fix(readme): document per-transport metrics and handshake-driven WireGuard connection state

changelog.md

@@ -1,5 +1,12 @@
 # Changelog
 
+## 2026-03-31 - 1.17.1 - fix(readme)
+document per-transport metrics and handshake-driven WireGuard connection state
+
+- Add README examples for getStatistics() per-transport active client and total connection counters
+- Clarify that WireGuard peers are marked connected only after a successful handshake and disconnect after idle timeout
+- Refresh API and project structure documentation to reflect newly documented stats fields and source files
+
 ## 2026-03-31 - 1.17.0 - feat(wireguard)
 track per-transport server statistics and make WireGuard clients active only after handshake
 

readme.md

@@ -6,11 +6,12 @@ A high-performance VPN solution with a **TypeScript control plane** and a **Rust
 🚀 **Triple transport**: WebSocket (Cloudflare-friendly), raw **QUIC** (datagrams), and **WireGuard** (standard protocol)
 🛡️ **ACL engine** — deny-overrides-allow IP filtering, aligned with SmartProxy conventions
 🔀 **PROXY protocol v2** — real client IPs behind reverse proxies (HAProxy, SmartProxy, Cloudflare Spectrum)
-📊 **Adaptive QoS**: per-client rate limiting, priority queues, connection quality tracking
+📊 **Per-transport metrics**: active clients and total connections broken down by websocket, QUIC, and WireGuard
 🔄 **Hub API**: one `createClient()` call generates keys, assigns IP, returns both SmartVPN + WireGuard configs
 📡 **Real-time telemetry**: RTT, jitter, loss ratio, link health — all via typed APIs
 🌐 **Unified forwarding pipeline**: all transports share the same engine — TUN (kernel), userspace NAT (no root), or testing mode
 🎯 **Destination routing policy**: force-target, block, or allow traffic per destination with nftables integration
+⚡ **Handshake-driven WireGuard state**: peers appear as "connected" only after a successful WireGuard handshake, and auto-disconnect on idle timeout
 
 ## Issue Reporting and Security
 
@@ -140,6 +141,30 @@ Every client authenticates with a **Noise IK handshake** (`Noise_IK_25519_ChaCha
 
 The server runs **all three simultaneously** by default with `transportMode: 'all'`. All transports share the same unified forwarding pipeline (`ForwardingEngine`), IP pool, client registry, and stats — so WireGuard peers get the same userspace NAT, rate limiting, and monitoring as WS/QUIC clients. Clients auto-negotiate with `transport: 'auto'` (tries QUIC first, falls back to WS).
 
+### 📊 Per-Transport Metrics
+
+Server statistics include per-transport breakdowns so you can see exactly how many clients use each protocol:
+
+```typescript
+const stats = await server.getStatistics();
+
+// Aggregate
+console.log(stats.activeClients);       // total connected clients
+console.log(stats.totalConnections);    // total connections since start
+
+// Per-transport active clients
+console.log(stats.activeClientsWebsocket);   // currently connected via WS
+console.log(stats.activeClientsQuic);        // currently connected via QUIC
+console.log(stats.activeClientsWireguard);   // currently connected via WireGuard
+
+// Per-transport total connections
+console.log(stats.totalConnectionsWebsocket);
+console.log(stats.totalConnectionsQuic);
+console.log(stats.totalConnectionsWireguard);
+```
+
+**WireGuard connection state is handshake-driven** — registered WireGuard peers do NOT appear as "connected" until their first successful WireGuard handshake completes. They automatically disconnect after 180 seconds of inactivity or when boringtun reports `ConnectionExpired`. This matches how WebSocket/QUIC clients behave: they appear on connection and disappear on disconnect.
+
 ### 🛡️ ACL Engine (SmartProxy-Aligned)
 
 Security policies per client, using the same `ipAllowList` / `ipBlockList` naming convention as `@push.rocks/smartproxy`:
@@ -256,8 +281,9 @@ The userspace NAT mode extracts destination IP/port from IP packets, opens a rea
 - **Connection quality**: Smoothed RTT, jitter, min/max RTT, loss ratio, link health (`healthy` / `degraded` / `critical`)
 - **Adaptive keepalives**: Interval adjusts based on link health (60s → 30s → 10s)
 - **Per-client rate limiting**: Token bucket with configurable bytes/sec and burst
-- **Dead-peer detection**: 180s inactivity timeout
+- **Dead-peer detection**: 180s inactivity timeout (all transports)
 - **MTU management**: Automatic overhead calculation (IP+TCP+WS+Noise = 79 bytes)
+- **Per-transport stats**: Active client and total connection counts broken down by websocket, QUIC, and WireGuard
 
 ### 🏷️ Client Tags (Trusted vs Informational)
 
@@ -425,6 +451,7 @@ server.on('reconnected', () => { /* socket transport reconnected */ });
 | `IClientRateLimit` | Rate limiting config (bytesPerSec, burstBytes) |
 | `IClientConfigBundle` | Full config bundle returned by `createClient()` — includes SmartVPN config, WireGuard .conf, and secrets |
 | `IVpnClientInfo` | Connected client info (IP, stats, authenticated key, remote addr, transport type) |
+| `IVpnServerStatistics` | Server stats with per-transport breakdowns (activeClientsWebsocket/Quic/Wireguard, totalConnections*) |
 | `IVpnConnectionQuality` | RTT, jitter, loss ratio, link health |
 | `IVpnMtuInfo` | TUN MTU, effective MTU, overhead bytes, oversized packet stats |
 | `IVpnKeypair` | Base64-encoded public/private key pair |
@@ -443,7 +470,7 @@ server.on('reconnected', () => { /* socket transport reconnected */ });
 | `exportClientConfig` | Re-export as SmartVPN config or WireGuard `.conf` |
 | `listClients` / `disconnectClient` | Manage live connections |
 | `setClientRateLimit` / `removeClientRateLimit` | Runtime rate limit adjustments |
-| `getStatus` / `getStatistics` / `getClientTelemetry` | Monitoring |
+| `getStatus` / `getStatistics` / `getClientTelemetry` | Monitoring (stats include per-transport breakdowns) |
 | `generateKeypair` / `generateWgKeypair` / `generateClientKeypair` | Key generation |
 | `addWgPeer` / `removeWgPeer` / `listWgPeers` | WireGuard peer management |
 
@@ -541,6 +568,7 @@ smartvpn/
 │   ├── index.ts                # All exports
 │   ├── smartvpn.interfaces.ts  # Interfaces, types, IPC command maps
 │   ├── smartvpn.plugins.ts     # Dependency imports
+│   ├── smartvpn.paths.ts       # Binary path resolution
 │   ├── smartvpn.classes.vpnserver.ts
 │   ├── smartvpn.classes.vpnclient.ts
 │   ├── smartvpn.classes.vpnbridge.ts
@@ -558,13 +586,19 @@ smartvpn/
 │       ├── proxy_protocol.rs   # PROXY protocol v2 parser
 │       ├── management.rs       # JSON-lines IPC
 │       ├── transport.rs        # WebSocket transport
+│       ├── transport_trait.rs  # Transport abstraction (Sink/Stream)
 │       ├── quic_transport.rs   # QUIC transport
 │       ├── wireguard.rs        # WireGuard (boringtun)
 │       ├── codec.rs            # Binary frame protocol
 │       ├── keepalive.rs        # Adaptive keepalives
 │       ├── ratelimit.rs        # Token bucket
 │       ├── userspace_nat.rs    # Userspace TCP/UDP NAT proxy
-│       └── ...                 # tunnel, network, telemetry, qos, mtu, reconnect
+│       ├── tunnel.rs           # TUN device management
+│       ├── network.rs          # IP pool + networking
+│       ├── telemetry.rs        # RTT/jitter/loss tracking
+│       ├── qos.rs              # Priority queues + smart dropping
+│       ├── mtu.rs              # MTU + ICMP too-big
+│       └── reconnect.rs        # Exponential backoff + session tokens
 ├── test/                       # Test files
 ├── dist_ts/                    # Compiled TypeScript
 └── dist_rust/                  # Cross-compiled binaries (linux amd64 + arm64)
@@ -572,7 +606,7 @@ smartvpn/
 
 ## License and Legal Information
 
-This repository contains open-source code licensed under the MIT License. A copy of the license can be found in the [license](./license.md) file.
+This repository contains open-source code licensed under the MIT License. A copy of the license can be found in the [LICENSE](./LICENSE) file.
 
 **Please note:** The MIT License does not grant permission to use the trade names, trademarks, service marks, or product names of the project, except as required for reasonable and customary use in describing the origin of the work and reproducing the content of the NOTICE file.
 
@@ -584,7 +618,7 @@ Use of these trademarks must comply with Task Venture Capital GmbH's Trademark G
 
 ### Company Information
 
-Task Venture Capital GmbH
+Task Venture Capital GmbH  
 Registered at District Court Bremen HRB 35230 HB, Germany
 
 For any legal inquiries or further information, please contact us via email at hello@task.vc.

ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@push.rocks/smartvpn',
-  version: '1.17.0',
+  version: '1.17.1',
   description: 'A VPN solution with TypeScript control plane and Rust data plane daemon'
 }