v25.6.0

assets/certs/cert.pem

@@ -1,19 +1,20 @@
 -----BEGIN CERTIFICATE-----
-MIIDCzCCAfOgAwIBAgIUPU4tviz3ZvsMDjCz1NZRT16b0Y4wDQYJKoZIhvcNAQEL
-BQAwFTETMBEGA1UEAwwKcHVzaC5yb2NrczAeFw0yNTAyMDMyMzA5MzRaFw0yNjAy
-MDMyMzA5MzRaMBUxEzARBgNVBAMMCnB1c2gucm9ja3MwggEiMA0GCSqGSIb3DQEB
-AQUAA4IBDwAwggEKAoIBAQCZMkBYD/pYLBv9MiyHTLRT24kQyPeJBtZqryibi1jk
-BT1ZgNl3yo5U6kjj/nYBU/oy7M4OFC0xyaJQ4wpvLHu7xzREqwT9N9WcDcxaahUi
-P8+PsjGyznPrtXa1ASzGAYMNvXyWWp3351UWZHMEs6eY/Y7i8m4+0NwP5h8RNBCF
-KSFS41Ee9rNAMCnQSHZv1vIzKeVYPmYnCVmL7X2kQb+gS6Rvq5sEGLLKMC5QtTwI
-rdkPGpx4xZirIyf8KANbt0sShwUDpiCSuOCtpze08jMzoHLG9Nv97cJQjb/BhiES
-hLL+YjfAUFjq0rQ38zFKLJ87QB9Jym05mY6IadGQLXVXAgMBAAGjUzBRMB0GA1Ud
-DgQWBBQjpowWjrql/Eo2EVjl29xcjuCgkTAfBgNVHSMEGDAWgBQjpowWjrql/Eo2
-EVjl29xcjuCgkTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAY
-44vqbaf6ewFrZC0f3Kk4A10lC6qjWkcDFfw+JE8nzt+4+xPqp1eWgZKF2rONyAv2
-nG41Xygt19ByancXLU44KB24LX8F1GV5Oo7CGBA+xtoSPc0JulXw9fGclZDC6XiR
-P/+vhGgCHicbfP2O+N00pOifrTtf2tmOT4iPXRRo4TxmPzuCd+ZJTlBhPlKCmICq
-yGdAiEo6HsSiP+M5qVlNx8s57MhQYk5TpgmI6FU4mO7zfDfSatFonlg+aDbrnaqJ
-v/+km02M+oB460GmKwsSTnThHZgLNCLiKqD8bdziiCQjx5u0GjLI6468o+Aehb8l
-l/x9vWTTk/QKq41X5hFk
+MIIDQTCCAimgAwIBAgIUJm+igT1AVSuwNzjvqjSF6cysw6MwDQYJKoZIhvcNAQEL
+BQAwFDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTI2MDIxMzIyMzI1MloXDTM2MDIx
+MTIyMzI1MlowFDESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAyjitkDd4DdlVk4TfVxKUqdxnJCGj9uyrUPAqR8hB6+bR
++8rW63ryBNYNRizxOGw41E19ascNuyA98mUF4oqjid1K4VqDiKzv1Uq/3NUunCw/
+rEddR5hCoVkTsBJjzNgBJqncS606v0hfA00cCkpGR+Te7Q/E8T8lApioz1zFQ05Y
+C69oeJHIrJcrIkIFAgmXDgRF0Z4ErUeu+wVOWT267uVAYn5AdFMxCSIBsYtPseqy
+cC5EQ6BCBtsIGitlRgzLRg957ZZa+SF38ao+/ijYmOLHpQT0mFaUyLT7BKgxguGs
+8CHcIxN5Qo27J3sC5ymnrv2uk5DcAOUcxklXUbVCeQIDAQABo4GKMIGHMB0GA1Ud
+DgQWBBShZhz7aX/KhleAfYKvTgyG5ANuDjAfBgNVHSMEGDAWgBShZhz7aX/KhleA
+fYKvTgyG5ANuDjAPBgNVHRMBAf8EBTADAQH/MDQGA1UdEQQtMCuCCWxvY2FsaG9z
+dIIKcHVzaC5yb2Nrc4IMKi5wdXNoLnJvY2tzhwR/AAABMA0GCSqGSIb3DQEBCwUA
+A4IBAQAyUvjUszQp4riqa3CfBFFtjh+7DKNuQPOlYAwSEis4l+YK06Glx4fJBHcx
+eCPhQ/0wnPzi6CZe3vVRXd5fX27nVs+lMQD6Oc47F8OmTU6NXnb/1AcvrycDsP8D
+9Y9qecekbpegrN1W4D46goBAwvrd6Qy0EHi0Z5z02rfyXAdxm0OmdpuWoIMcEgUQ
+YyXIq3zSFE6uoO61WdLvBcXN6iaiSTVy0605WncDe2+UT9MeNq6zi1JD34jsgUrd
+xq0WRUk2C6C4Irkf00Q12rXeL+Jv5OwyrUUZRvz0gLgG02UUbB/6Ca5GYNXniEuI
+Py/EHTqbtjLIs7HxYjQH86FI9fUj
 -----END CERTIFICATE-----

assets/certs/key.pem

@@ -1,28 +1,28 @@
 -----BEGIN PRIVATE KEY-----
-MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCZMkBYD/pYLBv9
-MiyHTLRT24kQyPeJBtZqryibi1jkBT1ZgNl3yo5U6kjj/nYBU/oy7M4OFC0xyaJQ
-4wpvLHu7xzREqwT9N9WcDcxaahUiP8+PsjGyznPrtXa1ASzGAYMNvXyWWp3351UW
-ZHMEs6eY/Y7i8m4+0NwP5h8RNBCFKSFS41Ee9rNAMCnQSHZv1vIzKeVYPmYnCVmL
-7X2kQb+gS6Rvq5sEGLLKMC5QtTwIrdkPGpx4xZirIyf8KANbt0sShwUDpiCSuOCt
-pze08jMzoHLG9Nv97cJQjb/BhiEShLL+YjfAUFjq0rQ38zFKLJ87QB9Jym05mY6I
-adGQLXVXAgMBAAECggEARGCBBq1PBHbfoUH5TQSIAlvdEEBa9+602lZG7jIioVfT
-W7Uem5Ctuan+kcDcY9hbNsqqZ+9KgsvoJmlIGXoF2jjeE/4vUmRO9AHWoc5yk2Be
-4NjcxN3QMLdEfiLBnLlFCOd4CdX1ZxZ6TG3WRpV3a1pVIeeqHGB1sKT6Xd/atcwG
-RvpiXzu0SutGxVb6WE9r6hovZ4fVERCyCRczUGrUH5ICbxf6E7L4u8xjEYR4uEKK
-/8ZkDqrWdRASDAdPPMNqnHUEAho/WnxpNeb6B4lvvv2QWxIS9H1OikF/NzWPgVNS
-oPpvtJgjyo5xdgLm3zE4lcSPNVSrh1TBXuAn9TG4WQKBgQDScPFkUNBqjC5iPMof
-bqDHlhlptrHmiv9LC0lgjEDPgIEQfjLfdCugwDk32QyAcb5B60upDYeqCFDkfV/C
-T536qxevYPjPAjahLPHqMxkWpjvtY6NOTgbbcpVtblU2Fj8R8qbyPNADG31LicU9
-GVPtQ4YcVaMWCYbg5107+9dFWQKBgQC6XK+foKK+81RFdrqaNNgebTWTsANnBcZe
-xl0bj6oL5yY0IzroxHvgcNS7UMriWCu+K2xfkUBdMmxU773VN5JQ5k15ezjgtrvc
-8oAaEsxYP4su12JSTC/zsBANUgrNbFj8++qqKYWt2aQc2O/kbZ4MNfekIVFc8AjM
-2X9PxvxKLwKBgHXL7QO3TQLnVyt8VbQEjBFMzwriznB7i+4o8jkOKVU93IEr8zQr
-5iQElcLSR3I6uUJTALYvsaoXH5jXKVwujwL69LYiNQRDe+r6qqvrUHbiNJdsd8Rk
-XuhGGqj34tD04Pcd+h+MtO+YWqmHBBZwcA9XBeIkebbjPFH2kLT8AwN5AoGAYQy9
-hMJxnkE3hIkk+gNE/OtgeE20J+Vw/ZANkrnJEzPHyGUEW41e+W2oyvdzAFZsSTdx
-037f5ujIU58Z27x53NliRT4vS4693H0Iyws5EUfeIoGVuUflvODWKymraHjhCrXh
-6cV/0R5DAabTnsCbCr7b/MRBC8YQvyUQ0KnOXo8CgYBQYGpvJnSWyvsCjtb6apTP
-drjcBhVd0aSBpLGtDdtUCV4oLl9HPy+cLzcGaqckBqCwEq5DKruhMEf7on56bUMd
-m/3ItFk1TnhysAeJHb3zLqmJ9CKBitpqLlsOE7MEXVNmbTYeXU10Uo9yOfyt1i7T
-su+nT5VtyPkmF/l4wZl5+g==
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDKOK2QN3gN2VWT
+hN9XEpSp3GckIaP27KtQ8CpHyEHr5tH7ytbrevIE1g1GLPE4bDjUTX1qxw27ID3y
+ZQXiiqOJ3UrhWoOIrO/VSr/c1S6cLD+sR11HmEKhWROwEmPM2AEmqdxLrTq/SF8D
+TRwKSkZH5N7tD8TxPyUCmKjPXMVDTlgLr2h4kcislysiQgUCCZcOBEXRngStR677
+BU5ZPbru5UBifkB0UzEJIgGxi0+x6rJwLkRDoEIG2wgaK2VGDMtGD3ntllr5IXfx
+qj7+KNiY4selBPSYVpTItPsEqDGC4azwIdwjE3lCjbsnewLnKaeu/a6TkNwA5RzG
+SVdRtUJ5AgMBAAECggEAEM8piTp9I5yQVxr1RCv+mMiB99BGjHrTij6uawlXxnPJ
+Ol574zbU6Yc/8vh/JB8l0arvzQmHCAoX8B9K4BABZE81X1paYujqJi8ImAMN9Owe
+LlQ/yhjbWAVbJDiBHHjLjrLRpaY8gwQxZqk5FpdiNG1vROIZzypeKZM2PAdke9HA
+PvJtsyfXdEz+jb5EUgaadyn7aquR6y607a8m55y34POLOcssteUOje4GdrTekHK0
+62E+iEnawBjIs7gBzJf0j1XjFNq3aAeLrn8gFCEb+yK7X++8FJ8YjwsqS5V1aMsR
+1PZguW0jCzYHATc2OcIozlvdBriPxy7eX8Y3MFvNMQKBgQD22ReUyKX5TKA/fg3z
+S/QGfYqd4T35jkwK1MaXOuFOBzNyTMT6ZJkbjxPOYPB0uakcfIlva8bI77mE5vRe
+PWYlvitp9Zz3v2kt/WgnwG32ZdVedPjEoi9aitUXmiiIoxdPVAUAgLPFFN65Sr2G
+2NM/vduZcAPUr0UWnFx4dlpo8QKBgQDRuAV44Y+1396511oW4OR8ofWFECMc5uEV
+wQ26EpbilEYhRSBty+1PAK5AcEGybeVtUn9RSmx0Ef1L15wnzP/C886LIzkaig/9
+xs0yudXgOFdBAzYQKnK2lZmSKkzcUFJtifat3E+ZMCo/duhzXpzecg/lVNGh6gcx
+xbtphJCyCQKBgEO8zvvFE8aVgGPr82gQL6aYTLGGXbtdkQBn4xcc0TbYQwXaizMq
+59joKkc30sQ1LnLiudQZfzMklYQi3Gv/7UfuJ3usKqbRn8s+/pXp+ELlLuf8sUdE
+OjpeXptbckQMfRkHtVet+abbU0MFf3zBgza6osg4NNToQ80wmy9zStwBAoGAGLeD
+jZeoBFt6OJT0/TVMOJQuB5y7RrC/Xnz+TSvbtKCdE1a+V7JtKZ5+6wFP/OOO4q+S
+adZHqfZk0Ad9VAOJMUTi1usz07jp4ZMIpC3a0y5QukzSll0qX/KJwvxRSrX8wQQ9
+mogYqYlPsWMmSlKgUmdHEFRK0LZwWqFfUTRaiWECgYEA6KR6KMbqnYn5CglHeD42
+NmOgFYXljRLIxS1coTiWWQZM/nUyx/tSk+MAS7770USHoZhAfh6lmEa/AeKSoLVl
+Su3yzgtKk1/doAtbiWD8TasHAhacwWmzTuZtH5cZUgW3QIVJg6ADi6m8zswqKxIS
+qfU/1N4aHp832v4ggRe/Og0=
 -----END PRIVATE KEY-----

changelog.md

@@ -1,5 +1,95 @@
 # Changelog
 
+## 2026-02-16 - 25.6.0 - feat(rustproxy)
+add protocol-based routing and backend TLS re-encryption support
+
+- Introduce optional route_match.protocol ("http" | "tcp") in Rust and TypeScript route types to allow protocol-restricted routing.
+- RouteManager: respect protocol field during matching and treat TLS connections without SNI as not matching domain-restricted routes (except wildcard-only routes).
+- HTTP proxy: add BackendStream abstraction to unify plain TCP and tokio-rustls TLS backend streams, and support connecting to upstreams over TLS (upstream.use_tls) with an InsecureBackendVerifier for internal/self-signed backends.
+- WebSocket and HTTP forwarding updated to use BackendStream so upstream TLS is handled transparently.
+- Passthrough listener: perform post-termination protocol detection for TerminateAndReencrypt; route HTTP flows into HttpProxyService and handle non-HTTP as TLS-to-TLS tunnel.
+- Add tests for protocol matching, TLS/no-SNI behavior, and other routing edge cases.
+- Add rustls and tokio-rustls dependencies (Cargo.toml/Cargo.lock updates).
+
+## 2026-02-16 - 25.5.0 - feat(tls)
+add shared TLS acceptor with SNI resolver and session resumption; prefer shared acceptor and fall back to per-connection when routes specify custom TLS versions
+
+- Add CertResolver that pre-parses PEM certs/keys into CertifiedKey instances for SNI-based lookup and cheap runtime resolution
+- Introduce build_shared_tls_acceptor to create a shared ServerConfig with session cache (4096) and Ticketer for session ticket resumption
+- Add ArcSwap<Option<TlsAcceptor>> shared_tls_acceptor to tcp_listener for hot-reloadable, pre-built acceptor and update accept loop/handlers to use it
+- set_tls_configs now attempts to build and store the shared TLS acceptor, falling back to per-connection acceptors on failure; raw PEM configs are still retained for route-level fallbacks
+- Add get_tls_acceptor helper: prefer shared acceptor for performance and session resumption, but build per-connection acceptor when a route requests custom TLS versions
+
+## 2026-02-16 - 25.4.0 - feat(rustproxy)
+support dynamically loaded TLS certificates via loadCertificate IPC and include them in listener TLS configs for rebuilds and hot-swap
+
+- Adds loaded_certs: HashMap<String, TlsCertConfig> to RustProxy to store certificates loaded at runtime
+- Merge loaded_certs into tls_configs in rebuild and listener hot-swap paths so dynamically loaded certs are served immediately
+- Persist loaded certificates on loadCertificate so future rebuilds include them
+
+## 2026-02-15 - 25.3.1 - fix(plugins)
+remove unused dependencies and simplify plugin exports
+
+- Removed multiple dependencies from package.json to reduce dependency footprint: @push.rocks/lik, @push.rocks/smartacme, @push.rocks/smartdelay, @push.rocks/smartfile, @push.rocks/smartnetwork, @push.rocks/smartpromise, @push.rocks/smartrequest, @push.rocks/smartrx, @push.rocks/smartstring, @push.rocks/taskbuffer, @types/minimatch, @types/ws, pretty-ms, ws
+- ts/plugins.ts: stopped importing/exporting node:https and many push.rocks and third-party modules; plugins now only re-export core node modules (without https), tsclass, smartcrypto, smartlog (+ destination-local), smartrust, and minimatch
+- Intended effect: trim surface area and remove unused/optional integrations; patch-level change (no feature/API additions)
+
+## 2026-02-14 - 25.3.0 - feat(smart-proxy)
+add background concurrent certificate provisioning with per-domain timeouts and concurrency control
+
+- Add ISmartProxyOptions settings: certProvisionTimeout (ms) and certProvisionConcurrency (default 4)
+- Run certProvisionFunction as fire-and-forget background tasks (stores promise on start/route-update and awaited on stop)
+- Provision certificates in parallel with a concurrency limit using a new ConcurrencySemaphore utility
+- Introduce per-domain timeout handling (default 300000ms) via withTimeout and surface timeout errors as certificate-failed events
+- Refactor provisioning into provisionSingleDomain to isolate domain handling, ACME fallback preserved
+- Run provisioning outside route update mutex so route updates are not blocked by slow provisioning
+
+## 2026-02-14 - 25.2.2 - fix(smart-proxy)
+start metrics polling before certificate provisioning to avoid blocking metrics collection
+
+- Start metrics polling immediately after Rust engine startup so metrics are available without waiting for certificate provisioning.
+- Run certProvisionFunction after startup because ACME/DNS-01 provisioning can hang or be slow and must not block observability.
+- Code change in ts/proxies/smart-proxy/smart-proxy.ts: metricsAdapter.startPolling() moved to run before provisionCertificatesViaCallback().
+
+## 2026-02-14 - 25.2.1 - fix(smartproxy)
+no changes detected in git diff
+
+- The provided diff contains no file changes; no code or documentation updates to release.
+
+## 2026-02-14 - 25.2.0 - feat(metrics)
+add per-IP and HTTP-request metrics, propagate source IP through proxy paths, and expose new metrics to the TS adapter
+
+- Add per-IP tracking and IpMetrics in MetricsCollector (active/total connections, bytes, throughput).
+- Add HTTP request counters and tracking (total_http_requests, http_requests_per_sec, recent counters and tests).
+- Include throughput history (ThroughputSample serialization, retention and snapshotting) and expose history in snapshots.
+- Propagate source IP through HTTP and passthrough code paths: CountingBody.record_bytes and MetricsCollector methods now accept source_ip; connection_opened/closed calls include source IP.
+- Introduce ForwardMetricsCtx to carry metrics context (collector, route_id, source_ip) into passthrough forwarding routines; update ConnectionGuard to include source_ip.
+- TypeScript adapter (rust-metrics-adapter.ts) updated to return per-IP counts, top IPs, per-IP throughput, throughput history mapping, and HTTP request rates/total where available.
+- Numerous unit tests added for per-IP tracking, HTTP request tracking, throughput history and ThroughputTracker.history behavior.
+
+## 2026-02-13 - 25.1.0 - feat(metrics)
+add real-time throughput sampling and byte-counting metrics
+
+- Add CountingBody wrapper to count HTTP request and response bytes and report them to MetricsCollector.
+- Implement lock-free hot-path byte recording and a cold-path sampling API (sample_all) in MetricsCollector with throughput history and configurable retention (default 3600s).
+- Spawn a background sampling task in RustProxy (configurable sample_interval_ms) and tear it down on stop so throughput trackers are regularly sampled.
+- Instrument passthrough TCP forwarding and socket-relay paths to record per-chunk bytes (lock-free) so long-lived connections contribute to throughput measurements.
+- Wrap HTTP request/response bodies with CountingBody in proxy_service to capture bytes_in/bytes_out and report on body completion; connection_closed handling updated accordingly.
+- Expose recent throughput metrics to the TypeScript adapter (throughputRecentIn/Out) and pass metrics settings from the TS SmartProxy into Rust.
+- Add http-body dependency and update Cargo.toml/Cargo.lock entries for the new body wrapper usage.
+- Add unit tests for MetricsCollector throughput tracking and a new end-to-end throughput test (test.throughput.ts).
+- Update test certificates (assets/certs cert.pem and key.pem) used by TLS tests.
+
+## 2026-02-13 - 25.0.0 - BREAKING CHANGE(certs)
+accept a second eventComms argument in certProvisionFunction, add cert provisioning event types, and emit certificate lifecycle events
+
+- Breaking API change: certProvisionFunction signature changed from (domain: string) => Promise<TSmartProxyCertProvisionObject> to (domain: string, eventComms: ICertProvisionEventComms) => Promise<TSmartProxyCertProvisionObject>. Custom provisioners must accept (or safely ignore) the new second argument.
+- New types added and exported: ICertProvisionEventComms, ICertificateIssuedEvent, ICertificateFailedEvent.
+- smart-proxy now constructs an eventComms channel that allows provisioners to log/warn/error and set expiry date and source for the issued event.
+- Emits 'certificate-issued' (domain, expiryDate, source, isRenewal?) on successful provisioning and 'certificate-failed' (domain, error, source) on failures.
+- Updated public exports to include the new types so they are available to consumers.
+- Removed readme.byte-counting-audit.md (documentation file deleted).
+
 ## 2026-02-13 - 24.0.1 - fix(proxy)
 improve proxy robustness: add connect timeouts, graceful shutdown, WebSocket watchdog, and metrics guard
 

deno.lock

@@ -5,29 +5,15 @@
     "npm:@git.zone/tsrun@^2.0.1": "2.0.1",
     "npm:@git.zone/tsrust@^1.3.0": "1.3.0",
     "npm:@git.zone/tstest@^3.1.8": "3.1.8_@push.rocks+smartserve@2.0.1_typescript@5.9.3",
-    "npm:@push.rocks/lik@^6.2.2": "6.2.2",
-    "npm:@push.rocks/smartacme@8": "8.0.0_@push.rocks+smartserve@2.0.1",
     "npm:@push.rocks/smartcrypto@^2.0.4": "2.0.4",
-    "npm:@push.rocks/smartdelay@^3.0.5": "3.0.5",
-    "npm:@push.rocks/smartfile@^13.1.2": "13.1.2",
     "npm:@push.rocks/smartlog@^3.1.10": "3.1.10",
-    "npm:@push.rocks/smartnetwork@^4.4.0": "4.4.0",
-    "npm:@push.rocks/smartpromise@^4.2.3": "4.2.3",
-    "npm:@push.rocks/smartrequest@^5.0.1": "5.0.1",
     "npm:@push.rocks/smartrust@^1.2.1": "1.2.1",
-    "npm:@push.rocks/smartrx@^3.0.10": "3.0.10",
     "npm:@push.rocks/smartserve@^2.0.1": "2.0.1",
-    "npm:@push.rocks/smartstring@^4.1.0": "4.1.0",
-    "npm:@push.rocks/taskbuffer@^4.2.0": "4.2.0",
     "npm:@tsclass/tsclass@^9.3.0": "9.3.0",
-    "npm:@types/minimatch@6": "6.0.0",
     "npm:@types/node@^25.2.3": "25.2.3",
-    "npm:@types/ws@^8.18.1": "8.18.1",
     "npm:minimatch@^10.2.0": "10.2.0",
-    "npm:pretty-ms@^9.3.0": "9.3.0",
     "npm:typescript@^5.9.3": "5.9.3",
-    "npm:why-is-node-running@^3.2.2": "3.2.2",
-    "npm:ws@^8.19.0": "8.19.0"
+    "npm:why-is-node-running@^3.2.2": "3.2.2"
   },
   "npm": {
     "@api.global/typedrequest-interfaces@2.0.2": {
@@ -117,7 +103,7 @@
         "@push.rocks/smartsitemap",
         "@push.rocks/smartstream",
         "@push.rocks/smarttime",
-        "@push.rocks/taskbuffer@3.5.0",
+        "@push.rocks/taskbuffer",
         "@push.rocks/webrequest@3.0.37",
         "@push.rocks/webstore",
         "@tsclass/tsclass@9.3.0",
@@ -164,19 +150,6 @@
       ],
       "tarball": "https://verdaccio.lossless.digital/@api.global/typedsocket/-/typedsocket-3.1.1.tgz"
     },
-    "@apiclient.xyz/cloudflare@6.4.3": {
-      "integrity": "sha512-ztegUdUO3Zd4mUoTSylKlCEKPBMHEcggrLelR+7CiblM4beHMwopMVlryBmiCY7bOVbUSPoK0xsVTF7VIy3p/A==",
-      "dependencies": [
-        "@push.rocks/smartdelay",
-        "@push.rocks/smartlog",
-        "@push.rocks/smartpromise",
-        "@push.rocks/smartrequest@5.0.1",
-        "@push.rocks/smartstring",
-        "@tsclass/tsclass@9.3.0",
-        "cloudflare"
-      ],
-      "tarball": "https://verdaccio.lossless.digital/@apiclient.xyz/cloudflare/-/cloudflare-6.4.3.tgz"
-    },
     "@aws-crypto/crc32@5.2.0": {
       "integrity": "sha512-nLbCWqQNgUiwwtFsen1AdzAtvuLRsQS8rYgMuxCrdKf9kOssamGLuPwyTY9wyYblNr9+1XM8v6zoDTPPSIeANg==",
       "dependencies": [
@@ -1590,7 +1563,7 @@
         "@push.rocks/smartpromise",
         "@push.rocks/smartstring",
         "@push.rocks/smartunique",
-        "@push.rocks/taskbuffer@3.5.0",
+        "@push.rocks/taskbuffer",
         "@tsclass/tsclass@9.3.0"
       ],
       "tarball": "https://verdaccio.lossless.digital/@push.rocks/levelcache/-/levelcache-3.2.0.tgz"
@@ -1603,7 +1576,7 @@
         "@push.rocks/smartpromise",
         "@push.rocks/smartrx",
         "@push.rocks/smarttime",
-        "@types/minimatch@5.1.2",
+        "@types/minimatch",
         "@types/symbol-tree",
         "symbol-tree"
       ],
@@ -1632,7 +1605,7 @@
         "@push.rocks/smartpath@6.0.0",
         "@push.rocks/smartpromise",
         "@push.rocks/smartrx",
-        "@push.rocks/taskbuffer@3.5.0",
+        "@push.rocks/taskbuffer",
         "@tsclass/tsclass@9.3.0"
       ],
       "tarball": "https://verdaccio.lossless.digital/@push.rocks/npmextra/-/npmextra-5.3.3.tgz"
@@ -1648,28 +1621,6 @@
       ],
       "tarball": "https://verdaccio.lossless.digital/@push.rocks/qenv/-/qenv-6.1.3.tgz"
     },
-    "@push.rocks/smartacme@8.0.0_@push.rocks+smartserve@2.0.1": {
-      "integrity": "sha512-Oq+m+LX4IG0p4qCGZLEwa6UlMo5Hfq7paRjpREwQNsaGSKl23xsjsEJLxjxkePwaXnaIkHEwU/5MtrEkg2uKEQ==",
-      "dependencies": [
-        "@api.global/typedserver@3.0.80_@push.rocks+smartserve@2.0.1",
-        "@apiclient.xyz/cloudflare",
-        "@push.rocks/lik",
-        "@push.rocks/smartdata",
-        "@push.rocks/smartdelay",
-        "@push.rocks/smartdns@6.2.2",
-        "@push.rocks/smartfile@11.2.7",
-        "@push.rocks/smartlog",
-        "@push.rocks/smartnetwork",
-        "@push.rocks/smartpromise",
-        "@push.rocks/smartrequest@2.1.0",
-        "@push.rocks/smartstring",
-        "@push.rocks/smarttime",
-        "@push.rocks/smartunique",
-        "@tsclass/tsclass@9.3.0",
-        "acme-client"
-      ],
-      "tarball": "https://verdaccio.lossless.digital/@push.rocks/smartacme/-/smartacme-8.0.0.tgz"
-    },
     "@push.rocks/smartarchive@4.2.4": {
       "integrity": "sha512-uiqVAXPxmr8G5rv3uZvZFMOCt8l7cZC3nzvsy4YQqKf/VkPhKIEX+b7LkAeNlxPSYUiBQUkNRoawg9+5BaMcHg==",
       "dependencies": [
@@ -1805,7 +1756,7 @@
         "@push.rocks/smartstring",
         "@push.rocks/smarttime",
         "@push.rocks/smartunique",
-        "@push.rocks/taskbuffer@3.5.0",
+        "@push.rocks/taskbuffer",
         "@tsclass/tsclass@9.3.0",
         "mongodb"
       ],
@@ -1818,23 +1769,6 @@
       ],
       "tarball": "https://verdaccio.lossless.digital/@push.rocks/smartdelay/-/smartdelay-3.0.5.tgz"
     },
-    "@push.rocks/smartdns@6.2.2": {
-      "integrity": "sha512-MhJcHujbyIuwIIFdnXb2OScGtRjNsliLUS8GoAurFsKtcCOaA0ytfP+PNzkukyBufjb1nMiJF3rjhswXdHakAQ==",
-      "dependencies": [
-        "@push.rocks/smartdelay",
-        "@push.rocks/smartenv@5.0.13",
-        "@push.rocks/smartpromise",
-        "@push.rocks/smartrequest@2.1.0",
-        "@tsclass/tsclass@5.0.0",
-        "@types/dns-packet",
-        "@types/elliptic",
-        "acme-client",
-        "dns-packet",
-        "elliptic",
-        "minimatch@10.2.0"
-      ],
-      "tarball": "https://verdaccio.lossless.digital/@push.rocks/smartdns/-/smartdns-6.2.2.tgz"
-    },
     "@push.rocks/smartdns@7.8.0": {
       "integrity": "sha512-5FX74AAgQSqWPZkpTsI/BbUKBQpZKSvs+UdX9IZpwcuPldI+K7D1WeE02mMAGd1Ncd/sYAMor5CTlhnG6L+QhQ==",
       "dependencies": [
@@ -2095,7 +2029,7 @@
     "@push.rocks/smartnetwork@4.4.0": {
       "integrity": "sha512-OvFtz41cvQ7lcXwaIOhghNUUlNoMxvwKDctbDvMyuZyEH08SpLjhyv2FuKbKL/mgwA/WxakTbohoC8SW7t+kiw==",
       "dependencies": [
-        "@push.rocks/smartdns@7.8.0",
+        "@push.rocks/smartdns",
         "@push.rocks/smartping",
         "@push.rocks/smartpromise",
         "@push.rocks/smartstring",
@@ -2449,20 +2383,6 @@
       ],
       "tarball": "https://verdaccio.lossless.digital/@push.rocks/taskbuffer/-/taskbuffer-3.5.0.tgz"
     },
-    "@push.rocks/taskbuffer@4.2.0": {
-      "integrity": "sha512-ttoBe5y/WXkAo5/wSMcC/Y4Zbyw4XG8kwAsEaqnAPCxa3M9MI1oV/yM1e9gU1IH97HVPidzbTxRU5/PcHDdUsg==",
-      "dependencies": [
-        "@design.estate/dees-element",
-        "@push.rocks/lik",
-        "@push.rocks/smartdelay",
-        "@push.rocks/smartlog",
-        "@push.rocks/smartpromise",
-        "@push.rocks/smartrx",
-        "@push.rocks/smarttime",
-        "@push.rocks/smartunique"
-      ],
-      "tarball": "https://verdaccio.lossless.digital/@push.rocks/taskbuffer/-/taskbuffer-4.2.0.tgz"
-    },
     "@push.rocks/webrequest@3.0.37": {
       "integrity": "sha512-fLN7kP6GeHFxE4UH4r9C9pjcQb0QkJxHeAMwXvbOqB9hh0MFNKhtGU7GoaTn8SVRGRMPc9UqZVNwo6u5l8Wn0A==",
       "dependencies": [
@@ -3317,13 +3237,6 @@
       ],
       "tarball": "https://verdaccio.lossless.digital/@tsclass/tsclass/-/tsclass-4.4.4.tgz"
     },
-    "@tsclass/tsclass@5.0.0": {
-      "integrity": "sha512-2X66VCk0Oe1L01j6GQHC6F9Gj7lpZPPSUTDNax7e29lm4OqBTyAzTR3ePR8coSbWBwsmRV8awLRSrSI+swlqWA==",
-      "dependencies": [
-        "type-fest@4.41.0"
-      ],
-      "tarball": "https://verdaccio.lossless.digital/@tsclass/tsclass/-/tsclass-5.0.0.tgz"
-    },
     "@tsclass/tsclass@9.3.0": {
       "integrity": "sha512-KD3oTUN3RGu67tgjNHgWWZGsdYipr1RUDxQ9MMKSgIJ6oNZ4q5m2rg0ibrgyHWkAjTPlHVa6kHP3uVOY+8bnHw==",
       "dependencies": [
@@ -3338,13 +3251,6 @@
       ],
       "tarball": "https://verdaccio.lossless.digital/@tybys/wasm-util/-/wasm-util-0.10.1.tgz"
     },
-    "@types/bn.js@5.2.0": {
-      "integrity": "sha512-DLbJ1BPqxvQhIGbeu8VbUC1DiAiahHtAYvA0ZEAa4P31F7IaArc8z3C3BRQdWX4mtLQuABG4yzp76ZrS02Ui1Q==",
-      "dependencies": [
-        "@types/node@24.2.0"
-      ],
-      "tarball": "https://verdaccio.lossless.digital/@types/bn.js/-/bn.js-5.2.0.tgz"
-    },
     "@types/body-parser@1.19.6": {
       "integrity": "sha512-HLFeCYgz89uk22N5Qg3dvGvsv46B8GLvKKo1zKG4NybA8U2DiEO3w9lqGg29t/tfLRJpJ6iQxnVw4OnB7MoM9g==",
       "dependencies": [
@@ -3393,13 +3299,6 @@
       ],
       "tarball": "https://verdaccio.lossless.digital/@types/dns-packet/-/dns-packet-5.6.5.tgz"
     },
-    "@types/elliptic@6.4.18": {
-      "integrity": "sha512-UseG6H5vjRiNpQvrhy4VF/JXdA3V/Fp5amvveaL+fs28BZ6xIKJBPnUPRlEaZpysD9MbpfaLi8lbl7PGUAkpWw==",
-      "dependencies": [
-        "@types/bn.js"
-      ],
-      "tarball": "https://verdaccio.lossless.digital/@types/elliptic/-/elliptic-6.4.18.tgz"
-    },
     "@types/express-serve-static-core@5.1.1": {
       "integrity": "sha512-v4zIMr/cX7/d2BpAEX3KNKL/JrT1s43s96lLvvdTmza1oEvDudCqK9aF/djc/SWgy8Yh0h30TZx5VpzqFCxk5A==",
       "dependencies": [
@@ -3481,14 +3380,6 @@
       "integrity": "sha512-K0VQKziLUWkVKiRVrx4a40iPaxTUefQmjtkQofBkYRcoaaL/8rhwDWww9qWbrgicNOgnpIsMxyNIUM4+n6dUIA==",
       "tarball": "https://verdaccio.lossless.digital/@types/minimatch/-/minimatch-5.1.2.tgz"
     },
-    "@types/minimatch@6.0.0": {
-      "integrity": "sha512-zmPitbQ8+6zNutpwgcQuLcsEpn/Cj54Kbn7L5pX0Os5kdWplB7xPgEh/g+SWOB/qmows2gpuCaPyduq8ZZRnxA==",
-      "dependencies": [
-        "minimatch@10.2.0"
-      ],
-      "deprecated": true,
-      "tarball": "https://verdaccio.lossless.digital/@types/minimatch/-/minimatch-6.0.0.tgz"
-    },
     "@types/ms@2.1.0": {
       "integrity": "sha512-GsCCIZDE/p3i96vtEqx+7dBUGXrc7zeSK3wwPHIaRThS+9OhWIXRqzs4d6k1SVU8g91DrNRWxWUGhp5KXQb2VA==",
       "tarball": "https://verdaccio.lossless.digital/@types/ms/-/ms-2.1.0.tgz"
@@ -3500,14 +3391,6 @@
       ],
       "tarball": "https://verdaccio.lossless.digital/@types/mute-stream/-/mute-stream-0.0.4.tgz"
     },
-    "@types/node-fetch@2.6.13": {
-      "integrity": "sha512-QGpRVpzSaUs30JBSGPjOg4Uveu384erbHBoT1zeONvyCfwQxIkUshLAOqN/k9EjGviPRmWTTe6aH2qySWKTVSw==",
-      "dependencies": [
-        "@types/node@24.2.0",
-        "form-data"
-      ],
-      "tarball": "https://verdaccio.lossless.digital/@types/node-fetch/-/node-fetch-2.6.13.tgz"
-    },
     "@types/node-forge@1.3.14": {
       "integrity": "sha512-mhVF2BnD4BO+jtOp7z1CdzaK4mbuK0LLQYAvdOLqHTavxFNq4zA1EmYkpnFjP8HOUzedfQkRnp0E2ulSAYSzAw==",
       "dependencies": [
@@ -3515,13 +3398,6 @@
       ],
       "tarball": "https://verdaccio.lossless.digital/@types/node-forge/-/node-forge-1.3.14.tgz"
     },
-    "@types/node@18.19.130": {
-      "integrity": "sha512-GRaXQx6jGfL8sKfaIDD6OupbIHBr9jv7Jnaml9tB7l4v068PAOXqfcujMMo5PhbIs6ggR1XODELqahT2R8v0fg==",
-      "dependencies": [
-        "undici-types@5.26.5"
-      ],
-      "tarball": "https://verdaccio.lossless.digital/@types/node/-/node-18.19.130.tgz"
-    },
     "@types/node@22.19.11": {
       "integrity": "sha512-BH7YwL6rA93ReqeQS1c4bsPpcfOmJasG+Fkr6Y59q83f9M1WcBRHR2vM+P9eOisYRcN3ujQoiZY8uk5W+1WL8w==",
       "dependencies": [
@@ -3660,13 +3536,6 @@
       "integrity": "sha512-WmoN8qaIAo7WTYWbAZuG8PYEhn5fkz7dZrqTBZ7dtt//lL2Gwms1IcnQ5yHqjDfX8Ft5j4YzDM23f87zBfDe9g==",
       "tarball": "https://verdaccio.lossless.digital/@ungap/structured-clone/-/structured-clone-1.3.0.tgz"
     },
-    "abort-controller@3.0.0": {
-      "integrity": "sha512-h8lQ8tacZYnR3vNQTgibj+tODHI5/+l06Au2Pcriv/Gmet0eaj4TwWH41sO9wnHDiQsEj19q0drzdWdeAHtweg==",
-      "dependencies": [
-        "event-target-shim"
-      ],
-      "tarball": "https://verdaccio.lossless.digital/abort-controller/-/abort-controller-3.0.0.tgz"
-    },
     "accepts@1.3.8": {
       "integrity": "sha512-PYAthTa2m2VKxuvSD3DPC/Gy+U+sOA1LAuT8mkmRuvw+NACSaeXEQ+NHcVF7rONl6qcaxV3Uuemwawk+7+SJLw==",
       "dependencies": [
@@ -3849,10 +3718,6 @@
       "integrity": "sha512-RkaJzeJKDbaDWTIPiJwubyljaEPwpVWkm9Rt5h9Nd6h7tEXTJ3VB4qxdZBioV7JO5yLUaOKwz7vDOzlncUsegw==",
       "tarball": "https://verdaccio.lossless.digital/basic-ftp/-/basic-ftp-5.1.0.tgz"
     },
-    "bn.js@4.12.2": {
-      "integrity": "sha512-n4DSx829VRTRByMRGdjQ9iqsN0Bh4OolPsFnaZBLcbi8iXcB+kJ9s7EnRt4wILZNV3kPLHkRVfOc/HvhC3ovDw==",
-      "tarball": "https://verdaccio.lossless.digital/bn.js/-/bn.js-4.12.2.tgz"
-    },
     "body-parser@2.2.2": {
       "integrity": "sha512-oP5VkATKlNwcgvxi0vM0p/D3n2C3EReYVX+DNYs5TjZFn/oQt2j+4sVJtSMr18pdRr8wjTcBl6LoV+FUwzPmNA==",
       "dependencies": [
@@ -3904,10 +3769,6 @@
       ],
       "tarball": "https://verdaccio.lossless.digital/broadcast-channel/-/broadcast-channel-7.3.0.tgz"
     },
-    "brorand@1.1.0": {
-      "integrity": "12c25efe40a45e3c323eb8675a0a0ce57b22371f",
-      "tarball": "https://verdaccio.lossless.digital/brorand/-/brorand-1.1.0.tgz"
-    },
     "bson@6.10.4": {
       "integrity": "sha512-WIsKqkSC0ABoBJuT1LEX+2HEvNmNKKgnTAyd0fL8qzK4SH2i9NXg+t08YtdZp/V9IZ33cxe3iV4yM0qg8lMQng==",
       "tarball": "https://verdaccio.lossless.digital/bson/-/bson-6.10.4.tgz"
@@ -4051,19 +3912,6 @@
       ],
       "tarball": "https://verdaccio.lossless.digital/cliui/-/cliui-8.0.1.tgz"
     },
-    "cloudflare@5.2.0": {
-      "integrity": "sha512-dVzqDpPFYR9ApEC9e+JJshFJZXcw4HzM8W+3DHzO5oy9+8rLC53G7x6fEf9A7/gSuSCxuvndzui5qJKftfIM9A==",
-      "dependencies": [
-        "@types/node@18.19.130",
-        "@types/node-fetch",
-        "abort-controller",
-        "agentkeepalive",
-        "form-data-encoder@1.7.2",
-        "formdata-node",
-        "node-fetch"
-      ],
-      "tarball": "https://verdaccio.lossless.digital/cloudflare/-/cloudflare-5.2.0.tgz"
-    },
     "color-convert@2.0.1": {
       "integrity": "sha512-RRECPsj7iu/xb5oKYcsFHSppFNnsj/52OVTRKb4zP5onXwVF3zVmmToNcOfGC+CRDpfK/U584fMg38ZHCaElKQ==",
       "dependencies": [
@@ -4286,19 +4134,6 @@
       "integrity": "590c61156b0ae2f4f0255732a158b266bc56b21d",
       "tarball": "https://verdaccio.lossless.digital/ee-first/-/ee-first-1.1.1.tgz"
     },
-    "elliptic@6.6.1": {
-      "integrity": "sha512-RaddvvMatK2LJHqFJ+YA4WysVN5Ita9E35botqIYspQ4TkRAlCicdzKOjlyv/1Za5RyTNn7di//eEV0uTAfe3g==",
-      "dependencies": [
-        "bn.js",
-        "brorand",
-        "hash.js",
-        "hmac-drbg",
-        "inherits",
-        "minimalistic-assert",
-        "minimalistic-crypto-utils"
-      ],
-      "tarball": "https://verdaccio.lossless.digital/elliptic/-/elliptic-6.6.1.tgz"
-    },
     "emoji-regex@8.0.0": {
       "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==",
       "tarball": "https://verdaccio.lossless.digital/emoji-regex/-/emoji-regex-8.0.0.tgz"
@@ -4464,10 +4299,6 @@
       "integrity": "41ae2eeb65efa62268aebfea83ac7d79299b0887",
       "tarball": "https://verdaccio.lossless.digital/etag/-/etag-1.8.1.tgz"
     },
-    "event-target-shim@5.0.1": {
-      "integrity": "sha512-i/2XbnSz/uxRCU6+NdVJgKWDTM427+MqYbkQzD321DuCQJUqOuJKIA0IM2+W2xtYHdKOmZ4dR6fExsd4SXL+WQ==",
-      "tarball": "https://verdaccio.lossless.digital/event-target-shim/-/event-target-shim-5.0.1.tgz"
-    },
     "eventemitter3@4.0.7": {
       "integrity": "sha512-8guHBZCwKnFhYdHr2ysuRWErTwhoN2X8XELRlrRwpmfeY2jjuUN4taQMsULKUVo1K4DvZl+0pgfyoysHxvmvEw==",
       "tarball": "https://verdaccio.lossless.digital/eventemitter3/-/eventemitter3-4.0.7.tgz"
@@ -4684,10 +4515,6 @@
       ],
       "tarball": "https://verdaccio.lossless.digital/foreground-child/-/foreground-child-3.3.1.tgz"
     },
-    "form-data-encoder@1.7.2": {
-      "integrity": "sha512-qfqtYan3rxrnCk1VYaA4H+Ms9xdpPqvLZa6xmMgFvhO32x7/3J/ExcTd6qpxM0vH2GdMI+poehyBZvqfMTto8A==",
-      "tarball": "https://verdaccio.lossless.digital/form-data-encoder/-/form-data-encoder-1.7.2.tgz"
-    },
     "form-data-encoder@2.1.4": {
       "integrity": "sha512-yDYSgNMraqvnxiEXO4hi88+YZxaHC6QKzb5N84iRCTDeRO7ZALpir/lVmf/uXUhnwUr2O4HU8s/n6x+yNjQkHw==",
       "tarball": "https://verdaccio.lossless.digital/form-data-encoder/-/form-data-encoder-2.1.4.tgz"
@@ -4707,14 +4534,6 @@
       "integrity": "d6170107e9efdc4ed30c9dc39016df942b5cb58b",
       "tarball": "https://verdaccio.lossless.digital/format/-/format-0.2.2.tgz"
     },
-    "formdata-node@4.4.1": {
-      "integrity": "sha512-0iirZp3uVDjVGt9p49aTaqjk84TrglENEDuqfdlZQ1roC9CWlPk6Avf8EEnZNcAqPonwkG35x4n3ww/1THYAeQ==",
-      "dependencies": [
-        "node-domexception",
-        "web-streams-polyfill"
-      ],
-      "tarball": "https://verdaccio.lossless.digital/formdata-node/-/formdata-node-4.4.1.tgz"
-    },
     "forwarded@0.2.0": {
       "integrity": "sha512-buRG0fpBtRHSTCOASe6hD258tEubFoRLb4ZNA6NxMVHNw2gOcwHo9wyablzMzOA5z9xA9L1KNjk/Nt6MT9aYow==",
       "tarball": "https://verdaccio.lossless.digital/forwarded/-/forwarded-0.2.0.tgz"
@@ -4846,7 +4665,7 @@
         "cacheable-lookup",
         "cacheable-request",
         "decompress-response",
-        "form-data-encoder@2.1.4",
+        "form-data-encoder",
         "get-stream@6.0.1",
         "http2-wrapper",
         "lowercase-keys",
@@ -4863,7 +4682,7 @@
       "integrity": "sha512-KyrFvnl+J9US63TEzwoiJOQzZBJY7KgBushJA8X61DMbNsH+2ONkDuLDnCnwUiPTF42tLoEmrPyoqbenVA5zrg==",
       "dependencies": [
         "entities",
-        "webidl-conversions@7.0.0",
+        "webidl-conversions",
         "whatwg-mimetype"
       ],
       "tarball": "https://verdaccio.lossless.digital/happy-dom/-/happy-dom-15.11.7.tgz"
@@ -4886,14 +4705,6 @@
       ],
       "tarball": "https://verdaccio.lossless.digital/has-tostringtag/-/has-tostringtag-1.0.2.tgz"
     },
-    "hash.js@1.1.7": {
-      "integrity": "sha512-taOaskGt4z4SOANNseOviYDvjEJinIkRgmp7LbKP2YTTmVxWBl87s/uzK9r+44BclBSp2X7K1hqeNfz9JbBeXA==",
-      "dependencies": [
-        "inherits",
-        "minimalistic-assert"
-      ],
-      "tarball": "https://verdaccio.lossless.digital/hash.js/-/hash.js-1.1.7.tgz"
-    },
     "hasown@2.0.2": {
       "integrity": "sha512-0hJU9SCPvmMzIBdZFqNPXWa6dqh7WdH0cII9y+CyS8rG3nL48Bclra9HmKhVVUHyPWNH5Y7xDwAB7bfgSjkUMQ==",
       "dependencies": [
@@ -4939,15 +4750,6 @@
       "bin": true,
       "tarball": "https://verdaccio.lossless.digital/he/-/he-1.2.0.tgz"
     },
-    "hmac-drbg@1.0.1": {
-      "integrity": "d2745701025a6c775a6c545793ed502fc0c649a1",
-      "dependencies": [
-        "hash.js",
-        "minimalistic-assert",
-        "minimalistic-crypto-utils"
-      ],
-      "tarball": "https://verdaccio.lossless.digital/hmac-drbg/-/hmac-drbg-1.0.1.tgz"
-    },
     "html-minifier@4.0.0": {
       "integrity": "sha512-aoGxanpFPLg7MkIl/DDFYtb0iWz7jMFGqFhvEDZga6/4QTjneiD8I/NXL1x5aaoCp7FSIT6h/OhykDdPsbtMig==",
       "dependencies": [
@@ -5845,14 +5647,6 @@
       "integrity": "sha512-UeX942qZpofn5L97h295SkS7j/ADf7Qac8gdRCMBPxi0/1m70aeB2owLFvWbyuMj1dowonlivlVRQVDx+6h+7Q==",
       "tarball": "https://verdaccio.lossless.digital/mingo/-/mingo-7.2.0.tgz"
     },
-    "minimalistic-assert@1.0.1": {
-      "integrity": "sha512-UtJcAD4yEaGtjPezWuO9wC4nwUnVH/8/Im3yEHQP4b67cXlD/Qr9hdITCU1xDbSEXg2XKNaP8jsReV7vQd00/A==",
-      "tarball": "https://verdaccio.lossless.digital/minimalistic-assert/-/minimalistic-assert-1.0.1.tgz"
-    },
-    "minimalistic-crypto-utils@1.0.1": {
-      "integrity": "f6c00c1c0b082246e5c4d99dfb8c7c083b2b582a",
-      "tarball": "https://verdaccio.lossless.digital/minimalistic-crypto-utils/-/minimalistic-crypto-utils-1.0.1.tgz"
-    },
     "minimatch@10.2.0": {
       "integrity": "sha512-ugkC31VaVg9cF0DFVoADH12k6061zNZkZON+aX8AWsR9GhPcErkcMBceb6znR8wLERM2AkkOxy2nWRLpT9Jq5w==",
       "dependencies": [
@@ -5890,7 +5684,7 @@
       "integrity": "sha512-rMO7CGo/9BFwyZABcKAWL8UJwH/Kc2x0g72uhDWzG48URRax5TCIcJ7Rc3RZqffZzO/Gwff/jyKwCU9TN8gehA==",
       "dependencies": [
         "@types/whatwg-url",
-        "whatwg-url@14.2.0"
+        "whatwg-url"
       ],
       "tarball": "https://verdaccio.lossless.digital/mongodb-connection-string-url/-/mongodb-connection-string-url-3.0.2.tgz"
     },
@@ -5969,17 +5763,6 @@
       ],
       "tarball": "https://verdaccio.lossless.digital/no-case/-/no-case-2.3.2.tgz"
     },
-    "node-domexception@1.0.0": {
-      "integrity": "sha512-/jKZoMpw0F8GRwl4/eLROPA3cfcXtLApP0QzLmUT/HuPCZWyB7IY9ZrMeKw2O/nFIqPQB3PVM9aYm0F312AXDQ==",
-      "tarball": "https://verdaccio.lossless.digital/node-domexception/-/node-domexception-1.0.0.tgz"
-    },
-    "node-fetch@2.7.0": {
-      "integrity": "sha512-c4FRfUm/dbcWZ7U+1Wq0AwCyFL+3nt2bEw05wfxSz+DWpWsitgmSgYmy2dQdWyKC1694ELPqMs/YzUSNozLt8A==",
-      "dependencies": [
-        "whatwg-url@5.0.0"
-      ],
-      "tarball": "https://verdaccio.lossless.digital/node-fetch/-/node-fetch-2.7.0.tgz"
-    },
     "node-forge@1.3.3": {
       "integrity": "sha512-rLvcdSyRCyouf6jcOIPe/BgwG/d7hKjzMKOas33/pHEr6gbq18IK9zV7DiPvzsz0oBJPme6qr6H6kGZuI9/DZg==",
       "tarball": "https://verdaccio.lossless.digital/node-forge/-/node-forge-1.3.3.tgz"
@@ -6913,10 +6696,6 @@
       ],
       "tarball": "https://verdaccio.lossless.digital/token-types/-/token-types-6.1.2.tgz"
     },
-    "tr46@0.0.3": {
-      "integrity": "8184fd347dac9cdc185992f3a6622e14b9d9ab6a",
-      "tarball": "https://verdaccio.lossless.digital/tr46/-/tr46-0.0.3.tgz"
-    },
     "tr46@5.1.1": {
       "integrity": "sha512-hdF5ZgjTqgAntKkklYw0R03MG2x/bSzTtkxmIRw/sTNV8YXsCJ1tfLAX23lhxhHJlEf3CRCOCGGWw3vI3GaSPw==",
       "dependencies": [
@@ -7014,10 +6793,6 @@
       "integrity": "sha512-rvKSBiC5zqCCiDZ9kAOszZcDvdAHwwIKJG33Ykj43OKcWsnmcBRL09YTU4nOeHZ8Y2a7l1MgTd08SBe9A8Qj6A==",
       "tarball": "https://verdaccio.lossless.digital/uint8array-extras/-/uint8array-extras-1.5.0.tgz"
     },
-    "undici-types@5.26.5": {
-      "integrity": "sha512-JlCMO+ehdEIKqlFxk6IfVoAUVmgz7cU7zD/h9XZ0qzeosSHmUJVOzSQvvYSYWXkFXC+IfLKSIffhv0sVZup6pA==",
-      "tarball": "https://verdaccio.lossless.digital/undici-types/-/undici-types-5.26.5.tgz"
-    },
     "undici-types@6.21.0": {
       "integrity": "sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ==",
       "tarball": "https://verdaccio.lossless.digital/undici-types/-/undici-types-6.21.0.tgz"
@@ -7134,18 +6909,10 @@
       ],
       "tarball": "https://verdaccio.lossless.digital/vfile/-/vfile-6.0.3.tgz"
     },
-    "web-streams-polyfill@4.0.0-beta.3": {
-      "integrity": "sha512-QW95TCTaHmsYfHDybGMwO5IJIM93I/6vTRk+daHTWFPhwh+C8Cg7j7XyKrwrj8Ib6vYXe0ocYNrmzY4xAAN6ug==",
-      "tarball": "https://verdaccio.lossless.digital/web-streams-polyfill/-/web-streams-polyfill-4.0.0-beta.3.tgz"
-    },
     "webdriver-bidi-protocol@0.4.0": {
       "integrity": "sha512-U9VIlNRrq94d1xxR9JrCEAx5Gv/2W7ERSv8oWRoNe/QYbfccS0V3h/H6qeNeCRJxXGMhhnkqvwNrvPAYeuP9VA==",
       "tarball": "https://verdaccio.lossless.digital/webdriver-bidi-protocol/-/webdriver-bidi-protocol-0.4.0.tgz"
     },
-    "webidl-conversions@3.0.1": {
-      "integrity": "24534275e2a7bc6be7bc86611cc16ae0a5654871",
-      "tarball": "https://verdaccio.lossless.digital/webidl-conversions/-/webidl-conversions-3.0.1.tgz"
-    },
     "webidl-conversions@7.0.0": {
       "integrity": "sha512-VwddBukDzu71offAQR975unBIGqfKZpM+8ZX6ySk8nYhVoo5CYaZyzt3YBvYtRtO+aoGlqxPg/B87NGVZ/fu6g==",
       "tarball": "https://verdaccio.lossless.digital/webidl-conversions/-/webidl-conversions-7.0.0.tgz"
@@ -7157,19 +6924,11 @@
     "whatwg-url@14.2.0": {
       "integrity": "sha512-De72GdQZzNTUBBChsXueQUnPKDkg/5A5zp7pFDuQAj5UFoENpiACU0wlCvzpAGnTkj++ihpKwKyYewn/XNUbKw==",
       "dependencies": [
-        "tr46@5.1.1",
-        "webidl-conversions@7.0.0"
+        "tr46",
+        "webidl-conversions"
       ],
       "tarball": "https://verdaccio.lossless.digital/whatwg-url/-/whatwg-url-14.2.0.tgz"
     },
-    "whatwg-url@5.0.0": {
-      "integrity": "966454e8765462e37644d3626f6742ce8b70965d",
-      "dependencies": [
-        "tr46@0.0.3",
-        "webidl-conversions@3.0.1"
-      ],
-      "tarball": "https://verdaccio.lossless.digital/whatwg-url/-/whatwg-url-5.0.0.tgz"
-    },
     "which@2.0.2": {
       "integrity": "sha512-BLI3Tl1TW3Pvl70l3yq3Y64i+awpwXqsGBYWkkqMtnbXgrMD+yj7rhW0kuEDxzJaYXGjEW5ogapKNMEKNMjibA==",
       "dependencies": [
@@ -7295,29 +7054,15 @@
         "npm:@git.zone/tsrun@^2.0.1",
         "npm:@git.zone/tsrust@^1.3.0",
         "npm:@git.zone/tstest@^3.1.8",
-        "npm:@push.rocks/lik@^6.2.2",
-        "npm:@push.rocks/smartacme@8",
         "npm:@push.rocks/smartcrypto@^2.0.4",
-        "npm:@push.rocks/smartdelay@^3.0.5",
-        "npm:@push.rocks/smartfile@^13.1.2",
         "npm:@push.rocks/smartlog@^3.1.10",
-        "npm:@push.rocks/smartnetwork@^4.4.0",
-        "npm:@push.rocks/smartpromise@^4.2.3",
-        "npm:@push.rocks/smartrequest@^5.0.1",
         "npm:@push.rocks/smartrust@^1.2.1",
-        "npm:@push.rocks/smartrx@^3.0.10",
         "npm:@push.rocks/smartserve@^2.0.1",
-        "npm:@push.rocks/smartstring@^4.1.0",
-        "npm:@push.rocks/taskbuffer@^4.2.0",
         "npm:@tsclass/tsclass@^9.3.0",
-        "npm:@types/minimatch@6",
         "npm:@types/node@^25.2.3",
-        "npm:@types/ws@^8.18.1",
         "npm:minimatch@^10.2.0",
-        "npm:pretty-ms@^9.3.0",
         "npm:typescript@^5.9.3",
-        "npm:why-is-node-running@^3.2.2",
-        "npm:ws@^8.19.0"
+        "npm:why-is-node-running@^3.2.2"
       ]
     }
   }

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@push.rocks/smartproxy",
-  "version": "24.0.1",
+  "version": "25.6.0",
   "private": false,
   "description": "A powerful proxy package with unified route-based configuration for high traffic management. Features include SSL/TLS support, flexible routing patterns, WebSocket handling, advanced security options, and automatic ACME certificate management.",
   "main": "dist_ts/index.js",
@@ -25,25 +25,11 @@
     "why-is-node-running": "^3.2.2"
   },
   "dependencies": {
-    "@push.rocks/lik": "^6.2.2",
-    "@push.rocks/smartacme": "^8.0.0",
     "@push.rocks/smartcrypto": "^2.0.4",
-    "@push.rocks/smartdelay": "^3.0.5",
-    "@push.rocks/smartfile": "^13.1.2",
     "@push.rocks/smartlog": "^3.1.10",
-    "@push.rocks/smartnetwork": "^4.4.0",
-    "@push.rocks/smartpromise": "^4.2.3",
-    "@push.rocks/smartrequest": "^5.0.1",
     "@push.rocks/smartrust": "^1.2.1",
-    "@push.rocks/smartrx": "^3.0.10",
-    "@push.rocks/smartstring": "^4.1.0",
-    "@push.rocks/taskbuffer": "^4.2.0",
     "@tsclass/tsclass": "^9.3.0",
-    "@types/minimatch": "^6.0.0",
-    "@types/ws": "^8.18.1",
-    "minimatch": "^10.2.0",
-    "pretty-ms": "^9.3.0",
-    "ws": "^8.19.0"
+    "minimatch": "^10.2.0"
   },
   "files": [
     "ts/**/*",

pnpm-lock.yaml

@@ -8,63 +8,21 @@ importers:
 
   .:
     dependencies:
-      '@push.rocks/lik':
-        specifier: ^6.2.2
-        version: 6.2.2
-      '@push.rocks/smartacme':
-        specifier: ^8.0.0
-        version: 8.0.0(socks@2.8.7)
       '@push.rocks/smartcrypto':
         specifier: ^2.0.4
         version: 2.0.4
-      '@push.rocks/smartdelay':
-        specifier: ^3.0.5
-        version: 3.0.5
-      '@push.rocks/smartfile':
-        specifier: ^13.1.2
-        version: 13.1.2
       '@push.rocks/smartlog':
         specifier: ^3.1.10
         version: 3.1.10
-      '@push.rocks/smartnetwork':
-        specifier: ^4.4.0
-        version: 4.4.0
-      '@push.rocks/smartpromise':
-        specifier: ^4.2.3
-        version: 4.2.3
-      '@push.rocks/smartrequest':
-        specifier: ^5.0.1
-        version: 5.0.1
       '@push.rocks/smartrust':
         specifier: ^1.2.1
         version: 1.2.1
-      '@push.rocks/smartrx':
-        specifier: ^3.0.10
-        version: 3.0.10
-      '@push.rocks/smartstring':
-        specifier: ^4.1.0
-        version: 4.1.0
-      '@push.rocks/taskbuffer':
-        specifier: ^4.2.0
-        version: 4.2.0
       '@tsclass/tsclass':
         specifier: ^9.3.0
         version: 9.3.0
-      '@types/minimatch':
-        specifier: ^6.0.0
-        version: 6.0.0
-      '@types/ws':
-        specifier: ^8.18.1
-        version: 8.18.1
       minimatch:
         specifier: ^10.2.0
         version: 10.2.0
-      pretty-ms:
-        specifier: ^9.3.0
-        version: 9.3.0
-      ws:
-        specifier: ^8.19.0
-        version: 8.19.0
     devDependencies:
       '@git.zone/tsbuild':
         specifier: ^4.1.2
@@ -113,9 +71,6 @@ packages:
       '@push.rocks/smartserve':
         optional: true
 
-  '@apiclient.xyz/cloudflare@6.4.3':
-    resolution: {integrity: sha512-ztegUdUO3Zd4mUoTSylKlCEKPBMHEcggrLelR+7CiblM4beHMwopMVlryBmiCY7bOVbUSPoK0xsVTF7VIy3p/A==}
-
   '@aws-crypto/crc32@5.2.0':
     resolution: {integrity: sha512-nLbCWqQNgUiwwtFsen1AdzAtvuLRsQS8rYgMuxCrdKf9kOssamGLuPwyTY9wyYblNr9+1XM8v6zoDTPPSIeANg==}
     engines: {node: '>=16.0.0'}
@@ -312,15 +267,9 @@ packages:
   '@design.estate/dees-domtools@2.3.6':
     resolution: {integrity: sha512-cKaPNtSpp/ZuuXVx2dXO3K2FU3/HjC4ZkqtXb8Kl6yy9rNDbgtjcI4PuOk9Ux1SJzw7FgcxqVh7OSEV60htbmg==}
 
-  '@design.estate/dees-domtools@2.3.8':
-    resolution: {integrity: sha512-jUG9GMvPxKMwmRIZ9oLTL3c8hHvHuiwIk8cTrYnuZzGO/uJJ5/czk9o6LRXUuCOOG7TRLtqgOpK8EEQgaadfZA==}
-
   '@design.estate/dees-element@2.1.3':
     resolution: {integrity: sha512-TjXWxVcdSPaT1IOk31ckfxvAZnJLuTxhFGsNCKoh63/UE2FVf6slp8//UFvN+ADigiA9ZsY0azkY99XbJCwDDA==}
 
-  '@design.estate/dees-element@2.1.6':
-    resolution: {integrity: sha512-7zyHkUjB8UEQgT9VbB2IJtc/yuPt9CI5JGel3b6BxA1kecY64ceIjFvof1uIkc0QP8q2fMLLY45r1c+9zDTjzg==}
-
   '@emnapi/core@1.8.1':
     resolution: {integrity: sha512-AvT9QFpxK0Zd8J0jopedNm+w/2fIzvtPKPjqyw9jwvBaReTTqPBk9Hixaz7KbjimP+QNz605/XnjFcDAL2pqBg==}
 
@@ -580,15 +529,9 @@ packages:
   '@lit-labs/ssr-dom-shim@1.4.0':
     resolution: {integrity: sha512-ficsEARKnmmW5njugNYKipTm4SFnbik7CXtoencDZzmzo/dQ+2Q0bgkzJuoJP20Aj0F+izzJjOqsnkd6F/o1bw==}
 
-  '@lit-labs/ssr-dom-shim@1.5.1':
-    resolution: {integrity: sha512-Aou5UdlSpr5whQe8AA/bZG0jMj96CoJIWbGfZ91qieWu5AWUMKw8VR/pAkQkJYvBNhmCcWnZlyyk5oze8JIqYA==}
-
   '@lit/reactive-element@2.1.1':
     resolution: {integrity: sha512-N+dm5PAYdQ8e6UlywyyrgI2t++wFGXfHx+dSJ1oBrg6FAxUj40jId++EaRm80MKX5JnlH1sBsyZ5h0bcZKemCg==}
 
-  '@lit/reactive-element@2.1.2':
-    resolution: {integrity: sha512-pbCDiVMnne1lYUIaYNN5wrwQXDtHaYtg7YEFPeW+hws6U47WeFvISGUWekPGKWOP1ygrs0ef0o1VJMk1exos5A==}
-
   '@mixmark-io/domino@2.2.0':
     resolution: {integrity: sha512-Y28PR25bHXUg88kCV7nivXrP2Nj2RueZ3/l/jdx6J9f8J4nsEGcgX0Qe6lt7Pa+J79+kPiJU3LguR6O/6zrLOw==}
 
@@ -706,9 +649,6 @@ packages:
   '@push.rocks/qenv@6.1.3':
     resolution: {integrity: sha512-+z2hsAU/7CIgpYLFqvda8cn9rUBMHqLdQLjsFfRn5jPoD7dJ5rFlpkbhfM4Ws8mHMniwWaxGKo+q/YBhtzRBLg==}
 
-  '@push.rocks/smartacme@8.0.0':
-    resolution: {integrity: sha512-Oq+m+LX4IG0p4qCGZLEwa6UlMo5Hfq7paRjpREwQNsaGSKl23xsjsEJLxjxkePwaXnaIkHEwU/5MtrEkg2uKEQ==}
-
   '@push.rocks/smartarchive@4.2.4':
     resolution: {integrity: sha512-uiqVAXPxmr8G5rv3uZvZFMOCt8l7cZC3nzvsy4YQqKf/VkPhKIEX+b7LkAeNlxPSYUiBQUkNRoawg9+5BaMcHg==}
 
@@ -746,9 +686,6 @@ packages:
   '@push.rocks/smartdelay@3.0.5':
     resolution: {integrity: sha512-mUuI7kj2f7ztjpic96FvRIlf2RsKBa5arw81AHNsndbxO6asRcxuWL8dTVxouEIK8YsBUlj0AsrCkHhMbLQdHw==}
 
-  '@push.rocks/smartdns@6.2.2':
-    resolution: {integrity: sha512-MhJcHujbyIuwIIFdnXb2OScGtRjNsliLUS8GoAurFsKtcCOaA0ytfP+PNzkukyBufjb1nMiJF3rjhswXdHakAQ==}
-
   '@push.rocks/smartdns@7.6.1':
     resolution: {integrity: sha512-nnP5+A2GOt0WsHrYhtKERmjdEHUchc+QbCCBEqlyeQTn+mNfx2WZvKVI1DFRJt8lamvzxP6Hr/BSe3WHdh4Snw==}
 
@@ -797,9 +734,6 @@ packages:
   '@push.rocks/smartjson@5.2.0':
     resolution: {integrity: sha512-710e8UwovRfPgUtaBHcd6unaODUjV5fjxtGcGCqtaTcmvOV6VpasdVfT66xMDzQmWH2E9ZfHDJeso9HdDQzNQA==}
 
-  '@push.rocks/smartjson@6.0.0':
-    resolution: {integrity: sha512-FYfJnmukt66WePn6xrVZ3BLmRQl9W82LcsICK3VU9sGW7kasig090jKXPm+yX8ibQcZAO/KyR/Q8tMIYZNxGew==}
-
   '@push.rocks/smartlog-destination-devtools@1.0.12':
     resolution: {integrity: sha512-zvsIkrqByc0JRaBgIyhh+PSz2SY/e/bmhZdUcr/OW6pudgAcqe2sso68EzrKux0w9OMl1P9ZnzF3FpCZPFWD/A==}
 
@@ -902,9 +836,6 @@ packages:
   '@push.rocks/smartstate@2.0.27':
     resolution: {integrity: sha512-q4UKir7GV3hakJWXQR4DoA4tUVwT5GRkJ/MtanHYF0wZLHfS19+nGmyO9y974zk3eT9hmy3+Lq5cKtU2W6+Y3w==}
 
-  '@push.rocks/smartstate@2.0.30':
-    resolution: {integrity: sha512-IuNW8XtSumXIr7g7MIFyWg5PBwLF2mwsymTJbSEycK2Pa9ZLk4yjRHnR907xCilxgiMU9ixQZyNdpa5MMF999A==}
-
   '@push.rocks/smartstream@3.2.5':
     resolution: {integrity: sha512-PLGGIFDy8JLNVUnnntMSIYN4W081YSbNC7Y/sWpvUT8PAXtbEXXUiDFgK5o3gcI0ptpKQxHAwxhzNlPj0sbFVg==}
 
@@ -935,9 +866,6 @@ packages:
   '@push.rocks/taskbuffer@3.5.0':
     resolution: {integrity: sha512-Y9WwIEIyp6oVFdj06j84tfrZIvjhbMb3DF52rYxlTeYLk3W7RPhSg1bGPCbtkXWeKdBrSe37V90BkOG7Qq8Pqg==}
 
-  '@push.rocks/taskbuffer@4.2.0':
-    resolution: {integrity: sha512-ttoBe5y/WXkAo5/wSMcC/Y4Zbyw4XG8kwAsEaqnAPCxa3M9MI1oV/yM1e9gU1IH97HVPidzbTxRU5/PcHDdUsg==}
-
   '@push.rocks/webrequest@3.0.37':
     resolution: {integrity: sha512-fLN7kP6GeHFxE4UH4r9C9pjcQb0QkJxHeAMwXvbOqB9hh0MFNKhtGU7GoaTn8SVRGRMPc9UqZVNwo6u5l8Wn0A==}
 
@@ -1368,20 +1296,6 @@ packages:
   '@tempfix/idb@8.0.3':
     resolution: {integrity: sha512-hPJQKO7+oAIY+pDNImrZ9QAINbz9KmwT+yO4iRVwdPanok2YKpaUxdJzIvCUwY0YgAawlvYdffbLvRLV5hbs2g==}
 
-  '@tempfix/lenis@1.3.20':
-    resolution: {integrity: sha512-ypeB0FuHLHOCQXW4d0RQ69txPJJH+1CHcpsZIUdcv2t1vR0IVyQr2vHihtde9UOXhjzqEnUphWon/UcJNsa0YA==}
-    peerDependencies:
-      '@nuxt/kit': '>=3.0.0'
-      react: '>=17.0.0'
-      vue: '>=3.0.0'
-    peerDependenciesMeta:
-      '@nuxt/kit':
-        optional: true
-      react:
-        optional: true
-      vue:
-        optional: true
-
   '@tokenizer/inflate@0.4.1':
     resolution: {integrity: sha512-2mAv+8pkG6GIZiF1kNg1jAjh27IDxEPKwdGul3snfztFerfPGI1LjDezZp3i7BElXompqEtPmoPx6c2wgtWsOA==}
     engines: {node: '>=18'}
@@ -1395,9 +1309,6 @@ packages:
   '@tsclass/tsclass@4.4.4':
     resolution: {integrity: sha512-YZOAF+u+r4u5rCev2uUd1KBTBdfyFdtDmcv4wuN+864lMccbdfRICR3SlJwCfYS1lbeV3QNLYGD30wjRXgvCJA==}
 
-  '@tsclass/tsclass@5.0.0':
-    resolution: {integrity: sha512-2X66VCk0Oe1L01j6GQHC6F9Gj7lpZPPSUTDNax7e29lm4OqBTyAzTR3ePR8coSbWBwsmRV8awLRSrSI+swlqWA==}
-
   '@tsclass/tsclass@9.3.0':
     resolution: {integrity: sha512-KD3oTUN3RGu67tgjNHgWWZGsdYipr1RUDxQ9MMKSgIJ6oNZ4q5m2rg0ibrgyHWkAjTPlHVa6kHP3uVOY+8bnHw==}
 
@@ -1470,25 +1381,15 @@ packages:
   '@types/minimatch@5.1.2':
     resolution: {integrity: sha512-K0VQKziLUWkVKiRVrx4a40iPaxTUefQmjtkQofBkYRcoaaL/8rhwDWww9qWbrgicNOgnpIsMxyNIUM4+n6dUIA==}
 
-  '@types/minimatch@6.0.0':
-    resolution: {integrity: sha512-zmPitbQ8+6zNutpwgcQuLcsEpn/Cj54Kbn7L5pX0Os5kdWplB7xPgEh/g+SWOB/qmows2gpuCaPyduq8ZZRnxA==}
-    deprecated: This is a stub types definition. minimatch provides its own type definitions, so you do not need this installed.
-
   '@types/ms@2.1.0':
     resolution: {integrity: sha512-GsCCIZDE/p3i96vtEqx+7dBUGXrc7zeSK3wwPHIaRThS+9OhWIXRqzs4d6k1SVU8g91DrNRWxWUGhp5KXQb2VA==}
 
   '@types/mute-stream@0.0.4':
     resolution: {integrity: sha512-CPM9nzrCPPJHQNA9keH9CVkVI+WR5kMa+7XEs5jcGQ0VoAGnLv242w8lIVgwAEfmE4oufJRaTc9PNLQl0ioAow==}
 
-  '@types/node-fetch@2.6.13':
-    resolution: {integrity: sha512-QGpRVpzSaUs30JBSGPjOg4Uveu384erbHBoT1zeONvyCfwQxIkUshLAOqN/k9EjGviPRmWTTe6aH2qySWKTVSw==}
-
   '@types/node-forge@1.3.14':
     resolution: {integrity: sha512-mhVF2BnD4BO+jtOp7z1CdzaK4mbuK0LLQYAvdOLqHTavxFNq4zA1EmYkpnFjP8HOUzedfQkRnp0E2ulSAYSzAw==}
 
-  '@types/node@18.19.130':
-    resolution: {integrity: sha512-GRaXQx6jGfL8sKfaIDD6OupbIHBr9jv7Jnaml9tB7l4v068PAOXqfcujMMo5PhbIs6ggR1XODELqahT2R8v0fg==}
-
   '@types/node@22.19.11':
     resolution: {integrity: sha512-BH7YwL6rA93ReqeQS1c4bsPpcfOmJasG+Fkr6Y59q83f9M1WcBRHR2vM+P9eOisYRcN3ujQoiZY8uk5W+1WL8w==}
 
@@ -1564,10 +1465,6 @@ packages:
   '@ungap/structured-clone@1.3.0':
     resolution: {integrity: sha512-WmoN8qaIAo7WTYWbAZuG8PYEhn5fkz7dZrqTBZ7dtt//lL2Gwms1IcnQ5yHqjDfX8Ft5j4YzDM23f87zBfDe9g==}
 
-  abort-controller@3.0.0:
-    resolution: {integrity: sha512-h8lQ8tacZYnR3vNQTgibj+tODHI5/+l06Au2Pcriv/Gmet0eaj4TwWH41sO9wnHDiQsEj19q0drzdWdeAHtweg==}
-    engines: {node: '>=6.5'}
-
   accepts@1.3.8:
     resolution: {integrity: sha512-PYAthTa2m2VKxuvSD3DPC/Gy+U+sOA1LAuT8mkmRuvw+NACSaeXEQ+NHcVF7rONl6qcaxV3Uuemwawk+7+SJLw==}
     engines: {node: '>= 0.6'}
@@ -1808,9 +1705,6 @@ packages:
     resolution: {integrity: sha512-BSeNnyus75C4//NQ9gQt1/csTXyo/8Sb+afLAkzAptFuMsod9HFokGNudZpi/oQV73hnVK+sR+5PVRMd+Dr7YQ==}
     engines: {node: '>=12'}
 
-  cloudflare@5.2.0:
-    resolution: {integrity: sha512-dVzqDpPFYR9ApEC9e+JJshFJZXcw4HzM8W+3DHzO5oy9+8rLC53G7x6fEf9A7/gSuSCxuvndzui5qJKftfIM9A==}
-
   color-convert@2.0.1:
     resolution: {integrity: sha512-RRECPsj7iu/xb5oKYcsFHSppFNnsj/52OVTRKb4zP5onXwVF3zVmmToNcOfGC+CRDpfK/U584fMg38ZHCaElKQ==}
     engines: {node: '>=7.0.0'}
@@ -2059,10 +1953,6 @@ packages:
     resolution: {integrity: sha1-Qa4u62XvpiJorr/qg6x9eSmbCIc=}
     engines: {node: '>= 0.6'}
 
-  event-target-shim@5.0.1:
-    resolution: {integrity: sha512-i/2XbnSz/uxRCU6+NdVJgKWDTM427+MqYbkQzD321DuCQJUqOuJKIA0IM2+W2xtYHdKOmZ4dR6fExsd4SXL+WQ==}
-    engines: {node: '>=6'}
-
   eventemitter3@4.0.7:
     resolution: {integrity: sha512-8guHBZCwKnFhYdHr2ysuRWErTwhoN2X8XELRlrRwpmfeY2jjuUN4taQMsULKUVo1K4DvZl+0pgfyoysHxvmvEw==}
 
@@ -2168,9 +2058,6 @@ packages:
     resolution: {integrity: sha512-gIXjKqtFuWEgzFRJA9WCQeSJLZDjgJUOMCMzxtvFq/37KojM1BFGufqsCy0r4qSQmYLsZYMeyRqzIWOMup03sw==}
     engines: {node: '>=14'}
 
-  form-data-encoder@1.7.2:
-    resolution: {integrity: sha512-qfqtYan3rxrnCk1VYaA4H+Ms9xdpPqvLZa6xmMgFvhO32x7/3J/ExcTd6qpxM0vH2GdMI+poehyBZvqfMTto8A==}
-
   form-data-encoder@2.1.4:
     resolution: {integrity: sha512-yDYSgNMraqvnxiEXO4hi88+YZxaHC6QKzb5N84iRCTDeRO7ZALpir/lVmf/uXUhnwUr2O4HU8s/n6x+yNjQkHw==}
     engines: {node: '>= 14.17'}
@@ -2183,10 +2070,6 @@ packages:
     resolution: {integrity: sha1-1hcBB+nv3E7TDJ3DkBbflCtctYs=}
     engines: {node: '>=0.4.x'}
 
-  formdata-node@4.4.1:
-    resolution: {integrity: sha512-0iirZp3uVDjVGt9p49aTaqjk84TrglENEDuqfdlZQ1roC9CWlPk6Avf8EEnZNcAqPonwkG35x4n3ww/1THYAeQ==}
-    engines: {node: '>= 12.20'}
-
   forwarded@0.2.0:
     resolution: {integrity: sha512-buRG0fpBtRHSTCOASe6hD258tEubFoRLb4ZNA6NxMVHNw2gOcwHo9wyablzMzOA5z9xA9L1KNjk/Nt6MT9aYow==}
     engines: {node: '>= 0.6'}
@@ -2478,21 +2361,12 @@ packages:
   lit-element@4.2.1:
     resolution: {integrity: sha512-WGAWRGzirAgyphK2urmYOV72tlvnxw7YfyLDgQ+OZnM9vQQBQnumQ7jUJe6unEzwGU3ahFOjuz1iz1jjrpCPuw==}
 
-  lit-element@4.2.2:
-    resolution: {integrity: sha512-aFKhNToWxoyhkNDmWZwEva2SlQia+jfG0fjIWV//YeTaWrVnOxD89dPKfigCUspXFmjzOEUQpOkejH5Ly6sG0w==}
-
   lit-html@3.3.1:
     resolution: {integrity: sha512-S9hbyDu/vs1qNrithiNyeyv64c9yqiW9l+DBgI18fL+MTvOtWoFR0FWiyq1TxaYef5wNlpEmzlXoBlZEO+WjoA==}
 
-  lit-html@3.3.2:
-    resolution: {integrity: sha512-Qy9hU88zcmaxBXcc10ZpdK7cOLXvXpRoBxERdtqV9QOrfpMZZ6pSYP91LhpPtap3sFMUiL7Tw2RImbe0Al2/kw==}
-
   lit@3.3.1:
     resolution: {integrity: sha512-Ksr/8L3PTapbdXJCk+EJVB78jDodUMaP54gD24W186zGRARvwrsPfS60wae/SSCTCNZVPd1chXqio1qHQmu4NA==}
 
-  lit@3.3.2:
-    resolution: {integrity: sha512-NF9zbsP79l4ao2SNrH3NkfmFgN/hBYSQo90saIVI1o5GpjAdCPVstVzO1MrLOakHoEhYkrtRjPK6Ob521aoYWQ==}
-
   locate-path@5.0.0:
     resolution: {integrity: sha512-t7hw9pI+WvuwNJXwk5zVHpyhIqzg2qTlklJOf0mVxGSbe3Fp2VieZcduNYjaLDoy6p9uGpQEGWG87WpMKlNq8g==}
     engines: {node: '>=8'}
@@ -2848,19 +2722,6 @@ packages:
   no-case@2.3.2:
     resolution: {integrity: sha512-rmTZ9kz+f3rCvK2TD1Ue/oZlns7OGoIWP4fc3llxxRXlOkHKoWPPWJOfFYpITabSow43QJbRIoHQXtt10VldyQ==}
 
-  node-domexception@1.0.0:
-    resolution: {integrity: sha512-/jKZoMpw0F8GRwl4/eLROPA3cfcXtLApP0QzLmUT/HuPCZWyB7IY9ZrMeKw2O/nFIqPQB3PVM9aYm0F312AXDQ==}
-    engines: {node: '>=10.5.0'}
-
-  node-fetch@2.7.0:
-    resolution: {integrity: sha512-c4FRfUm/dbcWZ7U+1Wq0AwCyFL+3nt2bEw05wfxSz+DWpWsitgmSgYmy2dQdWyKC1694ELPqMs/YzUSNozLt8A==}
-    engines: {node: 4.x || >=6.0.0}
-    peerDependencies:
-      encoding: ^0.1.0
-    peerDependenciesMeta:
-      encoding:
-        optional: true
-
   node-forge@1.3.3:
     resolution: {integrity: sha512-rLvcdSyRCyouf6jcOIPe/BgwG/d7hKjzMKOas33/pHEr6gbq18IK9zV7DiPvzsz0oBJPme6qr6H6kGZuI9/DZg==}
     engines: {node: '>= 6.13.0'}
@@ -3383,9 +3244,6 @@ packages:
     resolution: {integrity: sha512-dRXchy+C0IgK8WPC6xvCHFRIWYUbqqdEIKPaKo/AcTUNzwLTK6AH7RjdLWsEZcAN/TBdtfUw3PYEgPr5VPr6ww==}
     engines: {node: '>=14.16'}
 
-  tr46@0.0.3:
-    resolution: {integrity: sha1-gYT9NH2snNwYWZLzpmIuFLnZq2o=}
-
   tr46@5.1.1:
     resolution: {integrity: sha512-hdF5ZgjTqgAntKkklYw0R03MG2x/bSzTtkxmIRw/sTNV8YXsCJ1tfLAX23lhxhHJlEf3CRCOCGGWw3vI3GaSPw==}
     engines: {node: '>=18'}
@@ -3454,9 +3312,6 @@ packages:
     resolution: {integrity: sha512-rvKSBiC5zqCCiDZ9kAOszZcDvdAHwwIKJG33Ykj43OKcWsnmcBRL09YTU4nOeHZ8Y2a7l1MgTd08SBe9A8Qj6A==}
     engines: {node: '>=18'}
 
-  undici-types@5.26.5:
-    resolution: {integrity: sha512-JlCMO+ehdEIKqlFxk6IfVoAUVmgz7cU7zD/h9XZ0qzeosSHmUJVOzSQvvYSYWXkFXC+IfLKSIffhv0sVZup6pA==}
-
   undici-types@6.21.0:
     resolution: {integrity: sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ==}
 
@@ -3516,16 +3371,9 @@ packages:
   vfile@6.0.3:
     resolution: {integrity: sha512-KzIbH/9tXat2u30jf+smMwFCsno4wHVdNmzFyL+T/L3UGqqk6JKfVqOFOZEpZSHADH1k40ab6NUIXZq422ov3Q==}
 
-  web-streams-polyfill@4.0.0-beta.3:
-    resolution: {integrity: sha512-QW95TCTaHmsYfHDybGMwO5IJIM93I/6vTRk+daHTWFPhwh+C8Cg7j7XyKrwrj8Ib6vYXe0ocYNrmzY4xAAN6ug==}
-    engines: {node: '>= 14'}
-
   webdriver-bidi-protocol@0.4.0:
     resolution: {integrity: sha512-U9VIlNRrq94d1xxR9JrCEAx5Gv/2W7ERSv8oWRoNe/QYbfccS0V3h/H6qeNeCRJxXGMhhnkqvwNrvPAYeuP9VA==}
 
-  webidl-conversions@3.0.1:
-    resolution: {integrity: sha1-JFNCdeKnvGvnvIZhHMFq4KVlSHE=}
-
   webidl-conversions@7.0.0:
     resolution: {integrity: sha512-VwddBukDzu71offAQR975unBIGqfKZpM+8ZX6ySk8nYhVoo5CYaZyzt3YBvYtRtO+aoGlqxPg/B87NGVZ/fu6g==}
     engines: {node: '>=12'}
@@ -3538,9 +3386,6 @@ packages:
     resolution: {integrity: sha512-De72GdQZzNTUBBChsXueQUnPKDkg/5A5zp7pFDuQAj5UFoENpiACU0wlCvzpAGnTkj++ihpKwKyYewn/XNUbKw==}
     engines: {node: '>=18'}
 
-  whatwg-url@5.0.0:
-    resolution: {integrity: sha1-lmRU6HZUYuN2RNNib2dCzotwll0=}
-
   which@2.0.2:
     resolution: {integrity: sha512-BLI3Tl1TW3Pvl70l3yq3Y64i+awpwXqsGBYWkkqMtnbXgrMD+yj7rhW0kuEDxzJaYXGjEW5ogapKNMEKNMjibA==}
     engines: {node: '>= 8'}
@@ -3719,18 +3564,6 @@ snapshots:
       - utf-8-validate
       - vue
 
-  '@apiclient.xyz/cloudflare@6.4.3':
-    dependencies:
-      '@push.rocks/smartdelay': 3.0.5
-      '@push.rocks/smartlog': 3.1.10
-      '@push.rocks/smartpromise': 4.2.3
-      '@push.rocks/smartrequest': 5.0.1
-      '@push.rocks/smartstring': 4.1.0
-      '@tsclass/tsclass': 9.3.0
-      cloudflare: 5.2.0
-    transitivePeerDependencies:
-      - encoding
-
   '@aws-crypto/crc32@5.2.0':
     dependencies:
       '@aws-crypto/util': 5.2.0
@@ -4271,32 +4104,6 @@ snapshots:
       - supports-color
       - vue
 
-  '@design.estate/dees-domtools@2.3.8':
-    dependencies:
-      '@api.global/typedrequest': 3.2.5
-      '@design.estate/dees-comms': 1.0.30
-      '@push.rocks/lik': 6.2.2
-      '@push.rocks/smartdelay': 3.0.5
-      '@push.rocks/smartjson': 5.2.0
-      '@push.rocks/smartmarkdown': 3.0.3
-      '@push.rocks/smartpromise': 4.2.3
-      '@push.rocks/smartrouter': 1.3.3
-      '@push.rocks/smartrx': 3.0.10
-      '@push.rocks/smartstate': 2.0.30
-      '@push.rocks/smartstring': 4.1.0
-      '@push.rocks/smarturl': 3.1.0
-      '@push.rocks/webrequest': 3.0.37
-      '@push.rocks/websetup': 3.0.19
-      '@push.rocks/webstore': 2.0.20
-      '@tempfix/lenis': 1.3.20
-      lit: 3.3.2
-      sweet-scroll: 4.0.0
-    transitivePeerDependencies:
-      - '@nuxt/kit'
-      - react
-      - supports-color
-      - vue
-
   '@design.estate/dees-element@2.1.3':
     dependencies:
       '@design.estate/dees-domtools': 2.3.6
@@ -4309,18 +4116,6 @@ snapshots:
       - supports-color
       - vue
 
-  '@design.estate/dees-element@2.1.6':
-    dependencies:
-      '@design.estate/dees-domtools': 2.3.8
-      '@push.rocks/isounique': 1.0.5
-      '@push.rocks/smartrx': 3.0.10
-      lit: 3.3.2
-    transitivePeerDependencies:
-      - '@nuxt/kit'
-      - react
-      - supports-color
-      - vue
-
   '@emnapi/core@1.8.1':
     dependencies:
       '@emnapi/wasi-threads': 1.1.0
@@ -4660,16 +4455,10 @@ snapshots:
 
   '@lit-labs/ssr-dom-shim@1.4.0': {}
 
-  '@lit-labs/ssr-dom-shim@1.5.1': {}
-
   '@lit/reactive-element@2.1.1':
     dependencies:
       '@lit-labs/ssr-dom-shim': 1.4.0
 
-  '@lit/reactive-element@2.1.2':
-    dependencies:
-      '@lit-labs/ssr-dom-shim': 1.5.1
-
   '@mixmark-io/domino@2.2.0': {}
 
   '@module-federation/error-codes@0.22.0': {}
@@ -4934,40 +4723,6 @@ snapshots:
       '@push.rocks/smartlog': 3.1.10
       '@push.rocks/smartpath': 6.0.0
 
-  '@push.rocks/smartacme@8.0.0(socks@2.8.7)':
-    dependencies:
-      '@api.global/typedserver': 3.0.80(@push.rocks/smartserve@2.0.1)
-      '@apiclient.xyz/cloudflare': 6.4.3
-      '@push.rocks/lik': 6.2.2
-      '@push.rocks/smartdata': 5.16.7(socks@2.8.7)
-      '@push.rocks/smartdelay': 3.0.5
-      '@push.rocks/smartdns': 6.2.2
-      '@push.rocks/smartfile': 11.2.7
-      '@push.rocks/smartlog': 3.1.10
-      '@push.rocks/smartnetwork': 4.4.0
-      '@push.rocks/smartpromise': 4.2.3
-      '@push.rocks/smartrequest': 2.1.0
-      '@push.rocks/smartstring': 4.1.0
-      '@push.rocks/smarttime': 4.1.1
-      '@push.rocks/smartunique': 3.0.9
-      '@tsclass/tsclass': 9.3.0
-      acme-client: 5.4.0
-    transitivePeerDependencies:
-      - '@aws-sdk/credential-providers'
-      - '@mongodb-js/zstd'
-      - '@nuxt/kit'
-      - bare-abort-controller
-      - encoding
-      - gcp-metadata
-      - kerberos
-      - mongodb-client-encryption
-      - react
-      - react-native-b4a
-      - snappy
-      - socks
-      - supports-color
-      - vue
-
   '@push.rocks/smartarchive@4.2.4':
     dependencies:
       '@push.rocks/smartdelay': 3.0.5
@@ -5109,22 +4864,6 @@ snapshots:
     dependencies:
       '@push.rocks/smartpromise': 4.2.3
 
-  '@push.rocks/smartdns@6.2.2':
-    dependencies:
-      '@push.rocks/smartdelay': 3.0.5
-      '@push.rocks/smartenv': 5.0.13
-      '@push.rocks/smartpromise': 4.2.3
-      '@push.rocks/smartrequest': 2.1.0
-      '@tsclass/tsclass': 5.0.0
-      '@types/dns-packet': 5.6.5
-      '@types/elliptic': 6.4.18
-      acme-client: 5.4.0
-      dns-packet: 5.6.1
-      elliptic: 6.6.1
-      minimatch: 10.2.0
-    transitivePeerDependencies:
-      - supports-color
-
   '@push.rocks/smartdns@7.6.1':
     dependencies:
       '@push.rocks/smartdelay': 3.0.5
@@ -5247,13 +4986,6 @@ snapshots:
       fast-json-stable-stringify: 2.1.0
       lodash.clonedeep: 4.5.0
 
-  '@push.rocks/smartjson@6.0.0':
-    dependencies:
-      '@push.rocks/smartenv': 6.0.0
-      '@push.rocks/smartstring': 4.1.0
-      fast-json-stable-stringify: 2.1.0
-      lodash.clonedeep: 4.5.0
-
   '@push.rocks/smartlog-destination-devtools@1.0.12':
     dependencies:
       '@push.rocks/smartlog-interfaces': 3.0.2
@@ -5584,15 +5316,6 @@ snapshots:
       '@push.rocks/smartrx': 3.0.10
       '@push.rocks/webstore': 2.0.20
 
-  '@push.rocks/smartstate@2.0.30':
-    dependencies:
-      '@push.rocks/lik': 6.2.2
-      '@push.rocks/smarthash': 3.2.6
-      '@push.rocks/smartjson': 6.0.0
-      '@push.rocks/smartpromise': 4.2.3
-      '@push.rocks/smartrx': 3.0.10
-      '@push.rocks/webstore': 2.0.20
-
   '@push.rocks/smartstream@3.2.5':
     dependencies:
       '@push.rocks/lik': 6.2.2
@@ -5657,22 +5380,6 @@ snapshots:
       - supports-color
       - vue
 
-  '@push.rocks/taskbuffer@4.2.0':
-    dependencies:
-      '@design.estate/dees-element': 2.1.6
-      '@push.rocks/lik': 6.2.2
-      '@push.rocks/smartdelay': 3.0.5
-      '@push.rocks/smartlog': 3.1.10
-      '@push.rocks/smartpromise': 4.2.3
-      '@push.rocks/smartrx': 3.0.10
-      '@push.rocks/smarttime': 4.1.1
-      '@push.rocks/smartunique': 3.0.9
-    transitivePeerDependencies:
-      - '@nuxt/kit'
-      - react
-      - supports-color
-      - vue
-
   '@push.rocks/webrequest@3.0.37':
     dependencies:
       '@push.rocks/smartdelay': 3.0.5
@@ -6201,8 +5908,6 @@ snapshots:
 
   '@tempfix/idb@8.0.3': {}
 
-  '@tempfix/lenis@1.3.20': {}
-
   '@tokenizer/inflate@0.4.1':
     dependencies:
       debug: 4.4.3
@@ -6218,10 +5923,6 @@ snapshots:
     dependencies:
       type-fest: 4.41.0
 
-  '@tsclass/tsclass@5.0.0':
-    dependencies:
-      type-fest: 4.41.0
-
   '@tsclass/tsclass@9.3.0':
     dependencies:
       type-fest: 4.41.0
@@ -6315,29 +6016,16 @@ snapshots:
 
   '@types/minimatch@5.1.2': {}
 
-  '@types/minimatch@6.0.0':
-    dependencies:
-      minimatch: 10.2.0
-
   '@types/ms@2.1.0': {}
 
   '@types/mute-stream@0.0.4':
     dependencies:
       '@types/node': 25.2.3
 
-  '@types/node-fetch@2.6.13':
-    dependencies:
-      '@types/node': 25.2.3
-      form-data: 4.0.5
-
   '@types/node-forge@1.3.14':
     dependencies:
       '@types/node': 25.2.3
 
-  '@types/node@18.19.130':
-    dependencies:
-      undici-types: 5.26.5
-
   '@types/node@22.19.11':
     dependencies:
       undici-types: 6.21.0
@@ -6410,10 +6098,6 @@ snapshots:
 
   '@ungap/structured-clone@1.3.0': {}
 
-  abort-controller@3.0.0:
-    dependencies:
-      event-target-shim: 5.0.1
-
   accepts@1.3.8:
     dependencies:
       mime-types: 2.1.35
@@ -6660,18 +6344,6 @@ snapshots:
       strip-ansi: 6.0.1
       wrap-ansi: 7.0.0
 
-  cloudflare@5.2.0:
-    dependencies:
-      '@types/node': 18.19.130
-      '@types/node-fetch': 2.6.13
-      abort-controller: 3.0.0
-      agentkeepalive: 4.6.0
-      form-data-encoder: 1.7.2
-      formdata-node: 4.4.1
-      node-fetch: 2.7.0
-    transitivePeerDependencies:
-      - encoding
-
   color-convert@2.0.1:
     dependencies:
       color-name: 1.1.4
@@ -6923,8 +6595,6 @@ snapshots:
 
   etag@1.8.1: {}
 
-  event-target-shim@5.0.1: {}
-
   eventemitter3@4.0.7: {}
 
   events-universal@1.0.1:
@@ -7076,8 +6746,6 @@ snapshots:
       cross-spawn: 7.0.6
       signal-exit: 4.1.0
 
-  form-data-encoder@1.7.2: {}
-
   form-data-encoder@2.1.4: {}
 
   form-data@4.0.5:
@@ -7090,11 +6758,6 @@ snapshots:
 
   format@0.2.2: {}
 
-  formdata-node@4.4.1:
-    dependencies:
-      node-domexception: 1.0.0
-      web-streams-polyfill: 4.0.0-beta.3
-
   forwarded@0.2.0: {}
 
   fresh@2.0.0: {}
@@ -7412,32 +7075,16 @@ snapshots:
       '@lit/reactive-element': 2.1.1
       lit-html: 3.3.1
 
-  lit-element@4.2.2:
-    dependencies:
-      '@lit-labs/ssr-dom-shim': 1.5.1
-      '@lit/reactive-element': 2.1.2
-      lit-html: 3.3.2
-
   lit-html@3.3.1:
     dependencies:
       '@types/trusted-types': 2.0.7
 
-  lit-html@3.3.2:
-    dependencies:
-      '@types/trusted-types': 2.0.7
-
   lit@3.3.1:
     dependencies:
       '@lit/reactive-element': 2.1.1
       lit-element: 4.2.1
       lit-html: 3.3.1
 
-  lit@3.3.2:
-    dependencies:
-      '@lit/reactive-element': 2.1.2
-      lit-element: 4.2.2
-      lit-html: 3.3.2
-
   locate-path@5.0.0:
     dependencies:
       p-locate: 4.1.0
@@ -8001,12 +7648,6 @@ snapshots:
     dependencies:
       lower-case: 1.1.4
 
-  node-domexception@1.0.0: {}
-
-  node-fetch@2.7.0:
-    dependencies:
-      whatwg-url: 5.0.0
-
   node-forge@1.3.3: {}
 
   normalize-newline@4.1.0:
@@ -8652,8 +8293,6 @@ snapshots:
       '@tokenizer/token': 0.3.0
       ieee754: 1.2.1
 
-  tr46@0.0.3: {}
-
   tr46@5.1.1:
     dependencies:
       punycode: 2.3.1
@@ -8705,8 +8344,6 @@ snapshots:
 
   uint8array-extras@1.5.0: {}
 
-  undici-types@5.26.5: {}
-
   undici-types@6.21.0: {}
 
   undici-types@7.16.0: {}
@@ -8773,12 +8410,8 @@ snapshots:
       '@types/unist': 3.0.3
       vfile-message: 4.0.3
 
-  web-streams-polyfill@4.0.0-beta.3: {}
-
   webdriver-bidi-protocol@0.4.0: {}
 
-  webidl-conversions@3.0.1: {}
-
   webidl-conversions@7.0.0: {}
 
   whatwg-mimetype@3.0.0: {}
@@ -8788,11 +8421,6 @@ snapshots:
       tr46: 5.1.1
       webidl-conversions: 7.0.0
 
-  whatwg-url@5.0.0:
-    dependencies:
-      tr46: 0.0.3
-      webidl-conversions: 3.0.1
-
   which@2.0.2:
     dependencies:
       isexe: 2.0.0

readme.byte-counting-audit.md

@@ -1,169 +0,0 @@
-# SmartProxy Byte Counting Audit Report
-
-## Executive Summary
-
-After a comprehensive audit of the SmartProxy codebase, I can confirm that **byte counting is implemented correctly** with no instances of double counting. Each byte transferred through the proxy is counted exactly once in each direction.
-
-## Byte Counting Implementation
-
-### 1. Core Tracking Mechanisms
-
-SmartProxy uses two complementary tracking systems:
-
-1. **Connection Records** (`IConnectionRecord`):
-   - `bytesReceived`: Total bytes received from client
-   - `bytesSent`: Total bytes sent to client
-
-2. **MetricsCollector**:
-   - Global throughput tracking via `ThroughputTracker`
-   - Per-connection byte tracking for route/IP metrics
-   - Called via `recordBytes(connectionId, bytesIn, bytesOut)`
-
-### 2. Where Bytes Are Counted
-
-Bytes are counted in only two files:
-
-#### a) `route-connection-handler.ts`
-- **Line 351**: TLS alert bytes when no SNI is provided
-- **Lines 1286-1301**: Data forwarding callbacks in `setupBidirectionalForwarding()`
-
-#### b) `http-proxy-bridge.ts`  
-- **Line 127**: Initial TLS chunk for HttpProxy connections
-- **Lines 142-154**: Data forwarding callbacks in `setupBidirectionalForwarding()`
-
-## Connection Flow Analysis
-
-### 1. Direct TCP Connection (No TLS)
-
-```
-Client → SmartProxy → Target Server
-```
-
-1. Connection arrives at `RouteConnectionHandler.handleConnection()`
-2. For non-TLS ports, immediately routes via `routeConnection()`
-3. `setupDirectConnection()` creates target connection
-4. `setupBidirectionalForwarding()` handles all data transfer:
-   - `onClientData`: `bytesReceived += chunk.length` + `recordBytes(chunk.length, 0)`
-   - `onServerData`: `bytesSent += chunk.length` + `recordBytes(0, chunk.length)`
-
-**Result**: ✅ Each byte counted exactly once
-
-### 2. TLS Passthrough Connection
-
-```
-Client (TLS) → SmartProxy → Target Server (TLS)
-```
-
-1. Connection waits for initial data to detect TLS
-2. TLS handshake detected, SNI extracted
-3. Route matched, `setupDirectConnection()` called
-4. Initial chunk stored in `pendingData` (NOT counted yet)
-5. On target connect, `pendingData` written to target (still not counted)
-6. `setupBidirectionalForwarding()` counts ALL bytes including initial chunk
-
-**Result**: ✅ Each byte counted exactly once
-
-### 3. TLS Termination via HttpProxy
-
-```
-Client (TLS) → SmartProxy → HttpProxy (localhost) → Target Server
-```
-
-1. TLS connection detected with `tls.mode = "terminate"`
-2. `forwardToHttpProxy()` called:
-   - Initial chunk: `bytesReceived += chunk.length` + `recordBytes(chunk.length, 0)`
-3. Proxy connection created to HttpProxy on localhost
-4. `setupBidirectionalForwarding()` handles subsequent data
-
-**Result**: ✅ Each byte counted exactly once
-
-### 4. HTTP Connection via HttpProxy
-
-```
-Client (HTTP) → SmartProxy → HttpProxy (localhost) → Target Server
-```
-
-1. Connection on configured HTTP port (`useHttpProxy` ports)
-2. Same flow as TLS termination
-3. All byte counting identical to TLS termination
-
-**Result**: ✅ Each byte counted exactly once
-
-### 5. NFTables Forwarding
-
-```
-Client → [Kernel NFTables] → Target Server
-```
-
-1. Connection detected, route matched with `forwardingEngine: 'nftables'`
-2. Connection marked as `usingNetworkProxy = true`
-3. NO application-level forwarding (kernel handles packet routing)
-4. NO byte counting in application layer
-
-**Result**: ✅ No counting (correct - kernel handles everything)
-
-## Special Cases
-
-### PROXY Protocol
-- PROXY protocol headers sent to backend servers are NOT counted in client metrics
-- Only actual client data is counted
-- **Correct behavior**: Protocol overhead is not client data
-
-### TLS Alerts
-- TLS alerts (e.g., for missing SNI) are counted as sent bytes
-- **Correct behavior**: Alerts are actual data sent to the client
-
-### Initial Chunks
-- **Direct connections**: Stored in `pendingData`, counted when forwarded
-- **HttpProxy connections**: Counted immediately upon receipt
-- **Both approaches**: Count each byte exactly once
-
-## Verification Methodology
-
-1. **Code Analysis**: Searched for all instances of:
-   - `bytesReceived +=` and `bytesSent +=`
-   - `recordBytes()` calls
-   - Data forwarding implementations
-
-2. **Flow Tracing**: Followed data path for each connection type from entry to exit
-
-3. **Handler Review**: Examined all forwarding handlers to ensure no additional counting
-
-## Findings
-
-### ✅ No Double Counting Detected
-
-- Each byte is counted exactly once in the direction it flows
-- Connection records and metrics are updated consistently
-- No overlapping or duplicate counting logic found
-
-### Areas of Excellence
-
-1. **Centralized Counting**: All byte counting happens in just two files
-2. **Consistent Pattern**: Uses `setupBidirectionalForwarding()` with callbacks
-3. **Clear Separation**: Forwarding handlers don't interfere with proxy metrics
-
-## Recommendations
-
-1. **Debug Logging**: Add optional debug logging to verify byte counts in production:
-   ```typescript
-   if (settings.debugByteCount) {
-     logger.log('debug', `Bytes counted: ${connectionId} +${bytes} (total: ${record.bytesReceived})`);
-   }
-   ```
-
-2. **Unit Tests**: Create specific tests to ensure byte counting accuracy:
-   - Test initial chunk handling
-   - Test PROXY protocol overhead exclusion
-   - Test HttpProxy forwarding accuracy
-
-3. **Protocol Overhead Tracking**: Consider separately tracking:
-   - PROXY protocol headers
-   - TLS handshake bytes
-   - HTTP headers vs body
-
-4. **NFTables Documentation**: Clearly document that NFTables-forwarded connections are not included in application metrics
-
-## Conclusion
-
-SmartProxy's byte counting implementation is **robust and accurate**. The design ensures that each byte is counted exactly once, with clear separation between connection tracking and metrics collection. No remediation is required.

rust/Cargo.lock

@@ -961,16 +961,19 @@ dependencies = [
  "arc-swap",
  "bytes",
  "dashmap",
+ "http-body",
  "http-body-util",
  "hyper",
  "hyper-util",
  "regex",
+ "rustls",
  "rustproxy-config",
  "rustproxy-metrics",
  "rustproxy-routing",
  "rustproxy-security",
  "thiserror 2.0.18",
  "tokio",
+ "tokio-rustls",
  "tokio-util",
  "tracing",
 ]

rust/Cargo.toml

@@ -29,6 +29,7 @@ serde_json = "1"
 # HTTP proxy engine (hyper-based)
 hyper = { version = "1", features = ["http1", "http2", "server", "client"] }
 hyper-util = { version = "0.1", features = ["tokio", "http1", "http2", "client-legacy", "server-auto"] }
+http-body = "1"
 http-body-util = "0.1"
 bytes = "1"
 

rust/crates/rustproxy-config/src/helpers.rs

@@ -17,6 +17,7 @@ pub fn create_http_route(
             client_ip: None,
             tls_version: None,
             headers: None,
+            protocol: None,
         },
         action: RouteAction {
             action_type: RouteActionType::Forward,
@@ -108,6 +109,7 @@ pub fn create_http_to_https_redirect(
             client_ip: None,
             tls_version: None,
             headers: None,
+            protocol: None,
         },
         action: RouteAction {
             action_type: RouteActionType::Forward,
@@ -200,6 +202,7 @@ pub fn create_load_balancer_route(
             client_ip: None,
             tls_version: None,
             headers: None,
+            protocol: None,
         },
         action: RouteAction {
             action_type: RouteActionType::Forward,

rust/crates/rustproxy-config/src/route_types.rs

@@ -114,6 +114,10 @@ pub struct RouteMatch {
     /// Match specific HTTP headers
     #[serde(skip_serializing_if = "Option::is_none")]
     pub headers: Option<HashMap<String, String>>,
+
+    /// Match specific protocol: "http" (includes h2 + websocket) or "tcp"
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub protocol: Option<String>,
 }
 
 // ─── Target Match ────────────────────────────────────────────────────

rust/crates/rustproxy-http/Cargo.toml

@@ -14,9 +14,12 @@ rustproxy-metrics = { workspace = true }
 hyper = { workspace = true }
 hyper-util = { workspace = true }
 regex = { workspace = true }
+http-body = { workspace = true }
 http-body-util = { workspace = true }
 bytes = { workspace = true }
 tokio = { workspace = true }
+rustls = { workspace = true }
+tokio-rustls = { workspace = true }
 tracing = { workspace = true }
 thiserror = { workspace = true }
 anyhow = { workspace = true }

rust/crates/rustproxy-http/src/counting_body.rs

@@ -0,0 +1,126 @@
+//! A body wrapper that counts bytes flowing through and reports them to MetricsCollector.
+
+use std::pin::Pin;
+use std::sync::Arc;
+use std::sync::atomic::{AtomicU64, Ordering};
+use std::task::{Context, Poll};
+
+use bytes::Bytes;
+use http_body::Frame;
+use rustproxy_metrics::MetricsCollector;
+
+/// Wraps any `http_body::Body` and counts data bytes passing through.
+///
+/// When the body is fully consumed or dropped, accumulated byte counts
+/// are reported to the `MetricsCollector`.
+///
+/// The inner body is pinned on the heap to support `!Unpin` types like `hyper::body::Incoming`.
+pub struct CountingBody<B> {
+    inner: Pin<Box<B>>,
+    counted_bytes: AtomicU64,
+    metrics: Arc<MetricsCollector>,
+    route_id: Option<String>,
+    source_ip: Option<String>,
+    /// Whether we count bytes as "in" (request body) or "out" (response body).
+    direction: Direction,
+    /// Whether we've already reported the bytes (to avoid double-reporting on drop).
+    reported: bool,
+}
+
+/// Which direction the bytes flow.
+#[derive(Clone, Copy)]
+pub enum Direction {
+    /// Request body: bytes flowing from client → upstream (counted as bytes_in)
+    In,
+    /// Response body: bytes flowing from upstream → client (counted as bytes_out)
+    Out,
+}
+
+impl<B> CountingBody<B> {
+    /// Create a new CountingBody wrapping an inner body.
+    pub fn new(
+        inner: B,
+        metrics: Arc<MetricsCollector>,
+        route_id: Option<String>,
+        source_ip: Option<String>,
+        direction: Direction,
+    ) -> Self {
+        Self {
+            inner: Box::pin(inner),
+            counted_bytes: AtomicU64::new(0),
+            metrics,
+            route_id,
+            source_ip,
+            direction,
+            reported: false,
+        }
+    }
+
+    /// Report accumulated bytes to the metrics collector.
+    fn report(&mut self) {
+        if self.reported {
+            return;
+        }
+        self.reported = true;
+
+        let bytes = self.counted_bytes.load(Ordering::Relaxed);
+        if bytes == 0 {
+            return;
+        }
+
+        let route_id = self.route_id.as_deref();
+        let source_ip = self.source_ip.as_deref();
+        match self.direction {
+            Direction::In => self.metrics.record_bytes(bytes, 0, route_id, source_ip),
+            Direction::Out => self.metrics.record_bytes(0, bytes, route_id, source_ip),
+        }
+    }
+}
+
+impl<B> Drop for CountingBody<B> {
+    fn drop(&mut self) {
+        self.report();
+    }
+}
+
+// CountingBody is Unpin because inner is Pin<Box<B>> (always Unpin).
+impl<B> Unpin for CountingBody<B> {}
+
+impl<B> http_body::Body for CountingBody<B>
+where
+    B: http_body::Body<Data = Bytes>,
+{
+    type Data = Bytes;
+    type Error = B::Error;
+
+    fn poll_frame(
+        self: Pin<&mut Self>,
+        cx: &mut Context<'_>,
+    ) -> Poll<Option<Result<Frame<Self::Data>, Self::Error>>> {
+        let this = self.get_mut();
+
+        match this.inner.as_mut().poll_frame(cx) {
+            Poll::Ready(Some(Ok(frame))) => {
+                if let Some(data) = frame.data_ref() {
+                    this.counted_bytes.fetch_add(data.len() as u64, Ordering::Relaxed);
+                }
+                Poll::Ready(Some(Ok(frame)))
+            }
+            Poll::Ready(Some(Err(e))) => Poll::Ready(Some(Err(e))),
+            Poll::Ready(None) => {
+                // Body is fully consumed — report now
+                this.report();
+                Poll::Ready(None)
+            }
+            Poll::Pending => Poll::Pending,
+        }
+    }
+
+    fn is_end_stream(&self) -> bool {
+        self.inner.is_end_stream()
+    }
+
+    fn size_hint(&self) -> http_body::SizeHint {
+        self.inner.size_hint()
+    }
+}

rust/crates/rustproxy-http/src/lib.rs

@@ -3,12 +3,14 @@
 //! Hyper-based HTTP proxy service for RustProxy.
 //! Handles HTTP request parsing, route-based forwarding, and response filtering.
 
+pub mod counting_body;
 pub mod proxy_service;
 pub mod request_filter;
 pub mod response_filter;
 pub mod template;
 pub mod upstream_selector;
 
+pub use counting_body::*;
 pub use proxy_service::*;
 pub use template::*;
 pub use upstream_selector::*;

rust/crates/rustproxy-http/src/proxy_service.rs

@@ -18,9 +18,13 @@ use tokio::net::TcpStream;
 use tokio_util::sync::CancellationToken;
 use tracing::{debug, error, info, warn};
 
+use std::pin::Pin;
+use std::task::{Context, Poll};
+
 use rustproxy_routing::RouteManager;
 use rustproxy_metrics::MetricsCollector;
 
+use crate::counting_body::{CountingBody, Direction};
 use crate::request_filter::RequestFilter;
 use crate::response_filter::ResponseFilter;
 use crate::upstream_selector::UpstreamSelector;
@@ -34,6 +38,125 @@ const DEFAULT_WS_INACTIVITY_TIMEOUT: std::time::Duration = std::time::Duration::
 /// Default WebSocket max lifetime (24 hours).
 const DEFAULT_WS_MAX_LIFETIME: std::time::Duration = std::time::Duration::from_secs(86400);
 
+/// Backend stream that can be either plain TCP or TLS-wrapped.
+/// Used for `terminate-and-reencrypt` mode where the backend requires TLS.
+pub(crate) enum BackendStream {
+    Plain(TcpStream),
+    Tls(tokio_rustls::client::TlsStream<TcpStream>),
+}
+
+impl tokio::io::AsyncRead for BackendStream {
+    fn poll_read(
+        self: Pin<&mut Self>,
+        cx: &mut Context<'_>,
+        buf: &mut tokio::io::ReadBuf<'_>,
+    ) -> Poll<std::io::Result<()>> {
+        match self.get_mut() {
+            BackendStream::Plain(s) => Pin::new(s).poll_read(cx, buf),
+            BackendStream::Tls(s) => Pin::new(s).poll_read(cx, buf),
+        }
+    }
+}
+
+impl tokio::io::AsyncWrite for BackendStream {
+    fn poll_write(
+        self: Pin<&mut Self>,
+        cx: &mut Context<'_>,
+        buf: &[u8],
+    ) -> Poll<std::io::Result<usize>> {
+        match self.get_mut() {
+            BackendStream::Plain(s) => Pin::new(s).poll_write(cx, buf),
+            BackendStream::Tls(s) => Pin::new(s).poll_write(cx, buf),
+        }
+    }
+
+    fn poll_flush(self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<std::io::Result<()>> {
+        match self.get_mut() {
+            BackendStream::Plain(s) => Pin::new(s).poll_flush(cx),
+            BackendStream::Tls(s) => Pin::new(s).poll_flush(cx),
+        }
+    }
+
+    fn poll_shutdown(self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<std::io::Result<()>> {
+        match self.get_mut() {
+            BackendStream::Plain(s) => Pin::new(s).poll_shutdown(cx),
+            BackendStream::Tls(s) => Pin::new(s).poll_shutdown(cx),
+        }
+    }
+}
+
+/// Connect to a backend over TLS. Uses InsecureVerifier for internal backends
+/// with self-signed certs (same pattern as tls_handler::connect_tls).
+async fn connect_tls_backend(
+    host: &str,
+    port: u16,
+) -> Result<tokio_rustls::client::TlsStream<TcpStream>, Box<dyn std::error::Error + Send + Sync>> {
+    let _ = rustls::crypto::ring::default_provider().install_default();
+    let config = rustls::ClientConfig::builder()
+        .dangerous()
+        .with_custom_certificate_verifier(Arc::new(InsecureBackendVerifier))
+        .with_no_client_auth();
+
+    let connector = tokio_rustls::TlsConnector::from(Arc::new(config));
+    let stream = TcpStream::connect(format!("{}:{}", host, port)).await?;
+    stream.set_nodelay(true)?;
+
+    let server_name = rustls::pki_types::ServerName::try_from(host.to_string())?;
+    let tls_stream = connector.connect(server_name, stream).await?;
+    debug!("Backend TLS connection established to {}:{}", host, port);
+    Ok(tls_stream)
+}
+
+/// Insecure certificate verifier for backend TLS connections.
+/// Internal backends may use self-signed certs.
+#[derive(Debug)]
+struct InsecureBackendVerifier;
+
+impl rustls::client::danger::ServerCertVerifier for InsecureBackendVerifier {
+    fn verify_server_cert(
+        &self,
+        _end_entity: &rustls::pki_types::CertificateDer<'_>,
+        _intermediates: &[rustls::pki_types::CertificateDer<'_>],
+        _server_name: &rustls::pki_types::ServerName<'_>,
+        _ocsp_response: &[u8],
+        _now: rustls::pki_types::UnixTime,
+    ) -> Result<rustls::client::danger::ServerCertVerified, rustls::Error> {
+        Ok(rustls::client::danger::ServerCertVerified::assertion())
+    }
+
+    fn verify_tls12_signature(
+        &self,
+        _message: &[u8],
+        _cert: &rustls::pki_types::CertificateDer<'_>,
+        _dss: &rustls::DigitallySignedStruct,
+    ) -> Result<rustls::client::danger::HandshakeSignatureValid, rustls::Error> {
+        Ok(rustls::client::danger::HandshakeSignatureValid::assertion())
+    }
+
+    fn verify_tls13_signature(
+        &self,
+        _message: &[u8],
+        _cert: &rustls::pki_types::CertificateDer<'_>,
+        _dss: &rustls::DigitallySignedStruct,
+    ) -> Result<rustls::client::danger::HandshakeSignatureValid, rustls::Error> {
+        Ok(rustls::client::danger::HandshakeSignatureValid::assertion())
+    }
+
+    fn supported_verify_schemes(&self) -> Vec<rustls::SignatureScheme> {
+        vec![
+            rustls::SignatureScheme::RSA_PKCS1_SHA256,
+            rustls::SignatureScheme::RSA_PKCS1_SHA384,
+            rustls::SignatureScheme::RSA_PKCS1_SHA512,
+            rustls::SignatureScheme::ECDSA_NISTP256_SHA256,
+            rustls::SignatureScheme::ECDSA_NISTP384_SHA384,
+            rustls::SignatureScheme::ED25519,
+            rustls::SignatureScheme::RSA_PSS_SHA256,
+            rustls::SignatureScheme::RSA_PSS_SHA384,
+            rustls::SignatureScheme::RSA_PSS_SHA512,
+        ]
+    }
+}
+
 /// HTTP proxy service that processes HTTP traffic.
 pub struct HttpProxyService {
     route_manager: Arc<RouteManager>,
@@ -172,6 +295,7 @@ impl HttpProxyService {
             tls_version: None,
             headers: Some(&headers),
             is_tls: false,
+            protocol: Some("http"),
         };
 
         let route_match = match self.route_manager.find_route(&ctx) {
@@ -183,12 +307,14 @@ impl HttpProxyService {
         };
 
         let route_id = route_match.route.id.as_deref();
-        self.metrics.connection_opened(route_id);
+        let ip_str = peer_addr.ip().to_string();
+        self.metrics.record_http_request();
+        self.metrics.connection_opened(route_id, Some(&ip_str));
 
         // Apply request filters (IP check, rate limiting, auth)
         if let Some(ref security) = route_match.route.security {
             if let Some(response) = RequestFilter::apply(security, &req, &peer_addr) {
-                self.metrics.connection_closed(route_id);
+                self.metrics.connection_closed(route_id, Some(&ip_str));
                 return Ok(response);
             }
         }
@@ -196,7 +322,7 @@ impl HttpProxyService {
         // Check for test response (returns immediately, no upstream needed)
         if let Some(ref advanced) = route_match.route.action.advanced {
             if let Some(ref test_response) = advanced.test_response {
-                self.metrics.connection_closed(route_id);
+                self.metrics.connection_closed(route_id, Some(&ip_str));
                 return Ok(Self::build_test_response(test_response));
             }
         }
@@ -204,7 +330,7 @@ impl HttpProxyService {
         // Check for static file serving
         if let Some(ref advanced) = route_match.route.action.advanced {
             if let Some(ref static_files) = advanced.static_files {
-                self.metrics.connection_closed(route_id);
+                self.metrics.connection_closed(route_id, Some(&ip_str));
                 return Ok(Self::serve_static_file(&path, static_files));
             }
         }
@@ -213,7 +339,7 @@ impl HttpProxyService {
         let target = match route_match.target {
             Some(t) => t,
             None => {
-                self.metrics.connection_closed(route_id);
+                self.metrics.connection_closed(route_id, Some(&ip_str));
                 return Ok(error_response(StatusCode::BAD_GATEWAY, "No target available"));
             }
         };
@@ -231,7 +357,7 @@ impl HttpProxyService {
 
         if is_websocket {
             let result = self.handle_websocket_upgrade(
-                req, peer_addr, &upstream, route_match.route, route_id, &upstream_key, cancel,
+                req, peer_addr, &upstream, route_match.route, route_id, &upstream_key, cancel, &ip_str,
             ).await;
             // Note: for WebSocket, connection_ended is called inside
             // the spawned tunnel task when the connection closes.
@@ -270,35 +396,58 @@ impl HttpProxyService {
             }
         }
 
-        // Connect to upstream with timeout
-        let upstream_stream = match tokio::time::timeout(
+        // Connect to upstream with timeout (TLS if upstream.use_tls is set)
+        let backend = if upstream.use_tls {
+            match tokio::time::timeout(
+                self.connect_timeout,
+                connect_tls_backend(&upstream.host, upstream.port),
+            ).await {
+                Ok(Ok(tls)) => BackendStream::Tls(tls),
+                Ok(Err(e)) => {
+                    error!("Failed TLS connect to upstream {}:{}: {}", upstream.host, upstream.port, e);
+                    self.upstream_selector.connection_ended(&upstream_key);
+                    self.metrics.connection_closed(route_id, Some(&ip_str));
+                    return Ok(error_response(StatusCode::BAD_GATEWAY, "Backend TLS unavailable"));
+                }
+                Err(_) => {
+                    error!("Upstream TLS connect timeout for {}:{}", upstream.host, upstream.port);
+                    self.upstream_selector.connection_ended(&upstream_key);
+                    self.metrics.connection_closed(route_id, Some(&ip_str));
+                    return Ok(error_response(StatusCode::GATEWAY_TIMEOUT, "Backend TLS connect timeout"));
+                }
+            }
+        } else {
+            match tokio::time::timeout(
                 self.connect_timeout,
                 TcpStream::connect(format!("{}:{}", upstream.host, upstream.port)),
             ).await {
-            Ok(Ok(s)) => s,
+                Ok(Ok(s)) => {
+                    s.set_nodelay(true).ok();
+                    BackendStream::Plain(s)
+                }
                 Ok(Err(e)) => {
                     error!("Failed to connect to upstream {}:{}: {}", upstream.host, upstream.port, e);
                     self.upstream_selector.connection_ended(&upstream_key);
-                self.metrics.connection_closed(route_id);
+                    self.metrics.connection_closed(route_id, Some(&ip_str));
                     return Ok(error_response(StatusCode::BAD_GATEWAY, "Backend unavailable"));
                 }
                 Err(_) => {
                     error!("Upstream connect timeout for {}:{}", upstream.host, upstream.port);
                     self.upstream_selector.connection_ended(&upstream_key);
-                self.metrics.connection_closed(route_id);
+                    self.metrics.connection_closed(route_id, Some(&ip_str));
                     return Ok(error_response(StatusCode::GATEWAY_TIMEOUT, "Backend connect timeout"));
                 }
+            }
         };
-        upstream_stream.set_nodelay(true).ok();
 
-        let io = TokioIo::new(upstream_stream);
+        let io = TokioIo::new(backend);
 
         let result = if use_h2 {
             // HTTP/2 backend
-            self.forward_h2(io, parts, body, upstream_headers, &upstream_path, &upstream, route_match.route, route_id).await
+            self.forward_h2(io, parts, body, upstream_headers, &upstream_path, &upstream, route_match.route, route_id, &ip_str).await
         } else {
             // HTTP/1.1 backend (default)
-            self.forward_h1(io, parts, body, upstream_headers, &upstream_path, &upstream, route_match.route, route_id).await
+            self.forward_h1(io, parts, body, upstream_headers, &upstream_path, &upstream, route_match.route, route_id, &ip_str).await
         };
         self.upstream_selector.connection_ended(&upstream_key);
         result
@@ -307,7 +456,7 @@ impl HttpProxyService {
     /// Forward request to backend via HTTP/1.1 with body streaming.
     async fn forward_h1(
         &self,
-        io: TokioIo<TcpStream>,
+        io: TokioIo<BackendStream>,
         parts: hyper::http::request::Parts,
         body: Incoming,
         upstream_headers: hyper::HeaderMap,
@@ -315,12 +464,13 @@ impl HttpProxyService {
         upstream: &crate::upstream_selector::UpstreamSelection,
         route: &rustproxy_config::RouteConfig,
         route_id: Option<&str>,
+        source_ip: &str,
     ) -> Result<Response<BoxBody<Bytes, hyper::Error>>, hyper::Error> {
         let (mut sender, conn) = match hyper::client::conn::http1::handshake(io).await {
             Ok(h) => h,
             Err(e) => {
                 error!("Upstream handshake failed: {}", e);
-                self.metrics.connection_closed(route_id);
+                self.metrics.connection_closed(route_id, Some(source_ip));
                 return Ok(error_response(StatusCode::BAD_GATEWAY, "Backend handshake failed"));
             }
         };
@@ -345,25 +495,34 @@ impl HttpProxyService {
             }
         }
 
+        // Wrap the request body in CountingBody to track bytes_in
+        let counting_req_body = CountingBody::new(
+            body,
+            Arc::clone(&self.metrics),
+            route_id.map(|s| s.to_string()),
+            Some(source_ip.to_string()),
+            Direction::In,
+        );
+
         // Stream the request body through to upstream
-        let upstream_req = upstream_req.body(body).unwrap();
+        let upstream_req = upstream_req.body(counting_req_body).unwrap();
 
         let upstream_response = match sender.send_request(upstream_req).await {
             Ok(resp) => resp,
             Err(e) => {
                 error!("Upstream request failed: {}", e);
-                self.metrics.connection_closed(route_id);
+                self.metrics.connection_closed(route_id, Some(source_ip));
                 return Ok(error_response(StatusCode::BAD_GATEWAY, "Backend request failed"));
             }
         };
 
-        self.build_streaming_response(upstream_response, route, route_id).await
+        self.build_streaming_response(upstream_response, route, route_id, source_ip).await
     }
 
     /// Forward request to backend via HTTP/2 with body streaming.
     async fn forward_h2(
         &self,
-        io: TokioIo<TcpStream>,
+        io: TokioIo<BackendStream>,
         parts: hyper::http::request::Parts,
         body: Incoming,
         upstream_headers: hyper::HeaderMap,
@@ -371,13 +530,14 @@ impl HttpProxyService {
         upstream: &crate::upstream_selector::UpstreamSelection,
         route: &rustproxy_config::RouteConfig,
         route_id: Option<&str>,
+        source_ip: &str,
     ) -> Result<Response<BoxBody<Bytes, hyper::Error>>, hyper::Error> {
         let exec = hyper_util::rt::TokioExecutor::new();
         let (mut sender, conn) = match hyper::client::conn::http2::handshake(exec, io).await {
             Ok(h) => h,
             Err(e) => {
                 error!("HTTP/2 upstream handshake failed: {}", e);
-                self.metrics.connection_closed(route_id);
+                self.metrics.connection_closed(route_id, Some(source_ip));
                 return Ok(error_response(StatusCode::BAD_GATEWAY, "Backend H2 handshake failed"));
             }
         };
@@ -401,27 +561,41 @@ impl HttpProxyService {
             }
         }
 
+        // Wrap the request body in CountingBody to track bytes_in
+        let counting_req_body = CountingBody::new(
+            body,
+            Arc::clone(&self.metrics),
+            route_id.map(|s| s.to_string()),
+            Some(source_ip.to_string()),
+            Direction::In,
+        );
+
         // Stream the request body through to upstream
-        let upstream_req = upstream_req.body(body).unwrap();
+        let upstream_req = upstream_req.body(counting_req_body).unwrap();
 
         let upstream_response = match sender.send_request(upstream_req).await {
             Ok(resp) => resp,
             Err(e) => {
                 error!("HTTP/2 upstream request failed: {}", e);
-                self.metrics.connection_closed(route_id);
+                self.metrics.connection_closed(route_id, Some(source_ip));
                 return Ok(error_response(StatusCode::BAD_GATEWAY, "Backend H2 request failed"));
             }
         };
 
-        self.build_streaming_response(upstream_response, route, route_id).await
+        self.build_streaming_response(upstream_response, route, route_id, source_ip).await
     }
 
     /// Build the client-facing response from an upstream response, streaming the body.
+    ///
+    /// The response body is wrapped in a `CountingBody` that counts bytes as they
+    /// stream from upstream to client. When the body is fully consumed (or dropped),
+    /// it reports byte counts to the metrics collector and calls `connection_closed`.
     async fn build_streaming_response(
         &self,
         upstream_response: Response<Incoming>,
         route: &rustproxy_config::RouteConfig,
         route_id: Option<&str>,
+        source_ip: &str,
     ) -> Result<Response<BoxBody<Bytes, hyper::Error>>, hyper::Error> {
         let (resp_parts, resp_body) = upstream_response.into_parts();
 
@@ -433,10 +607,23 @@ impl HttpProxyService {
             ResponseFilter::apply_headers(route, headers, None);
         }
 
-        self.metrics.connection_closed(route_id);
+        // Wrap the response body in CountingBody to track bytes_out.
+        // CountingBody will report bytes and we close the connection metric
+        // after the body stream completes (not before it even starts).
+        let counting_body = CountingBody::new(
+            resp_body,
+            Arc::clone(&self.metrics),
+            route_id.map(|s| s.to_string()),
+            Some(source_ip.to_string()),
+            Direction::Out,
+        );
 
-        // Stream the response body directly from upstream to client
-        let body: BoxBody<Bytes, hyper::Error> = BoxBody::new(resp_body);
+        // Close the connection metric now — the HTTP request/response cycle is done
+        // from the proxy's perspective once we hand the streaming body to hyper.
+        // Bytes will still be counted as they flow.
+        self.metrics.connection_closed(route_id, Some(source_ip));
+
+        let body: BoxBody<Bytes, hyper::Error> = BoxBody::new(counting_body);
 
         Ok(response.body(body).unwrap())
     }
@@ -451,6 +638,7 @@ impl HttpProxyService {
         route_id: Option<&str>,
         upstream_key: &str,
         cancel: CancellationToken,
+        source_ip: &str,
     ) -> Result<Response<BoxBody<Bytes, hyper::Error>>, hyper::Error> {
         use tokio::io::{AsyncReadExt, AsyncWriteExt};
 
@@ -466,7 +654,7 @@ impl HttpProxyService {
                     .unwrap_or("");
                 if !allowed_origins.is_empty() && !allowed_origins.iter().any(|o| o == "*" || o == origin) {
                     self.upstream_selector.connection_ended(upstream_key);
-                    self.metrics.connection_closed(route_id);
+                    self.metrics.connection_closed(route_id, Some(source_ip));
                     return Ok(error_response(StatusCode::FORBIDDEN, "Origin not allowed"));
                 }
             }
@@ -474,26 +662,49 @@ impl HttpProxyService {
 
         info!("WebSocket upgrade from {} -> {}:{}", peer_addr, upstream.host, upstream.port);
 
-        // Connect to upstream with timeout
-        let mut upstream_stream = match tokio::time::timeout(
+        // Connect to upstream with timeout (TLS if upstream.use_tls is set)
+        let mut upstream_stream: BackendStream = if upstream.use_tls {
+            match tokio::time::timeout(
+                self.connect_timeout,
+                connect_tls_backend(&upstream.host, upstream.port),
+            ).await {
+                Ok(Ok(tls)) => BackendStream::Tls(tls),
+                Ok(Err(e)) => {
+                    error!("WebSocket: failed TLS connect upstream {}:{}: {}", upstream.host, upstream.port, e);
+                    self.upstream_selector.connection_ended(upstream_key);
+                    self.metrics.connection_closed(route_id, Some(source_ip));
+                    return Ok(error_response(StatusCode::BAD_GATEWAY, "Backend TLS unavailable"));
+                }
+                Err(_) => {
+                    error!("WebSocket: upstream TLS connect timeout for {}:{}", upstream.host, upstream.port);
+                    self.upstream_selector.connection_ended(upstream_key);
+                    self.metrics.connection_closed(route_id, Some(source_ip));
+                    return Ok(error_response(StatusCode::GATEWAY_TIMEOUT, "Backend TLS connect timeout"));
+                }
+            }
+        } else {
+            match tokio::time::timeout(
                 self.connect_timeout,
                 TcpStream::connect(format!("{}:{}", upstream.host, upstream.port)),
             ).await {
-            Ok(Ok(s)) => s,
+                Ok(Ok(s)) => {
+                    s.set_nodelay(true).ok();
+                    BackendStream::Plain(s)
+                }
                 Ok(Err(e)) => {
                     error!("WebSocket: failed to connect upstream {}:{}: {}", upstream.host, upstream.port, e);
                     self.upstream_selector.connection_ended(upstream_key);
-                self.metrics.connection_closed(route_id);
+                    self.metrics.connection_closed(route_id, Some(source_ip));
                     return Ok(error_response(StatusCode::BAD_GATEWAY, "Backend unavailable"));
                 }
                 Err(_) => {
                     error!("WebSocket: upstream connect timeout for {}:{}", upstream.host, upstream.port);
                     self.upstream_selector.connection_ended(upstream_key);
-                self.metrics.connection_closed(route_id);
+                    self.metrics.connection_closed(route_id, Some(source_ip));
                     return Ok(error_response(StatusCode::GATEWAY_TIMEOUT, "Backend connect timeout"));
                 }
+            }
         };
-        upstream_stream.set_nodelay(true).ok();
 
         let path = req.uri().path().to_string();
         let upstream_path = {
@@ -551,7 +762,7 @@ impl HttpProxyService {
         if let Err(e) = upstream_stream.write_all(raw_request.as_bytes()).await {
             error!("WebSocket: failed to send upgrade request to upstream: {}", e);
             self.upstream_selector.connection_ended(upstream_key);
-            self.metrics.connection_closed(route_id);
+            self.metrics.connection_closed(route_id, Some(source_ip));
             return Ok(error_response(StatusCode::BAD_GATEWAY, "Backend write failed"));
         }
 
@@ -562,7 +773,7 @@ impl HttpProxyService {
                 Ok(0) => {
                     error!("WebSocket: upstream closed before completing handshake");
                     self.upstream_selector.connection_ended(upstream_key);
-                    self.metrics.connection_closed(route_id);
+                    self.metrics.connection_closed(route_id, Some(source_ip));
                     return Ok(error_response(StatusCode::BAD_GATEWAY, "Backend closed"));
                 }
                 Ok(_) => {
@@ -576,14 +787,14 @@ impl HttpProxyService {
                     if response_buf.len() > 8192 {
                         error!("WebSocket: upstream response headers too large");
                         self.upstream_selector.connection_ended(upstream_key);
-                        self.metrics.connection_closed(route_id);
+                        self.metrics.connection_closed(route_id, Some(source_ip));
                         return Ok(error_response(StatusCode::BAD_GATEWAY, "Backend response too large"));
                     }
                 }
                 Err(e) => {
                     error!("WebSocket: failed to read upstream response: {}", e);
                     self.upstream_selector.connection_ended(upstream_key);
-                    self.metrics.connection_closed(route_id);
+                    self.metrics.connection_closed(route_id, Some(source_ip));
                     return Ok(error_response(StatusCode::BAD_GATEWAY, "Backend read failed"));
                 }
             }
@@ -601,7 +812,7 @@ impl HttpProxyService {
         if status_code != 101 {
             debug!("WebSocket: upstream rejected upgrade with status {}", status_code);
             self.upstream_selector.connection_ended(upstream_key);
-            self.metrics.connection_closed(route_id);
+            self.metrics.connection_closed(route_id, Some(source_ip));
             return Ok(error_response(
                 StatusCode::from_u16(status_code).unwrap_or(StatusCode::BAD_GATEWAY),
                 "WebSocket upgrade rejected by backend",
@@ -635,6 +846,7 @@ impl HttpProxyService {
 
         let metrics = Arc::clone(&self.metrics);
         let route_id_owned = route_id.map(|s| s.to_string());
+        let source_ip_owned = source_ip.to_string();
         let upstream_selector = self.upstream_selector.clone();
         let upstream_key_owned = upstream_key.to_string();
 
@@ -645,7 +857,7 @@ impl HttpProxyService {
                     debug!("WebSocket: client upgrade failed: {}", e);
                     upstream_selector.connection_ended(&upstream_key_owned);
                     if let Some(ref rid) = route_id_owned {
-                        metrics.connection_closed(Some(rid.as_str()));
+                        metrics.connection_closed(Some(rid.as_str()), Some(&source_ip_owned));
                     }
                     return;
                 }
@@ -750,8 +962,8 @@ impl HttpProxyService {
 
             upstream_selector.connection_ended(&upstream_key_owned);
             if let Some(ref rid) = route_id_owned {
-                metrics.record_bytes(bytes_in, bytes_out, Some(rid.as_str()));
-                metrics.connection_closed(Some(rid.as_str()));
+                metrics.record_bytes(bytes_in, bytes_out, Some(rid.as_str()), Some(&source_ip_owned));
+                metrics.connection_closed(Some(rid.as_str()), Some(&source_ip_owned));
             }
         });
 

rust/crates/rustproxy-metrics/src/collector.rs

@@ -1,6 +1,9 @@
 use dashmap::DashMap;
 use serde::{Deserialize, Serialize};
 use std::sync::atomic::{AtomicU64, Ordering};
+use std::sync::Mutex;
+
+use crate::throughput::{ThroughputSample, ThroughputTracker};
 
 /// Aggregated metrics snapshot.
 #[derive(Debug, Clone, Serialize, Deserialize)]
@@ -12,7 +15,14 @@ pub struct Metrics {
     pub bytes_out: u64,
     pub throughput_in_bytes_per_sec: u64,
     pub throughput_out_bytes_per_sec: u64,
+    pub throughput_recent_in_bytes_per_sec: u64,
+    pub throughput_recent_out_bytes_per_sec: u64,
     pub routes: std::collections::HashMap<String, RouteMetrics>,
+    pub ips: std::collections::HashMap<String, IpMetrics>,
+    pub throughput_history: Vec<ThroughputSample>,
+    pub total_http_requests: u64,
+    pub http_requests_per_sec: u64,
+    pub http_requests_per_sec_recent: u64,
 }
 
 /// Per-route metrics.
@@ -25,6 +35,20 @@ pub struct RouteMetrics {
     pub bytes_out: u64,
     pub throughput_in_bytes_per_sec: u64,
     pub throughput_out_bytes_per_sec: u64,
+    pub throughput_recent_in_bytes_per_sec: u64,
+    pub throughput_recent_out_bytes_per_sec: u64,
+}
+
+/// Per-IP metrics.
+#[derive(Debug, Clone, Serialize, Deserialize)]
+#[serde(rename_all = "camelCase")]
+pub struct IpMetrics {
+    pub active_connections: u64,
+    pub total_connections: u64,
+    pub bytes_in: u64,
+    pub bytes_out: u64,
+    pub throughput_in_bytes_per_sec: u64,
+    pub throughput_out_bytes_per_sec: u64,
 }
 
 /// Statistics snapshot.
@@ -38,7 +62,18 @@ pub struct Statistics {
     pub uptime_seconds: u64,
 }
 
+/// Default retention for throughput samples (1 hour).
+const DEFAULT_RETENTION_SECONDS: usize = 3600;
+
+/// Maximum number of IPs to include in a snapshot (top by active connections).
+const MAX_IPS_IN_SNAPSHOT: usize = 100;
+
 /// Metrics collector tracking connections and throughput.
+///
+/// Design: The hot path (`record_bytes`) is entirely lock-free — it only touches
+/// `AtomicU64` counters. The cold path (`sample_all`, called at 1Hz) drains
+/// those atomics and feeds the throughput trackers under a Mutex. This avoids
+/// contention when `record_bytes` is called per-chunk in the TCP copy loop.
 pub struct MetricsCollector {
     active_connections: AtomicU64,
     total_connections: AtomicU64,
@@ -51,10 +86,38 @@ pub struct MetricsCollector {
     /// Per-route byte counters
     route_bytes_in: DashMap<String, AtomicU64>,
     route_bytes_out: DashMap<String, AtomicU64>,
+
+    // ── Per-IP tracking ──
+    ip_connections: DashMap<String, AtomicU64>,
+    ip_total_connections: DashMap<String, AtomicU64>,
+    ip_bytes_in: DashMap<String, AtomicU64>,
+    ip_bytes_out: DashMap<String, AtomicU64>,
+    ip_pending_tp: DashMap<String, (AtomicU64, AtomicU64)>,
+    ip_throughput: DashMap<String, Mutex<ThroughputTracker>>,
+
+    // ── HTTP request tracking ──
+    total_http_requests: AtomicU64,
+    pending_http_requests: AtomicU64,
+    http_request_throughput: Mutex<ThroughputTracker>,
+
+    // ── Lock-free pending throughput counters (hot path) ──
+    global_pending_tp_in: AtomicU64,
+    global_pending_tp_out: AtomicU64,
+    route_pending_tp: DashMap<String, (AtomicU64, AtomicU64)>,
+
+    // ── Throughput history — only locked during sampling (cold path) ──
+    global_throughput: Mutex<ThroughputTracker>,
+    route_throughput: DashMap<String, Mutex<ThroughputTracker>>,
+    retention_seconds: usize,
 }
 
 impl MetricsCollector {
     pub fn new() -> Self {
+        Self::with_retention(DEFAULT_RETENTION_SECONDS)
+    }
+
+    /// Create a MetricsCollector with a custom retention period for throughput history.
+    pub fn with_retention(retention_seconds: usize) -> Self {
         Self {
             active_connections: AtomicU64::new(0),
             total_connections: AtomicU64::new(0),
@@ -64,11 +127,26 @@ impl MetricsCollector {
             route_total_connections: DashMap::new(),
             route_bytes_in: DashMap::new(),
             route_bytes_out: DashMap::new(),
+            ip_connections: DashMap::new(),
+            ip_total_connections: DashMap::new(),
+            ip_bytes_in: DashMap::new(),
+            ip_bytes_out: DashMap::new(),
+            ip_pending_tp: DashMap::new(),
+            ip_throughput: DashMap::new(),
+            total_http_requests: AtomicU64::new(0),
+            pending_http_requests: AtomicU64::new(0),
+            http_request_throughput: Mutex::new(ThroughputTracker::new(retention_seconds)),
+            global_pending_tp_in: AtomicU64::new(0),
+            global_pending_tp_out: AtomicU64::new(0),
+            route_pending_tp: DashMap::new(),
+            global_throughput: Mutex::new(ThroughputTracker::new(retention_seconds)),
+            route_throughput: DashMap::new(),
+            retention_seconds,
         }
     }
 
     /// Record a new connection.
-    pub fn connection_opened(&self, route_id: Option<&str>) {
+    pub fn connection_opened(&self, route_id: Option<&str>, source_ip: Option<&str>) {
         self.active_connections.fetch_add(1, Ordering::Relaxed);
         self.total_connections.fetch_add(1, Ordering::Relaxed);
 
@@ -82,10 +160,21 @@ impl MetricsCollector {
                 .or_insert_with(|| AtomicU64::new(0))
                 .fetch_add(1, Ordering::Relaxed);
         }
+
+        if let Some(ip) = source_ip {
+            self.ip_connections
+                .entry(ip.to_string())
+                .or_insert_with(|| AtomicU64::new(0))
+                .fetch_add(1, Ordering::Relaxed);
+            self.ip_total_connections
+                .entry(ip.to_string())
+                .or_insert_with(|| AtomicU64::new(0))
+                .fetch_add(1, Ordering::Relaxed);
+        }
     }
 
     /// Record a connection closing.
-    pub fn connection_closed(&self, route_id: Option<&str>) {
+    pub fn connection_closed(&self, route_id: Option<&str>, source_ip: Option<&str>) {
         self.active_connections.fetch_sub(1, Ordering::Relaxed);
 
         if let Some(route_id) = route_id {
@@ -96,13 +185,34 @@ impl MetricsCollector {
                 }
             }
         }
+
+        if let Some(ip) = source_ip {
+            if let Some(counter) = self.ip_connections.get(ip) {
+                let val = counter.load(Ordering::Relaxed);
+                if val > 0 {
+                    counter.fetch_sub(1, Ordering::Relaxed);
+                }
+                // Clean up zero-count entries to prevent memory growth
+                if val <= 1 {
+                    drop(counter);
+                    self.ip_connections.remove(ip);
+                }
+            }
+        }
     }
 
-    /// Record bytes transferred.
-    pub fn record_bytes(&self, bytes_in: u64, bytes_out: u64, route_id: Option<&str>) {
+    /// Record bytes transferred (lock-free hot path).
+    ///
+    /// Called per-chunk in the TCP copy loop. Only touches AtomicU64 counters —
+    /// no Mutex is taken. The throughput trackers are fed during `sample_all()`.
+    pub fn record_bytes(&self, bytes_in: u64, bytes_out: u64, route_id: Option<&str>, source_ip: Option<&str>) {
         self.total_bytes_in.fetch_add(bytes_in, Ordering::Relaxed);
         self.total_bytes_out.fetch_add(bytes_out, Ordering::Relaxed);
 
+        // Accumulate into lock-free pending throughput counters
+        self.global_pending_tp_in.fetch_add(bytes_in, Ordering::Relaxed);
+        self.global_pending_tp_out.fetch_add(bytes_out, Ordering::Relaxed);
+
         if let Some(route_id) = route_id {
             self.route_bytes_in
                 .entry(route_id.to_string())
@@ -112,6 +222,123 @@ impl MetricsCollector {
                 .entry(route_id.to_string())
                 .or_insert_with(|| AtomicU64::new(0))
                 .fetch_add(bytes_out, Ordering::Relaxed);
+
+            // Accumulate into per-route pending throughput counters (lock-free)
+            let entry = self.route_pending_tp
+                .entry(route_id.to_string())
+                .or_insert_with(|| (AtomicU64::new(0), AtomicU64::new(0)));
+            entry.0.fetch_add(bytes_in, Ordering::Relaxed);
+            entry.1.fetch_add(bytes_out, Ordering::Relaxed);
+        }
+
+        if let Some(ip) = source_ip {
+            self.ip_bytes_in
+                .entry(ip.to_string())
+                .or_insert_with(|| AtomicU64::new(0))
+                .fetch_add(bytes_in, Ordering::Relaxed);
+            self.ip_bytes_out
+                .entry(ip.to_string())
+                .or_insert_with(|| AtomicU64::new(0))
+                .fetch_add(bytes_out, Ordering::Relaxed);
+
+            // Accumulate into per-IP pending throughput counters (lock-free)
+            let entry = self.ip_pending_tp
+                .entry(ip.to_string())
+                .or_insert_with(|| (AtomicU64::new(0), AtomicU64::new(0)));
+            entry.0.fetch_add(bytes_in, Ordering::Relaxed);
+            entry.1.fetch_add(bytes_out, Ordering::Relaxed);
+        }
+    }
+
+    /// Record an HTTP request (called once per request in the HTTP proxy).
+    pub fn record_http_request(&self) {
+        self.total_http_requests.fetch_add(1, Ordering::Relaxed);
+        self.pending_http_requests.fetch_add(1, Ordering::Relaxed);
+    }
+
+    /// Take a throughput sample on all trackers (cold path, call at 1Hz or configured interval).
+    ///
+    /// Drains the lock-free pending counters and feeds the accumulated bytes
+    /// into the throughput trackers (under Mutex). This is the only place
+    /// the Mutex is locked.
+    pub fn sample_all(&self) {
+        // Drain global pending bytes and feed into the tracker
+        let global_in = self.global_pending_tp_in.swap(0, Ordering::Relaxed);
+        let global_out = self.global_pending_tp_out.swap(0, Ordering::Relaxed);
+        if let Ok(mut tracker) = self.global_throughput.lock() {
+            tracker.record_bytes(global_in, global_out);
+            tracker.sample();
+        }
+
+        // Drain per-route pending bytes; collect into a Vec to avoid holding DashMap shards
+        let mut route_samples: Vec<(String, u64, u64)> = Vec::new();
+        for entry in self.route_pending_tp.iter() {
+            let route_id = entry.key().clone();
+            let pending_in = entry.value().0.swap(0, Ordering::Relaxed);
+            let pending_out = entry.value().1.swap(0, Ordering::Relaxed);
+            route_samples.push((route_id, pending_in, pending_out));
+        }
+
+        // Feed pending bytes into route trackers and sample
+        let retention = self.retention_seconds;
+        for (route_id, pending_in, pending_out) in &route_samples {
+            // Ensure the tracker exists
+            self.route_throughput
+                .entry(route_id.clone())
+                .or_insert_with(|| Mutex::new(ThroughputTracker::new(retention)));
+            // Now get a separate ref and lock it
+            if let Some(tracker_ref) = self.route_throughput.get(route_id) {
+                if let Ok(mut tracker) = tracker_ref.value().lock() {
+                    tracker.record_bytes(*pending_in, *pending_out);
+                    tracker.sample();
+                }
+            }
+        }
+
+        // Also sample any route trackers that had no new pending bytes
+        // (to keep their sample window advancing)
+        for entry in self.route_throughput.iter() {
+            if !self.route_pending_tp.contains_key(entry.key()) {
+                if let Ok(mut tracker) = entry.value().lock() {
+                    tracker.sample();
+                }
+            }
+        }
+
+        // Drain per-IP pending bytes and feed into IP throughput trackers
+        let mut ip_samples: Vec<(String, u64, u64)> = Vec::new();
+        for entry in self.ip_pending_tp.iter() {
+            let ip = entry.key().clone();
+            let pending_in = entry.value().0.swap(0, Ordering::Relaxed);
+            let pending_out = entry.value().1.swap(0, Ordering::Relaxed);
+            ip_samples.push((ip, pending_in, pending_out));
+        }
+        for (ip, pending_in, pending_out) in &ip_samples {
+            self.ip_throughput
+                .entry(ip.clone())
+                .or_insert_with(|| Mutex::new(ThroughputTracker::new(retention)));
+            if let Some(tracker_ref) = self.ip_throughput.get(ip) {
+                if let Ok(mut tracker) = tracker_ref.value().lock() {
+                    tracker.record_bytes(*pending_in, *pending_out);
+                    tracker.sample();
+                }
+            }
+        }
+        // Sample idle IP trackers
+        for entry in self.ip_throughput.iter() {
+            if !self.ip_pending_tp.contains_key(entry.key()) {
+                if let Ok(mut tracker) = entry.value().lock() {
+                    tracker.sample();
+                }
+            }
+        }
+
+        // Drain pending HTTP request count and feed into HTTP throughput tracker
+        let pending_reqs = self.pending_http_requests.swap(0, Ordering::Relaxed);
+        if let Ok(mut tracker) = self.http_request_throughput.lock() {
+            // Use bytes_in field to track request count (each request = 1 "byte")
+            tracker.record_bytes(pending_reqs, 0);
+            tracker.sample();
         }
     }
 
@@ -135,10 +362,22 @@ impl MetricsCollector {
         self.total_bytes_out.load(Ordering::Relaxed)
     }
 
-    /// Get a full metrics snapshot including per-route data.
+    /// Get a full metrics snapshot including per-route and per-IP data.
     pub fn snapshot(&self) -> Metrics {
         let mut routes = std::collections::HashMap::new();
 
+        // Get global throughput (instant = last 1 sample, recent = last 10 samples)
+        let (global_tp_in, global_tp_out, global_recent_in, global_recent_out, throughput_history) =
+            self.global_throughput
+                .lock()
+                .map(|t| {
+                    let (i_in, i_out) = t.instant();
+                    let (r_in, r_out) = t.recent();
+                    let history = t.history(60);
+                    (i_in, i_out, r_in, r_out, history)
+                })
+                .unwrap_or((0, 0, 0, 0, Vec::new()));
+
         // Collect per-route metrics
         for entry in self.route_total_connections.iter() {
             let route_id = entry.key().clone();
@@ -156,24 +395,92 @@ impl MetricsCollector {
                 .map(|c| c.load(Ordering::Relaxed))
                 .unwrap_or(0);
 
+            let (route_tp_in, route_tp_out, route_recent_in, route_recent_out) = self.route_throughput
+                .get(&route_id)
+                .and_then(|entry| entry.value().lock().ok().map(|t| {
+                    let (i_in, i_out) = t.instant();
+                    let (r_in, r_out) = t.recent();
+                    (i_in, i_out, r_in, r_out)
+                }))
+                .unwrap_or((0, 0, 0, 0));
+
             routes.insert(route_id, RouteMetrics {
                 active_connections: active,
                 total_connections: total,
                 bytes_in,
                 bytes_out,
-                throughput_in_bytes_per_sec: 0,
-                throughput_out_bytes_per_sec: 0,
+                throughput_in_bytes_per_sec: route_tp_in,
+                throughput_out_bytes_per_sec: route_tp_out,
+                throughput_recent_in_bytes_per_sec: route_recent_in,
+                throughput_recent_out_bytes_per_sec: route_recent_out,
             });
         }
 
+        // Collect per-IP metrics — only IPs with active connections or total > 0,
+        // capped at top MAX_IPS_IN_SNAPSHOT sorted by active count
+        let mut ip_entries: Vec<(String, u64, u64, u64, u64, u64, u64)> = Vec::new();
+        for entry in self.ip_total_connections.iter() {
+            let ip = entry.key().clone();
+            let total = entry.value().load(Ordering::Relaxed);
+            let active = self.ip_connections
+                .get(&ip)
+                .map(|c| c.load(Ordering::Relaxed))
+                .unwrap_or(0);
+            let bytes_in = self.ip_bytes_in
+                .get(&ip)
+                .map(|c| c.load(Ordering::Relaxed))
+                .unwrap_or(0);
+            let bytes_out = self.ip_bytes_out
+                .get(&ip)
+                .map(|c| c.load(Ordering::Relaxed))
+                .unwrap_or(0);
+            let (tp_in, tp_out) = self.ip_throughput
+                .get(&ip)
+                .and_then(|entry| entry.value().lock().ok().map(|t| t.instant()))
+                .unwrap_or((0, 0));
+            ip_entries.push((ip, active, total, bytes_in, bytes_out, tp_in, tp_out));
+        }
+        // Sort by active connections descending, then cap
+        ip_entries.sort_by(|a, b| b.1.cmp(&a.1));
+        ip_entries.truncate(MAX_IPS_IN_SNAPSHOT);
+
+        let mut ips = std::collections::HashMap::new();
+        for (ip, active, total, bytes_in, bytes_out, tp_in, tp_out) in ip_entries {
+            ips.insert(ip, IpMetrics {
+                active_connections: active,
+                total_connections: total,
+                bytes_in,
+                bytes_out,
+                throughput_in_bytes_per_sec: tp_in,
+                throughput_out_bytes_per_sec: tp_out,
+            });
+        }
+
+        // HTTP request rates
+        let (http_rps, http_rps_recent) = self.http_request_throughput
+            .lock()
+            .map(|t| {
+                let (instant, _) = t.instant();
+                let (recent, _) = t.recent();
+                (instant, recent)
+            })
+            .unwrap_or((0, 0));
+
         Metrics {
             active_connections: self.active_connections(),
             total_connections: self.total_connections(),
             bytes_in: self.total_bytes_in(),
             bytes_out: self.total_bytes_out(),
-            throughput_in_bytes_per_sec: 0,
-            throughput_out_bytes_per_sec: 0,
+            throughput_in_bytes_per_sec: global_tp_in,
+            throughput_out_bytes_per_sec: global_tp_out,
+            throughput_recent_in_bytes_per_sec: global_recent_in,
+            throughput_recent_out_bytes_per_sec: global_recent_out,
             routes,
+            ips,
+            throughput_history,
+            total_http_requests: self.total_http_requests.load(Ordering::Relaxed),
+            http_requests_per_sec: http_rps,
+            http_requests_per_sec_recent: http_rps_recent,
         }
     }
 }
@@ -198,10 +505,10 @@ mod tests {
     #[test]
     fn test_connection_opened_increments() {
         let collector = MetricsCollector::new();
-        collector.connection_opened(None);
+        collector.connection_opened(None, None);
         assert_eq!(collector.active_connections(), 1);
         assert_eq!(collector.total_connections(), 1);
-        collector.connection_opened(None);
+        collector.connection_opened(None, None);
         assert_eq!(collector.active_connections(), 2);
         assert_eq!(collector.total_connections(), 2);
     }
@@ -209,10 +516,10 @@ mod tests {
     #[test]
     fn test_connection_closed_decrements() {
         let collector = MetricsCollector::new();
-        collector.connection_opened(None);
-        collector.connection_opened(None);
+        collector.connection_opened(None, None);
+        collector.connection_opened(None, None);
         assert_eq!(collector.active_connections(), 2);
-        collector.connection_closed(None);
+        collector.connection_closed(None, None);
         assert_eq!(collector.active_connections(), 1);
         // total_connections should stay at 2
         assert_eq!(collector.total_connections(), 2);
@@ -221,23 +528,23 @@ mod tests {
     #[test]
     fn test_route_specific_tracking() {
         let collector = MetricsCollector::new();
-        collector.connection_opened(Some("route-a"));
-        collector.connection_opened(Some("route-a"));
-        collector.connection_opened(Some("route-b"));
+        collector.connection_opened(Some("route-a"), None);
+        collector.connection_opened(Some("route-a"), None);
+        collector.connection_opened(Some("route-b"), None);
 
         assert_eq!(collector.active_connections(), 3);
         assert_eq!(collector.total_connections(), 3);
 
-        collector.connection_closed(Some("route-a"));
+        collector.connection_closed(Some("route-a"), None);
         assert_eq!(collector.active_connections(), 2);
     }
 
     #[test]
     fn test_record_bytes() {
         let collector = MetricsCollector::new();
-        collector.record_bytes(100, 200, Some("route-a"));
-        collector.record_bytes(50, 75, Some("route-a"));
-        collector.record_bytes(25, 30, None);
+        collector.record_bytes(100, 200, Some("route-a"), None);
+        collector.record_bytes(50, 75, Some("route-a"), None);
+        collector.record_bytes(25, 30, None, None);
 
         let total_in = collector.total_bytes_in.load(Ordering::Relaxed);
         let total_out = collector.total_bytes_out.load(Ordering::Relaxed);
@@ -248,4 +555,114 @@ mod tests {
         let route_in = collector.route_bytes_in.get("route-a").unwrap();
         assert_eq!(route_in.load(Ordering::Relaxed), 150);
     }
+
+    #[test]
+    fn test_throughput_tracking() {
+        let collector = MetricsCollector::with_retention(60);
+
+        // Open a connection so the route appears in the snapshot
+        collector.connection_opened(Some("route-a"), None);
+
+        // Record some bytes
+        collector.record_bytes(1000, 2000, Some("route-a"), None);
+        collector.record_bytes(500, 750, None, None);
+
+        // Take a sample (simulates the 1Hz tick)
+        collector.sample_all();
+
+        // Check global throughput
+        let snapshot = collector.snapshot();
+        assert_eq!(snapshot.throughput_in_bytes_per_sec, 1500);
+        assert_eq!(snapshot.throughput_out_bytes_per_sec, 2750);
+
+        // Check per-route throughput
+        let route_a = snapshot.routes.get("route-a").unwrap();
+        assert_eq!(route_a.throughput_in_bytes_per_sec, 1000);
+        assert_eq!(route_a.throughput_out_bytes_per_sec, 2000);
+    }
+
+    #[test]
+    fn test_throughput_zero_before_sampling() {
+        let collector = MetricsCollector::with_retention(60);
+        collector.record_bytes(1000, 2000, None, None);
+
+        // Without sampling, throughput should be 0
+        let snapshot = collector.snapshot();
+        assert_eq!(snapshot.throughput_in_bytes_per_sec, 0);
+        assert_eq!(snapshot.throughput_out_bytes_per_sec, 0);
+    }
+
+    #[test]
+    fn test_per_ip_tracking() {
+        let collector = MetricsCollector::with_retention(60);
+
+        collector.connection_opened(Some("route-a"), Some("1.2.3.4"));
+        collector.connection_opened(Some("route-a"), Some("1.2.3.4"));
+        collector.connection_opened(Some("route-b"), Some("5.6.7.8"));
+
+        // Check IP active connections (drop DashMap refs immediately to avoid deadlock)
+        assert_eq!(
+            collector.ip_connections.get("1.2.3.4").unwrap().load(Ordering::Relaxed),
+            2
+        );
+        assert_eq!(
+            collector.ip_connections.get("5.6.7.8").unwrap().load(Ordering::Relaxed),
+            1
+        );
+
+        // Record bytes per IP
+        collector.record_bytes(100, 200, Some("route-a"), Some("1.2.3.4"));
+        collector.record_bytes(300, 400, Some("route-b"), Some("5.6.7.8"));
+        collector.sample_all();
+
+        let snapshot = collector.snapshot();
+        assert_eq!(snapshot.ips.len(), 2);
+        let ip1_metrics = snapshot.ips.get("1.2.3.4").unwrap();
+        assert_eq!(ip1_metrics.active_connections, 2);
+        assert_eq!(ip1_metrics.bytes_in, 100);
+
+        // Close connections
+        collector.connection_closed(Some("route-a"), Some("1.2.3.4"));
+        assert_eq!(
+            collector.ip_connections.get("1.2.3.4").unwrap().load(Ordering::Relaxed),
+            1
+        );
+
+        // Close last connection for IP — should be cleaned up
+        collector.connection_closed(Some("route-a"), Some("1.2.3.4"));
+        assert!(collector.ip_connections.get("1.2.3.4").is_none());
+    }
+
+    #[test]
+    fn test_http_request_tracking() {
+        let collector = MetricsCollector::with_retention(60);
+
+        collector.record_http_request();
+        collector.record_http_request();
+        collector.record_http_request();
+
+        assert_eq!(collector.total_http_requests.load(Ordering::Relaxed), 3);
+
+        collector.sample_all();
+
+        let snapshot = collector.snapshot();
+        assert_eq!(snapshot.total_http_requests, 3);
+        assert_eq!(snapshot.http_requests_per_sec, 3);
+    }
+
+    #[test]
+    fn test_throughput_history_in_snapshot() {
+        let collector = MetricsCollector::with_retention(60);
+
+        for i in 1..=5 {
+            collector.record_bytes(i * 100, i * 200, None, None);
+            collector.sample_all();
+        }
+
+        let snapshot = collector.snapshot();
+        assert_eq!(snapshot.throughput_history.len(), 5);
+        // History should be chronological (oldest first)
+        assert_eq!(snapshot.throughput_history[0].bytes_in, 100);
+        assert_eq!(snapshot.throughput_history[4].bytes_in, 500);
+    }
 }

rust/crates/rustproxy-metrics/src/throughput.rs

@@ -1,8 +1,10 @@
+use serde::{Deserialize, Serialize};
 use std::sync::atomic::{AtomicU64, Ordering};
 use std::time::{Instant, SystemTime, UNIX_EPOCH};
 
 /// A single throughput sample.
-#[derive(Debug, Clone, Copy)]
+#[derive(Debug, Clone, Copy, Serialize, Deserialize)]
+#[serde(rename_all = "camelCase")]
 pub struct ThroughputSample {
     pub timestamp_ms: u64,
     pub bytes_in: u64,
@@ -106,6 +108,27 @@ impl ThroughputTracker {
         self.throughput(10)
     }
 
+    /// Return the last N samples in chronological order (oldest first).
+    pub fn history(&self, window_seconds: usize) -> Vec<ThroughputSample> {
+        let window = window_seconds.min(self.count);
+        if window == 0 {
+            return Vec::new();
+        }
+        let mut result = Vec::with_capacity(window);
+        for i in 0..window {
+            let idx = if self.write_index >= i + 1 {
+                self.write_index - i - 1
+            } else {
+                self.capacity - (i + 1 - self.write_index)
+            };
+            if idx < self.samples.len() {
+                result.push(self.samples[idx]);
+            }
+        }
+        result.reverse(); // Return oldest-first (chronological)
+        result
+    }
+
     /// How long this tracker has been alive.
     pub fn uptime(&self) -> std::time::Duration {
         self.created_at.elapsed()
@@ -170,4 +193,40 @@ mod tests {
         std::thread::sleep(std::time::Duration::from_millis(10));
         assert!(tracker.uptime().as_millis() >= 10);
     }
+
+    #[test]
+    fn test_history_returns_chronological() {
+        let mut tracker = ThroughputTracker::new(60);
+        for i in 1..=5 {
+            tracker.record_bytes(i * 100, i * 200);
+            tracker.sample();
+        }
+        let history = tracker.history(5);
+        assert_eq!(history.len(), 5);
+        // First sample should have 100 bytes_in, last should have 500
+        assert_eq!(history[0].bytes_in, 100);
+        assert_eq!(history[4].bytes_in, 500);
+    }
+
+    #[test]
+    fn test_history_wraps_around() {
+        let mut tracker = ThroughputTracker::new(3); // Small capacity
+        for i in 1..=5 {
+            tracker.record_bytes(i * 100, i * 200);
+            tracker.sample();
+        }
+        // Only last 3 should be retained
+        let history = tracker.history(10); // Ask for more than available
+        assert_eq!(history.len(), 3);
+        assert_eq!(history[0].bytes_in, 300);
+        assert_eq!(history[1].bytes_in, 400);
+        assert_eq!(history[2].bytes_in, 500);
+    }
+
+    #[test]
+    fn test_history_empty() {
+        let tracker = ThroughputTracker::new(60);
+        let history = tracker.history(10);
+        assert!(history.is_empty());
+    }
 }

rust/crates/rustproxy-passthrough/src/forwarder.rs

@@ -5,13 +5,14 @@ use std::sync::Arc;
 use std::sync::atomic::{AtomicU64, Ordering};
 use tracing::debug;
 
-use super::connection_record::ConnectionRecord;
+use rustproxy_metrics::MetricsCollector;
 
-/// Statistics for a forwarded connection.
-#[derive(Debug, Default)]
-pub struct ForwardStats {
-    pub bytes_in: AtomicU64,
-    pub bytes_out: AtomicU64,
+/// Context for forwarding metrics, replacing the growing tuple pattern.
+#[derive(Clone)]
+pub struct ForwardMetricsCtx {
+    pub collector: Arc<MetricsCollector>,
+    pub route_id: Option<String>,
+    pub source_ip: Option<String>,
 }
 
 /// Perform bidirectional TCP forwarding between client and backend.
@@ -68,6 +69,10 @@ pub async fn forward_bidirectional(
 
 /// Perform bidirectional TCP forwarding with inactivity and max lifetime timeouts.
 ///
+/// When `metrics` is provided, bytes are reported to the MetricsCollector
+/// per-chunk (lock-free) as they flow through the copy loops, enabling
+/// real-time throughput sampling for long-lived connections.
+///
 /// Returns (bytes_from_client, bytes_from_backend) when the connection closes or times out.
 pub async fn forward_bidirectional_with_timeouts(
     client: TcpStream,
@@ -76,10 +81,14 @@ pub async fn forward_bidirectional_with_timeouts(
     inactivity_timeout: std::time::Duration,
     max_lifetime: std::time::Duration,
     cancel: CancellationToken,
+    metrics: Option<ForwardMetricsCtx>,
 ) -> std::io::Result<(u64, u64)> {
     // Send initial data (peeked bytes) to backend
     if let Some(data) = initial_data {
         backend.write_all(data).await?;
+        if let Some(ref ctx) = metrics {
+            ctx.collector.record_bytes(data.len() as u64, 0, ctx.route_id.as_deref(), ctx.source_ip.as_deref());
+        }
     }
 
     let (mut client_read, mut client_write) = client.into_split();
@@ -90,6 +99,7 @@ pub async fn forward_bidirectional_with_timeouts(
 
     let la1 = Arc::clone(&last_activity);
     let initial_len = initial_data.map_or(0u64, |d| d.len() as u64);
+    let metrics_c2b = metrics.clone();
     let c2b = tokio::spawn(async move {
         let mut buf = vec![0u8; 65536];
         let mut total = initial_len;
@@ -103,12 +113,16 @@ pub async fn forward_bidirectional_with_timeouts(
             }
             total += n as u64;
             la1.store(start.elapsed().as_millis() as u64, Ordering::Relaxed);
+            if let Some(ref ctx) = metrics_c2b {
+                ctx.collector.record_bytes(n as u64, 0, ctx.route_id.as_deref(), ctx.source_ip.as_deref());
+            }
         }
         let _ = backend_write.shutdown().await;
         total
     });
 
     let la2 = Arc::clone(&last_activity);
+    let metrics_b2c = metrics;
     let b2c = tokio::spawn(async move {
         let mut buf = vec![0u8; 65536];
         let mut total = 0u64;
@@ -122,6 +136,9 @@ pub async fn forward_bidirectional_with_timeouts(
             }
             total += n as u64;
             la2.store(start.elapsed().as_millis() as u64, Ordering::Relaxed);
+            if let Some(ref ctx) = metrics_b2c {
+                ctx.collector.record_bytes(0, n as u64, ctx.route_id.as_deref(), ctx.source_ip.as_deref());
+            }
         }
         let _ = client_write.shutdown().await;
         total
@@ -173,153 +190,3 @@ pub async fn forward_bidirectional_with_timeouts(
     watchdog.abort();
     Ok((bytes_in, bytes_out))
 }
-
-/// Forward bidirectional with a callback for byte counting.
-pub async fn forward_bidirectional_with_stats(
-    client: TcpStream,
-    backend: TcpStream,
-    initial_data: Option<&[u8]>,
-    stats: Arc<ForwardStats>,
-) -> std::io::Result<()> {
-    let (bytes_in, bytes_out) = forward_bidirectional(client, backend, initial_data).await?;
-    stats.bytes_in.fetch_add(bytes_in, Ordering::Relaxed);
-    stats.bytes_out.fetch_add(bytes_out, Ordering::Relaxed);
-    Ok(())
-}
-
-/// Perform bidirectional TCP forwarding with inactivity / lifetime timeouts,
-/// updating a `ConnectionRecord` with byte counts and activity timestamps
-/// in real time for zombie detection.
-///
-/// When `record` is `None`, this behaves identically to
-/// `forward_bidirectional_with_timeouts`.
-///
-/// The record's `client_closed` / `backend_closed` flags are set when the
-/// respective copy loop terminates, giving the zombie scanner visibility
-/// into half-open connections.
-pub async fn forward_bidirectional_with_record(
-    client: TcpStream,
-    mut backend: TcpStream,
-    initial_data: Option<&[u8]>,
-    inactivity_timeout: std::time::Duration,
-    max_lifetime: std::time::Duration,
-    cancel: CancellationToken,
-    record: Option<Arc<ConnectionRecord>>,
-) -> std::io::Result<(u64, u64)> {
-    // Send initial data (peeked bytes) to backend
-    if let Some(data) = initial_data {
-        backend.write_all(data).await?;
-        if let Some(ref r) = record {
-            r.record_bytes_in(data.len() as u64);
-        }
-    }
-
-    let (mut client_read, mut client_write) = client.into_split();
-    let (mut backend_read, mut backend_write) = backend.into_split();
-
-    let last_activity = Arc::new(AtomicU64::new(0));
-    let start = std::time::Instant::now();
-
-    let la1 = Arc::clone(&last_activity);
-    let initial_len = initial_data.map_or(0u64, |d| d.len() as u64);
-    let rec1 = record.clone();
-    let c2b = tokio::spawn(async move {
-        let mut buf = vec![0u8; 65536];
-        let mut total = initial_len;
-        loop {
-            let n = match client_read.read(&mut buf).await {
-                Ok(0) | Err(_) => break,
-                Ok(n) => n,
-            };
-            if backend_write.write_all(&buf[..n]).await.is_err() {
-                break;
-            }
-            total += n as u64;
-            let now_ms = start.elapsed().as_millis() as u64;
-            la1.store(now_ms, Ordering::Relaxed);
-            if let Some(ref r) = rec1 {
-                r.record_bytes_in(n as u64);
-            }
-        }
-        let _ = backend_write.shutdown().await;
-        // Mark client side as closed
-        if let Some(ref r) = rec1 {
-            r.client_closed.store(true, Ordering::Relaxed);
-        }
-        total
-    });
-
-    let la2 = Arc::clone(&last_activity);
-    let rec2 = record.clone();
-    let b2c = tokio::spawn(async move {
-        let mut buf = vec![0u8; 65536];
-        let mut total = 0u64;
-        loop {
-            let n = match backend_read.read(&mut buf).await {
-                Ok(0) | Err(_) => break,
-                Ok(n) => n,
-            };
-            if client_write.write_all(&buf[..n]).await.is_err() {
-                break;
-            }
-            total += n as u64;
-            let now_ms = start.elapsed().as_millis() as u64;
-            la2.store(now_ms, Ordering::Relaxed);
-            if let Some(ref r) = rec2 {
-                r.record_bytes_out(n as u64);
-            }
-        }
-        let _ = client_write.shutdown().await;
-        // Mark backend side as closed
-        if let Some(ref r) = rec2 {
-            r.backend_closed.store(true, Ordering::Relaxed);
-        }
-        total
-    });
-
-    // Watchdog: inactivity, max lifetime, and cancellation
-    let la_watch = Arc::clone(&last_activity);
-    let c2b_handle = c2b.abort_handle();
-    let b2c_handle = b2c.abort_handle();
-    let watchdog = tokio::spawn(async move {
-        let check_interval = std::time::Duration::from_secs(5);
-        let mut last_seen = 0u64;
-        loop {
-            tokio::select! {
-                _ = cancel.cancelled() => {
-                    debug!("Connection cancelled by shutdown");
-                    c2b_handle.abort();
-                    b2c_handle.abort();
-                    break;
-                }
-                _ = tokio::time::sleep(check_interval) => {
-                    // Check max lifetime
-                    if start.elapsed() >= max_lifetime {
-                        debug!("Connection exceeded max lifetime, closing");
-                        c2b_handle.abort();
-                        b2c_handle.abort();
-                        break;
-                    }
-
-                    // Check inactivity
-                    let current = la_watch.load(Ordering::Relaxed);
-                    if current == last_seen {
-                        let elapsed_since_activity = start.elapsed().as_millis() as u64 - current;
-                        if elapsed_since_activity >= inactivity_timeout.as_millis() as u64 {
-                            debug!("Connection inactive for {}ms, closing", elapsed_since_activity);
-                            c2b_handle.abort();
-                            b2c_handle.abort();
-                            break;
-                        }
-                    }
-                    last_seen = current;
-                }
-            }
-        }
-    });
-
-    let bytes_in = c2b.await.unwrap_or(0);
-    let bytes_out = b2c.await.unwrap_or(0);
-    watchdog.abort();
-    Ok((bytes_in, bytes_out))
-}

rust/crates/rustproxy-passthrough/src/tcp_listener.rs

@@ -2,6 +2,7 @@ use std::collections::HashMap;
 use std::sync::Arc;
 use arc_swap::ArcSwap;
 use tokio::net::TcpListener;
+use tokio_rustls::TlsAcceptor;
 use tokio_util::sync::CancellationToken;
 use tracing::{info, error, debug, warn};
 use thiserror::Error;
@@ -20,14 +21,16 @@ use crate::connection_tracker::ConnectionTracker;
 struct ConnectionGuard {
     metrics: Arc<MetricsCollector>,
     route_id: Option<String>,
+    source_ip: Option<String>,
     disarmed: bool,
 }
 
 impl ConnectionGuard {
-    fn new(metrics: Arc<MetricsCollector>, route_id: Option<&str>) -> Self {
+    fn new(metrics: Arc<MetricsCollector>, route_id: Option<&str>, source_ip: Option<&str>) -> Self {
         Self {
             metrics,
             route_id: route_id.map(|s| s.to_string()),
+            source_ip: source_ip.map(|s| s.to_string()),
             disarmed: false,
         }
     }
@@ -42,7 +45,7 @@ impl ConnectionGuard {
 impl Drop for ConnectionGuard {
     fn drop(&mut self) {
         if !self.disarmed {
-            self.metrics.connection_closed(self.route_id.as_deref());
+            self.metrics.connection_closed(self.route_id.as_deref(), self.source_ip.as_deref());
         }
     }
 }
@@ -120,8 +123,10 @@ pub struct TcpListenerManager {
     route_manager: Arc<ArcSwap<RouteManager>>,
     /// Shared metrics collector
     metrics: Arc<MetricsCollector>,
-    /// TLS acceptors indexed by domain (ArcSwap for hot-reload visibility in accept loops)
+    /// Raw PEM TLS configs indexed by domain (kept for fallback with custom TLS versions)
     tls_configs: Arc<ArcSwap<HashMap<String, TlsCertConfig>>>,
+    /// Shared TLS acceptor (pre-parsed certs + session cache). None when no certs configured.
+    shared_tls_acceptor: Arc<ArcSwap<Option<TlsAcceptor>>>,
     /// HTTP proxy service for HTTP-level forwarding
     http_proxy: Arc<HttpProxyService>,
     /// Connection configuration
@@ -152,6 +157,7 @@ impl TcpListenerManager {
             route_manager: Arc::new(ArcSwap::from(route_manager)),
             metrics,
             tls_configs: Arc::new(ArcSwap::from(Arc::new(HashMap::new()))),
+            shared_tls_acceptor: Arc::new(ArcSwap::from(Arc::new(None))),
             http_proxy,
             conn_config: Arc::new(conn_config),
             conn_tracker,
@@ -177,6 +183,7 @@ impl TcpListenerManager {
             route_manager: Arc::new(ArcSwap::from(route_manager)),
             metrics,
             tls_configs: Arc::new(ArcSwap::from(Arc::new(HashMap::new()))),
+            shared_tls_acceptor: Arc::new(ArcSwap::from(Arc::new(None))),
             http_proxy,
             conn_config: Arc::new(conn_config),
             conn_tracker,
@@ -195,8 +202,26 @@ impl TcpListenerManager {
     }
 
     /// Set TLS certificate configurations.
+    /// Builds a shared TLS acceptor with pre-parsed certs and session resumption support.
     /// Uses ArcSwap so running accept loops immediately see the new certs.
     pub fn set_tls_configs(&self, configs: HashMap<String, TlsCertConfig>) {
+        if !configs.is_empty() {
+            match tls_handler::CertResolver::new(&configs)
+                .and_then(tls_handler::build_shared_tls_acceptor)
+            {
+                Ok(acceptor) => {
+                    info!("Built shared TLS acceptor for {} domain(s)", configs.len());
+                    self.shared_tls_acceptor.store(Arc::new(Some(acceptor)));
+                }
+                Err(e) => {
+                    warn!("Failed to build shared TLS acceptor: {}, falling back to per-connection", e);
+                    self.shared_tls_acceptor.store(Arc::new(None));
+                }
+            }
+        } else {
+            self.shared_tls_acceptor.store(Arc::new(None));
+        }
+        // Keep raw PEM configs for fallback (routes with custom TLS versions)
         self.tls_configs.store(Arc::new(configs));
     }
 
@@ -222,6 +247,7 @@ impl TcpListenerManager {
         let route_manager_swap = Arc::clone(&self.route_manager);
         let metrics = Arc::clone(&self.metrics);
         let tls_configs = Arc::clone(&self.tls_configs);
+        let shared_tls_acceptor = Arc::clone(&self.shared_tls_acceptor);
         let http_proxy = Arc::clone(&self.http_proxy);
         let conn_config = Arc::clone(&self.conn_config);
         let conn_tracker = Arc::clone(&self.conn_tracker);
@@ -231,7 +257,7 @@ impl TcpListenerManager {
         let handle = tokio::spawn(async move {
             Self::accept_loop(
                 listener, port, route_manager_swap, metrics, tls_configs,
-                http_proxy, conn_config, conn_tracker, cancel, relay,
+                shared_tls_acceptor, http_proxy, conn_config, conn_tracker, cancel, relay,
             ).await;
         });
 
@@ -320,6 +346,7 @@ impl TcpListenerManager {
         route_manager_swap: Arc<ArcSwap<RouteManager>>,
         metrics: Arc<MetricsCollector>,
         tls_configs: Arc<ArcSwap<HashMap<String, TlsCertConfig>>>,
+        shared_tls_acceptor: Arc<ArcSwap<Option<TlsAcceptor>>>,
         http_proxy: Arc<HttpProxyService>,
         conn_config: Arc<ConnectionConfig>,
         conn_tracker: Arc<ConnectionTracker>,
@@ -351,6 +378,8 @@ impl TcpListenerManager {
                             let m = Arc::clone(&metrics);
                             // Load the latest TLS configs from ArcSwap on each connection
                             let tc = tls_configs.load_full();
+                            // Load the latest shared TLS acceptor from ArcSwap
+                            let sa = shared_tls_acceptor.load_full();
                             let hp = Arc::clone(&http_proxy);
                             let cc = Arc::clone(&conn_config);
                             let ct = Arc::clone(&conn_tracker);
@@ -360,7 +389,7 @@ impl TcpListenerManager {
 
                             tokio::spawn(async move {
                                 let result = Self::handle_connection(
-                                    stream, port, peer_addr, rm, m, tc, hp, cc, cn, sr,
+                                    stream, port, peer_addr, rm, m, tc, sa, hp, cc, cn, sr,
                                 ).await;
                                 if let Err(e) = result {
                                     debug!("Connection error from {}: {}", peer_addr, e);
@@ -386,6 +415,7 @@ impl TcpListenerManager {
         route_manager: Arc<RouteManager>,
         metrics: Arc<MetricsCollector>,
         tls_configs: Arc<HashMap<String, TlsCertConfig>>,
+        shared_tls_acceptor: Arc<Option<TlsAcceptor>>,
         http_proxy: Arc<HttpProxyService>,
         conn_config: Arc<ConnectionConfig>,
         cancel: CancellationToken,
@@ -395,6 +425,9 @@ impl TcpListenerManager {
 
         stream.set_nodelay(true)?;
 
+        // Extract source IP once for all metric calls
+        let ip_str = peer_addr.ip().to_string();
+
         // === Fast path: try port-only matching before peeking at data ===
         // This handles "server-speaks-first" protocols where the client
         // doesn't send initial data (e.g., SMTP, greeting-based protocols).
@@ -413,6 +446,7 @@ impl TcpListenerManager {
                 tls_version: None,
                 headers: None,
                 is_tls: false,
+                protocol: None,
             };
 
             if let Some(quick_match) = route_manager.find_route(&quick_ctx) {
@@ -460,8 +494,8 @@ impl TcpListenerManager {
                             }
                         }
 
-                        metrics.connection_opened(route_id);
-                        let _fast_guard = ConnectionGuard::new(Arc::clone(&metrics), route_id);
+                        metrics.connection_opened(route_id, Some(&ip_str));
+                        let _fast_guard = ConnectionGuard::new(Arc::clone(&metrics), route_id, Some(&ip_str));
 
                         let connect_timeout = std::time::Duration::from_millis(conn_config.connection_timeout_ms);
                         let inactivity_timeout = std::time::Duration::from_millis(conn_config.socket_timeout_ms);
@@ -496,17 +530,25 @@ impl TcpListenerManager {
                             let mut backend_w = backend;
                             backend_w.write_all(header.as_bytes()).await?;
 
-                            let (bytes_in, bytes_out) = forwarder::forward_bidirectional_with_timeouts(
+                            let (_bytes_in, _bytes_out) = forwarder::forward_bidirectional_with_timeouts(
                                 stream, backend_w, None,
                                 inactivity_timeout, max_lifetime, cancel,
+                                Some(forwarder::ForwardMetricsCtx {
+                                    collector: Arc::clone(&metrics),
+                                    route_id: route_id.map(|s| s.to_string()),
+                                    source_ip: Some(ip_str.clone()),
+                                }),
                             ).await?;
-                            metrics.record_bytes(bytes_in, bytes_out, route_id);
                         } else {
-                            let (bytes_in, bytes_out) = forwarder::forward_bidirectional_with_timeouts(
+                            let (_bytes_in, _bytes_out) = forwarder::forward_bidirectional_with_timeouts(
                                 stream, backend, None,
                                 inactivity_timeout, max_lifetime, cancel,
+                                Some(forwarder::ForwardMetricsCtx {
+                                    collector: Arc::clone(&metrics),
+                                    route_id: route_id.map(|s| s.to_string()),
+                                    source_ip: Some(ip_str.clone()),
+                                }),
                             ).await?;
-                            metrics.record_bytes(bytes_in, bytes_out, route_id);
                         }
 
                         return Ok(());
@@ -609,6 +651,8 @@ impl TcpListenerManager {
             tls_version: None,
             headers: None,
             is_tls,
+            // For TLS connections, protocol is unknown until after termination
+            protocol: if is_http { Some("http") } else if !is_tls { Some("tcp") } else { None },
         };
 
         let route_match = route_manager.find_route(&ctx);
@@ -646,8 +690,8 @@ impl TcpListenerManager {
         }
 
         // Track connection in metrics — guard ensures connection_closed on all exit paths
-        metrics.connection_opened(route_id);
-        let _conn_guard = ConnectionGuard::new(Arc::clone(&metrics), route_id);
+        metrics.connection_opened(route_id, Some(&ip_str));
+        let _conn_guard = ConnectionGuard::new(Arc::clone(&metrics), route_id, Some(&ip_str));
 
         // Check if this is a socket-handler route that should be relayed to TypeScript
         if route_match.route.action.action_type == RouteActionType::SocketHandler {
@@ -661,6 +705,7 @@ impl TcpListenerManager {
                     stream, n, port, peer_addr,
                     &route_match, domain.as_deref(), is_tls,
                     &relay_socket_path,
+                    &metrics, route_id,
                 ).await;
             } else {
                 debug!("Socket-handler route matched but no relay path configured");
@@ -751,21 +796,21 @@ impl TcpListenerManager {
                 let mut actual_buf = vec![0u8; n];
                 stream.read_exact(&mut actual_buf).await?;
 
-                let (bytes_in, bytes_out) = forwarder::forward_bidirectional_with_timeouts(
+                let (_bytes_in, _bytes_out) = forwarder::forward_bidirectional_with_timeouts(
                     stream, backend, Some(&actual_buf),
                     inactivity_timeout, max_lifetime, cancel,
+                    Some(forwarder::ForwardMetricsCtx {
+                        collector: Arc::clone(&metrics),
+                        route_id: route_id.map(|s| s.to_string()),
+                        source_ip: Some(ip_str.clone()),
+                    }),
                 ).await?;
-                metrics.record_bytes(bytes_in, bytes_out, route_id);
                 Ok(())
             }
             Some(rustproxy_config::TlsMode::Terminate) => {
-                let tls_config = Self::find_tls_config(&domain, &tls_configs)?;
-
-                // TLS accept with timeout, applying route-level TLS settings
+                // Use shared acceptor (session resumption) or fall back to per-connection
                 let route_tls = route_match.route.action.tls.as_ref();
-                let acceptor = tls_handler::build_tls_acceptor_with_config(
-                    &tls_config.cert_pem, &tls_config.key_pem, route_tls,
-                )?;
+                let acceptor = Self::get_tls_acceptor(&domain, &tls_configs, &*shared_tls_acceptor, route_tls)?;
                 let tls_stream = match tokio::time::timeout(
                     std::time::Duration::from_millis(conn_config.initial_data_timeout_ms),
                     tls_handler::accept_tls(stream, &acceptor),
@@ -785,6 +830,15 @@ impl TcpListenerManager {
                     }
                 };
 
+                // Check protocol restriction from route config
+                if let Some(ref required_protocol) = route_match.route.route_match.protocol {
+                    let detected = if peeked { "http" } else { "tcp" };
+                    if required_protocol != detected {
+                        debug!("Protocol mismatch: route requires '{}', got '{}'", required_protocol, detected);
+                        return Err("Protocol mismatch".into());
+                    }
+                }
+
                 if peeked {
                     debug!(
                         "TLS Terminate + HTTP: {} -> {}:{} (domain: {:?})",
@@ -812,21 +866,72 @@ impl TcpListenerManager {
                     let (tls_read, tls_write) = tokio::io::split(buf_stream);
                     let (backend_read, backend_write) = tokio::io::split(backend);
 
-                    let (bytes_in, bytes_out) = Self::forward_bidirectional_split_with_timeouts(
+                    let (_bytes_in, _bytes_out) = Self::forward_bidirectional_split_with_timeouts(
                         tls_read, tls_write, backend_read, backend_write,
                         inactivity_timeout, max_lifetime,
+                        Some(forwarder::ForwardMetricsCtx {
+                            collector: Arc::clone(&metrics),
+                            route_id: route_id.map(|s| s.to_string()),
+                            source_ip: Some(ip_str.clone()),
+                        }),
                     ).await;
-
-                    metrics.record_bytes(bytes_in, bytes_out, route_id);
                 }
                 Ok(())
             }
             Some(rustproxy_config::TlsMode::TerminateAndReencrypt) => {
+                // Inline TLS accept + HTTP detection (same pattern as Terminate mode)
                 let route_tls = route_match.route.action.tls.as_ref();
-                Self::handle_tls_terminate_reencrypt(
-                    stream, n, &domain, &target_host, target_port,
-                    peer_addr, &tls_configs, &metrics, route_id, &conn_config, route_tls,
-                ).await
+                let acceptor = Self::get_tls_acceptor(&domain, &tls_configs, &*shared_tls_acceptor, route_tls)?;
+                let tls_stream = match tokio::time::timeout(
+                    std::time::Duration::from_millis(conn_config.initial_data_timeout_ms),
+                    tls_handler::accept_tls(stream, &acceptor),
+                ).await {
+                    Ok(Ok(s)) => s,
+                    Ok(Err(e)) => return Err(e),
+                    Err(_) => return Err("TLS handshake timeout".into()),
+                };
+
+                // Peek at decrypted data to detect protocol
+                let mut buf_stream = tokio::io::BufReader::new(tls_stream);
+                let is_http_data = {
+                    use tokio::io::AsyncBufReadExt;
+                    match buf_stream.fill_buf().await {
+                        Ok(data) => sni_parser::is_http(data),
+                        Err(_) => false,
+                    }
+                };
+
+                // Check protocol restriction from route config
+                if let Some(ref required_protocol) = route_match.route.route_match.protocol {
+                    let detected = if is_http_data { "http" } else { "tcp" };
+                    if required_protocol != detected {
+                        debug!("Protocol mismatch: route requires '{}', got '{}'", required_protocol, detected);
+                        return Err("Protocol mismatch".into());
+                    }
+                }
+
+                if is_http_data {
+                    // HTTP: full per-request routing via HttpProxyService
+                    // (backend TLS handled by HttpProxyService when upstream.use_tls is set)
+                    debug!(
+                        "TLS Terminate+Reencrypt + HTTP: {} (domain: {:?})",
+                        peer_addr, domain
+                    );
+                    _conn_guard.disarm();
+                    http_proxy.handle_io(buf_stream, peer_addr, port, cancel.clone()).await;
+                } else {
+                    // Non-HTTP: TLS-to-TLS tunnel (existing behavior for raw TCP protocols)
+                    debug!(
+                        "TLS Terminate+Reencrypt + TCP: {} -> {}:{}",
+                        peer_addr, target_host, target_port
+                    );
+                    Self::handle_tls_reencrypt_tunnel(
+                        buf_stream, &target_host, target_port,
+                        peer_addr, Arc::clone(&metrics), route_id,
+                        &conn_config,
+                    ).await?;
+                }
+                Ok(())
             }
             None => {
                 if is_http {
@@ -862,11 +967,15 @@ impl TcpListenerManager {
                     let mut actual_buf = vec![0u8; n];
                     stream.read_exact(&mut actual_buf).await?;
 
-                    let (bytes_in, bytes_out) = forwarder::forward_bidirectional_with_timeouts(
+                    let (_bytes_in, _bytes_out) = forwarder::forward_bidirectional_with_timeouts(
                         stream, backend, Some(&actual_buf),
                         inactivity_timeout, max_lifetime, cancel,
+                        Some(forwarder::ForwardMetricsCtx {
+                            collector: Arc::clone(&metrics),
+                            route_id: route_id.map(|s| s.to_string()),
+                            source_ip: Some(ip_str.clone()),
+                        }),
                     ).await?;
-                    metrics.record_bytes(bytes_in, bytes_out, route_id);
                     Ok(())
                 }
             }
@@ -892,6 +1001,8 @@ impl TcpListenerManager {
         domain: Option<&str>,
         is_tls: bool,
         relay_path: &str,
+        metrics: &MetricsCollector,
+        route_id: Option<&str>,
     ) -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
         use tokio::io::{AsyncReadExt, AsyncWriteExt};
         use tokio::net::UnixStream;
@@ -932,12 +1043,22 @@ impl TcpListenerManager {
         unix_stream.write_all(&initial_buf).await?;
 
         // Bidirectional relay between TCP client and Unix socket handler
+        let initial_len = initial_buf.len() as u64;
         match tokio::io::copy_bidirectional(&mut stream, &mut unix_stream).await {
             Ok((c2s, s2c)) => {
+                // Include initial data bytes that were forwarded before copy_bidirectional
+                let total_in = c2s + initial_len;
                 debug!("Socket handler relay complete for {}: {} bytes in, {} bytes out",
-                    route_key, c2s, s2c);
+                    route_key, total_in, s2c);
+                let ip = peer_addr.ip().to_string();
+                metrics.record_bytes(total_in, s2c, route_id, Some(&ip));
             }
             Err(e) => {
+                // Still record the initial data even on error
+                if initial_len > 0 {
+                    let ip = peer_addr.ip().to_string();
+                    metrics.record_bytes(initial_len, 0, route_id, Some(&ip));
+                }
                 debug!("Socket handler relay ended for {}: {}", route_key, e);
             }
         }
@@ -945,40 +1066,18 @@ impl TcpListenerManager {
         Ok(())
     }
 
-    /// Handle TLS terminate-and-reencrypt: accept TLS from client, connect TLS to backend.
-    async fn handle_tls_terminate_reencrypt(
-        stream: tokio::net::TcpStream,
-        _peek_len: usize,
-        domain: &Option<String>,
+    /// Handle non-HTTP TLS-to-TLS tunnel for terminate-and-reencrypt mode.
+    /// TLS accept has already been done by the caller; this only connects to the
+    /// backend over TLS and forwards bidirectionally.
+    async fn handle_tls_reencrypt_tunnel(
+        buf_stream: tokio::io::BufReader<tokio_rustls::server::TlsStream<tokio::net::TcpStream>>,
         target_host: &str,
         target_port: u16,
         peer_addr: std::net::SocketAddr,
-        tls_configs: &HashMap<String, TlsCertConfig>,
-        metrics: &MetricsCollector,
+        metrics: Arc<MetricsCollector>,
         route_id: Option<&str>,
         conn_config: &ConnectionConfig,
-        route_tls: Option<&rustproxy_config::RouteTls>,
     ) -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
-        let tls_config = Self::find_tls_config(domain, tls_configs)?;
-        let acceptor = tls_handler::build_tls_acceptor_with_config(
-            &tls_config.cert_pem, &tls_config.key_pem, route_tls,
-        )?;
-
-        // Accept TLS from client with timeout
-        let client_tls = match tokio::time::timeout(
-            std::time::Duration::from_millis(conn_config.initial_data_timeout_ms),
-            tls_handler::accept_tls(stream, &acceptor),
-        ).await {
-            Ok(Ok(s)) => s,
-            Ok(Err(e)) => return Err(e),
-            Err(_) => return Err("TLS handshake timeout".into()),
-        };
-
-        debug!(
-            "TLS Terminate+Reencrypt: {} -> {}:{} (domain: {:?})",
-            peer_addr, target_host, target_port, domain
-        );
-
         // Connect to backend over TLS with timeout
         let backend_tls = match tokio::time::timeout(
             std::time::Duration::from_millis(conn_config.connection_timeout_ms),
@@ -989,8 +1088,9 @@ impl TcpListenerManager {
             Err(_) => return Err("Backend TLS connection timeout".into()),
         };
 
-        // Forward between two TLS streams
-        let (client_read, client_write) = tokio::io::split(client_tls);
+        // Forward between decrypted client stream and backend TLS stream
+        // (BufReader preserves any already-buffered data from the peek)
+        let (client_read, client_write) = tokio::io::split(buf_stream);
         let (backend_read, backend_write) = tokio::io::split(backend_tls);
 
         let base_inactivity_ms = conn_config.socket_timeout_ms;
@@ -1019,15 +1119,43 @@ impl TcpListenerManager {
             }
         };
 
-        let (bytes_in, bytes_out) = Self::forward_bidirectional_split_with_timeouts(
+        let (_bytes_in, _bytes_out) = Self::forward_bidirectional_split_with_timeouts(
             client_read, client_write, backend_read, backend_write,
             inactivity_timeout, max_lifetime,
+            Some(forwarder::ForwardMetricsCtx {
+                collector: metrics,
+                route_id: route_id.map(|s| s.to_string()),
+                source_ip: Some(peer_addr.ip().to_string()),
+            }),
         ).await;
 
-        metrics.record_bytes(bytes_in, bytes_out, route_id);
         Ok(())
     }
 
+    /// Get a TLS acceptor, preferring the shared one (with session resumption)
+    /// and falling back to per-connection when custom TLS versions are configured.
+    fn get_tls_acceptor(
+        domain: &Option<String>,
+        tls_configs: &HashMap<String, TlsCertConfig>,
+        shared_tls_acceptor: &Option<TlsAcceptor>,
+        route_tls: Option<&rustproxy_config::RouteTls>,
+    ) -> Result<TlsAcceptor, Box<dyn std::error::Error + Send + Sync>> {
+        let has_custom_versions = route_tls
+            .and_then(|t| t.versions.as_ref())
+            .map(|v| !v.is_empty())
+            .unwrap_or(false);
+
+        if !has_custom_versions {
+            if let Some(shared) = shared_tls_acceptor {
+                return Ok(shared.clone()); // TlsAcceptor wraps Arc<ServerConfig>, clone is cheap
+            }
+        }
+
+        // Fallback: per-connection acceptor (custom TLS versions or shared build failed)
+        let tls_config = Self::find_tls_config(domain, tls_configs)?;
+        tls_handler::build_tls_acceptor_with_config(&tls_config.cert_pem, &tls_config.key_pem, route_tls)
+    }
+
     /// Find the TLS config for a given domain.
     fn find_tls_config<'a>(
         domain: &Option<String>,
@@ -1058,6 +1186,9 @@ impl TcpListenerManager {
     }
 
     /// Forward bidirectional between two split streams with inactivity and lifetime timeouts.
+    ///
+    /// When `metrics` is provided, bytes are reported per-chunk (lock-free) for
+    /// real-time throughput measurement.
     async fn forward_bidirectional_split_with_timeouts<R1, W1, R2, W2>(
         mut client_read: R1,
         mut client_write: W1,
@@ -1065,6 +1196,7 @@ impl TcpListenerManager {
         mut backend_write: W2,
         inactivity_timeout: std::time::Duration,
         max_lifetime: std::time::Duration,
+        metrics: Option<forwarder::ForwardMetricsCtx>,
     ) -> (u64, u64)
     where
         R1: tokio::io::AsyncRead + Unpin + Send + 'static,
@@ -1080,6 +1212,7 @@ impl TcpListenerManager {
         let start = std::time::Instant::now();
 
         let la1 = Arc::clone(&last_activity);
+        let metrics_c2b = metrics.clone();
         let c2b = tokio::spawn(async move {
             let mut buf = vec![0u8; 65536];
             let mut total = 0u64;
@@ -1096,12 +1229,16 @@ impl TcpListenerManager {
                     start.elapsed().as_millis() as u64,
                     Ordering::Relaxed,
                 );
+                if let Some(ref ctx) = metrics_c2b {
+                    ctx.collector.record_bytes(n as u64, 0, ctx.route_id.as_deref(), ctx.source_ip.as_deref());
+                }
             }
             let _ = backend_write.shutdown().await;
             total
         });
 
         let la2 = Arc::clone(&last_activity);
+        let metrics_b2c = metrics;
         let b2c = tokio::spawn(async move {
             let mut buf = vec![0u8; 65536];
             let mut total = 0u64;
@@ -1118,6 +1255,9 @@ impl TcpListenerManager {
                     start.elapsed().as_millis() as u64,
                     Ordering::Relaxed,
                 );
+                if let Some(ref ctx) = metrics_b2c {
+                    ctx.collector.record_bytes(0, n as u64, ctx.route_id.as_deref(), ctx.source_ip.as_deref());
+                }
             }
             let _ = client_write.shutdown().await;
             total

rust/crates/rustproxy-passthrough/src/tls_handler.rs

@@ -1,17 +1,99 @@
+use std::collections::HashMap;
 use std::io::BufReader;
 use std::sync::Arc;
 
 use rustls::pki_types::{CertificateDer, PrivateKeyDer};
+use rustls::server::ResolvesServerCert;
+use rustls::sign::CertifiedKey;
 use rustls::ServerConfig;
 use tokio::net::TcpStream;
 use tokio_rustls::{TlsAcceptor, TlsConnector, server::TlsStream as ServerTlsStream};
-use tracing::debug;
+use tracing::{debug, info};
+
+use crate::tcp_listener::TlsCertConfig;
 
 /// Ensure the default crypto provider is installed.
 fn ensure_crypto_provider() {
     let _ = rustls::crypto::ring::default_provider().install_default();
 }
 
+/// SNI-based certificate resolver with pre-parsed CertifiedKeys.
+/// Enables shared ServerConfig across connections — avoids per-connection PEM parsing
+/// and enables TLS session resumption.
+#[derive(Debug)]
+pub struct CertResolver {
+    certs: HashMap<String, Arc<CertifiedKey>>,
+    fallback: Option<Arc<CertifiedKey>>,
+}
+
+impl CertResolver {
+    /// Build a resolver from PEM-encoded cert/key configs.
+    /// Parses all PEM data upfront so connections only do a cheap HashMap lookup.
+    pub fn new(configs: &HashMap<String, TlsCertConfig>) -> Result<Self, Box<dyn std::error::Error + Send + Sync>> {
+        ensure_crypto_provider();
+        let provider = rustls::crypto::ring::default_provider();
+        let mut certs = HashMap::new();
+        let mut fallback = None;
+
+        for (domain, cfg) in configs {
+            let cert_chain = load_certs(&cfg.cert_pem)?;
+            let key = load_private_key(&cfg.key_pem)?;
+            let ck = Arc::new(CertifiedKey::from_der(cert_chain, key, &provider)
+                .map_err(|e| format!("CertifiedKey for {}: {}", domain, e))?);
+            if domain == "*" {
+                fallback = Some(Arc::clone(&ck));
+            }
+            certs.insert(domain.clone(), ck);
+        }
+
+        // If no explicit "*" fallback, use the first available cert
+        if fallback.is_none() {
+            fallback = certs.values().next().map(Arc::clone);
+        }
+
+        Ok(Self { certs, fallback })
+    }
+}
+
+impl ResolvesServerCert for CertResolver {
+    fn resolve(&self, client_hello: rustls::server::ClientHello<'_>) -> Option<Arc<CertifiedKey>> {
+        let domain = match client_hello.server_name() {
+            Some(name) => name,
+            None => return self.fallback.clone(),
+        };
+        // Exact match
+        if let Some(ck) = self.certs.get(domain) {
+            return Some(Arc::clone(ck));
+        }
+        // Wildcard: sub.example.com → *.example.com
+        if let Some(dot) = domain.find('.') {
+            let wc = format!("*.{}", &domain[dot + 1..]);
+            if let Some(ck) = self.certs.get(&wc) {
+                return Some(Arc::clone(ck));
+            }
+        }
+        self.fallback.clone()
+    }
+}
+
+/// Build a shared TLS acceptor with SNI resolution, session cache, and session tickets.
+/// The returned acceptor can be reused across all connections (cheap Arc clone).
+pub fn build_shared_tls_acceptor(resolver: CertResolver) -> Result<TlsAcceptor, Box<dyn std::error::Error + Send + Sync>> {
+    ensure_crypto_provider();
+    let mut config = ServerConfig::builder()
+        .with_no_client_auth()
+        .with_cert_resolver(Arc::new(resolver));
+
+    // Shared session cache — enables session ID resumption across connections
+    config.session_storage = rustls::server::ServerSessionMemoryCache::new(4096);
+    // Session ticket resumption (12-hour lifetime, Chacha20Poly1305 encrypted)
+    config.ticketer = rustls::crypto::ring::Ticketer::new()
+        .map_err(|e| format!("Ticketer: {}", e))?;
+
+    info!("Built shared TLS config with session cache (4096) and ticket support");
+    Ok(TlsAcceptor::from(Arc::new(config)))
+}
+
 /// Build a TLS acceptor from PEM-encoded cert and key data.
 pub fn build_tls_acceptor(cert_pem: &str, key_pem: &str) -> Result<TlsAcceptor, Box<dyn std::error::Error + Send + Sync>> {
     build_tls_acceptor_with_config(cert_pem, key_pem, None)

rust/crates/rustproxy-routing/src/route_manager.rs

@@ -12,6 +12,8 @@ pub struct MatchContext<'a> {
     pub tls_version: Option<&'a str>,
     pub headers: Option<&'a HashMap<String, String>>,
     pub is_tls: bool,
+    /// Detected protocol: "http" or "tcp". None when unknown (e.g. pre-TLS-termination).
+    pub protocol: Option<&'a str>,
 }
 
 /// Result of a route match.
@@ -87,9 +89,17 @@ impl RouteManager {
                 if !matchers::domain_matches_any(&patterns, domain) {
                     return false;
                 }
+            } else if ctx.is_tls {
+                // TLS connection without SNI cannot match a domain-restricted route.
+                // This prevents session-ticket resumption from misrouting when clients
+                // omit SNI (RFC 8446 recommends but doesn't mandate SNI on resumption).
+                // Wildcard-only routes (domains: ["*"]) still match since they accept all.
+                let patterns = domains.to_vec();
+                let is_wildcard_only = patterns.iter().all(|d| *d == "*");
+                if !is_wildcard_only {
+                    return false;
+                }
             }
-            // If no domain provided but route requires domain, it depends on context
-            // For TLS passthrough, we need SNI; for other cases we may still match
         }
 
         // Path matching
@@ -137,6 +147,17 @@ impl RouteManager {
             }
         }
 
+        // Protocol matching
+        if let Some(ref required_protocol) = rm.protocol {
+            if let Some(protocol) = ctx.protocol {
+                if required_protocol != protocol {
+                    return false;
+                }
+            }
+            // If protocol not yet known (None), allow match — protocol will be
+            // validated after detection (post-TLS-termination peek)
+        }
+
         true
     }
 
@@ -277,6 +298,7 @@ mod tests {
                 client_ip: None,
                 tls_version: None,
                 headers: None,
+                protocol: None,
             },
             action: RouteAction {
                 action_type: RouteActionType::Forward,
@@ -327,6 +349,7 @@ mod tests {
             tls_version: None,
             headers: None,
             is_tls: false,
+            protocol: None,
         };
 
         let result = manager.find_route(&ctx);
@@ -349,6 +372,7 @@ mod tests {
             tls_version: None,
             headers: None,
             is_tls: false,
+            protocol: None,
         };
 
         let result = manager.find_route(&ctx).unwrap();
@@ -372,6 +396,7 @@ mod tests {
             tls_version: None,
             headers: None,
             is_tls: false,
+            protocol: None,
         };
 
         assert!(manager.find_route(&ctx).is_none());
@@ -457,6 +482,116 @@ mod tests {
             tls_version: None,
             headers: None,
             is_tls: false,
+            protocol: None,
+        };
+
+        assert!(manager.find_route(&ctx).is_some());
+    }
+
+    #[test]
+    fn test_tls_no_sni_rejects_domain_restricted_route() {
+        let routes = vec![make_route(443, Some("example.com"), 0)];
+        let manager = RouteManager::new(routes);
+
+        // TLS connection without SNI should NOT match a domain-restricted route
+        let ctx = MatchContext {
+            port: 443,
+            domain: None,
+            path: None,
+            client_ip: None,
+            tls_version: None,
+            headers: None,
+            is_tls: true,
+            protocol: None,
+        };
+
+        assert!(manager.find_route(&ctx).is_none());
+    }
+
+    #[test]
+    fn test_tls_no_sni_rejects_wildcard_subdomain_route() {
+        let routes = vec![make_route(443, Some("*.example.com"), 0)];
+        let manager = RouteManager::new(routes);
+
+        // TLS connection without SNI should NOT match *.example.com
+        let ctx = MatchContext {
+            port: 443,
+            domain: None,
+            path: None,
+            client_ip: None,
+            tls_version: None,
+            headers: None,
+            is_tls: true,
+            protocol: None,
+        };
+
+        assert!(manager.find_route(&ctx).is_none());
+    }
+
+    #[test]
+    fn test_tls_no_sni_matches_wildcard_only_route() {
+        let routes = vec![make_route(443, Some("*"), 0)];
+        let manager = RouteManager::new(routes);
+
+        // TLS connection without SNI SHOULD match a wildcard-only route
+        let ctx = MatchContext {
+            port: 443,
+            domain: None,
+            path: None,
+            client_ip: None,
+            tls_version: None,
+            headers: None,
+            is_tls: true,
+            protocol: None,
+        };
+
+        assert!(manager.find_route(&ctx).is_some());
+    }
+
+    #[test]
+    fn test_tls_no_sni_skips_domain_restricted_matches_fallback() {
+        // Two routes: first is domain-restricted, second is wildcard catch-all
+        let routes = vec![
+            make_route(443, Some("specific.com"), 10),
+            make_route(443, Some("*"), 0),
+        ];
+        let manager = RouteManager::new(routes);
+
+        // TLS without SNI should skip specific.com and fall through to wildcard
+        let ctx = MatchContext {
+            port: 443,
+            domain: None,
+            path: None,
+            client_ip: None,
+            tls_version: None,
+            headers: None,
+            is_tls: true,
+            protocol: None,
+        };
+
+        let result = manager.find_route(&ctx);
+        assert!(result.is_some());
+        let matched_domains = result.unwrap().route.route_match.domains.as_ref()
+            .map(|d| d.to_vec()).unwrap();
+        assert!(matched_domains.contains(&"*"));
+    }
+
+    #[test]
+    fn test_non_tls_no_domain_still_matches_domain_restricted() {
+        // Non-TLS (plain HTTP) without domain should still match domain-restricted routes
+        // (the HTTP proxy layer handles Host-based routing)
+        let routes = vec![make_route(80, Some("example.com"), 0)];
+        let manager = RouteManager::new(routes);
+
+        let ctx = MatchContext {
+            port: 80,
+            domain: None,
+            path: None,
+            client_ip: None,
+            tls_version: None,
+            headers: None,
+            is_tls: false,
+            protocol: None,
         };
 
         assert!(manager.find_route(&ctx).is_some());
@@ -475,6 +610,7 @@ mod tests {
             tls_version: None,
             headers: None,
             is_tls: false,
+            protocol: None,
         };
 
         assert!(manager.find_route(&ctx).is_some());
@@ -525,6 +661,7 @@ mod tests {
             tls_version: None,
             headers: None,
             is_tls: false,
+            protocol: None,
         };
         let result = manager.find_route(&ctx).unwrap();
         assert_eq!(result.target.unwrap().host.first(), "api-backend");
@@ -538,8 +675,102 @@ mod tests {
             tls_version: None,
             headers: None,
             is_tls: false,
+            protocol: None,
         };
         let result = manager.find_route(&ctx).unwrap();
         assert_eq!(result.target.unwrap().host.first(), "default-backend");
     }
+
+    fn make_route_with_protocol(port: u16, domain: Option<&str>, protocol: Option<&str>) -> RouteConfig {
+        let mut route = make_route(port, domain, 0);
+        route.route_match.protocol = protocol.map(|s| s.to_string());
+        route
+    }
+
+    #[test]
+    fn test_protocol_http_matches_http() {
+        let routes = vec![make_route_with_protocol(80, None, Some("http"))];
+        let manager = RouteManager::new(routes);
+
+        let ctx = MatchContext {
+            port: 80,
+            domain: None,
+            path: None,
+            client_ip: None,
+            tls_version: None,
+            headers: None,
+            is_tls: false,
+            protocol: Some("http"),
+        };
+        assert!(manager.find_route(&ctx).is_some());
+    }
+
+    #[test]
+    fn test_protocol_http_rejects_tcp() {
+        let routes = vec![make_route_with_protocol(80, None, Some("http"))];
+        let manager = RouteManager::new(routes);
+
+        let ctx = MatchContext {
+            port: 80,
+            domain: None,
+            path: None,
+            client_ip: None,
+            tls_version: None,
+            headers: None,
+            is_tls: false,
+            protocol: Some("tcp"),
+        };
+        assert!(manager.find_route(&ctx).is_none());
+    }
+
+    #[test]
+    fn test_protocol_none_matches_any() {
+        // Route with no protocol restriction matches any protocol
+        let routes = vec![make_route_with_protocol(80, None, None)];
+        let manager = RouteManager::new(routes);
+
+        let ctx_http = MatchContext {
+            port: 80,
+            domain: None,
+            path: None,
+            client_ip: None,
+            tls_version: None,
+            headers: None,
+            is_tls: false,
+            protocol: Some("http"),
+        };
+        assert!(manager.find_route(&ctx_http).is_some());
+
+        let ctx_tcp = MatchContext {
+            port: 80,
+            domain: None,
+            path: None,
+            client_ip: None,
+            tls_version: None,
+            headers: None,
+            is_tls: false,
+            protocol: Some("tcp"),
+        };
+        assert!(manager.find_route(&ctx_tcp).is_some());
+    }
+
+    #[test]
+    fn test_protocol_http_matches_when_unknown() {
+        // Route with protocol: "http" should match when ctx.protocol is None
+        // (pre-TLS-termination, protocol not yet known)
+        let routes = vec![make_route_with_protocol(443, None, Some("http"))];
+        let manager = RouteManager::new(routes);
+
+        let ctx = MatchContext {
+            port: 443,
+            domain: None,
+            path: None,
+            client_ip: None,
+            tls_version: None,
+            headers: None,
+            is_tls: true,
+            protocol: None,
+        };
+        assert!(manager.find_route(&ctx).is_some());
+    }
 }

rust/crates/rustproxy/src/lib.rs

@@ -71,11 +71,14 @@ pub struct RustProxy {
     cert_manager: Option<Arc<tokio::sync::Mutex<CertManager>>>,
     challenge_server: Option<challenge_server::ChallengeServer>,
     renewal_handle: Option<tokio::task::JoinHandle<()>>,
+    sampling_handle: Option<tokio::task::JoinHandle<()>>,
     nft_manager: Option<NftManager>,
     started: bool,
     started_at: Option<Instant>,
     /// Shared path to a Unix domain socket for relaying socket-handler connections back to TypeScript.
     socket_handler_relay: Arc<std::sync::RwLock<Option<String>>>,
+    /// Dynamically loaded certificates (via loadCertificate IPC), independent of CertManager.
+    loaded_certs: HashMap<String, TlsCertConfig>,
 }
 
 impl RustProxy {
@@ -100,18 +103,24 @@ impl RustProxy {
         let cert_manager = Self::build_cert_manager(&options)
             .map(|cm| Arc::new(tokio::sync::Mutex::new(cm)));
 
+        let retention = options.metrics.as_ref()
+            .and_then(|m| m.retention_seconds)
+            .unwrap_or(3600) as usize;
+
         Ok(Self {
             options,
             route_table: ArcSwap::from(Arc::new(route_manager)),
             listener_manager: None,
-            metrics: Arc::new(MetricsCollector::new()),
+            metrics: Arc::new(MetricsCollector::with_retention(retention)),
             cert_manager,
             challenge_server: None,
             renewal_handle: None,
+            sampling_handle: None,
             nft_manager: None,
             started: false,
             started_at: None,
             socket_handler_relay: Arc::new(std::sync::RwLock::new(None)),
+            loaded_certs: HashMap::new(),
         })
     }
 
@@ -262,6 +271,13 @@ impl RustProxy {
             }
         }
 
+        // Merge dynamically loaded certs (from loadCertificate IPC)
+        for (d, c) in &self.loaded_certs {
+            if !tls_configs.contains_key(d) {
+                tls_configs.insert(d.clone(), c.clone());
+            }
+        }
+
         if !tls_configs.is_empty() {
             debug!("Loaded TLS certificates for {} domains", tls_configs.len());
             listener.set_tls_configs(tls_configs);
@@ -276,6 +292,21 @@ impl RustProxy {
         self.started = true;
         self.started_at = Some(Instant::now());
 
+        // Start the throughput sampling task
+        let metrics = Arc::clone(&self.metrics);
+        let interval_ms = self.options.metrics.as_ref()
+            .and_then(|m| m.sample_interval_ms)
+            .unwrap_or(1000);
+        self.sampling_handle = Some(tokio::spawn(async move {
+            let mut interval = tokio::time::interval(
+                std::time::Duration::from_millis(interval_ms)
+            );
+            loop {
+                interval.tick().await;
+                metrics.sample_all();
+            }
+        }));
+
         // Apply NFTables rules for routes using nftables forwarding engine
         self.apply_nftables_rules(&self.options.routes.clone()).await;
 
@@ -478,6 +509,11 @@ impl RustProxy {
 
         info!("Stopping RustProxy...");
 
+        // Stop sampling task
+        if let Some(handle) = self.sampling_handle.take() {
+            handle.abort();
+        }
+
         // Stop renewal timer
         if let Some(handle) = self.renewal_handle.take() {
             handle.abort();
@@ -550,6 +586,12 @@ impl RustProxy {
                     }
                 }
             }
+            // Merge dynamically loaded certs (from loadCertificate IPC)
+            for (d, c) in &self.loaded_certs {
+                if !tls_configs.contains_key(d) {
+                    tls_configs.insert(d.clone(), c.clone());
+                }
+            }
             listener.set_tls_configs(tls_configs);
 
             // Add new ports
@@ -760,6 +802,12 @@ impl RustProxy {
             cm.load_static(domain.to_string(), bundle);
         }
 
+        // Persist in loaded_certs so future rebuild calls include this cert
+        self.loaded_certs.insert(domain.to_string(), TlsCertConfig {
+            cert_pem: cert_pem.clone(),
+            key_pem: key_pem.clone(),
+        });
+
         // Hot-swap TLS config on the listener
         if let Some(ref mut listener) = self.listener_manager {
             let mut tls_configs = Self::extract_tls_configs(&self.options.routes);
@@ -783,6 +831,13 @@ impl RustProxy {
                 }
             }
 
+            // Merge dynamically loaded certs from previous loadCertificate calls
+            for (d, c) in &self.loaded_certs {
+                if !tls_configs.contains_key(d) {
+                    tls_configs.insert(d.clone(), c.clone());
+                }
+            }
+
             listener.set_tls_configs(tls_configs);
         }
 

rust/crates/rustproxy/tests/common/mod.rs

@@ -201,6 +201,7 @@ pub fn make_test_route(
             client_ip: None,
             tls_version: None,
             headers: None,
+            protocol: None,
         },
         action: rustproxy_config::RouteAction {
             action_type: rustproxy_config::RouteActionType::Forward,

test/test.throughput.ts

@@ -0,0 +1,699 @@
+import { expect, tap } from '@git.zone/tstest/tapbundle';
+import { SmartProxy } from '../ts/index.js';
+import type { IRouteConfig } from '../ts/index.js';
+import * as net from 'net';
+import * as http from 'http';
+import * as tls from 'tls';
+import * as https from 'https';
+import * as fs from 'fs';
+import * as path from 'path';
+import { fileURLToPath } from 'url';
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = path.dirname(__filename);
+
+// ────────────────────────────────────────────────────────────────────────────
+// Port assignments (unique to avoid conflicts with other tests)
+// ────────────────────────────────────────────────────────────────────────────
+const TCP_ECHO_PORT = 47500;
+const HTTP_ECHO_PORT = 47501;
+const TLS_ECHO_PORT = 47502;
+const PROXY_TCP_PORT = 47510;
+const PROXY_HTTP_PORT = 47511;
+const PROXY_TLS_PASS_PORT = 47512;
+const PROXY_TLS_TERM_PORT = 47513;
+const PROXY_SOCKET_PORT = 47514;
+const PROXY_MULTI_A_PORT = 47515;
+const PROXY_MULTI_B_PORT = 47516;
+const PROXY_TP_HTTP_PORT = 47517;
+
+// ────────────────────────────────────────────────────────────────────────────
+// Test certificates
+// ────────────────────────────────────────────────────────────────────────────
+const CERT_PEM = fs.readFileSync(path.join(__dirname, '..', 'assets', 'certs', 'cert.pem'), 'utf8');
+const KEY_PEM = fs.readFileSync(path.join(__dirname, '..', 'assets', 'certs', 'key.pem'), 'utf8');
+
+// ────────────────────────────────────────────────────────────────────────────
+// Backend servers
+// ────────────────────────────────────────────────────────────────────────────
+let tcpEchoServer: net.Server;
+let httpEchoServer: http.Server;
+let tlsEchoServer: tls.Server;
+
+// Helper: force-poll the metrics adapter
+async function pollMetrics(proxy: SmartProxy): Promise<void> {
+  await (proxy as any).metricsAdapter.poll();
+}
+
+// ════════════════════════════════════════════════════════════════════════════
+// Setup: backend servers
+// ════════════════════════════════════════════════════════════════════════════
+tap.test('setup - TCP echo server', async () => {
+  tcpEchoServer = net.createServer((socket) => {
+    socket.on('data', (data) => socket.write(data));
+    socket.on('error', () => {});
+  });
+  await new Promise<void>((resolve) => {
+    tcpEchoServer.listen(TCP_ECHO_PORT, () => {
+      console.log(`TCP echo server on port ${TCP_ECHO_PORT}`);
+      resolve();
+    });
+  });
+});
+
+tap.test('setup - HTTP echo server', async () => {
+  httpEchoServer = http.createServer((req, res) => {
+    let body = '';
+    req.on('data', (chunk) => (body += chunk));
+    req.on('end', () => {
+      res.writeHead(200, { 'Content-Type': 'text/plain' });
+      res.end(`echo:${body}`);
+    });
+  });
+  await new Promise<void>((resolve) => {
+    httpEchoServer.listen(HTTP_ECHO_PORT, () => {
+      console.log(`HTTP echo server on port ${HTTP_ECHO_PORT}`);
+      resolve();
+    });
+  });
+});
+
+tap.test('setup - TLS echo server', async () => {
+  tlsEchoServer = tls.createServer(
+    { cert: CERT_PEM, key: KEY_PEM },
+    (socket) => {
+      socket.on('data', (data) => socket.write(data));
+      socket.on('error', () => {});
+    },
+  );
+  await new Promise<void>((resolve) => {
+    tlsEchoServer.listen(TLS_ECHO_PORT, () => {
+      console.log(`TLS echo server on port ${TLS_ECHO_PORT}`);
+      resolve();
+    });
+  });
+});
+
+// ════════════════════════════════════════════════════════════════════════════
+// Group 1: TCP Forward (plain TCP passthrough — no domain, no TLS)
+// ════════════════════════════════════════════════════════════════════════════
+tap.test('TCP forward - real-time byte tracking', async (tools) => {
+  const proxy = new SmartProxy({
+    routes: [
+      {
+        id: 'tcp-forward',
+        name: 'tcp-forward',
+        match: { ports: PROXY_TCP_PORT },
+        action: {
+          type: 'forward',
+          targets: [{ host: 'localhost', port: TCP_ECHO_PORT }],
+        },
+      },
+    ],
+    metrics: { enabled: true, sampleIntervalMs: 100, retentionSeconds: 60 },
+  });
+  await proxy.start();
+
+  // Connect and send data
+  const client = new net.Socket();
+  await new Promise<void>((resolve, reject) => {
+    client.connect(PROXY_TCP_PORT, 'localhost', () => resolve());
+    client.on('error', reject);
+  });
+
+  let received = 0;
+  client.on('data', (data) => (received += data.length));
+
+  // Send 10 KB in chunks over 1 second
+  const chunk = Buffer.alloc(1024, 'A');
+  for (let i = 0; i < 10; i++) {
+    client.write(chunk);
+    await tools.delayFor(100);
+  }
+
+  // Wait for echo data and sampling to accumulate
+  await tools.delayFor(500);
+
+  // === Key assertion: metrics visible WHILE the connection is still open ===
+  // Before this change, TCP bytes were only reported after connection close.
+  // Now bytes are reported per-chunk in real-time.
+  await pollMetrics(proxy);
+
+  const mDuring = proxy.getMetrics();
+  const bytesInDuring = mDuring.totals.bytesIn();
+  const bytesOutDuring = mDuring.totals.bytesOut();
+  console.log(`TCP forward (during) — bytesIn: ${bytesInDuring}, bytesOut: ${bytesOutDuring}`);
+  expect(bytesInDuring).toBeGreaterThan(0);
+  expect(bytesOutDuring).toBeGreaterThan(0);
+
+  // Check that throughput is non-zero during active TCP traffic
+  const tpDuring = mDuring.throughput.recent();
+  console.log(`TCP forward (during) — recent throughput: in=${tpDuring.in}, out=${tpDuring.out}`);
+  expect(tpDuring.in + tpDuring.out).toBeGreaterThan(0);
+
+  // Close connection
+  client.destroy();
+  await tools.delayFor(500);
+
+  // Final check
+  await pollMetrics(proxy);
+  const m = proxy.getMetrics();
+  const bytesIn = m.totals.bytesIn();
+  const bytesOut = m.totals.bytesOut();
+  console.log(`TCP forward (final) — bytesIn: ${bytesIn}, bytesOut: ${bytesOut}`);
+  expect(bytesIn).toBeGreaterThanOrEqual(bytesInDuring);
+  expect(bytesOut).toBeGreaterThanOrEqual(bytesOutDuring);
+
+  // Check per-route tracking
+  const byRoute = m.throughput.byRoute();
+  console.log('TCP forward — throughput byRoute:', Array.from(byRoute.entries()));
+
+  // ── v25.2.0: Per-IP tracking (TCP connections) ──
+  const byIP = m.connections.byIP();
+  console.log('TCP forward — connections byIP:', Array.from(byIP.entries()));
+  expect(byIP.size).toBeGreaterThan(0);
+
+  const topIPs = m.connections.topIPs(10);
+  console.log('TCP forward — topIPs:', topIPs);
+  expect(topIPs.length).toBeGreaterThan(0);
+  expect(topIPs[0].ip).toBeTruthy();
+
+  // ── v25.2.0: Throughput history ──
+  const history = m.throughput.history(10);
+  console.log('TCP forward — throughput history length:', history.length);
+  expect(history.length).toBeGreaterThan(0);
+  expect(history[0].timestamp).toBeGreaterThan(0);
+
+  await proxy.stop();
+  await tools.delayFor(200);
+});
+
+// ════════════════════════════════════════════════════════════════════════════
+// Group 2: HTTP Forward (plain HTTP proxy)
+// ════════════════════════════════════════════════════════════════════════════
+tap.test('HTTP forward - byte totals tracking', async (tools) => {
+  const proxy = new SmartProxy({
+    routes: [
+      {
+        id: 'http-forward',
+        name: 'http-forward',
+        match: { ports: PROXY_HTTP_PORT },
+        action: {
+          type: 'forward',
+          targets: [{ host: 'localhost', port: HTTP_ECHO_PORT }],
+        },
+      },
+    ],
+    metrics: { enabled: true, sampleIntervalMs: 100, retentionSeconds: 60 },
+  });
+  await proxy.start();
+  await tools.delayFor(300);
+
+  // Send 10 HTTP requests with 1 KB body each
+  for (let i = 0; i < 10; i++) {
+    const body = 'X'.repeat(1024);
+    await new Promise<void>((resolve, reject) => {
+      const req = http.request(
+        {
+          hostname: 'localhost',
+          port: PROXY_HTTP_PORT,
+          path: '/echo',
+          method: 'POST',
+          headers: { 'Content-Type': 'text/plain', 'Content-Length': String(body.length) },
+        },
+        (res) => {
+          let data = '';
+          res.on('data', (chunk) => (data += chunk));
+          res.on('end', () => resolve());
+        },
+      );
+      req.on('error', reject);
+      req.setTimeout(5000, () => {
+        req.destroy();
+        reject(new Error('HTTP request timeout'));
+      });
+      req.end(body);
+    });
+  }
+
+  // Wait for sampling + poll
+  await tools.delayFor(500);
+  await pollMetrics(proxy);
+
+  const m = proxy.getMetrics();
+  const bytesIn = m.totals.bytesIn();
+  const bytesOut = m.totals.bytesOut();
+  console.log(`HTTP forward — bytesIn: ${bytesIn}, bytesOut: ${bytesOut}`);
+
+  // Both directions should have bytes (CountingBody tracks request + response)
+  expect(bytesIn).toBeGreaterThan(0);
+  expect(bytesOut).toBeGreaterThan(0);
+
+  // ── v25.2.0: Per-IP tracking (HTTP connections) ──
+  const byIP = m.connections.byIP();
+  console.log('HTTP forward — connections byIP:', Array.from(byIP.entries()));
+  expect(byIP.size).toBeGreaterThan(0);
+
+  const topIPs = m.connections.topIPs(10);
+  console.log('HTTP forward — topIPs:', topIPs);
+  expect(topIPs.length).toBeGreaterThan(0);
+  expect(topIPs[0].ip).toBeTruthy();
+
+  // ── v25.2.0: HTTP request counting ──
+  const totalReqs = m.requests.total();
+  const rps = m.requests.perSecond();
+  console.log(`HTTP forward — requests total: ${totalReqs}, perSecond: ${rps}`);
+  expect(totalReqs).toBeGreaterThan(0);
+
+  await proxy.stop();
+  await tools.delayFor(200);
+});
+
+// ════════════════════════════════════════════════════════════════════════════
+// Group 3: TLS Passthrough (SNI-based, Rust passes encrypted data through)
+// ════════════════════════════════════════════════════════════════════════════
+tap.test('TLS passthrough - byte totals tracking', async (tools) => {
+  const proxy = new SmartProxy({
+    routes: [
+      {
+        id: 'tls-passthrough',
+        name: 'tls-passthrough',
+        match: { ports: PROXY_TLS_PASS_PORT, domains: 'localhost' },
+        action: {
+          type: 'forward',
+          tls: { mode: 'passthrough' },
+          targets: [{ host: 'localhost', port: TLS_ECHO_PORT }],
+        },
+      },
+    ],
+    metrics: { enabled: true, sampleIntervalMs: 100, retentionSeconds: 60 },
+  });
+  await proxy.start();
+  await tools.delayFor(300);
+
+  // Connect via TLS through the proxy (SNI: localhost)
+  const tlsClient = tls.connect(
+    {
+      host: 'localhost',
+      port: PROXY_TLS_PASS_PORT,
+      servername: 'localhost',
+      rejectUnauthorized: false,
+    },
+  );
+
+  await new Promise<void>((resolve, reject) => {
+    tlsClient.on('secureConnect', () => resolve());
+    tlsClient.on('error', reject);
+  });
+
+  // Send some data
+  const data = Buffer.alloc(2048, 'B');
+  tlsClient.write(data);
+
+  // Wait for echo
+  let received = 0;
+  tlsClient.on('data', (chunk) => (received += chunk.length));
+  await tools.delayFor(1000);
+
+  console.log(`TLS passthrough — received ${received} bytes back`);
+  expect(received).toBeGreaterThan(0);
+
+  tlsClient.destroy();
+  await tools.delayFor(500);
+
+  await pollMetrics(proxy);
+
+  const m = proxy.getMetrics();
+  const bytesIn = m.totals.bytesIn();
+  const bytesOut = m.totals.bytesOut();
+  console.log(`TLS passthrough — bytesIn: ${bytesIn}, bytesOut: ${bytesOut}`);
+
+  // TLS passthrough tracks encrypted bytes flowing through
+  expect(bytesIn).toBeGreaterThan(0);
+  expect(bytesOut).toBeGreaterThan(0);
+
+  await proxy.stop();
+  await tools.delayFor(200);
+});
+
+// ════════════════════════════════════════════════════════════════════════════
+// Group 4: TLS Terminate + HTTP (Rust terminates TLS, forwards to HTTP backend)
+// ════════════════════════════════════════════════════════════════════════════
+tap.test('TLS terminate + HTTP forward - byte totals tracking', async (tools) => {
+  const proxy = new SmartProxy({
+    routes: [
+      {
+        id: 'tls-terminate',
+        name: 'tls-terminate',
+        match: { ports: PROXY_TLS_TERM_PORT, domains: 'localhost' },
+        action: {
+          type: 'forward',
+          tls: {
+            mode: 'terminate',
+            certificate: {
+              cert: CERT_PEM,
+              key: KEY_PEM,
+            },
+          },
+          targets: [{ host: 'localhost', port: HTTP_ECHO_PORT }],
+        },
+      },
+    ],
+    metrics: { enabled: true, sampleIntervalMs: 100, retentionSeconds: 60 },
+    disableDefaultCert: true,
+  });
+  await proxy.start();
+  await tools.delayFor(300);
+
+  // Send HTTPS request through the proxy
+  const body = 'Z'.repeat(2048);
+  await new Promise<void>((resolve, reject) => {
+    const req = https.request(
+      {
+        hostname: 'localhost',
+        port: PROXY_TLS_TERM_PORT,
+        path: '/echo',
+        method: 'POST',
+        headers: { 'Content-Type': 'text/plain', 'Content-Length': String(body.length) },
+        rejectUnauthorized: false,
+      },
+      (res) => {
+        let data = '';
+        res.on('data', (chunk) => (data += chunk));
+        res.on('end', () => {
+          console.log(`TLS terminate — response: ${data.slice(0, 50)}...`);
+          resolve();
+        });
+      },
+    );
+    req.on('error', reject);
+    req.setTimeout(5000, () => {
+      req.destroy();
+      reject(new Error('HTTPS request timeout'));
+    });
+    req.end(body);
+  });
+
+  await tools.delayFor(500);
+  await pollMetrics(proxy);
+
+  const m = proxy.getMetrics();
+  const bytesIn = m.totals.bytesIn();
+  const bytesOut = m.totals.bytesOut();
+  console.log(`TLS terminate — bytesIn: ${bytesIn}, bytesOut: ${bytesOut}`);
+
+  // TLS terminate: request body (bytesIn) and response body (bytesOut) via CountingBody
+  expect(bytesIn).toBeGreaterThan(0);
+  expect(bytesOut).toBeGreaterThan(0);
+
+  await proxy.stop();
+  await tools.delayFor(200);
+});
+
+// ════════════════════════════════════════════════════════════════════════════
+// Group 5: Socket Handler (JS callback handling)
+// ════════════════════════════════════════════════════════════════════════════
+tap.test('Socket handler - byte totals tracking', async (tools) => {
+  const proxy = new SmartProxy({
+    routes: [
+      {
+        id: 'socket-handler',
+        name: 'socket-handler',
+        match: { ports: PROXY_SOCKET_PORT },
+        action: {
+          type: 'socket-handler',
+          socketHandler: (socket, _context) => {
+            socket.on('data', (data) => socket.write(data)); // echo
+            socket.on('error', () => {});
+          },
+        },
+      },
+    ],
+    metrics: { enabled: true, sampleIntervalMs: 100, retentionSeconds: 60 },
+  });
+  await proxy.start();
+  await tools.delayFor(300);
+
+  // Connect and send data
+  const client = new net.Socket();
+  await new Promise<void>((resolve, reject) => {
+    client.connect(PROXY_SOCKET_PORT, 'localhost', () => resolve());
+    client.on('error', reject);
+  });
+
+  const data = Buffer.alloc(4096, 'C');
+  client.write(data);
+
+  let received = 0;
+  client.on('data', (chunk) => (received += chunk.length));
+  await tools.delayFor(500);
+
+  console.log(`Socket handler — received ${received} bytes back`);
+
+  client.destroy();
+  await tools.delayFor(500);
+
+  await pollMetrics(proxy);
+
+  const m = proxy.getMetrics();
+  const bytesIn = m.totals.bytesIn();
+  const bytesOut = m.totals.bytesOut();
+  console.log(`Socket handler — bytesIn: ${bytesIn}, bytesOut: ${bytesOut}`);
+
+  // Socket handler relay now records bytes after copy_bidirectional completes
+  expect(bytesIn).toBeGreaterThan(0);
+  expect(bytesOut).toBeGreaterThan(0);
+
+  await proxy.stop();
+  await tools.delayFor(200);
+});
+
+// ════════════════════════════════════════════════════════════════════════════
+// Group 6: Multi-route throughput isolation
+// ════════════════════════════════════════════════════════════════════════════
+tap.test('Multi-route throughput isolation', async (tools) => {
+  const proxy = new SmartProxy({
+    routes: [
+      {
+        id: 'route-alpha',
+        name: 'route-alpha',
+        match: { ports: PROXY_MULTI_A_PORT },
+        action: {
+          type: 'forward',
+          targets: [{ host: 'localhost', port: TCP_ECHO_PORT }],
+        },
+      },
+      {
+        id: 'route-beta',
+        name: 'route-beta',
+        match: { ports: PROXY_MULTI_B_PORT },
+        action: {
+          type: 'forward',
+          targets: [{ host: 'localhost', port: TCP_ECHO_PORT }],
+        },
+      },
+    ],
+    metrics: { enabled: true, sampleIntervalMs: 100, retentionSeconds: 60 },
+  });
+  await proxy.start();
+  await tools.delayFor(300);
+
+  // Send different amounts to each route
+  // Route alpha: 8 KB
+  const clientA = new net.Socket();
+  await new Promise<void>((resolve, reject) => {
+    clientA.connect(PROXY_MULTI_A_PORT, 'localhost', () => resolve());
+    clientA.on('error', reject);
+  });
+  clientA.on('data', () => {}); // drain
+  for (let i = 0; i < 8; i++) {
+    clientA.write(Buffer.alloc(1024, 'A'));
+    await tools.delayFor(50);
+  }
+
+  // Route beta: 2 KB
+  const clientB = new net.Socket();
+  await new Promise<void>((resolve, reject) => {
+    clientB.connect(PROXY_MULTI_B_PORT, 'localhost', () => resolve());
+    clientB.on('error', reject);
+  });
+  clientB.on('data', () => {}); // drain
+  for (let i = 0; i < 2; i++) {
+    clientB.write(Buffer.alloc(1024, 'B'));
+    await tools.delayFor(50);
+  }
+
+  await tools.delayFor(500);
+
+  // Close both
+  clientA.destroy();
+  clientB.destroy();
+  await tools.delayFor(500);
+
+  await pollMetrics(proxy);
+
+  const m = proxy.getMetrics();
+
+  // Check per-route throughput exists for both
+  const byRoute = m.throughput.byRoute();
+  console.log('Multi-route — throughput byRoute:', Array.from(byRoute.entries()));
+
+  // Check per-route connection counts
+  const connByRoute = m.connections.byRoute();
+  console.log('Multi-route — connections byRoute:', Array.from(connByRoute.entries()));
+
+  // Both routes should have tracked data
+  const totalIn = m.totals.bytesIn();
+  const totalOut = m.totals.bytesOut();
+  console.log(`Multi-route — total bytesIn: ${totalIn}, bytesOut: ${totalOut}`);
+
+  expect(totalIn).toBeGreaterThan(0);
+  expect(totalOut).toBeGreaterThan(0);
+
+  await proxy.stop();
+  await tools.delayFor(200);
+});
+
+// ════════════════════════════════════════════════════════════════════════════
+// Group 7: Throughput sampling over time (HTTP-based for real-time tracking)
+//
+// Uses HTTP proxy path where CountingBody reports bytes incrementally
+// as each request/response body completes. This allows the sampling task
+// to capture non-zero throughput during active traffic.
+// ════════════════════════════════════════════════════════════════════════════
+tap.test('Throughput sampling - values appear during active HTTP traffic', async (tools) => {
+  const proxy = new SmartProxy({
+    routes: [
+      {
+        id: 'sampling-test',
+        name: 'sampling-test',
+        match: { ports: PROXY_TP_HTTP_PORT },
+        action: {
+          type: 'forward',
+          targets: [{ host: 'localhost', port: HTTP_ECHO_PORT }],
+        },
+      },
+    ],
+    metrics: { enabled: true, sampleIntervalMs: 100, retentionSeconds: 60 },
+  });
+  await proxy.start();
+  await tools.delayFor(300);
+
+  // Send HTTP requests continuously for ~2 seconds
+  let sending = true;
+  let requestCount = 0;
+  const sendLoop = (async () => {
+    while (sending) {
+      const body = 'D'.repeat(5120); // 5 KB per request
+      try {
+        await new Promise<void>((resolve, reject) => {
+          const req = http.request(
+            {
+              hostname: 'localhost',
+              port: PROXY_TP_HTTP_PORT,
+              path: '/echo',
+              method: 'POST',
+              headers: { 'Content-Type': 'text/plain', 'Content-Length': String(body.length) },
+            },
+            (res) => {
+              res.on('data', () => {});
+              res.on('end', () => resolve());
+            },
+          );
+          req.on('error', reject);
+          req.setTimeout(3000, () => {
+            req.destroy();
+            reject(new Error('timeout'));
+          });
+          req.end(body);
+        });
+        requestCount++;
+      } catch {
+        // Ignore errors during shutdown
+        break;
+      }
+    }
+  })();
+
+  // After 1.5 seconds of active traffic, check throughput
+  await tools.delayFor(1500);
+
+  await pollMetrics(proxy);
+
+  const m = proxy.getMetrics();
+  const tp = m.throughput.instant();
+  const totalIn = m.totals.bytesIn();
+  const totalOut = m.totals.bytesOut();
+  console.log(`Sampling test — after 1.5s of traffic: instant in=${tp.in}, out=${tp.out}`);
+  console.log(`Sampling test — totals: bytesIn=${totalIn}, bytesOut=${totalOut}, requests=${requestCount}`);
+
+  // Totals should definitely be non-zero after 1.5s of HTTP requests
+  expect(totalIn + totalOut).toBeGreaterThan(0);
+
+  // Throughput instant should be non-zero during active traffic.
+  // The sampling interval is 100ms, so we've had ~15 samples by now.
+  // Each sample captures bytes from completed HTTP request/response bodies.
+  // Note: this can occasionally be 0 if sample boundaries don't align, so we
+  // also check that at least the throughput was non-zero for *some* recent window.
+  const tpRecent = m.throughput.recent();
+  console.log(`Sampling test — recent throughput: in=${tpRecent.in}, out=${tpRecent.out}`);
+  expect(tpRecent.in + tpRecent.out).toBeGreaterThan(0);
+
+  // ── v25.2.0: Per-IP tracking ──
+  const byIP = m.connections.byIP();
+  console.log('Sampling test — connections byIP:', Array.from(byIP.entries()));
+  expect(byIP.size).toBeGreaterThan(0);
+
+  const topIPs = m.connections.topIPs(10);
+  console.log('Sampling test — topIPs:', topIPs);
+  expect(topIPs.length).toBeGreaterThan(0);
+  expect(topIPs[0].ip).toBeTruthy();
+  expect(topIPs[0].count).toBeGreaterThanOrEqual(0);
+
+  // ── v25.2.0: Throughput history ──
+  const history = m.throughput.history(10);
+  console.log(`Sampling test — throughput history: ${history.length} points`);
+  if (history.length > 0) {
+    console.log('  first:', history[0], 'last:', history[history.length - 1]);
+  }
+  expect(history.length).toBeGreaterThan(0);
+  expect(history[0].timestamp).toBeGreaterThan(0);
+
+  // ── v25.2.0: Per-IP throughput ──
+  const tpByIP = m.throughput.byIP();
+  console.log('Sampling test — throughput byIP:', Array.from(tpByIP.entries()));
+
+  // ── v25.2.0: HTTP request counting ──
+  const totalReqs = m.requests.total();
+  const rps = m.requests.perSecond();
+  const rpm = m.requests.perMinute();
+  console.log(`Sampling test — HTTP requests: total=${totalReqs}, perSecond=${rps}, perMinute=${rpm}`);
+  expect(totalReqs).toBeGreaterThan(0);
+
+  // Stop sending
+  sending = false;
+  await sendLoop;
+
+  // After traffic stops, wait for metrics to settle
+  await tools.delayFor(500);
+  await pollMetrics(proxy);
+
+  const mAfter = proxy.getMetrics();
+  const tpAfter = mAfter.throughput.instant();
+  console.log(`Sampling test — after traffic stops: instant in=${tpAfter.in}, out=${tpAfter.out}`);
+
+  await proxy.stop();
+  await tools.delayFor(200);
+});
+
+// ════════════════════════════════════════════════════════════════════════════
+// Cleanup
+// ════════════════════════════════════════════════════════════════════════════
+tap.test('cleanup - close backend servers', async () => {
+  await new Promise<void>((resolve) => tcpEchoServer.close(() => resolve()));
+  await new Promise<void>((resolve) => httpEchoServer.close(() => resolve()));
+  await new Promise<void>((resolve) => tlsEchoServer.close(() => resolve()));
+  console.log('All backend servers closed');
+});
+
+export default tap.start();

ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@push.rocks/smartproxy',
-  version: '24.0.1',
+  version: '25.6.0',
   description: 'A powerful proxy package with unified route-based configuration for high traffic management. Features include SSL/TLS support, flexible routing patterns, WebSocket handling, advanced security options, and automatic ACME certificate management.'
 }

ts/index.ts

@@ -8,7 +8,7 @@ export { SharedRouteManager as RouteManager } from './core/routing/route-manager
 
 // Export smart-proxy models
 export type { ISmartProxyOptions, IConnectionRecord, IRouteConfig, IRouteMatch, IRouteAction, IRouteTls, IRouteContext } from './proxies/smart-proxy/models/index.js';
-export type { TSmartProxyCertProvisionObject } from './proxies/smart-proxy/models/interfaces.js';
+export type { TSmartProxyCertProvisionObject, ICertProvisionEventComms, ICertificateIssuedEvent, ICertificateFailedEvent } from './proxies/smart-proxy/models/interfaces.js';
 export * from './proxies/smart-proxy/utils/index.js';
 
 // Original: export * from './smartproxy/classes.pp.snihandler.js'

ts/plugins.ts

@@ -2,14 +2,13 @@
 import { EventEmitter } from 'node:events';
 import * as fs from 'node:fs';
 import * as http from 'node:http';
-import * as https from 'node:https';
 import * as net from 'node:net';
 import * as path from 'node:path';
 import * as tls from 'node:tls';
 import * as url from 'node:url';
 import * as http2 from 'node:http2';
 
-export { EventEmitter, fs, http, https, net, path, tls, url, http2 };
+export { EventEmitter, fs, http, net, path, tls, url, http2 };
 
 // tsclass scope
 import * as tsclass from '@tsclass/tsclass';
@@ -17,44 +16,19 @@ import * as tsclass from '@tsclass/tsclass';
 export { tsclass };
 
 // pushrocks scope
-import * as lik from '@push.rocks/lik';
-import * as smartdelay from '@push.rocks/smartdelay';
-import * as smartpromise from '@push.rocks/smartpromise';
-import * as smartrequest from '@push.rocks/smartrequest';
-import * as smartstring from '@push.rocks/smartstring';
-import * as smartfile from '@push.rocks/smartfile';
 import * as smartcrypto from '@push.rocks/smartcrypto';
-import * as smartacme from '@push.rocks/smartacme';
-import * as smartacmePlugins from '@push.rocks/smartacme/dist_ts/smartacme.plugins.js';
-import * as smartacmeHandlers from '@push.rocks/smartacme/dist_ts/handlers/index.js';
 import * as smartlog from '@push.rocks/smartlog';
 import * as smartlogDestinationLocal from '@push.rocks/smartlog/destination-local';
-import * as taskbuffer from '@push.rocks/taskbuffer';
-import * as smartrx from '@push.rocks/smartrx';
 import * as smartrust from '@push.rocks/smartrust';
 
 export {
-  lik,
-  smartdelay,
-  smartrequest,
-  smartpromise,
-  smartstring,
-  smartfile,
   smartcrypto,
-  smartacme,
-  smartacmePlugins,
-  smartacmeHandlers,
   smartlog,
   smartlogDestinationLocal,
-  taskbuffer,
-  smartrx,
   smartrust,
 };
 
 // third party scope
-import prettyMs from 'pretty-ms';
-import * as ws from 'ws';
-import wsDefault from 'ws';
 import { minimatch } from 'minimatch';
 
-export { prettyMs, ws, wsDefault, minimatch };
+export { minimatch };

ts/proxies/smart-proxy/models/index.ts

@@ -2,6 +2,6 @@
  * SmartProxy models
  */
 // Export everything except IAcmeOptions from interfaces
-export type { ISmartProxyOptions, ISmartProxyCertStore, IConnectionRecord, TSmartProxyCertProvisionObject } from './interfaces.js';
+export type { ISmartProxyOptions, ISmartProxyCertStore, IConnectionRecord, TSmartProxyCertProvisionObject, ICertProvisionEventComms, ICertificateIssuedEvent, ICertificateFailedEvent } from './interfaces.js';
 export * from './route-types.js';
 export * from './metrics-types.js';

ts/proxies/smart-proxy/models/interfaces.ts

@@ -34,6 +34,38 @@ import type { IRouteConfig } from './route-types.js';
  */
 export type TSmartProxyCertProvisionObject = plugins.tsclass.network.ICert | 'http01';
 
+/**
+ * Communication channel passed as second argument to certProvisionFunction.
+ * Allows the callback to report metadata back to SmartProxy for event emission.
+ */
+export interface ICertProvisionEventComms {
+  /** Informational log */
+  log: (message: string) => void;
+  /** Warning (non-fatal) */
+  warn: (message: string) => void;
+  /** Error */
+  error: (message: string) => void;
+  /** Set the certificate expiry date (for the issued event) */
+  setExpiryDate: (date: Date) => void;
+  /** Set the source/method used for provisioning (e.g. 'smartacme-dns-01') */
+  setSource: (source: string) => void;
+}
+
+/** Payload for 'certificate-issued' and 'certificate-renewed' events */
+export interface ICertificateIssuedEvent {
+  domain: string;
+  expiryDate?: string;   // ISO 8601
+  source: string;        // e.g. 'certProvisionFunction', 'smartacme-dns-01'
+  isRenewal?: boolean;
+}
+
+/** Payload for 'certificate-failed' event */
+export interface ICertificateFailedEvent {
+  domain: string;
+  error: string;
+  source: string;
+}
+
 // Legacy options and type checking functions have been removed
 
 /**
@@ -140,7 +172,7 @@ export interface ISmartProxyOptions {
    * Optional certificate provider callback. Return 'http01' to use HTTP-01 challenges,
    * or a static certificate object for immediate provisioning.
    */
-  certProvisionFunction?: (domain: string) => Promise<TSmartProxyCertProvisionObject>;
+  certProvisionFunction?: (domain: string, eventComms: ICertProvisionEventComms) => Promise<TSmartProxyCertProvisionObject>;
   
   /**
    * Whether to fallback to ACME if custom certificate provision fails.
@@ -148,6 +180,21 @@ export interface ISmartProxyOptions {
    */
   certProvisionFallbackToAcme?: boolean;
 
+  /**
+   * Per-domain timeout in ms for certProvisionFunction calls.
+   * If a single domain's provisioning takes longer than this, it's aborted
+   * and a certificate-failed event is emitted.
+   * Default: 300000 (5 minutes)
+   */
+  certProvisionTimeout?: number;
+
+  /**
+   * Maximum number of domains to provision certificates for concurrently.
+   * Prevents overwhelming ACME providers when many domains provision at once.
+   * Default: 4
+   */
+  certProvisionConcurrency?: number;
+
   /**
    * Disable the default self-signed fallback certificate.
    * When false (default), a self-signed cert is generated at startup and loaded

ts/proxies/smart-proxy/models/route-types.ts

@@ -39,6 +39,7 @@ export interface IRouteMatch {
   clientIp?: string[];     // Match specific client IPs
   tlsVersion?: string[];   // Match specific TLS versions
   headers?: Record<string, string | RegExp>; // Match specific HTTP headers
+  protocol?: 'http' | 'tcp';  // Match specific protocol (http includes h2 + websocket upgrades)
 }
 
 

ts/proxies/smart-proxy/rust-metrics-adapter.ts

@@ -72,12 +72,23 @@ export class RustMetricsAdapter implements IMetrics {
       return result;
     },
     byIP: (): Map<string, number> => {
-      // Per-IP tracking not yet available from Rust
-      return new Map();
+      const result = new Map<string, number>();
+      if (this.cache?.ips) {
+        for (const [ip, im] of Object.entries(this.cache.ips)) {
+          result.set(ip, (im as any).activeConnections ?? 0);
+        }
+      }
+      return result;
     },
-    topIPs: (_limit?: number): Array<{ ip: string; count: number }> => {
-      // Per-IP tracking not yet available from Rust
-      return [];
+    topIPs: (limit: number = 10): Array<{ ip: string; count: number }> => {
+      const result: Array<{ ip: string; count: number }> = [];
+      if (this.cache?.ips) {
+        for (const [ip, im] of Object.entries(this.cache.ips)) {
+          result.push({ ip, count: (im as any).activeConnections ?? 0 });
+        }
+      }
+      result.sort((a, b) => b.count - a.count);
+      return result.slice(0, limit);
     },
   };
 
@@ -89,7 +100,10 @@ export class RustMetricsAdapter implements IMetrics {
       };
     },
     recent: (): IThroughputData => {
-      return this.throughput.instant();
+      return {
+        in: this.cache?.throughputRecentInBytesPerSec ?? 0,
+        out: this.cache?.throughputRecentOutBytesPerSec ?? 0,
+      };
     },
     average: (): IThroughputData => {
       return this.throughput.instant();
@@ -97,9 +111,13 @@ export class RustMetricsAdapter implements IMetrics {
     custom: (_seconds: number): IThroughputData => {
       return this.throughput.instant();
     },
-    history: (_seconds: number): Array<IThroughputHistoryPoint> => {
-      // Throughput history not yet available from Rust
-      return [];
+    history: (seconds: number): Array<IThroughputHistoryPoint> => {
+      if (!this.cache?.throughputHistory) return [];
+      return this.cache.throughputHistory.slice(-seconds).map((p: any) => ({
+        timestamp: p.timestampMs,
+        in: p.bytesIn,
+        out: p.bytesOut,
+      }));
     },
     byRoute: (_windowSeconds?: number): Map<string, IThroughputData> => {
       const result = new Map<string, IThroughputData>();
@@ -114,21 +132,28 @@ export class RustMetricsAdapter implements IMetrics {
       return result;
     },
     byIP: (_windowSeconds?: number): Map<string, IThroughputData> => {
-      return new Map();
+      const result = new Map<string, IThroughputData>();
+      if (this.cache?.ips) {
+        for (const [ip, im] of Object.entries(this.cache.ips)) {
+          result.set(ip, {
+            in: (im as any).throughputInBytesPerSec ?? 0,
+            out: (im as any).throughputOutBytesPerSec ?? 0,
+          });
+        }
+      }
+      return result;
     },
   };
 
   public requests = {
     perSecond: (): number => {
-      // Rust tracks connections, not HTTP requests (TCP-level proxy)
-      return 0;
+      return this.cache?.httpRequestsPerSec ?? 0;
     },
     perMinute: (): number => {
-      return 0;
+      return (this.cache?.httpRequestsPerSecRecent ?? 0) * 60;
     },
     total: (): number => {
-      // Use total connections as a proxy for total requests
-      return this.cache?.totalConnections ?? 0;
+      return this.cache?.totalHttpRequests ?? this.cache?.totalConnections ?? 0;
     },
   };
 

ts/proxies/smart-proxy/smart-proxy.ts

@@ -12,9 +12,10 @@ import { SharedRouteManager as RouteManager } from '../../core/routing/route-man
 import { RouteValidator } from './utils/route-validator.js';
 import { generateDefaultCertificate } from './utils/default-cert-generator.js';
 import { Mutex } from './utils/mutex.js';
+import { ConcurrencySemaphore } from './utils/concurrency-semaphore.js';
 
 // Types
-import type { ISmartProxyOptions, TSmartProxyCertProvisionObject, IAcmeOptions } from './models/interfaces.js';
+import type { ISmartProxyOptions, TSmartProxyCertProvisionObject, IAcmeOptions, ICertProvisionEventComms, ICertificateIssuedEvent, ICertificateFailedEvent } from './models/interfaces.js';
 import type { IRouteConfig } from './models/route-types.js';
 import type { IMetrics } from './models/metrics-types.js';
 
@@ -38,6 +39,7 @@ export class SmartProxy extends plugins.EventEmitter {
   private metricsAdapter: RustMetricsAdapter;
   private routeUpdateLock: Mutex;
   private stopping = false;
+  private certProvisionPromise: Promise<void> | null = null;
 
   constructor(settingsArg: ISmartProxyOptions) {
     super();
@@ -191,13 +193,18 @@ export class SmartProxy extends plugins.EventEmitter {
       }
     }
 
-    // Handle certProvisionFunction
-    await this.provisionCertificatesViaCallback(preloadedDomains);
-
-    // Start metrics polling
+    // Start metrics polling BEFORE cert provisioning — the Rust engine is already
+    // running and accepting connections, so metrics should be available immediately.
+    // Cert provisioning can hang indefinitely (e.g. DNS-01 ACME timeouts) and must
+    // not block metrics collection.
     this.metricsAdapter.startPolling();
 
     logger.log('info', 'SmartProxy started (Rust engine)', { component: 'smart-proxy' });
+
+    // Fire-and-forget cert provisioning — Rust engine is already running and serving traffic.
+    // Events (certificate-issued / certificate-failed) fire independently per domain.
+    this.certProvisionPromise = this.provisionCertificatesViaCallback(preloadedDomains)
+      .catch((err) => logger.log('error', `Unexpected error in cert provisioning: ${err.message}`, { component: 'smart-proxy' }));
   }
 
   /**
@@ -207,6 +214,12 @@ export class SmartProxy extends plugins.EventEmitter {
     logger.log('info', 'SmartProxy shutting down...', { component: 'smart-proxy' });
     this.stopping = true;
 
+    // Wait for in-flight cert provisioning to bail out (it checks this.stopping)
+    if (this.certProvisionPromise) {
+      await this.certProvisionPromise;
+      this.certProvisionPromise = null;
+    }
+
     // Stop metrics polling
     this.metricsAdapter.stopPolling();
 
@@ -234,7 +247,7 @@ export class SmartProxy extends plugins.EventEmitter {
    * Update routes atomically.
    */
   public async updateRoutes(newRoutes: IRouteConfig[]): Promise<void> {
-    return this.routeUpdateLock.runExclusive(async () => {
+    await this.routeUpdateLock.runExclusive(async () => {
       // Validate
       const validation = RouteValidator.validateRoutes(newRoutes);
       if (!validation.valid) {
@@ -270,11 +283,13 @@ export class SmartProxy extends plugins.EventEmitter {
       // Update stored routes
       this.settings.routes = newRoutes;
 
-      // Handle cert provisioning for new routes
-      await this.provisionCertificatesViaCallback();
-
       logger.log('info', `Routes updated (${newRoutes.length} routes)`, { component: 'smart-proxy' });
     });
+
+    // Fire-and-forget cert provisioning outside the mutex — routes are already updated,
+    // cert provisioning doesn't need the route update lock and may be slow.
+    this.certProvisionPromise = this.provisionCertificatesViaCallback()
+      .catch((err) => logger.log('error', `Unexpected error in cert provisioning after route update: ${err.message}`, { component: 'smart-proxy' }));
   }
 
   /**
@@ -396,6 +411,7 @@ export class SmartProxy extends plugins.EventEmitter {
       extendedKeepAliveLifetime: this.settings.extendedKeepAliveLifetime,
       acceptProxyProtocol: this.settings.acceptProxyProtocol,
       sendProxyProtocol: this.settings.sendProxyProtocol,
+      metrics: this.settings.metrics,
     };
   }
 
@@ -408,7 +424,9 @@ export class SmartProxy extends plugins.EventEmitter {
     const provisionFn = this.settings.certProvisionFunction;
     if (!provisionFn) return;
 
-    const provisionedDomains = new Set<string>(skipDomains);
+    // Phase 1: Collect all unique (domain, route) pairs that need provisioning
+    const seen = new Set<string>(skipDomains);
+    const tasks: Array<{ domain: string; route: IRouteConfig }> = [];
 
     for (const route of this.settings.routes) {
       if (route.action.tls?.certificate !== 'auto') continue;
@@ -418,13 +436,64 @@ export class SmartProxy extends plugins.EventEmitter {
       const certDomains = this.normalizeDomainsForCertProvisioning(rawDomains);
 
       for (const domain of certDomains) {
-        if (provisionedDomains.has(domain)) continue;
-        provisionedDomains.add(domain);
+        if (seen.has(domain)) continue;
+        seen.add(domain);
+        tasks.push({ domain, route });
+      }
+    }
+
+    if (tasks.length === 0) return;
+
+    // Phase 2: Process all domains in parallel with concurrency limit
+    const concurrency = this.settings.certProvisionConcurrency ?? 4;
+    const semaphore = new ConcurrencySemaphore(concurrency);
+
+    const promises = tasks.map(async ({ domain, route }) => {
+      await semaphore.acquire();
       try {
-          const result: TSmartProxyCertProvisionObject = await provisionFn(domain);
+        await this.provisionSingleDomain(domain, route, provisionFn);
+      } finally {
+        semaphore.release();
+      }
+    });
+
+    await Promise.allSettled(promises);
+  }
+
+  /**
+   * Provision a single domain's certificate via the callback.
+   * Includes per-domain timeout and shutdown checks.
+   */
+  private async provisionSingleDomain(
+    domain: string,
+    route: IRouteConfig,
+    provisionFn: (domain: string, eventComms: ICertProvisionEventComms) => Promise<TSmartProxyCertProvisionObject>,
+  ): Promise<void> {
+    if (this.stopping) return;
+
+    let expiryDate: string | undefined;
+    let source = 'certProvisionFunction';
+
+    const eventComms: ICertProvisionEventComms = {
+      log: (msg) => logger.log('info', `[certProvision ${domain}] ${msg}`, { component: 'smart-proxy' }),
+      warn: (msg) => logger.log('warn', `[certProvision ${domain}] ${msg}`, { component: 'smart-proxy' }),
+      error: (msg) => logger.log('error', `[certProvision ${domain}] ${msg}`, { component: 'smart-proxy' }),
+      setExpiryDate: (date) => { expiryDate = date.toISOString(); },
+      setSource: (s) => { source = s; },
+    };
+
+    const timeoutMs = this.settings.certProvisionTimeout ?? 300_000; // 5 min default
+
+    try {
+      const result: TSmartProxyCertProvisionObject = await this.withTimeout(
+        provisionFn(domain, eventComms),
+        timeoutMs,
+        `Certificate provisioning timed out for ${domain} after ${timeoutMs}ms`,
+      );
+
+      if (this.stopping) return;
 
       if (result === 'http01') {
-            // Callback wants HTTP-01 for this domain — trigger Rust ACME explicitly
         if (route.name) {
           try {
             await this.bridge.provisionCertificate(route.name);
@@ -434,11 +503,12 @@ export class SmartProxy extends plugins.EventEmitter {
               'Note: Rust ACME is disabled when certProvisionFunction is set.', { component: 'smart-proxy' });
           }
         }
-            continue;
+        return;
       }
 
-          // Got a static cert object - load it into Rust
       if (result && typeof result === 'object') {
+        if (this.stopping) return;
+
         const certObj = result as plugins.tsclass.network.ICert;
         await this.bridge.loadCertificate(
           domain,
@@ -455,10 +525,22 @@ export class SmartProxy extends plugins.EventEmitter {
             logger.log('warn', `certStore.save() failed for ${domain}: ${storeErr.message}`, { component: 'smart-proxy' });
           }
         }
+
+        this.emit('certificate-issued', {
+          domain,
+          expiryDate: expiryDate || (certObj.validUntil ? new Date(certObj.validUntil).toISOString() : undefined),
+          source,
+        } satisfies ICertificateIssuedEvent);
       }
     } catch (err: any) {
       logger.log('warn', `certProvisionFunction failed for ${domain}: ${err.message}`, { component: 'smart-proxy' });
 
+      this.emit('certificate-failed', {
+        domain,
+        error: err.message,
+        source,
+      } satisfies ICertificateFailedEvent);
+
       // Fallback to ACME if enabled and route has a name
       if (this.settings.certProvisionFallbackToAcme !== false && route.name) {
         try {
@@ -473,7 +555,18 @@ export class SmartProxy extends plugins.EventEmitter {
       }
     }
   }
-    }
+
+  /**
+   * Race a promise against a timeout. Rejects with the given message if the timeout fires first.
+   */
+  private withTimeout<T>(promise: Promise<T>, ms: number, message: string): Promise<T> {
+    return new Promise<T>((resolve, reject) => {
+      const timer = setTimeout(() => reject(new Error(message)), ms);
+      promise.then(
+        (val) => { clearTimeout(timer); resolve(val); },
+        (err) => { clearTimeout(timer); reject(err); },
+      );
+    });
   }
 
   /**

ts/proxies/smart-proxy/utils/concurrency-semaphore.ts

@@ -0,0 +1,28 @@
+/**
+ * Async concurrency semaphore — limits the number of concurrent async operations.
+ */
+export class ConcurrencySemaphore {
+  private running = 0;
+  private waitQueue: Array<() => void> = [];
+
+  constructor(private readonly maxConcurrency: number) {}
+
+  async acquire(): Promise<void> {
+    if (this.running < this.maxConcurrency) {
+      this.running++;
+      return;
+    }
+    return new Promise<void>((resolve) => {
+      this.waitQueue.push(() => {
+        this.running++;
+        resolve();
+      });
+    });
+  }
+
+  release(): void {
+    this.running--;
+    const next = this.waitQueue.shift();
+    if (next) next();
+  }
+}

ts/proxies/smart-proxy/utils/index.ts

@@ -17,6 +17,9 @@ export * from './route-utils.js';
 // Export default certificate generator
 export { generateDefaultCertificate } from './default-cert-generator.js';
 
+// Export concurrency semaphore
+export { ConcurrencySemaphore } from './concurrency-semaphore.js';
+
 // Export additional functions from route-helpers that weren't already exported
 export {
   createApiGatewayRoute,