fix(remoteingress-core): perform graceful TLS shutdown on edge and hub tunnel streams

changelog.md

@@ -1,5 +1,11 @@
 # Changelog
 
+## 2026-03-17 - 4.8.7 - fix(remoteingress-core)
+perform graceful TLS shutdown on edge and hub tunnel streams
+
+- Send TLS close_notify before cleanup to avoid peer disconnect warnings on both tunnel endpoints
+- Wrap stream shutdown in a 2 second timeout so connection teardown does not block cleanup
+
 ## 2026-03-17 - 4.8.6 - fix(remoteingress-core)
 initialize disconnect reason only when set in hub loop break paths
 

rust/crates/remoteingress-core/src/edge.rs

@@ -587,6 +587,14 @@ async fn connect_to_hub_and_run(
         }
     };
 
+    // Graceful TLS shutdown: send close_notify so the hub sees a clean disconnect
+    // instead of "peer closed connection without sending TLS close_notify".
+    let mut tls_stream = tunnel_io.into_inner();
+    let _ = tokio::time::timeout(
+        Duration::from_secs(2),
+        tls_stream.shutdown(),
+    ).await;
+
     // Cleanup
     connection_token.cancel();
     stun_handle.abort();

rust/crates/remoteingress-core/src/hub.rs

@@ -824,6 +824,14 @@ async fn handle_edge_connection(
         }
     }
 
+    // Graceful TLS shutdown: send close_notify so the edge sees a clean disconnect
+    // instead of "peer closed connection without sending TLS close_notify".
+    let mut tls_stream = tunnel_io.into_inner();
+    let _ = tokio::time::timeout(
+        Duration::from_secs(2),
+        tls_stream.shutdown(),
+    ).await;
+
     // Cleanup: cancel edge token to propagate to all child tasks
     edge_token.cancel();
     config_handle.abort();

ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@serve.zone/remoteingress',
-  version: '4.8.6',
+  version: '4.8.7',
   description: 'Edge ingress tunnel for DcRouter - accepts incoming TCP connections at network edge and tunnels them to DcRouter SmartProxy preserving client IP via PROXY protocol v1.'
 }