';
+import { generateDefaultCertificate } from './utils/default-cert-generator.js';
 import { Mutex } from './utils/mutex.js';
 
 // Types
-import type { ISmartProxyOptions, TSmartProxyCertProvisionObject } from './models/interfaces.js';
+import type { ISmartProxyOptions, TSmartProxyCertProvisionObject, IAcmeOptions, ICertProvisionEventComms, ICertificateIssuedEvent, ICertificateFailedEvent } from './models/interfaces.js';
 import type { IRouteConfig } from './models/route-types.js';
 import type { IMetrics } from './models/metrics-types.js';
 
@@ -68,7 +69,6 @@ export class SmartProxy extends plugins.EventEmitter {
         useProduction: this.settings.acme.useProduction || false,
         renewThresholdDays: this.settings.acme.renewThresholdDays || 30,
         autoRenew: this.settings.acme.autoRenew !== false,
-        certificateStore: this.settings.acme.certificateStore || './certs',
         skipConfiguredCerts: this.settings.acme.skipConfiguredCerts || false,
         renewCheckIntervalHours: this.settings.acme.renewCheckIntervalHours || 24,
         routeForwards: this.settings.acme.routeForwards || [],
@@ -146,8 +146,16 @@ export class SmartProxy extends plugins.EventEmitter {
     // Preprocess routes (strip JS functions, convert socket-handler routes)
     const rustRoutes = this.preprocessor.preprocessForRust(this.settings.routes);
 
+    // When certProvisionFunction handles cert provisioning,
+    // disable Rust's built-in ACME to prevent race condition.
+    let acmeForRust = this.settings.acme;
+    if (this.settings.certProvisionFunction && acmeForRust?.enabled) {
+      acmeForRust = { ...acmeForRust, enabled: false };
+      logger.log('info', 'Rust ACME disabled — certProvisionFunction will handle certificate provisioning', { component: 'smart-proxy' });
+    }
+
     // Build Rust config
-    const config = this.buildRustConfig(rustRoutes);
+    const config = this.buildRustConfig(rustRoutes, acmeForRust);
 
     // Start the Rust proxy
     await this.bridge.startProxy(config);
@@ -157,8 +165,34 @@ export class SmartProxy extends plugins.EventEmitter {
       await this.bridge.setSocketHandlerRelay(this.socketHandlerServer.getSocketPath());
     }
 
+    // Load default self-signed fallback certificate (domain: '*')
+    if (!this.settings.disableDefaultCert) {
+      try {
+        const defaultCert = generateDefaultCertificate();
+        await this.bridge.loadCertificate('*', defaultCert.cert, defaultCert.key);
+        logger.log('info', 'Default self-signed fallback certificate loaded', { component: 'smart-proxy' });
+      } catch (err: any) {
+        logger.log('warn', `Failed to generate default certificate: ${err.message}`, { component: 'smart-proxy' });
+      }
+    }
+
+    // Load consumer-stored certificates
+    const preloadedDomains = new Set<string>();
+    if (this.settings.certStore) {
+      try {
+        const stored = await this.settings.certStore.loadAll();
+        for (const entry of stored) {
+          await this.bridge.loadCertificate(entry.domain, entry.publicKey, entry.privateKey, entry.ca);
+          preloadedDomains.add(entry.domain);
+        }
+        logger.log('info', `Loaded ${stored.length} certificate(s) from consumer store`, { component: 'smart-proxy' });
+      } catch (err: any) {
+        logger.log('warn', `Failed to load certificates from consumer store: ${err.message}`, { component: 'smart-proxy' });
+      }
+    }
+
     // Handle certProvisionFunction
-    await this.provisionCertificatesViaCallback();
+    await this.provisionCertificatesViaCallback(preloadedDomains);
 
     // Start metrics polling
     this.metricsAdapter.startPolling();
@@ -334,20 +368,20 @@ export class SmartProxy extends plugins.EventEmitter {
   /**
    * Build the Rust configuration object from TS settings.
    */
-  private buildRustConfig(routes: IRouteConfig[]): any {
+  private buildRustConfig(routes: IRouteConfig[], acmeOverride?: IAcmeOptions): any {
+    const acme = acmeOverride !== undefined ? acmeOverride : this.settings.acme;
     return {
       routes,
       defaults: this.settings.defaults,
-      acme: this.settings.acme
+      acme: acme
         ? {
-            enabled: this.settings.acme.enabled,
-            email: this.settings.acme.email,
-            useProduction: this.settings.acme.useProduction,
-            port: this.settings.acme.port,
-            renewThresholdDays: this.settings.acme.renewThresholdDays,
-            autoRenew: this.settings.acme.autoRenew,
-            certificateStore: this.settings.acme.certificateStore,
-            renewCheckIntervalHours: this.settings.acme.renewCheckIntervalHours,
+            enabled: acme.enabled,
+            email: acme.email,
+            useProduction: acme.useProduction,
+            port: acme.port,
+            renewThresholdDays: acme.renewThresholdDays,
+            autoRenew: acme.autoRenew,
+            renewCheckIntervalHours: acme.renewCheckIntervalHours,
           }
         : undefined,
       connectionTimeout: this.settings.connectionTimeout,
@@ -362,6 +396,7 @@ export class SmartProxy extends plugins.EventEmitter {
       extendedKeepAliveLifetime: this.settings.extendedKeepAliveLifetime,
       acceptProxyProtocol: this.settings.acceptProxyProtocol,
       sendProxyProtocol: this.settings.sendProxyProtocol,
+      metrics: this.settings.metrics,
     };
   }
 
@@ -370,22 +405,49 @@ export class SmartProxy extends plugins.EventEmitter {
    * If the callback returns a cert object, load it into Rust.
    * If it returns 'http01', let Rust handle ACME.
    */
-  private async provisionCertificatesViaCallback(): Promise<void> {
+  private async provisionCertificatesViaCallback(skipDomains: Set<string> = new Set()): Promise<void> {
     const provisionFn = this.settings.certProvisionFunction;
     if (!provisionFn) return;
 
+    const provisionedDomains = new Set<string>(skipDomains);
+
     for (const route of this.settings.routes) {
       if (route.action.tls?.certificate !== 'auto') continue;
       if (!route.match.domains) continue;
 
-      const domains = Array.isArray(route.match.domains) ? route.match.domains : [route.match.domains];
+      const rawDomains = Array.isArray(route.match.domains) ? route.match.domains : [route.match.domains];
+      const certDomains = this.normalizeDomainsForCertProvisioning(rawDomains);
+
+      for (const domain of certDomains) {
+        if (provisionedDomains.has(domain)) continue;
+        provisionedDomains.add(domain);
+
+        // Build eventComms channel for this domain
+        let expiryDate: string | undefined;
+        let source = 'certProvisionFunction';
+
+        const eventComms: ICertProvisionEventComms = {
+          log: (msg) => logger.log('info', `[certProvision ${domain}] ${msg}`, { component: 'smart-proxy' }),
+          warn: (msg) => logger.log('warn', `[certProvision ${domain}] ${msg}`, { component: 'smart-proxy' }),
+          error: (msg) => logger.log('error', `[certProvision ${domain}] ${msg}`, { component: 'smart-proxy' }),
+          setExpiryDate: (date) => { expiryDate = date.toISOString(); },
+          setSource: (s) => { source = s; },
+        };
 
-      for (const domain of domains) {
         try {
-          const result: TSmartProxyCertProvisionObject = await provisionFn(domain);
+          const result: TSmartProxyCertProvisionObject = await provisionFn(domain, eventComms);
 
           if (result === 'http01') {
-            // Rust handles ACME for this domain
+            // Callback wants HTTP-01 for this domain — trigger Rust ACME explicitly
+            if (route.name) {
+              try {
+                await this.bridge.provisionCertificate(route.name);
+                logger.log('info', `Triggered Rust ACME for ${domain} (route: ${route.name})`, { component: 'smart-proxy' });
+              } catch (provisionErr: any) {
+                logger.log('warn', `Cannot provision cert for ${domain} — callback returned 'http01' but Rust ACME failed: ${provisionErr.message}. ` +
+                  'Note: Rust ACME is disabled when certProvisionFunction is set.', { component: 'smart-proxy' });
+              }
+            }
             continue;
           }
 
@@ -398,19 +460,87 @@ export class SmartProxy extends plugins.EventEmitter {
               certObj.privateKey,
             );
             logger.log('info', `Certificate loaded via provision function for ${domain}`, { component: 'smart-proxy' });
+
+            // Persist to consumer store
+            if (this.settings.certStore?.save) {
+              try {
+                await this.settings.certStore.save(domain, certObj.publicKey, certObj.privateKey);
+              } catch (storeErr: any) {
+                logger.log('warn', `certStore.save() failed for ${domain}: ${storeErr.message}`, { component: 'smart-proxy' });
+              }
+            }
+
+            // Emit certificate-issued event
+            this.emit('certificate-issued', {
+              domain,
+              expiryDate: expiryDate || (certObj.validUntil ? new Date(certObj.validUntil).toISOString() : undefined),
+              source,
+            } satisfies ICertificateIssuedEvent);
           }
         } catch (err: any) {
           logger.log('warn', `certProvisionFunction failed for ${domain}: ${err.message}`, { component: 'smart-proxy' });
 
-          // Fallback to ACME if enabled
-          if (this.settings.certProvisionFallbackToAcme !== false) {
-            logger.log('info', `Falling back to ACME for ${domain}`, { component: 'smart-proxy' });
+          // Emit certificate-failed event
+          this.emit('certificate-failed', {
+            domain,
+            error: err.message,
+            source,
+          } satisfies ICertificateFailedEvent);
+
+          // Fallback to ACME if enabled and route has a name
+          if (this.settings.certProvisionFallbackToAcme !== false && route.name) {
+            try {
+              await this.bridge.provisionCertificate(route.name);
+              logger.log('info', `Falling back to Rust ACME for ${domain} (route: ${route.name})`, { component: 'smart-proxy' });
+            } catch (acmeErr: any) {
+              logger.log('warn', `ACME fallback also failed for ${domain}: ${acmeErr.message}` +
+                (this.settings.disableDefaultCert
+                  ? ' — TLS will fail for this domain (disableDefaultCert is true)'
+                  : ' — default self-signed fallback cert will be used'), { component: 'smart-proxy' });
+            }
           }
         }
       }
     }
   }
 
+  /**
+   * Normalize routing glob patterns into valid domain identifiers for cert provisioning.
+   * - `*nevermind.cloud` → `['nevermind.cloud', '*.nevermind.cloud']`
+   * - `*.lossless.digital` → `['*.lossless.digital']` (already valid wildcard)
+   * - `code.foss.global` → `['code.foss.global']` (plain domain)
+   * - `*mid*.example.com` → skipped with warning (unsupported glob)
+   */
+  private normalizeDomainsForCertProvisioning(rawDomains: string[]): string[] {
+    const result: string[] = [];
+    for (const raw of rawDomains) {
+      // Plain domain — no glob characters
+      if (!raw.includes('*')) {
+        result.push(raw);
+        continue;
+      }
+
+      // Valid wildcard: *.example.com
+      if (raw.startsWith('*.') && !raw.slice(2).includes('*')) {
+        result.push(raw);
+        continue;
+      }
+
+      // Routing glob like *example.com (leading star, no dot after it)
+      // Convert to bare domain + wildcard pair
+      if (raw.startsWith('*') && !raw.startsWith('*.') && !raw.slice(1).includes('*')) {
+        const baseDomain = raw.slice(1); // Remove leading *
+        result.push(baseDomain);
+        result.push(`*.${baseDomain}`);
+        continue;
+      }
+
+      // Unsupported glob pattern (e.g. *mid*.example.com)
+      logger.log('warn', `Skipping unsupported glob pattern for cert provisioning: ${raw}`, { component: 'smart-proxy' });
+    }
+    return result;
+  }
+
   private isValidDomain(domain: string): boolean {
     if (!domain || domain.length === 0) return false;
     if (domain.includes('*')) return false;

ts/proxies/smart-proxy/utils/default-cert-generator.ts

@@ -0,0 +1,36 @@
+import * as plugins from '../../../plugins.js';
+
+/**
+ * Generate a self-signed fallback certificate (CN=SmartProxy Default Certificate, SAN=*).
+ * Used as the '*' wildcard fallback so TLS handshakes never reset due to missing certs.
+ */
+export function generateDefaultCertificate(): { cert: string; key: string } {
+  const forge = plugins.smartcrypto.nodeForge;
+
+  // Generate 2048-bit RSA keypair
+  const keypair = forge.pki.rsa.generateKeyPair({ bits: 2048 });
+
+  // Create self-signed X.509 certificate
+  const cert = forge.pki.createCertificate();
+  cert.publicKey = keypair.publicKey;
+  cert.serialNumber = '01';
+  cert.validity.notBefore = new Date();
+  cert.validity.notAfter = new Date();
+  cert.validity.notAfter.setFullYear(cert.validity.notBefore.getFullYear() + 1);
+
+  const attrs = [{ name: 'commonName', value: 'SmartProxy Default Certificate' }];
+  cert.setSubject(attrs);
+  cert.setIssuer(attrs);
+
+  // Add wildcard SAN
+  cert.setExtensions([
+    { name: 'subjectAltName', altNames: [{ type: 2 /* DNS */, value: '*' }] },
+  ]);
+
+  cert.sign(keypair.privateKey, forge.md.sha256.create());
+
+  return {
+    cert: forge.pki.certificateToPem(cert),
+    key: forge.pki.privateKeyToPem(keypair.privateKey),
+  };
+}

ts/proxies/smart-proxy/utils/index.ts

@@ -14,6 +14,9 @@ export * from './route-validator.js';
 // Export route utilities for route operations
 export * from './route-utils.js';
 
+// Export default certificate generator
+export { generateDefaultCertificate } from './default-cert-generator.js';
+
 // Export additional functions from route-helpers that weren't already exported
 export {
   createApiGatewayRoute,