v4.8.4

.gitignore

@@ -17,4 +17,5 @@ node_modules/
 dist/
 dist_*/
 
-# custom
+# custom
+rust/target/

changelog.md

@@ -0,0 +1,321 @@
+# Changelog
+
+## 2026-03-17 - 4.8.4 - fix(remoteingress-core)
+prevent stream stalls by guaranteeing flow-control updates and avoiding bounded per-stream channel overflows
+
+- Replace bounded per-stream data channels with unbounded channels on edge and hub, relying on existing WINDOW_UPDATE flow control to limit bytes in flight
+- Use awaited sends for FRAME_WINDOW_UPDATE and FRAME_WINDOW_UPDATE_BACK so updates are not dropped and streams do not deadlock under backpressure
+- Clean up stream state when channel receivers have already exited instead of closing active streams because a bounded queue filled
+
+## 2026-03-17 - 4.8.3 - fix(protocol,edge)
+optimize tunnel frame handling and zero-copy uploads in edge I/O
+
+- extract hub frame processing into a shared edge handler to remove duplicated tunnel logic
+- add zero-copy frame header encoding and read payloads directly into framed buffers for client-to-hub uploads
+- refactor TunnelIo read/write state to avoid unsafe queue access and reduce buffer churn with incremental parsing
+
+## 2026-03-17 - 4.8.2 - fix(rust-edge)
+refactor tunnel I/O to preserve TLS state and prioritize control frames
+
+- replace split TLS handling with a single-owner TunnelIo to avoid handshake and buffered read corruption
+- prioritize control frames over data frames to prevent WINDOW_UPDATE starvation and flow-control deadlocks
+- improve tunnel reliability with incremental frame parsing, liveness/error events, and corrupt frame header logging
+
+## 2026-03-17 - 4.8.1 - fix(remoteingress-core)
+remove tunnel writer timeouts from edge and hub buffered writes
+
+- Drops the 30 second timeout wrapper around writer.write_all and writer.flush in both edge and hub tunnel writers.
+- Updates error logging to report write failures without referring to stalled writes.
+
+## 2026-03-17 - 4.8.0 - feat(events)
+include disconnect reasons in edge and hub management events
+
+- Add reason fields to tunnelDisconnected and edgeDisconnected events emitted from the Rust core and binary bridge
+- Propagate specific disconnect causes such as EOF, liveness timeout, writer failure, handshake failure, and hub cancellation
+- Update TypeScript edge and hub classes to log and forward disconnect reason data
+- Extend serialization tests to cover the new reason fields
+
+## 2026-03-17 - 4.7.2 - fix(remoteingress-core)
+add tunnel write timeouts and scale initial stream windows by active stream count
+
+- Wrap tunnel frame writes and flushes in a 30-second timeout on both edge and hub to detect stalled writers and trigger faster reconnect or cleanup.
+- Compute each stream's initial send window from the current active stream count instead of using a fixed window to keep total in-flight data within the 32MB budget.
+
+## 2026-03-17 - 4.7.1 - fix(remoteingress-core)
+improve tunnel failure detection and reconnect handling
+
+- Enable TCP keepalive on edge and hub connections to detect silent network failures sooner
+- Trigger immediate reconnect or disconnect when tunnel writer tasks fail instead of waiting for liveness timeouts
+- Prevent active stream counter underflow during concurrent connection cleanup
+
+## 2026-03-16 - 4.7.0 - feat(edge,protocol,test)
+add configurable edge bind address and expand flow-control test coverage
+
+- adds an optional bindAddress configuration for edge TCP listeners, defaulting to 0.0.0.0 when not provided
+- passes bindAddress through the TypeScript edge client and Rust edge runtime so local test setups can bind to localhost
+- adds protocol unit tests for adaptive stream window sizing and window update frame encoding/decoding
+- introduces end-to-end flow-control tests and updates the test script to build before running tests
+
+## 2026-03-16 - 4.6.1 - fix(remoteingress-core)
+avoid spurious tunnel disconnect events and increase control channel capacity
+
+- Emit TunnelDisconnected only after an established connection is actually lost, preventing false disconnect events during failed reconnect attempts.
+- Increase edge and hub control-channel buffer sizes from 64 to 256 to better prioritize control frames under load.
+
+## 2026-03-16 - 4.6.0 - feat(remoteingress-core)
+add adaptive per-stream flow control based on active stream counts
+
+- Track active stream counts on edge and hub connections to size per-stream flow control windows dynamically.
+- Cap WINDOW_UPDATE increments and read sizes to the adaptive window so bandwidth is shared more evenly across concurrent streams.
+- Apply the adaptive logic to both upload and download paths on edge and hub stream handlers.
+
+## 2026-03-16 - 4.5.12 - fix(remoteingress-core)
+improve tunnel liveness handling and enable TCP keepalive for accepted client sockets
+
+- Avoid disconnecting edges when PING or PONG frames cannot be queued because the control channel is temporarily full.
+- Enable TCP_NODELAY and TCP keepalive on accepted client connections to help detect stale or dropped clients.
+
+## 2026-03-16 - 4.5.11 - fix(repo)
+no changes to commit
+
+
+## 2026-03-16 - 4.5.10 - fix(remoteingress-core)
+guard zero-window reads to avoid false EOF handling on stalled streams
+
+- Prevent upload and download loops from calling read on an empty buffer when flow-control window remains at 0 after stall timeout
+- Log a warning and close the affected stream instead of misinterpreting Ok(0) as end-of-file
+
+## 2026-03-16 - 4.5.9 - fix(remoteingress-core)
+delay stream close until downstream response draining finishes to prevent truncated transfers
+
+- Waits for the hub-to-client download task to finish before sending the stream CLOSE frame
+- Prevents upstream reads from being cancelled mid-response during asymmetric transfers such as git fetch
+- Retains the existing timeout so stalled downloads still clean up safely
+
+## 2026-03-16 - 4.5.8 - fix(remoteingress-core)
+ensure upstream writes cancel promptly and reliably deliver CLOSE_BACK frames
+
+- listen for stream cancellation while waiting on upstream write timeouts so FRAME_CLOSE does not block for up to 60 seconds
+- replace try_send with send().await when emitting CLOSE_BACK frames to avoid silently dropping close notifications when the data channel is full
+
+## 2026-03-16 - 4.5.7 - fix(remoteingress-core)
+improve tunnel reconnect and frame write efficiency
+
+- Reuse the TLS connector across edge reconnections to preserve session resumption state and reduce reconnect latency.
+- Buffer hub and edge frame writes to coalesce small control and data frames into fewer TLS records and syscalls while still flushing each frame promptly.
+
+## 2026-03-16 - 4.5.6 - fix(remoteingress-core)
+disable Nagle's algorithm on edge, hub, and upstream TCP sockets to reduce control-frame latency
+
+- Enable TCP_NODELAY on the edge connection to the hub for faster PING/PONG and WINDOW_UPDATE delivery
+- Apply TCP_NODELAY on accepted hub streams before TLS handling
+- Enable TCP_NODELAY on SmartProxy upstream connections before sending the PROXY header
+
+## 2026-03-16 - 4.5.5 - fix(remoteingress-core)
+wait for hub-to-client draining before cleanup and reliably send close frames
+
+- switch CLOSE frame delivery on the data channel from try_send to send().await to avoid dropping it when the channel is full
+- delay stream cleanup until the hub-to-client task finishes or times out so large downstream responses continue after upload EOF
+- add a bounded 5-minute wait for download draining to prevent premature termination of asymmetric transfers such as git fetch
+
+## 2026-03-15 - 4.5.4 - fix(remoteingress-core)
+preserve stream close ordering and add flow-control stall timeouts
+
+- Send CLOSE and CLOSE_BACK frames on the data channel so they arrive after the final stream data frames.
+- Log and abort stalled upload and download paths when flow-control windows stay empty for 120 seconds.
+- Apply a 60-second timeout when writing buffered stream data to the upstream connection to prevent hung streams.
+
+## 2026-03-15 - 4.5.3 - fix(remoteingress-core)
+prioritize control frames over data in edge and hub tunnel writers
+
+- Split tunnel/frame writers into separate control and data channels in edge and hub
+- Use biased select loops so PING, PONG, WINDOW_UPDATE, OPEN, and CLOSE frames are sent before data frames
+- Route stream data through dedicated data channels while keeping OPEN, CLOSE, and flow-control updates on control channels to prevent keepalive starvation under load
+
+## 2026-03-15 - 4.5.2 - fix(remoteingress-core)
+improve stream flow control retries and increase channel buffer capacity
+
+- increase per-stream mpsc channel capacity from 128 to 256 on both edge and hub paths
+- only reset accumulated window update bytes after a successful try_send to avoid dropping flow-control credits when the update channel is busy
+
+## 2026-03-15 - 4.5.1 - fix(protocol)
+increase per-stream flow control window and channel buffers to improve high-RTT throughput
+
+- raise the initial stream window from 256 KB to 4 MB to allow more in-flight data per stream
+- increase edge and hub mpsc channel capacities from 16 to 128 to better absorb throughput under flow control
+
+## 2026-03-15 - 4.5.0 - feat(remoteingress-core)
+add per-stream flow control for edge and hub tunnel data transfer
+
+- introduce WINDOW_UPDATE frame types and protocol helpers for per-stream flow control
+- track per-stream send windows on both edge and hub to limit reads based on available capacity
+- send window updates after downstream writes to reduce channel pressure during large transfers
+
+## 2026-03-15 - 4.4.1 - fix(remoteingress-core)
+prevent stream data loss by applying backpressure and closing saturated channels
+
+- replace non-blocking frame writes with awaited sends in per-stream tasks so large transfers respect backpressure instead of dropping data
+- close and remove streams when back-channel or data channels fill up to avoid TCP stream corruption from silently dropped frames
+
+## 2026-03-03 - 4.4.0 - feat(remoteingress)
+add heartbeat PING/PONG and liveness timeouts; implement fast-reconnect/backoff reset and JS crash-recovery auto-restart
+
+- protocol: add FRAME_PING and FRAME_PONG and unit tests for ping/pong frames
+- edge (Rust): reset backoff after successful connection, respond to PING with PONG, track liveness via deadline and reconnect on timeout, use Duration/Instant helpers
+- hub (Rust): send periodic PING to edges, handle PONGs, enforce liveness timeout and disconnect inactive edges, use tokio interval and time utilities
+- ts: RemoteIngressEdge and RemoteIngressHub: add crash-recovery auto-restart with exponential backoff and max attempts, save/restore config and allowed edges, register/remove exit handlers, ensure stop() marks stopping and cleans up listeners
+- minor API/typing: introduce TAllowedEdge alias and persist allowed edges for restart recovery
+
+## 2026-02-26 - 4.3.0 - feat(hub)
+add optional TLS certificate/key support to hub start config and bridge
+
+- TypeScript: add tls.certPem and tls.keyPem to IHubConfig and include tlsCertPem/tlsKeyPem in startHub bridge command when both are provided
+- TypeScript: extend startHub params with tlsCertPem and tlsKeyPem and conditionally send them
+- Rust: change HubConfig serde attributes for tls_cert_pem and tls_key_pem from skip to default so absent PEM fields deserialize as None
+- Enables optional provisioning of TLS certificate and key to the hub when provided from the JS side
+
+## 2026-02-26 - 4.2.0 - feat(core)
+expose edge peer address in hub events and migrate writers to channel-based, non-blocking framing with stream limits and timeouts
+
+- Add peerAddr to ConnectedEdgeStatus and HubEvent::EdgeConnected and surface it to the TS frontend event (management:edgeConnected).
+- Replace Arc<Mutex<WriteHalf>> writers with dedicated mpsc channel writer tasks in both hub and edge crates to serialize writes off the main tasks.
+- Use non-blocking try_send for data frames to avoid head-of-line blocking and drop frames with warnings when channels are full.
+- Introduce MAX_STREAMS_PER_EDGE semaphore to limit concurrent streams per edge and reject excess opens with a CLOSE_BACK frame.
+- Add a 10s timeout when connecting to SmartProxy to avoid hanging connections.
+- Ensure writer tasks are aborted on shutdown/cleanup and propagate cancellation tokens appropriately.
+
+## 2026-02-26 - 4.1.0 - feat(remoteingress-bin)
+use mimalloc as the global allocator to reduce memory overhead and improve allocation performance
+
+- added mimalloc = "0.1" dependency to rust/crates/remoteingress-bin/Cargo.toml
+- registered mimalloc as the #[global_allocator] in rust/crates/remoteingress-bin/src/main.rs
+- updated Cargo.lock with libmimalloc-sys and mimalloc package entries
+
+## 2026-02-26 - 4.0.1 - fix(hub)
+cancel per-stream tokens on stream close and avoid duplicate StreamClosed events; bump @types/node devDependency to ^25.3.0
+
+- Add CancellationToken to per-stream entries so each stream can be cancelled independently.
+- Ensure StreamClosed event is only emitted when a stream was actually present (guards against duplicate events).
+- Cancel the stream-specific token on FRAME_CLOSE to stop associated tasks and free resources.
+- DevDependency bump: @types/node updated from ^25.2.3 to ^25.3.0.
+
+## 2026-02-19 - 4.0.0 - BREAKING CHANGE(remoteingress-core)
+add cancellation tokens and cooperative shutdown; switch event channels to bounded mpsc and improve cleanup
+
+- Introduce tokio-util::sync::CancellationToken for hub/edge and per-connection/stream cancellation, enabling cooperative shutdown of spawned tasks.
+- Replace unbounded mpsc channels with bounded mpsc::channel(1024) and switch from UnboundedSender/Receiver to Sender/Receiver; use try_send where non-blocking sends are appropriate.
+- Wire cancellation tokens through edge and hub codepaths: child tokens per connection, per-port, per-stream; cancel tokens in stop() and Drop impls to ensure deterministic task termination and cleanup.
+- Reset stream id counters and clear listener state on reconnect; improved error handling around accept/read loops using tokio::select! and cancellation checks.
+- Update Cargo.toml and Cargo.lock to add tokio-util (and related futures entries) as dependencies.
+- BREAKING: public API/types changed — take_event_rx return types and event_tx/event_rx fields now use bounded mpsc::Sender/mpsc::Receiver instead of the unbounded variants; callers must adapt to the new types and bounded behavior.
+
+## 2026-02-18 - 3.3.0 - feat(readme)
+document dynamic port assignment and runtime port updates; clarify TLS multiplexing, frame format, and handshake sequence
+
+- Adds documentation for dynamic port configuration: hub-assigned listen ports, hot-reloadable via FRAME_CONFIG frames
+- Introduces new FRAME type CONFIG (0x06) and describes payload as JSON; notes immediate push of port changes to connected edges
+- Clarifies that the tunnel is a single encrypted TLS multiplexed connection to the hub (preserves PROXY v1 behavior)
+- Specifies frame integer fields are big-endian and that stream IDs are 32-bit unsigned integers
+- Adds new events: portsAssigned and portsUpdated, and updates examples showing updateAllowedEdges usage and live port changes
+
+## 2026-02-18 - 3.2.1 - fix(tests)
+add comprehensive unit and async tests across Rust crates and TypeScript runtime
+
+- Added IPC serialization tests in remoteingress-bin (IPC request/response/event)
+- Added serde and async tests for Edge and Handshake configs and EdgeEvent/EdgeStatus in remoteingress-core (edge.rs)
+- Added extensive Hub tests: constant_time_eq, PROXY header port parsing, serde/camelCase checks, Hub events and async TunnelHub behavior (hub.rs)
+- Added STUN parser unit tests including XOR_MAPPED_ADDRESS, MAPPED_ADDRESS fallback, truncated attribute handling and other edge cases (stun.rs)
+- Added protocol frame encoding and FrameReader tests covering all frame types, payload limits and EOF conditions (remoteingress-protocol)
+- Added TypeScript Node tests for token encode/decode edge cases and RemoteIngressHub/RemoteIngressEdge class basics (test/*.node.ts)
+
+## 2026-02-18 - 3.2.0 - feat(remoteingress (edge/hub/protocol))
+add dynamic port configuration: handshake, FRAME_CONFIG frames, and hot-reloadable listeners
+
+- Introduce a JSON handshake from hub -> edge with initial listen ports and stun interval so edges can configure listeners at connect time.
+- Add FRAME_CONFIG (0x06) to the protocol and implement runtime config updates pushed from hub to connected edges.
+- Edge now applies initial ports and supports hot-reloading: spawn/abort listeners when ports change, and emit PortsAssigned / PortsUpdated events.
+- Hub now stores allowed edge metadata (listen_ports, stun_interval_secs), sends handshake responses on auth, and forwards config updates to connected edges.
+- TypeScript bridge/client updated to emit new port events and periodically log status; updateAllowedEdges API accepts listenPorts and stunIntervalSecs.
+- Stun interval handling moved to use handshake-provided/stored value instead of config.listen_ports being static.
+
+## 2026-02-18 - 3.1.1 - fix(readme)
+update README: add issue reporting/security section, document connection tokens and token utilities, clarify architecture/API and improve examples/formatting
+
+- Added an 'Issue Reporting and Security' section linking to community.foss.global for bug/security reports and contributor onboarding.
+- Documented connection tokens: encodeConnectionToken/decodeConnectionToken utilities, token format (base64url), and examples for hub and edge provisioning.
+- Clarified Hub/Edge usage and examples: condensed event handlers, added token-based start() example, and provided explicit config alternative.
+- Improved README formatting: added emojis, rephrased architecture descriptions, fixed wording and license path capitalization, and expanded example scenarios and interfaces.
+
+## 2026-02-17 - 3.1.0 - feat(edge)
+support connection tokens when starting an edge and add token encode/decode utilities
+
+- Add classes.token.ts with encodeConnectionToken/decodeConnectionToken using a base64url compact JSON format
+- Export token utilities from ts/index.ts
+- RemoteIngressEdge.start now accepts a { token } option and decodes it to an IEdgeConfig before starting
+- Add tests covering export availability, encode→decode roundtrip, malformed token, and missing fields
+- Non-breaking change — recommend a minor version bump
+
+## 2026-02-17 - 3.0.4 - fix(build)
+bump dev dependencies, update build script, and refresh README docs
+
+- Bumped devDependencies: @git.zone/tsbuild ^2.1.25 → ^4.1.2, @git.zone/tsbundle ^2.0.5 → ^2.8.3, @git.zone/tsrun ^1.2.46 → ^2.0.1, @git.zone/tstest ^1.0.44 → ^3.1.8, @push.rocks/tapbundle ^5.0.15 → ^6.0.3, @types/node ^20.8.7 → ^25.2.3
+- Bumped runtime dependency: @push.rocks/qenv ^6.0.5 → ^6.1.3
+- Changed build script: replaced "tsbuild --web --allowimplicitany" with "tsbuild tsfolders --allowimplicitany" (kept tsrust invocation)
+- README updates: added RustBridge notes (localPaths must be full file paths), production binary naming conventions, rust core uses ring as rustls provider; removed emoji from example console output; clarified stunIntervalSecs is optional; renamed example status variable to edgeStatus; minor wire-protocol formatting and wording/legal text tweaks
+
+## 2026-02-17 - 3.0.3 - fix(rust,ts)
+initialize rustls ring CryptoProvider at startup; add rustls dependency and features; make native binary lookup platform-aware
+
+- Install rustls::crypto::ring default_provider at startup to ensure ring-based crypto is available before any TLS usage.
+- Add rustls dependency to remoteingress-bin and update remoteingress-core rustls configuration (disable default-features; enable ring, logging, std, tls12).
+- Adjust TS classes to prefer platform-suffixed production binaries, add exact fallback names, and include explicit cargo output paths for release/debug.
+- Cargo.lock updated to include rustls entry.
+
+## 2026-02-16 - 3.0.2 - fix(readme)
+Document Hub/Edge architecture and new RemoteIngressHub/RemoteIngressEdge API; add Rust core binary, protocol and usage details; note removal of ConnectorPublic/ConnectorPrivate (breaking change)
+
+- Adds comprehensive README describing v3 Hub↔Edge topology and usage examples
+- Introduces Rust core binary (remoteingress-bin) and RustBridge IPC via @push.rocks/smartrust
+- Documents custom multiplexed binary frame protocol over TLS and PROXY protocol v1 for client IP preservation
+- Notes STUN-based public IP discovery and cross-compiled linux/amd64 and linux/arm64 binaries
+- Calls out removal/rename of ConnectorPublic/ConnectorPrivate to RemoteIngressHub/RemoteIngressEdge (breaking API change)
+- Updates install instruction to use pnpm and expands API reference, events, and examples
+
+## 2026-02-16 - 3.0.1 - fix(remoteingress)
+no changes detected in diff; no code modifications to release
+
+- No files changed in the provided diff.
+- No release or version bump required based on current changes.
+
+## 2026-02-16 - 3.0.0 - BREAKING CHANGE(remoteingress)
+migrate core to Rust, add RemoteIngressHub/RemoteIngressEdge JS bridge, and bump package to v2.0.0
+
+- Added Rust workspace and crates: remoteingress-protocol, remoteingress-core, remoteingress-bin (IPC management mode via JSON over stdin/stdout).
+- Implemented protocol framing, PROXY v1 header builder, and async FrameReader in remoteingress-protocol.
+- Implemented hub and edge tunnel logic in Rust including TLS handling, PROXY parsing, and STUN public IP discovery.
+- Added TypeScript runtime bridge classes RemoteIngressHub and RemoteIngressEdge that use @push.rocks/smartrust to spawn/manage the Rust binary.
+- Removed legacy connector public/private TS files and simplified ts/index exports to expose hub/edge classes.
+- Updated package.json: bumped version to 2.0.0, adjusted description, added tsrust build step, new dependency @push.rocks/smartrust and keywords, and included dist_rust in files/glob.
+- Added rust build config for cross-target linkers and new Cargo.toml manifests for the workspace.
+
+## 2024-04-14 - 1.0.2 - 1.0.4 - releases
+Version-only tag commits (no code changes) for recent releases.
+
+- 1.0.2 (2024-03-24) — release tag / version bump only
+- 1.0.3 (2024-04-14) — release tag / version bump only
+- 1.0.4 (2024-04-14) — release tag / version bump only
+
+## 2024-04-14 - 1.0.3 - core
+Core updates and fixes.
+
+- fix(core): update
+
+## 2024-04-14 - 1.0.2 - core
+Core updates and fixes.
+
+- fix(core): update
+
+## 2024-03-24 - 1.0.1 - core
+Core updates and fixes.
+
+- fix(core): update

npmextra.json

@@ -1,11 +1,17 @@
 {
-  "gitzone": {
+  "@git.zone/tsrust": {
+    "targets": [
+      "linux_amd64",
+      "linux_arm64"
+    ]
+  },
+  "@git.zone/cli": {
     "projectType": "npm",
     "module": {
       "githost": "code.foss.global",
       "gitscope": "serve.zone",
       "gitrepo": "remoteingress",
-      "description": "Provides a service for creating private tunnels and reaching private clusters from the outside as part of the @serve.zone stack.",
+      "description": "Provides a service for creating private tunnels and reaching private clusters from the outside, facilitating secure remote access as part of the @serve.zone stack.",
       "npmPackagename": "@serve.zone/remoteingress",
       "license": "MIT",
       "projectDomain": "serve.zone",
@@ -13,21 +19,32 @@
         "remote access",
         "private tunnels",
         "network security",
-        "TLS",
+        "TLS encryption",
         "connector",
-        "serve.zone",
-        "private clusters",
-        "public access",
-        "TypeScript",
-        "node.js"
+        "serve.zone stack",
+        "private clusters access",
+        "public access management",
+        "TypeScript application",
+        "node.js package",
+        "secure communications",
+        "TLS/SSL certificates",
+        "development tools",
+        "software development",
+        "private network integration"
       ]
+    },
+    "release": {
+      "registries": [
+        "https://verdaccio.lossless.digital",
+        "https://registry.npmjs.org"
+      ],
+      "accessLevel": "public"
     }
   },
-  "npmci": {
-    "npmGlobalTools": [],
-    "npmAccessLevel": "public"
-  },
-  "tsdoc": {
+  "@git.zone/tsdoc": {
     "legal": "\n## License and Legal Information\n\nThis repository contains open-source code that is licensed under the MIT License. A copy of the MIT License can be found in the [license](license) file within this repository. \n\n**Please note:** The MIT License does not grant permission to use the trade names, trademarks, service marks, or product names of the project, except as required for reasonable and customary use in describing the origin of the work and reproducing the content of the NOTICE file.\n\n### Trademarks\n\nThis project is owned and maintained by Task Venture Capital GmbH. The names and logos associated with Task Venture Capital GmbH and any related products or services are trademarks of Task Venture Capital GmbH and are not included within the scope of the MIT license granted herein. Use of these trademarks must comply with Task Venture Capital GmbH's Trademark Guidelines, and any usage must be approved in writing by Task Venture Capital GmbH.\n\n### Company Information\n\nTask Venture Capital GmbH  \nRegistered at District court Bremen HRB 35230 HB, Germany\n\nFor any legal inquiries or if you require further information, please contact us via email at hello@task.vc.\n\nBy using this repository, you acknowledge that you have read this section, agree to comply with its terms, and understand that the licensing of the code does not imply endorsement by Task Venture Capital GmbH of any derivative works.\n"
+  },
+  "@ship.zone/szci": {
+    "npmGlobalTools": []
   }
 }

package.json

@@ -1,28 +1,30 @@
 {
   "name": "@serve.zone/remoteingress",
-  "version": "1.0.3",
+  "version": "4.8.4",
   "private": false,
-  "description": "Provides a service for creating private tunnels and reaching private clusters from the outside as part of the @serve.zone stack.",
+  "description": "Edge ingress tunnel for DcRouter - accepts incoming TCP connections at network edge and tunnels them to DcRouter SmartProxy preserving client IP via PROXY protocol v1.",
   "main": "dist_ts/index.js",
   "typings": "dist_ts/index.d.ts",
   "type": "module",
   "author": "Task Venture Capital GmbH",
   "license": "MIT",
   "scripts": {
-    "test": "(tstest test/ --web)",
-    "build": "(tsbuild --web --allowimplicitany)",
+    "test": "(pnpm run build && tstest test/ --verbose --logfile --timeout 60)",
+    "build": "(tsbuild tsfolders --allowimplicitany && tsrust)",
     "buildDocs": "(tsdoc)"
   },
   "devDependencies": {
-    "@git.zone/tsbuild": "^2.1.25",
-    "@git.zone/tsbundle": "^2.0.5",
-    "@git.zone/tsrun": "^1.2.46",
-    "@git.zone/tstest": "^1.0.44",
-    "@push.rocks/tapbundle": "^5.0.15",
-    "@types/node": "^20.8.7"
+    "@git.zone/tsbuild": "^4.1.2",
+    "@git.zone/tsbundle": "^2.8.3",
+    "@git.zone/tsrun": "^2.0.1",
+    "@git.zone/tsrust": "^1.3.0",
+    "@git.zone/tstest": "^3.1.8",
+    "@push.rocks/tapbundle": "^6.0.3",
+    "@types/node": "^25.3.0"
   },
   "dependencies": {
-    "@push.rocks/qenv": "^6.0.5"
+    "@push.rocks/qenv": "^6.1.3",
+    "@push.rocks/smartrust": "^1.2.1"
   },
   "repository": {
     "type": "git",
@@ -42,6 +44,7 @@
     "dist_*/**/*",
     "dist_ts/**/*",
     "dist_ts_web/**/*",
+    "dist_rust/**/*",
     "assets/**/*",
     "cli.js",
     "npmextra.json",
@@ -49,14 +52,15 @@
   ],
   "keywords": [
     "remote access",
-    "private tunnels",
-    "network security",
-    "TLS",
-    "connector",
-    "serve.zone",
-    "private clusters",
-    "public access",
+    "ingress tunnel",
+    "network edge",
+    "PROXY protocol",
+    "multiplexed tunnel",
+    "TCP proxy",
+    "TLS tunnel",
+    "serve.zone stack",
     "TypeScript",
-    "node.js"
+    "Rust",
+    "SmartProxy"
   ]
 }

readme.hints.md

@@ -1,3 +1,12 @@
-* this module is part of the @serve.zone stack
-* it is used to reach private clusters from outside
-* it can be used to create private tunnels to private networks
+* This module is part of the @serve.zone stack
+* v3.0.0+ uses a Hub/Edge architecture with a Rust core binary (`remoteingress-bin`)
+* TypeScript classes `RemoteIngressHub` and `RemoteIngressEdge` bridge to Rust via `@push.rocks/smartrust` RustBridge IPC
+* Custom multiplexed binary frame protocol over TLS for tunneling TCP connections
+* PROXY protocol v1 preserves client IP when forwarding to SmartProxy/DcRouter
+* Edge authenticates to Hub via shared secret over TLS
+* STUN-based public IP discovery at the edge (Cloudflare STUN server)
+* Cross-compiled Rust binary for linux/amd64 and linux/arm64
+* Old `ConnectorPublic`/`ConnectorPrivate` classes no longer exist (removed in v2.0.0/v3.0.0)
+* `localPaths` in RustBridge config must be full file paths (not directories) — smartrust's `RustBinaryLocator` checks `isExecutable()` on each entry directly
+* Production binaries are named with platform suffixes: `remoteingress-bin_linux_amd64`, `remoteingress-bin_linux_arm64`
+* Rust core uses `ring` as the rustls CryptoProvider (explicitly installed in main.rs, aws-lc-rs disabled via default-features=false)

readme.md

@@ -1,88 +1,363 @@
 # @serve.zone/remoteingress
-a remoteingress service for serve.zone
+
+Edge ingress tunnel for DcRouter — accepts incoming TCP connections at the network edge and tunnels them over a single encrypted TLS connection to a DcRouter SmartProxy instance, preserving the original client IP via PROXY protocol v1.
+
+## Issue Reporting and Security
+
+For reporting bugs, issues, or security vulnerabilities, please visit [community.foss.global/](https://community.foss.global/). This is the central community hub for all issue reporting. Developers who sign and comply with our contribution agreement and go through identification can also get a [code.foss.global/](https://code.foss.global/) account to submit Pull Requests directly.
 
 ## Install
-To install `@serve.zone/remoteingress`, use the following command in your terminal:
 
 ```sh
-npm install @serve.zone/remoteingress
+pnpm install @serve.zone/remoteingress
 ```
 
-This will download and install the remote ingress service and its dependencies in your project.
+## 🏗️ Architecture
 
-## Usage
-The `@serve.zone/remoteingress` package is designed to aid in creating secure and private tunnels to private networks, allowing external access to services within a private cluster as part of the @serve.zone stack. To utilize this package, you should have a basic understanding of network protocols and Node.js.
+`@serve.zone/remoteingress` uses a **Hub/Edge** topology with a high-performance Rust core and a TypeScript API surface:
 
-### Getting Started
-First, ensure you have [Node.js](https://nodejs.org/) installed on your system and that your project is set up to support TypeScript.
+```
+┌─────────────────────┐          TLS Tunnel           ┌─────────────────────┐
+│   Network Edge      │  ◄══════════════════════════►  │   Private Cluster   │
+│                     │   (multiplexed frames +        │                     │
+│  RemoteIngressEdge  │    shared-secret auth)         │  RemoteIngressHub   │
+│  Accepts client TCP │                                │  Forwards to        │
+│  connections on     │                                │  SmartProxy on      │
+│  hub-assigned ports │                                │  local ports        │
+└─────────────────────┘                                └─────────────────────┘
+        ▲                                                       │
+        │  TCP from end users                                   ▼
+   Internet                                             DcRouter / SmartProxy
+```
 
-You will need to import the main components of the package, which are `ConnectorPublic` and `ConnectorPrivate`, depending on the role your application is playing. Typically, `ConnectorPublic` would run on a public server accessible from the internet, while `ConnectorPrivate` runs inside a private network, creating a secure tunnel to the `ConnectorPublic` instance.
+| Component | Role |
+|-----------|------|
+| **RemoteIngressEdge** | Deployed at the network edge (e.g. a VPS or cloud instance). Listens on ports assigned by the hub, accepts raw TCP connections, and multiplexes them over a single TLS tunnel to the hub. Ports are hot-reloadable — the hub can change them at runtime. |
+| **RemoteIngressHub** | Deployed alongside DcRouter/SmartProxy in a private cluster. Accepts edge connections, demuxes streams, and forwards each to SmartProxy with a PROXY protocol v1 header so the real client IP is preserved. Controls which ports each edge listens on. |
+| **Rust Binary** (`remoteingress-bin`) | The performance-critical networking core. Managed via `@push.rocks/smartrust` RustBridge IPC — you never interact with it directly. Cross-compiled for `linux/amd64` and `linux/arm64`. |
 
-### Example Setup
+### ✨ Key Features
 
-#### Using `ConnectorPublic`
-The `ConnectorPublic` part of the module is responsible for listening for incoming tunnel connections and forwarding requests to and from the `ConnectorPrivate` instance.
+- 🔒 **TLS-encrypted tunnel** between edge and hub (auto-generated self-signed cert or bring your own)
+- 🔀 **Multiplexed streams** — thousands of client connections flow over a single tunnel
+- 🌐 **PROXY protocol v1** — SmartProxy sees the real client IP, not the tunnel IP
+- 🔑 **Shared-secret authentication** — edges must present valid credentials to connect
+- 🎫 **Connection tokens** — encode all connection details into a single opaque string
+- 📡 **STUN-based public IP discovery** — the edge automatically discovers its public IP via Cloudflare STUN
+- 🔄 **Auto-reconnect** with exponential backoff if the tunnel drops
+- 🎛️ **Dynamic port configuration** — the hub assigns listen ports per edge and can hot-reload them at runtime via `FRAME_CONFIG` frames
+- 📣 **Event-driven** — both Hub and Edge extend `EventEmitter` for real-time monitoring
+- ⚡ **Rust core** — all frame encoding, TLS, and TCP proxying happen in native code for maximum throughput
 
-**Example `ConnectorPublic` Usage:**
+## 🚀 Usage
+
+Both classes are imported from the package and communicate with the Rust binary under the hood. All you need to do is configure and start them.
+
+### Setting Up the Hub (Private Cluster Side)
 
 ```typescript
-import { ConnectorPublic } from '@serve.zone/remoteingress';
+import { RemoteIngressHub } from '@serve.zone/remoteingress';
 
-// Initialize ConnectorPublic
-const publicConnector = new ConnectorPublic();
+const hub = new RemoteIngressHub();
+
+// Listen for events
+hub.on('edgeConnected', ({ edgeId }) => {
+  console.log(`Edge ${edgeId} connected`);
+});
+hub.on('edgeDisconnected', ({ edgeId }) => {
+  console.log(`Edge ${edgeId} disconnected`);
+});
+hub.on('streamOpened', ({ edgeId, streamId }) => {
+  console.log(`Stream ${streamId} opened from edge ${edgeId}`);
+});
+hub.on('streamClosed', ({ edgeId, streamId }) => {
+  console.log(`Stream ${streamId} closed from edge ${edgeId}`);
+});
+
+// Start the hub — it will listen for incoming edge TLS connections
+await hub.start({
+  tunnelPort: 8443,        // port edges connect to (default: 8443)
+  targetHost: '127.0.0.1', // SmartProxy host to forward streams to (default: 127.0.0.1)
+});
+
+// Register which edges are allowed to connect, including their listen ports
+await hub.updateAllowedEdges([
+  {
+    id: 'edge-nyc-01',
+    secret: 'supersecrettoken1',
+    listenPorts: [80, 443],        // ports the edge should listen on
+    stunIntervalSecs: 300,         // STUN discovery interval (default: 300)
+  },
+  {
+    id: 'edge-fra-02',
+    secret: 'supersecrettoken2',
+    listenPorts: [443, 8080],
+  },
+]);
+
+// Dynamically update ports for a connected edge — changes are pushed instantly
+await hub.updateAllowedEdges([
+  {
+    id: 'edge-nyc-01',
+    secret: 'supersecrettoken1',
+    listenPorts: [80, 443, 8443],  // added port 8443 — edge picks it up in real time
+  },
+]);
+
+// Check status at any time
+const status = await hub.getStatus();
+console.log(status);
+// {
+//   running: true,
+//   tunnelPort: 8443,
+//   connectedEdges: [
+//     { edgeId: 'edge-nyc-01', connectedAt: 1700000000, activeStreams: 12 }
+//   ]
+// }
+
+// Graceful shutdown
+await hub.stop();
 ```
 
-The above code initializes the `ConnectorPublic`, making it listen for incoming tunnel connections. In practical use, you would need to provide configurations, such as SSL certificates, to secure the tunnel communication.
+### Setting Up the Edge (Network Edge Side)
 
-#### Using `ConnectorPrivate`
-The `ConnectorPrivate` component establishes a connection to the `ConnectorPublic` and routes traffic between the public interface and the private network.
+The edge can be configured in two ways: with an **opaque connection token** (recommended) or with explicit config fields.
 
-**Example `ConnectorPrivate` Usage:**
+#### Option A: Connection Token (Recommended)
+
+A single token encodes all connection details — ideal for provisioning edges at scale:
 
 ```typescript
-import { ConnectorPrivate } from '@serve.zone/remoteingress';
+import { RemoteIngressEdge } from '@serve.zone/remoteingress';
 
-// Initialize ConnectorPrivate with the host and port of the ConnectorPublic
-const privateConnector = new ConnectorPrivate('public.example.com', 4000);
+const edge = new RemoteIngressEdge();
+
+edge.on('tunnelConnected', () => console.log('Tunnel established'));
+edge.on('tunnelDisconnected', () => console.log('Tunnel lost — will auto-reconnect'));
+edge.on('publicIpDiscovered', ({ ip }) => console.log(`Public IP: ${ip}`));
+edge.on('portsAssigned', ({ listenPorts }) => console.log(`Listening on ports: ${listenPorts}`));
+edge.on('portsUpdated', ({ listenPorts }) => console.log(`Ports updated: ${listenPorts}`));
+
+// Single token contains hubHost, hubPort, edgeId, and secret
+await edge.start({
+  token: 'eyJoIjoiaHViLmV4YW1wbGUuY29tIiwicCI6ODQ0MywiZSI6ImVkZ2UtbnljLTAxIiwicyI6InN1cGVyc2VjcmV0dG9rZW4xIn0',
+});
 ```
 
-This example assumes your `ConnectorPublic` is accessible at `public.example.com` on port `4000`. The `ConnectorPrivate` will establish a secure tunnel to this public endpoint and begin routing traffic.
+#### Option B: Explicit Config
 
-### Securely Setting Up The Tunnel
-Security is paramount when creating tunnels that expose private networks. Ensure you use TLS encryption for your tunnels and validate certificates properly. 
+```typescript
+import { RemoteIngressEdge } from '@serve.zone/remoteingress';
 
-For both `ConnectorPublic` and `ConnectorPrivate`, you'll need to provide paths to your SSL certificate files or use a secure context set up with a recognized Certificate Authority (CA).
+const edge = new RemoteIngressEdge();
 
-**Security best practices:**
+edge.on('tunnelConnected', () => console.log('Tunnel established'));
+edge.on('tunnelDisconnected', () => console.log('Tunnel lost — will auto-reconnect'));
+edge.on('publicIpDiscovered', ({ ip }) => console.log(`Public IP: ${ip}`));
+edge.on('portsAssigned', ({ listenPorts }) => console.log(`Listening on ports: ${listenPorts}`));
+edge.on('portsUpdated', ({ listenPorts }) => console.log(`Ports updated: ${listenPorts}`));
 
-- Always use TLS to encrypt tunnel traffic.
-- Ensure your certificates are valid and up-to-date.
-- Consider using client certificates for `ConnectorPrivate` to authenticate to `ConnectorPublic`.
-- Monitor and possibly rate-limit connections to avoid abuse.
+await edge.start({
+  hubHost: 'hub.example.com',  // hostname or IP of the hub
+  hubPort: 8443,               // must match hub's tunnelPort (default: 8443)
+  edgeId: 'edge-nyc-01',       // unique edge identifier
+  secret: 'supersecrettoken1', // must match the hub's allowed edge secret
+});
 
-### Advanced Configuration
-Both `ConnectorPublic` and `ConnectorPrivate` allow for advanced configurations and handling to adjust to specific requirements, such as custom routing, handling different types of traffic (e.g., HTTP, HTTPS), and integrating with existing systems.
+// Check status at any time
+const edgeStatus = await edge.getStatus();
+console.log(edgeStatus);
+// {
+//   running: true,
+//   connected: true,
+//   publicIp: '203.0.113.42',
+//   activeStreams: 5,
+//   listenPorts: [80, 443]
+// }
 
-### Conclusion
-This module simplifies the process of setting up secure, remote ingress into private networks. By leveraging TLS and careful configuration, you can safely expose services within a private cluster to the outside world. Always prioritize security in your setup to protect your infrastructure and data.
+// Graceful shutdown
+await edge.stop();
+```
 
-For more detailed configuration options and advanced use cases, refer to the source code and additional documentation provided in the package.
+### 🎫 Connection Tokens
+
+Connection tokens let you distribute a single opaque string instead of four separate config values. The hub operator generates the token; the edge operator just pastes it in.
+
+```typescript
+import { encodeConnectionToken, decodeConnectionToken } from '@serve.zone/remoteingress';
+
+// Hub side: generate a token for a new edge
+const token = encodeConnectionToken({
+  hubHost: 'hub.example.com',
+  hubPort: 8443,
+  edgeId: 'edge-nyc-01',
+  secret: 'supersecrettoken1',
+});
+console.log(token);
+// => 'eyJoIjoiaHViLmV4YW1wbGUuY29tIiwi...'
+
+// Edge side: inspect a token (optional — start() does this automatically)
+const data = decodeConnectionToken(token);
+console.log(data);
+// {
+//   hubHost: 'hub.example.com',
+//   hubPort: 8443,
+//   edgeId: 'edge-nyc-01',
+//   secret: 'supersecrettoken1'
+// }
+```
+
+Tokens are base64url-encoded (URL-safe, no padding) — safe to pass as environment variables, CLI arguments, or store in config files.
+
+## 📖 API Reference
+
+### `RemoteIngressHub`
+
+| Method / Property | Description |
+|-------------------|-------------|
+| `start(config?)` | Spawns the Rust binary and starts the tunnel listener. Config: `{ tunnelPort?: number, targetHost?: string }` |
+| `stop()` | Gracefully shuts down the hub and kills the Rust process. |
+| `updateAllowedEdges(edges)` | Dynamically update which edges are authorized and what ports they listen on. Each edge: `{ id: string, secret: string, listenPorts?: number[], stunIntervalSecs?: number }`. If ports change for a connected edge, the update is pushed immediately via a `FRAME_CONFIG` frame. |
+| `getStatus()` | Returns current hub status including connected edges and active stream counts. |
+| `running` | `boolean` — whether the Rust binary is alive. |
+
+**Events:** `edgeConnected`, `edgeDisconnected`, `streamOpened`, `streamClosed`
+
+### `RemoteIngressEdge`
+
+| Method / Property | Description |
+|-------------------|-------------|
+| `start(config)` | Spawns the Rust binary and connects to the hub. Accepts `{ token: string }` or `IEdgeConfig`. Listen ports are received from the hub during handshake. |
+| `stop()` | Gracefully shuts down the edge and kills the Rust process. |
+| `getStatus()` | Returns current edge status including connection state, public IP, listen ports, and active streams. |
+| `running` | `boolean` — whether the Rust binary is alive. |
+
+**Events:** `tunnelConnected`, `tunnelDisconnected`, `publicIpDiscovered`, `portsAssigned`, `portsUpdated`
+
+### Token Utilities
+
+| Function | Description |
+|----------|-------------|
+| `encodeConnectionToken(data)` | Encodes `IConnectionTokenData` into a base64url token string. |
+| `decodeConnectionToken(token)` | Decodes a token back into `IConnectionTokenData`. Throws on malformed or incomplete tokens. |
+
+### Interfaces
+
+```typescript
+interface IHubConfig {
+  tunnelPort?: number;   // default: 8443
+  targetHost?: string;   // default: '127.0.0.1'
+}
+
+interface IEdgeConfig {
+  hubHost: string;
+  hubPort?: number;      // default: 8443
+  edgeId: string;
+  secret: string;
+}
+
+interface IConnectionTokenData {
+  hubHost: string;
+  hubPort: number;
+  edgeId: string;
+  secret: string;
+}
+```
+
+## 🔌 Wire Protocol
+
+The tunnel uses a custom binary frame protocol over TLS:
+
+```
+[stream_id: 4 bytes BE][type: 1 byte][length: 4 bytes BE][payload: N bytes]
+```
+
+| Frame Type | Value | Direction | Purpose |
+|------------|-------|-----------|---------|
+| `OPEN` | `0x01` | Edge → Hub | Open a new stream; payload is PROXY v1 header |
+| `DATA` | `0x02` | Edge → Hub | Client data flowing upstream |
+| `CLOSE` | `0x03` | Edge → Hub | Client closed the connection |
+| `DATA_BACK` | `0x04` | Hub → Edge | Response data flowing downstream |
+| `CLOSE_BACK` | `0x05` | Hub → Edge | Upstream (SmartProxy) closed the connection |
+| `CONFIG` | `0x06` | Hub → Edge | Runtime configuration update (e.g. port changes); payload is JSON |
+
+Max payload size per frame: **16 MB**. Stream IDs are 32-bit unsigned integers.
+
+### Handshake Sequence
+
+1. Edge opens a TLS connection to the hub
+2. Edge sends: `EDGE <edgeId> <secret>\n`
+3. Hub verifies credentials (constant-time comparison) and responds with JSON: `{"listenPorts":[...],"stunIntervalSecs":300}\n`
+4. Edge starts TCP listeners on the assigned ports
+5. Frame protocol begins — `OPEN`/`DATA`/`CLOSE` frames flow in both directions
+6. Hub can push `CONFIG` frames at any time to update the edge's listen ports
+
+## 💡 Example Scenarios
+
+### 1. Expose a Private Kubernetes Cluster to the Internet
+
+Deploy an Edge on a public VPS, point your DNS to the VPS IP. The Edge tunnels all traffic to the Hub running inside the cluster, which hands it off to SmartProxy/DcRouter. Your cluster stays fully private — no public-facing ports needed.
+
+### 2. Multi-Region Edge Ingress
+
+Run multiple Edges in different geographic regions (NYC, Frankfurt, Tokyo) all connecting to a single Hub. Use GeoDNS to route users to their nearest Edge. The Hub sees the real client IPs via PROXY protocol regardless of which edge they connected through.
+
+### 3. Secure API Exposure
+
+Your backend runs on a private network with no direct internet access. An Edge on a minimal cloud instance acts as the only public entry point. TLS tunnel + shared-secret auth ensure only your authorized Edge can forward traffic.
+
+### 4. Token-Based Edge Provisioning
+
+Generate connection tokens on the hub side and distribute them to edge operators. Each edge only needs a single token string to connect — no manual configuration of host, port, ID, and secret.
+
+```typescript
+// Hub operator generates token
+const token = encodeConnectionToken({
+  hubHost: 'hub.prod.example.com',
+  hubPort: 8443,
+  edgeId: 'edge-tokyo-01',
+  secret: 'generated-secret-abc123',
+});
+// Send `token` to the edge operator via secure channel
+
+// Edge operator starts with just the token
+const edge = new RemoteIngressEdge();
+await edge.start({ token });
+```
+
+### 5. Dynamic Port Management
+
+The hub controls which ports each edge listens on. Ports can be changed at runtime without restarting the edge — the hub pushes a `CONFIG` frame and the edge hot-reloads its TCP listeners.
+
+```typescript
+// Initially assign ports 80 and 443
+await hub.updateAllowedEdges([
+  { id: 'edge-nyc-01', secret: 'secret', listenPorts: [80, 443] },
+]);
+
+// Later, add port 8080 — the connected edge picks it up instantly
+await hub.updateAllowedEdges([
+  { id: 'edge-nyc-01', secret: 'secret', listenPorts: [80, 443, 8080] },
+]);
+```
 
 ## License and Legal Information
 
-This repository contains open-source code that is licensed under the MIT License. A copy of the MIT License can be found in the [license](license) file within this repository. 
+This repository contains open-source code licensed under the MIT License. A copy of the license can be found in the [LICENSE](./LICENSE) file.
 
 **Please note:** The MIT License does not grant permission to use the trade names, trademarks, service marks, or product names of the project, except as required for reasonable and customary use in describing the origin of the work and reproducing the content of the NOTICE file.
 
 ### Trademarks
 
-This project is owned and maintained by Task Venture Capital GmbH. The names and logos associated with Task Venture Capital GmbH and any related products or services are trademarks of Task Venture Capital GmbH and are not included within the scope of the MIT license granted herein. Use of these trademarks must comply with Task Venture Capital GmbH's Trademark Guidelines, and any usage must be approved in writing by Task Venture Capital GmbH.
+This project is owned and maintained by Task Venture Capital GmbH. The names and logos associated with Task Venture Capital GmbH and any related products or services are trademarks of Task Venture Capital GmbH or third parties, and are not included within the scope of the MIT license granted herein.
+
+Use of these trademarks must comply with Task Venture Capital GmbH's Trademark Guidelines or the guidelines of the respective third-party owners, and any usage must be approved in writing. Third-party trademarks used herein are the property of their respective owners and used only in a descriptive manner, e.g. for an implementation of an API or similar.
 
 ### Company Information
 
-Task Venture Capital GmbH  
-Registered at District court Bremen HRB 35230 HB, Germany
+Task Venture Capital GmbH
+Registered at District Court Bremen HRB 35230 HB, Germany
 
-For any legal inquiries or if you require further information, please contact us via email at hello@task.vc.
+For any legal inquiries or further information, please contact us via email at hello@task.vc.
 
 By using this repository, you acknowledge that you have read this section, agree to comply with its terms, and understand that the licensing of the code does not imply endorsement by Task Venture Capital GmbH of any derivative works.

rust/.cargo/config.toml

@@ -0,0 +1,5 @@
+[target.x86_64-unknown-linux-gnu]
+linker = "x86_64-linux-gnu-gcc"
+
+[target.aarch64-unknown-linux-gnu]
+linker = "aarch64-linux-gnu-gcc"

rust/Cargo.toml

@@ -0,0 +1,7 @@
+[workspace]
+resolver = "2"
+members = [
+  "crates/remoteingress-protocol",
+  "crates/remoteingress-core",
+  "crates/remoteingress-bin",
+]

rust/crates/remoteingress-bin/Cargo.toml

@@ -0,0 +1,20 @@
+[package]
+name = "remoteingress-bin"
+version = "2.0.0"
+edition = "2021"
+
+[[bin]]
+name = "remoteingress-bin"
+path = "src/main.rs"
+
+[dependencies]
+remoteingress-core = { path = "../remoteingress-core" }
+remoteingress-protocol = { path = "../remoteingress-protocol" }
+tokio = { version = "1", features = ["full"] }
+clap = { version = "4", features = ["derive"] }
+serde = { version = "1", features = ["derive"] }
+serde_json = "1"
+log = "0.4"
+env_logger = "0.11"
+rustls = { version = "0.23", default-features = false, features = ["ring"] }
+mimalloc = "0.1"

rust/crates/remoteingress-bin/src/main.rs

@@ -0,0 +1,429 @@
+#[global_allocator]
+static GLOBAL: mimalloc::MiMalloc = mimalloc::MiMalloc;
+
+use clap::Parser;
+use serde::{Deserialize, Serialize};
+use std::sync::Arc;
+use tokio::io::{AsyncBufReadExt, BufReader};
+use tokio::sync::Mutex;
+
+use remoteingress_core::hub::{AllowedEdge, HubConfig, HubEvent, TunnelHub};
+use remoteingress_core::edge::{EdgeConfig, EdgeEvent, TunnelEdge};
+
+#[derive(Parser)]
+#[command(name = "remoteingress-bin", version = "2.0.0")]
+struct Cli {
+    /// Run in IPC management mode (JSON over stdin/stdout)
+    #[arg(long)]
+    management: bool,
+}
+
+// IPC message types
+#[derive(Deserialize)]
+struct IpcRequest {
+    id: String,
+    method: String,
+    params: serde_json::Value,
+}
+
+#[derive(Serialize)]
+struct IpcResponse {
+    id: String,
+    success: bool,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    result: Option<serde_json::Value>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    error: Option<String>,
+}
+
+#[derive(Serialize)]
+struct IpcEvent {
+    event: String,
+    data: serde_json::Value,
+}
+
+fn send_ipc_line(line: &str) {
+    // Write to stdout synchronously, since we're line-buffered
+    use std::io::Write;
+    let stdout = std::io::stdout();
+    let mut out = stdout.lock();
+    let _ = out.write_all(line.as_bytes());
+    let _ = out.write_all(b"\n");
+    let _ = out.flush();
+}
+
+fn send_event(event: &str, data: serde_json::Value) {
+    let evt = IpcEvent {
+        event: event.to_string(),
+        data,
+    };
+    if let Ok(json) = serde_json::to_string(&evt) {
+        send_ipc_line(&json);
+    }
+}
+
+fn send_response(id: &str, result: serde_json::Value) {
+    let resp = IpcResponse {
+        id: id.to_string(),
+        success: true,
+        result: Some(result),
+        error: None,
+    };
+    if let Ok(json) = serde_json::to_string(&resp) {
+        send_ipc_line(&json);
+    }
+}
+
+fn send_error(id: &str, error: &str) {
+    let resp = IpcResponse {
+        id: id.to_string(),
+        success: false,
+        result: None,
+        error: Some(error.to_string()),
+    };
+    if let Ok(json) = serde_json::to_string(&resp) {
+        send_ipc_line(&json);
+    }
+}
+
+#[tokio::main]
+async fn main() {
+    // Install the ring CryptoProvider before any TLS usage
+    rustls::crypto::ring::default_provider()
+        .install_default()
+        .expect("Failed to install rustls ring CryptoProvider");
+
+    let cli = Cli::parse();
+
+    if !cli.management {
+        eprintln!("remoteingress-bin: use --management for IPC mode");
+        std::process::exit(1);
+    }
+
+    // Initialize logging to stderr (stdout is for IPC)
+    env_logger::Builder::from_default_env()
+        .target(env_logger::Target::Stderr)
+        .filter_level(log::LevelFilter::Info)
+        .init();
+
+    // Send ready event
+    send_event("ready", serde_json::json!({ "version": "2.0.0" }));
+
+    // State
+    let hub: Arc<Mutex<Option<Arc<TunnelHub>>>> = Arc::new(Mutex::new(None));
+    let edge: Arc<Mutex<Option<Arc<TunnelEdge>>>> = Arc::new(Mutex::new(None));
+
+    // Read commands from stdin
+    let stdin = tokio::io::stdin();
+    let reader = BufReader::new(stdin);
+    let mut lines = reader.lines();
+
+    while let Ok(Some(line)) = lines.next_line().await {
+        let line = line.trim().to_string();
+        if line.is_empty() {
+            continue;
+        }
+
+        let request: IpcRequest = match serde_json::from_str(&line) {
+            Ok(r) => r,
+            Err(e) => {
+                log::error!("Invalid IPC request: {}", e);
+                continue;
+            }
+        };
+
+        let hub = hub.clone();
+        let edge = edge.clone();
+
+        tokio::spawn(async move {
+            handle_request(request, hub, edge).await;
+        });
+    }
+}
+
+async fn handle_request(
+    req: IpcRequest,
+    hub: Arc<Mutex<Option<Arc<TunnelHub>>>>,
+    edge: Arc<Mutex<Option<Arc<TunnelEdge>>>>,
+) {
+    match req.method.as_str() {
+        "ping" => {
+            send_response(&req.id, serde_json::json!({ "pong": true }));
+        }
+
+        "startHub" => {
+            let config: HubConfig = match serde_json::from_value(req.params.clone()) {
+                Ok(c) => c,
+                Err(e) => {
+                    send_error(&req.id, &format!("invalid hub config: {}", e));
+                    return;
+                }
+            };
+
+            let tunnel_hub = Arc::new(TunnelHub::new(config));
+
+            // Forward hub events to IPC
+            if let Some(mut event_rx) = tunnel_hub.take_event_rx().await {
+                tokio::spawn(async move {
+                    while let Some(event) = event_rx.recv().await {
+                        match &event {
+                            HubEvent::EdgeConnected { edge_id, peer_addr } => {
+                                send_event(
+                                    "edgeConnected",
+                                    serde_json::json!({ "edgeId": edge_id, "peerAddr": peer_addr }),
+                                );
+                            }
+                            HubEvent::EdgeDisconnected { edge_id, reason } => {
+                                send_event(
+                                    "edgeDisconnected",
+                                    serde_json::json!({ "edgeId": edge_id, "reason": reason }),
+                                );
+                            }
+                            HubEvent::StreamOpened {
+                                edge_id,
+                                stream_id,
+                            } => {
+                                send_event(
+                                    "streamOpened",
+                                    serde_json::json!({
+                                        "edgeId": edge_id,
+                                        "streamId": stream_id,
+                                    }),
+                                );
+                            }
+                            HubEvent::StreamClosed {
+                                edge_id,
+                                stream_id,
+                            } => {
+                                send_event(
+                                    "streamClosed",
+                                    serde_json::json!({
+                                        "edgeId": edge_id,
+                                        "streamId": stream_id,
+                                    }),
+                                );
+                            }
+                        }
+                    }
+                });
+            }
+
+            match tunnel_hub.start().await {
+                Ok(()) => {
+                    *hub.lock().await = Some(tunnel_hub);
+                    send_response(&req.id, serde_json::json!({ "started": true }));
+                }
+                Err(e) => {
+                    send_error(&req.id, &format!("failed to start hub: {}", e));
+                }
+            }
+        }
+
+        "stopHub" => {
+            let mut h = hub.lock().await;
+            if let Some(hub_instance) = h.take() {
+                hub_instance.stop().await;
+                send_response(&req.id, serde_json::json!({ "stopped": true }));
+            } else {
+                send_response(
+                    &req.id,
+                    serde_json::json!({ "stopped": true, "wasRunning": false }),
+                );
+            }
+        }
+
+        "updateAllowedEdges" => {
+            #[derive(Deserialize)]
+            #[serde(rename_all = "camelCase")]
+            struct UpdateEdgesParams {
+                edges: Vec<AllowedEdge>,
+            }
+
+            let params: UpdateEdgesParams = match serde_json::from_value(req.params.clone()) {
+                Ok(p) => p,
+                Err(e) => {
+                    send_error(&req.id, &format!("invalid params: {}", e));
+                    return;
+                }
+            };
+
+            let h = hub.lock().await;
+            if let Some(hub_instance) = h.as_ref() {
+                hub_instance.update_allowed_edges(params.edges).await;
+                send_response(&req.id, serde_json::json!({ "updated": true }));
+            } else {
+                send_error(&req.id, "hub not running");
+            }
+        }
+
+        "getHubStatus" => {
+            let h = hub.lock().await;
+            if let Some(hub_instance) = h.as_ref() {
+                let status = hub_instance.get_status().await;
+                send_response(
+                    &req.id,
+                    serde_json::to_value(&status).unwrap_or_default(),
+                );
+            } else {
+                send_response(
+                    &req.id,
+                    serde_json::json!({
+                        "running": false,
+                        "tunnelPort": 0,
+                        "connectedEdges": []
+                    }),
+                );
+            }
+        }
+
+        "startEdge" => {
+            let config: EdgeConfig = match serde_json::from_value(req.params.clone()) {
+                Ok(c) => c,
+                Err(e) => {
+                    send_error(&req.id, &format!("invalid edge config: {}", e));
+                    return;
+                }
+            };
+
+            let tunnel_edge = Arc::new(TunnelEdge::new(config));
+
+            // Forward edge events to IPC
+            if let Some(mut event_rx) = tunnel_edge.take_event_rx().await {
+                tokio::spawn(async move {
+                    while let Some(event) = event_rx.recv().await {
+                        match &event {
+                            EdgeEvent::TunnelConnected => {
+                                send_event("tunnelConnected", serde_json::json!({}));
+                            }
+                            EdgeEvent::TunnelDisconnected { reason } => {
+                                send_event("tunnelDisconnected", serde_json::json!({ "reason": reason }));
+                            }
+                            EdgeEvent::PublicIpDiscovered { ip } => {
+                                send_event(
+                                    "publicIpDiscovered",
+                                    serde_json::json!({ "ip": ip }),
+                                );
+                            }
+                            EdgeEvent::PortsAssigned { listen_ports } => {
+                                send_event(
+                                    "portsAssigned",
+                                    serde_json::json!({ "listenPorts": listen_ports }),
+                                );
+                            }
+                            EdgeEvent::PortsUpdated { listen_ports } => {
+                                send_event(
+                                    "portsUpdated",
+                                    serde_json::json!({ "listenPorts": listen_ports }),
+                                );
+                            }
+                        }
+                    }
+                });
+            }
+
+            match tunnel_edge.start().await {
+                Ok(()) => {
+                    *edge.lock().await = Some(tunnel_edge);
+                    send_response(&req.id, serde_json::json!({ "started": true }));
+                }
+                Err(e) => {
+                    send_error(&req.id, &format!("failed to start edge: {}", e));
+                }
+            }
+        }
+
+        "stopEdge" => {
+            let mut e = edge.lock().await;
+            if let Some(edge_instance) = e.take() {
+                edge_instance.stop().await;
+                send_response(&req.id, serde_json::json!({ "stopped": true }));
+            } else {
+                send_response(
+                    &req.id,
+                    serde_json::json!({ "stopped": true, "wasRunning": false }),
+                );
+            }
+        }
+
+        "getEdgeStatus" => {
+            let e = edge.lock().await;
+            if let Some(edge_instance) = e.as_ref() {
+                let status = edge_instance.get_status().await;
+                send_response(
+                    &req.id,
+                    serde_json::to_value(&status).unwrap_or_default(),
+                );
+            } else {
+                send_response(
+                    &req.id,
+                    serde_json::json!({
+                        "running": false,
+                        "connected": false,
+                        "publicIp": null,
+                        "activeStreams": 0,
+                        "listenPorts": []
+                    }),
+                );
+            }
+        }
+
+        _ => {
+            send_error(&req.id, &format!("unknown method: {}", req.method));
+        }
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_ipc_request_deserialize() {
+        let json = r#"{"id": "1", "method": "ping", "params": {}}"#;
+        let req: IpcRequest = serde_json::from_str(json).unwrap();
+        assert_eq!(req.id, "1");
+        assert_eq!(req.method, "ping");
+        assert!(req.params.is_object());
+    }
+
+    #[test]
+    fn test_ipc_response_skip_error_when_none() {
+        let resp = IpcResponse {
+            id: "1".to_string(),
+            success: true,
+            result: Some(serde_json::json!({"pong": true})),
+            error: None,
+        };
+        let json = serde_json::to_value(&resp).unwrap();
+        assert_eq!(json["id"], "1");
+        assert_eq!(json["success"], true);
+        assert_eq!(json["result"]["pong"], true);
+        assert!(json.get("error").is_none());
+    }
+
+    #[test]
+    fn test_ipc_response_skip_result_when_none() {
+        let resp = IpcResponse {
+            id: "2".to_string(),
+            success: false,
+            result: None,
+            error: Some("something failed".to_string()),
+        };
+        let json = serde_json::to_value(&resp).unwrap();
+        assert_eq!(json["id"], "2");
+        assert_eq!(json["success"], false);
+        assert_eq!(json["error"], "something failed");
+        assert!(json.get("result").is_none());
+    }
+
+    #[test]
+    fn test_ipc_event_serialize() {
+        let evt = IpcEvent {
+            event: "ready".to_string(),
+            data: serde_json::json!({"version": "2.0.0"}),
+        };
+        let json = serde_json::to_value(&evt).unwrap();
+        assert_eq!(json["event"], "ready");
+        assert_eq!(json["data"]["version"], "2.0.0");
+    }
+}

rust/crates/remoteingress-core/Cargo.toml

@@ -0,0 +1,17 @@
+[package]
+name = "remoteingress-core"
+version = "2.0.0"
+edition = "2021"
+
+[dependencies]
+remoteingress-protocol = { path = "../remoteingress-protocol" }
+tokio = { version = "1", features = ["full"] }
+tokio-rustls = "0.26"
+rustls = { version = "0.23", default-features = false, features = ["ring", "logging", "std", "tls12"] }
+rcgen = "0.13"
+serde = { version = "1", features = ["derive"] }
+serde_json = "1"
+log = "0.4"
+rustls-pemfile = "2"
+tokio-util = "0.7"
+socket2 = "0.5"

rust/crates/remoteingress-core/src/lib.rs

@@ -0,0 +1,5 @@
+pub mod hub;
+pub mod edge;
+pub mod stun;
+
+pub use remoteingress_protocol as protocol;

rust/crates/remoteingress-core/src/stun.rs

@@ -0,0 +1,264 @@
+use std::net::Ipv4Addr;
+use tokio::net::UdpSocket;
+use tokio::time::{timeout, Duration};
+
+const STUN_SERVER: &str = "stun.cloudflare.com:3478";
+const STUN_TIMEOUT: Duration = Duration::from_secs(3);
+
+// STUN constants
+const STUN_BINDING_REQUEST: u16 = 0x0001;
+const STUN_MAGIC_COOKIE: u32 = 0x2112A442;
+const ATTR_XOR_MAPPED_ADDRESS: u16 = 0x0020;
+const ATTR_MAPPED_ADDRESS: u16 = 0x0001;
+
+/// Discover our public IP via STUN Binding Request (RFC 5389).
+/// Returns `None` on timeout or parse failure.
+pub async fn discover_public_ip() -> Option<String> {
+    discover_public_ip_from(STUN_SERVER).await
+}
+
+pub async fn discover_public_ip_from(server: &str) -> Option<String> {
+    let result = timeout(STUN_TIMEOUT, async {
+        let socket = UdpSocket::bind("0.0.0.0:0").await.ok()?;
+        socket.connect(server).await.ok()?;
+
+        // Build STUN Binding Request (20 bytes)
+        let mut request = [0u8; 20];
+        // Message Type: Binding Request (0x0001)
+        request[0..2].copy_from_slice(&STUN_BINDING_REQUEST.to_be_bytes());
+        // Message Length: 0 (no attributes)
+        request[2..4].copy_from_slice(&0u16.to_be_bytes());
+        // Magic Cookie
+        request[4..8].copy_from_slice(&STUN_MAGIC_COOKIE.to_be_bytes());
+        // Transaction ID: 12 random bytes
+        let txn_id: [u8; 12] = rand_bytes();
+        request[8..20].copy_from_slice(&txn_id);
+
+        socket.send(&request).await.ok()?;
+
+        let mut buf = [0u8; 512];
+        let n = socket.recv(&mut buf).await.ok()?;
+        if n < 20 {
+            return None;
+        }
+
+        parse_stun_response(&buf[..n], &txn_id)
+    })
+    .await;
+
+    match result {
+        Ok(ip) => ip,
+        Err(_) => None, // timeout
+    }
+}
+
+fn parse_stun_response(data: &[u8], _txn_id: &[u8; 12]) -> Option<String> {
+    if data.len() < 20 {
+        return None;
+    }
+
+    // Verify it's a Binding Response (0x0101)
+    let msg_type = u16::from_be_bytes([data[0], data[1]]);
+    if msg_type != 0x0101 {
+        return None;
+    }
+
+    let msg_len = u16::from_be_bytes([data[2], data[3]]) as usize;
+    let magic = u32::from_be_bytes([data[4], data[5], data[6], data[7]]);
+
+    // Parse attributes
+    let attrs = &data[20..std::cmp::min(20 + msg_len, data.len())];
+    let mut offset = 0;
+
+    while offset + 4 <= attrs.len() {
+        let attr_type = u16::from_be_bytes([attrs[offset], attrs[offset + 1]]);
+        let attr_len = u16::from_be_bytes([attrs[offset + 2], attrs[offset + 3]]) as usize;
+        offset += 4;
+
+        if offset + attr_len > attrs.len() {
+            break;
+        }
+
+        let attr_data = &attrs[offset..offset + attr_len];
+
+        match attr_type {
+            ATTR_XOR_MAPPED_ADDRESS if attr_data.len() >= 8 => {
+                let family = attr_data[1];
+                if family == 0x01 {
+                    // IPv4
+                    let port_xored = u16::from_be_bytes([attr_data[2], attr_data[3]]);
+                    let _port = port_xored ^ (STUN_MAGIC_COOKIE >> 16) as u16;
+                    let ip_xored = u32::from_be_bytes([
+                        attr_data[4],
+                        attr_data[5],
+                        attr_data[6],
+                        attr_data[7],
+                    ]);
+                    let ip = ip_xored ^ magic;
+                    return Some(Ipv4Addr::from(ip).to_string());
+                }
+            }
+            ATTR_MAPPED_ADDRESS if attr_data.len() >= 8 => {
+                let family = attr_data[1];
+                if family == 0x01 {
+                    // IPv4 (non-XOR fallback)
+                    let ip = u32::from_be_bytes([
+                        attr_data[4],
+                        attr_data[5],
+                        attr_data[6],
+                        attr_data[7],
+                    ]);
+                    return Some(Ipv4Addr::from(ip).to_string());
+                }
+            }
+            _ => {}
+        }
+
+        // Pad to 4-byte boundary
+        offset += (attr_len + 3) & !3;
+    }
+
+    None
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    /// Build a synthetic STUN Binding Response with given attributes.
+    fn build_stun_response(attrs: &[(u16, &[u8])]) -> Vec<u8> {
+        let mut attrs_bytes = Vec::new();
+        for &(attr_type, attr_data) in attrs {
+            attrs_bytes.extend_from_slice(&attr_type.to_be_bytes());
+            attrs_bytes.extend_from_slice(&(attr_data.len() as u16).to_be_bytes());
+            attrs_bytes.extend_from_slice(attr_data);
+            // Pad to 4-byte boundary
+            let pad = (4 - (attr_data.len() % 4)) % 4;
+            attrs_bytes.extend(std::iter::repeat(0u8).take(pad));
+        }
+
+        let mut response = Vec::new();
+        // msg_type = 0x0101 (Binding Response)
+        response.extend_from_slice(&0x0101u16.to_be_bytes());
+        // message length
+        response.extend_from_slice(&(attrs_bytes.len() as u16).to_be_bytes());
+        // magic cookie
+        response.extend_from_slice(&STUN_MAGIC_COOKIE.to_be_bytes());
+        // transaction ID (12 bytes)
+        response.extend_from_slice(&[0u8; 12]);
+        // attributes
+        response.extend_from_slice(&attrs_bytes);
+        response
+    }
+
+    #[test]
+    fn test_xor_mapped_address_ipv4() {
+        // IP 203.0.113.1 = 0xCB007101, XOR'd with magic 0x2112A442 = 0xEA12D543
+        let attr_data: [u8; 8] = [
+            0x00, 0x01, // reserved + family (IPv4)
+            0x11, 0x2B, // port XOR'd with 0x2112 (port 0x3039 = 12345)
+            0xEA, 0x12, 0xD5, 0x43, // IP XOR'd
+        ];
+        let data = build_stun_response(&[(ATTR_XOR_MAPPED_ADDRESS, &attr_data)]);
+        let txn_id = [0u8; 12];
+        let result = parse_stun_response(&data, &txn_id);
+        assert_eq!(result, Some("203.0.113.1".to_string()));
+    }
+
+    #[test]
+    fn test_mapped_address_fallback_ipv4() {
+        // IP 192.168.1.1 = 0xC0A80101 (no XOR)
+        let attr_data: [u8; 8] = [
+            0x00, 0x01, // reserved + family (IPv4)
+            0x00, 0x50, // port 80
+            0xC0, 0xA8, 0x01, 0x01, // IP
+        ];
+        let data = build_stun_response(&[(ATTR_MAPPED_ADDRESS, &attr_data)]);
+        let txn_id = [0u8; 12];
+        let result = parse_stun_response(&data, &txn_id);
+        assert_eq!(result, Some("192.168.1.1".to_string()));
+    }
+
+    #[test]
+    fn test_response_too_short() {
+        let data = vec![0u8; 19]; // < 20 bytes
+        let txn_id = [0u8; 12];
+        assert_eq!(parse_stun_response(&data, &txn_id), None);
+    }
+
+    #[test]
+    fn test_wrong_msg_type() {
+        // Build with correct helper then overwrite msg_type to 0x0001 (Binding Request)
+        let mut data = build_stun_response(&[]);
+        data[0] = 0x00;
+        data[1] = 0x01;
+        let txn_id = [0u8; 12];
+        assert_eq!(parse_stun_response(&data, &txn_id), None);
+    }
+
+    #[test]
+    fn test_no_mapped_address_attributes() {
+        // Valid response with no attributes
+        let data = build_stun_response(&[]);
+        let txn_id = [0u8; 12];
+        assert_eq!(parse_stun_response(&data, &txn_id), None);
+    }
+
+    #[test]
+    fn test_xor_preferred_over_mapped() {
+        // XOR gives 203.0.113.1, MAPPED gives 192.168.1.1
+        let xor_data: [u8; 8] = [
+            0x00, 0x01,
+            0x11, 0x2B,
+            0xEA, 0x12, 0xD5, 0x43,
+        ];
+        let mapped_data: [u8; 8] = [
+            0x00, 0x01,
+            0x00, 0x50,
+            0xC0, 0xA8, 0x01, 0x01,
+        ];
+        // XOR listed first — should be preferred
+        let data = build_stun_response(&[
+            (ATTR_XOR_MAPPED_ADDRESS, &xor_data),
+            (ATTR_MAPPED_ADDRESS, &mapped_data),
+        ]);
+        let txn_id = [0u8; 12];
+        let result = parse_stun_response(&data, &txn_id);
+        assert_eq!(result, Some("203.0.113.1".to_string()));
+    }
+
+    #[test]
+    fn test_truncated_attribute_data() {
+        // Attribute claims 8 bytes but only 4 are present
+        let mut data = build_stun_response(&[]);
+        // Manually append a truncated XOR_MAPPED_ADDRESS attribute
+        let attr_type = ATTR_XOR_MAPPED_ADDRESS.to_be_bytes();
+        let attr_len = 8u16.to_be_bytes(); // claims 8 bytes
+        let truncated = [0x00, 0x01, 0x11, 0x2B]; // only 4 bytes
+        // Update message length
+        let new_msg_len = (attr_type.len() + attr_len.len() + truncated.len()) as u16;
+        data[2..4].copy_from_slice(&new_msg_len.to_be_bytes());
+        data.extend_from_slice(&attr_type);
+        data.extend_from_slice(&attr_len);
+        data.extend_from_slice(&truncated);
+
+        let txn_id = [0u8; 12];
+        // Should return None, not panic
+        assert_eq!(parse_stun_response(&data, &txn_id), None);
+    }
+}
+
+/// Generate 12 random bytes for transaction ID.
+fn rand_bytes() -> [u8; 12] {
+    let mut bytes = [0u8; 12];
+    // Use a simple approach: mix timestamp + counter
+    let now = std::time::SystemTime::now()
+        .duration_since(std::time::UNIX_EPOCH)
+        .unwrap_or_default();
+    let nanos = now.as_nanos();
+    bytes[0..8].copy_from_slice(&(nanos as u64).to_le_bytes());
+    // Fill remaining with process-id based data
+    let pid = std::process::id();
+    bytes[8..12].copy_from_slice(&pid.to_le_bytes());
+    bytes
+}

rust/crates/remoteingress-protocol/Cargo.toml

@@ -0,0 +1,12 @@
+[package]
+name = "remoteingress-protocol"
+version = "2.0.0"
+edition = "2021"
+
+[dependencies]
+tokio = { version = "1", features = ["io-util", "sync", "time"] }
+tokio-util = "0.7"
+log = "0.4"
+
+[dev-dependencies]
+tokio = { version = "1", features = ["io-util", "macros", "rt"] }

rust/crates/remoteingress-protocol/src/lib.rs

@@ -0,0 +1,789 @@
+use std::collections::VecDeque;
+use std::future::Future;
+use std::pin::Pin;
+use std::task::{Context, Poll};
+use tokio::io::{AsyncRead, AsyncReadExt, AsyncWrite, ReadBuf};
+
+// Frame type constants
+pub const FRAME_OPEN: u8 = 0x01;
+pub const FRAME_DATA: u8 = 0x02;
+pub const FRAME_CLOSE: u8 = 0x03;
+pub const FRAME_DATA_BACK: u8 = 0x04;
+pub const FRAME_CLOSE_BACK: u8 = 0x05;
+pub const FRAME_CONFIG: u8 = 0x06;     // Hub -> Edge: configuration update
+pub const FRAME_PING: u8 = 0x07;       // Hub -> Edge: heartbeat probe
+pub const FRAME_PONG: u8 = 0x08;       // Edge -> Hub: heartbeat response
+pub const FRAME_WINDOW_UPDATE: u8 = 0x09;      // Edge -> Hub: per-stream flow control
+pub const FRAME_WINDOW_UPDATE_BACK: u8 = 0x0A;  // Hub -> Edge: per-stream flow control
+
+// Frame header size: 4 (stream_id) + 1 (type) + 4 (length) = 9 bytes
+pub const FRAME_HEADER_SIZE: usize = 9;
+
+// Maximum payload size (16 MB)
+pub const MAX_PAYLOAD_SIZE: u32 = 16 * 1024 * 1024;
+
+// Per-stream flow control constants
+/// Initial per-stream window size (4 MB). Sized for full throughput at high RTT:
+/// at 100ms RTT, this sustains ~40 MB/s per stream.
+pub const INITIAL_STREAM_WINDOW: u32 = 4 * 1024 * 1024;
+/// Send WINDOW_UPDATE after consuming this many bytes (half the initial window).
+pub const WINDOW_UPDATE_THRESHOLD: u32 = INITIAL_STREAM_WINDOW / 2;
+/// Maximum window size to prevent overflow.
+pub const MAX_WINDOW_SIZE: u32 = 16 * 1024 * 1024;
+
+/// Encode a WINDOW_UPDATE frame for a specific stream.
+pub fn encode_window_update(stream_id: u32, frame_type: u8, increment: u32) -> Vec<u8> {
+    encode_frame(stream_id, frame_type, &increment.to_be_bytes())
+}
+
+/// Compute the target per-stream window size based on the number of active streams.
+/// Total memory budget is ~32MB shared across all streams. As more streams are active,
+/// each gets a smaller window. This adapts to current demand — few streams get high
+/// throughput, many streams save memory and reduce control frame pressure.
+pub fn compute_window_for_stream_count(active: u32) -> u32 {
+    let per_stream = (32 * 1024 * 1024u64) / (active.max(1) as u64);
+    per_stream.clamp(64 * 1024, INITIAL_STREAM_WINDOW as u64) as u32
+}
+
+/// Decode a WINDOW_UPDATE payload into a byte increment. Returns None if payload is malformed.
+pub fn decode_window_update(payload: &[u8]) -> Option<u32> {
+    if payload.len() != 4 {
+        return None;
+    }
+    Some(u32::from_be_bytes([payload[0], payload[1], payload[2], payload[3]]))
+}
+
+/// A single multiplexed frame.
+#[derive(Debug, Clone)]
+pub struct Frame {
+    pub stream_id: u32,
+    pub frame_type: u8,
+    pub payload: Vec<u8>,
+}
+
+/// Encode a frame into bytes: [stream_id:4][type:1][length:4][payload]
+pub fn encode_frame(stream_id: u32, frame_type: u8, payload: &[u8]) -> Vec<u8> {
+    let len = payload.len() as u32;
+    let mut buf = Vec::with_capacity(FRAME_HEADER_SIZE + payload.len());
+    buf.extend_from_slice(&stream_id.to_be_bytes());
+    buf.push(frame_type);
+    buf.extend_from_slice(&len.to_be_bytes());
+    buf.extend_from_slice(payload);
+    buf
+}
+
+/// Write a frame header into `buf[0..FRAME_HEADER_SIZE]`.
+/// The caller must ensure payload is already at `buf[FRAME_HEADER_SIZE..FRAME_HEADER_SIZE + payload_len]`.
+/// This enables zero-copy encoding: read directly into `buf[FRAME_HEADER_SIZE..]`, then
+/// prepend the header without copying the payload.
+pub fn encode_frame_header(buf: &mut [u8], stream_id: u32, frame_type: u8, payload_len: usize) {
+    buf[0..4].copy_from_slice(&stream_id.to_be_bytes());
+    buf[4] = frame_type;
+    buf[5..9].copy_from_slice(&(payload_len as u32).to_be_bytes());
+}
+
+/// Build a PROXY protocol v1 header line.
+/// Format: `PROXY TCP4 <client_ip> <edge_ip> <client_port> <dest_port>\r\n`
+pub fn build_proxy_v1_header(
+    client_ip: &str,
+    edge_ip: &str,
+    client_port: u16,
+    dest_port: u16,
+) -> String {
+    format!(
+        "PROXY TCP4 {} {} {} {}\r\n",
+        client_ip, edge_ip, client_port, dest_port
+    )
+}
+
+/// Stateful async frame reader that yields `Frame` values from an `AsyncRead`.
+pub struct FrameReader<R> {
+    reader: R,
+    header_buf: [u8; FRAME_HEADER_SIZE],
+}
+
+impl<R: AsyncRead + Unpin> FrameReader<R> {
+    pub fn new(reader: R) -> Self {
+        Self {
+            reader,
+            header_buf: [0u8; FRAME_HEADER_SIZE],
+        }
+    }
+
+    /// Read the next frame. Returns `None` on EOF, `Err` on protocol violation.
+    pub async fn next_frame(&mut self) -> Result<Option<Frame>, std::io::Error> {
+        // Read header
+        match self.reader.read_exact(&mut self.header_buf).await {
+            Ok(_) => {}
+            Err(e) if e.kind() == std::io::ErrorKind::UnexpectedEof => return Ok(None),
+            Err(e) => return Err(e),
+        }
+
+        let stream_id = u32::from_be_bytes([
+            self.header_buf[0],
+            self.header_buf[1],
+            self.header_buf[2],
+            self.header_buf[3],
+        ]);
+        let frame_type = self.header_buf[4];
+        let length = u32::from_be_bytes([
+            self.header_buf[5],
+            self.header_buf[6],
+            self.header_buf[7],
+            self.header_buf[8],
+        ]);
+
+        if length > MAX_PAYLOAD_SIZE {
+            log::error!(
+                "CORRUPT FRAME HEADER: raw={:02x?} stream_id={} type=0x{:02x} length={}",
+                self.header_buf, stream_id, frame_type, length
+            );
+            return Err(std::io::Error::new(
+                std::io::ErrorKind::InvalidData,
+                format!("frame payload too large: {} bytes (header={:02x?})", length, self.header_buf),
+            ));
+        }
+
+        let mut payload = vec![0u8; length as usize];
+        if length > 0 {
+            self.reader.read_exact(&mut payload).await?;
+        }
+
+        Ok(Some(Frame {
+            stream_id,
+            frame_type,
+            payload,
+        }))
+    }
+
+    /// Consume the reader and return the inner stream.
+    pub fn into_inner(self) -> R {
+        self.reader
+    }
+}
+
+// ---------------------------------------------------------------------------
+// TunnelIo: single-owner I/O multiplexer for the TLS tunnel connection
+// ---------------------------------------------------------------------------
+
+/// Events produced by the TunnelIo event loop.
+#[derive(Debug)]
+pub enum TunnelEvent {
+    /// A complete frame was read from the remote side.
+    Frame(Frame),
+    /// The remote side closed the connection (EOF).
+    Eof,
+    /// A read error occurred.
+    ReadError(std::io::Error),
+    /// A write error occurred.
+    WriteError(std::io::Error),
+    /// No frames received for the liveness timeout duration.
+    LivenessTimeout,
+    /// The cancellation token was triggered.
+    Cancelled,
+}
+
+/// Write state extracted into a sub-struct so the borrow checker can see
+/// disjoint field access between `self.write` and `self.stream`.
+struct WriteState {
+    ctrl_queue: VecDeque<Vec<u8>>,   // PONG, WINDOW_UPDATE, CLOSE, OPEN — always first
+    data_queue: VecDeque<Vec<u8>>,   // DATA, DATA_BACK — only when ctrl is empty
+    offset: usize,                   // progress within current frame being written
+    flush_needed: bool,
+}
+
+impl WriteState {
+    fn has_work(&self) -> bool {
+        !self.ctrl_queue.is_empty() || !self.data_queue.is_empty()
+    }
+}
+
+/// Single-owner I/O engine for the tunnel TLS connection.
+///
+/// Owns the TLS stream directly — no `tokio::io::split()`, no mutex.
+/// Uses two priority write queues: ctrl frames (PONG, WINDOW_UPDATE, CLOSE, OPEN)
+/// are ALWAYS written before data frames (DATA, DATA_BACK). This prevents
+/// WINDOW_UPDATE starvation that causes flow control deadlocks.
+pub struct TunnelIo<S> {
+    stream: S,
+    // Read state: accumulate bytes, parse frames incrementally
+    read_buf: Vec<u8>,
+    read_pos: usize,
+    parse_pos: usize,
+    // Write state: extracted sub-struct for safe disjoint borrows
+    write: WriteState,
+}
+
+impl<S: AsyncRead + AsyncWrite + Unpin> TunnelIo<S> {
+    pub fn new(stream: S, initial_data: Vec<u8>) -> Self {
+        let read_pos = initial_data.len();
+        let mut read_buf = initial_data;
+        if read_buf.capacity() < 65536 {
+            read_buf.reserve(65536 - read_buf.len());
+        }
+        Self {
+            stream,
+            read_buf,
+            read_pos,
+            parse_pos: 0,
+            write: WriteState {
+                ctrl_queue: VecDeque::new(),
+                data_queue: VecDeque::new(),
+                offset: 0,
+                flush_needed: false,
+            },
+        }
+    }
+
+    /// Queue a high-priority control frame (PONG, WINDOW_UPDATE, CLOSE, OPEN).
+    pub fn queue_ctrl(&mut self, frame: Vec<u8>) {
+        self.write.ctrl_queue.push_back(frame);
+    }
+
+    /// Queue a lower-priority data frame (DATA, DATA_BACK).
+    pub fn queue_data(&mut self, frame: Vec<u8>) {
+        self.write.data_queue.push_back(frame);
+    }
+
+    /// Try to parse a complete frame from the read buffer.
+    /// Uses a parse_pos cursor to avoid drain() on every frame.
+    pub fn try_parse_frame(&mut self) -> Option<Result<Frame, std::io::Error>> {
+        let available = self.read_pos - self.parse_pos;
+        if available < FRAME_HEADER_SIZE {
+            return None;
+        }
+
+        let base = self.parse_pos;
+        let stream_id = u32::from_be_bytes([
+            self.read_buf[base], self.read_buf[base + 1],
+            self.read_buf[base + 2], self.read_buf[base + 3],
+        ]);
+        let frame_type = self.read_buf[base + 4];
+        let length = u32::from_be_bytes([
+            self.read_buf[base + 5], self.read_buf[base + 6],
+            self.read_buf[base + 7], self.read_buf[base + 8],
+        ]);
+
+        if length > MAX_PAYLOAD_SIZE {
+            let header = [
+                self.read_buf[base], self.read_buf[base + 1],
+                self.read_buf[base + 2], self.read_buf[base + 3],
+                self.read_buf[base + 4], self.read_buf[base + 5],
+                self.read_buf[base + 6], self.read_buf[base + 7],
+                self.read_buf[base + 8],
+            ];
+            log::error!(
+                "CORRUPT FRAME HEADER: raw={:02x?} stream_id={} type=0x{:02x} length={}",
+                header, stream_id, frame_type, length
+            );
+            return Some(Err(std::io::Error::new(
+                std::io::ErrorKind::InvalidData,
+                format!("frame payload too large: {} bytes (header={:02x?})", length, header),
+            )));
+        }
+
+        let total_frame_size = FRAME_HEADER_SIZE + length as usize;
+        if available < total_frame_size {
+            return None;
+        }
+
+        let payload = self.read_buf[base + FRAME_HEADER_SIZE..base + total_frame_size].to_vec();
+        self.parse_pos += total_frame_size;
+
+        // Compact when parse_pos > half the data to reclaim memory
+        if self.parse_pos > self.read_pos / 2 && self.parse_pos > 0 {
+            self.read_buf.drain(..self.parse_pos);
+            self.read_pos -= self.parse_pos;
+            self.parse_pos = 0;
+        }
+
+        Some(Ok(Frame { stream_id, frame_type, payload }))
+    }
+
+    /// Poll-based I/O step. Returns Ready on events, Pending when idle.
+    ///
+    /// Order: write(ctrl→data) → flush → read → channels → timers
+    pub fn poll_step(
+        &mut self,
+        cx: &mut Context<'_>,
+        ctrl_rx: &mut tokio::sync::mpsc::Receiver<Vec<u8>>,
+        data_rx: &mut tokio::sync::mpsc::Receiver<Vec<u8>>,
+        liveness_deadline: &mut Pin<Box<tokio::time::Sleep>>,
+        cancel_token: &tokio_util::sync::CancellationToken,
+    ) -> Poll<TunnelEvent> {
+        // 1. WRITE: drain ctrl queue first, then data queue.
+        //    TLS poll_write writes plaintext to session buffer (always Ready).
+        //    Batch up to 16 frames per poll cycle.
+        //    Safe: `self.write` and `self.stream` are disjoint fields.
+        let mut writes = 0;
+        while self.write.has_work() && writes < 16 {
+            let from_ctrl = !self.write.ctrl_queue.is_empty();
+            let frame = if from_ctrl {
+                self.write.ctrl_queue.front().unwrap()
+            } else {
+                self.write.data_queue.front().unwrap()
+            };
+            let remaining = &frame[self.write.offset..];
+
+            match Pin::new(&mut self.stream).poll_write(cx, remaining) {
+                Poll::Ready(Ok(0)) => {
+                    return Poll::Ready(TunnelEvent::WriteError(
+                        std::io::Error::new(std::io::ErrorKind::WriteZero, "write zero"),
+                    ));
+                }
+                Poll::Ready(Ok(n)) => {
+                    self.write.offset += n;
+                    self.write.flush_needed = true;
+                    if self.write.offset >= frame.len() {
+                        if from_ctrl { self.write.ctrl_queue.pop_front(); }
+                        else { self.write.data_queue.pop_front(); }
+                        self.write.offset = 0;
+                        writes += 1;
+                    }
+                }
+                Poll::Ready(Err(e)) => return Poll::Ready(TunnelEvent::WriteError(e)),
+                Poll::Pending => break,
+            }
+        }
+
+        // 2. FLUSH: push encrypted data from TLS session to TCP.
+        if self.write.flush_needed {
+            match Pin::new(&mut self.stream).poll_flush(cx) {
+                Poll::Ready(Ok(())) => self.write.flush_needed = false,
+                Poll::Ready(Err(e)) => return Poll::Ready(TunnelEvent::WriteError(e)),
+                Poll::Pending => {} // TCP waker will notify us
+            }
+        }
+
+        // 3. READ: drain stream until Pending to ensure the TCP waker is always registered.
+        //    Without this loop, a Ready return with partial frame data would consume
+        //    the waker without re-registering it, causing the task to sleep until a
+        //    timer or channel wakes it (potentially 15+ seconds of lost reads).
+        loop {
+            // Compact if needed to make room for reads
+            if self.parse_pos > 0 && self.read_buf.len() - self.read_pos < 32768 {
+                self.read_buf.drain(..self.parse_pos);
+                self.read_pos -= self.parse_pos;
+                self.parse_pos = 0;
+            }
+            if self.read_buf.len() < self.read_pos + 32768 {
+                self.read_buf.resize(self.read_pos + 32768, 0);
+            }
+            let mut rbuf = ReadBuf::new(&mut self.read_buf[self.read_pos..]);
+            match Pin::new(&mut self.stream).poll_read(cx, &mut rbuf) {
+                Poll::Ready(Ok(())) => {
+                    let n = rbuf.filled().len();
+                    if n == 0 {
+                        return Poll::Ready(TunnelEvent::Eof);
+                    }
+                    self.read_pos += n;
+                    if let Some(result) = self.try_parse_frame() {
+                        return match result {
+                            Ok(frame) => Poll::Ready(TunnelEvent::Frame(frame)),
+                            Err(e) => Poll::Ready(TunnelEvent::ReadError(e)),
+                        };
+                    }
+                    // Partial data — loop to call poll_read again so the TCP
+                    // waker is re-registered when it finally returns Pending.
+                }
+                Poll::Ready(Err(e)) => return Poll::Ready(TunnelEvent::ReadError(e)),
+                Poll::Pending => break,
+            }
+        }
+
+        // 4. CHANNELS: drain ctrl into ctrl_queue, data into data_queue.
+        let mut got_new = false;
+        loop {
+            match ctrl_rx.poll_recv(cx) {
+                Poll::Ready(Some(frame)) => { self.write.ctrl_queue.push_back(frame); got_new = true; }
+                Poll::Ready(None) => {
+                    return Poll::Ready(TunnelEvent::WriteError(
+                        std::io::Error::new(std::io::ErrorKind::BrokenPipe, "ctrl channel closed"),
+                    ));
+                }
+                Poll::Pending => break,
+            }
+        }
+        loop {
+            match data_rx.poll_recv(cx) {
+                Poll::Ready(Some(frame)) => { self.write.data_queue.push_back(frame); got_new = true; }
+                Poll::Ready(None) => {
+                    return Poll::Ready(TunnelEvent::WriteError(
+                        std::io::Error::new(std::io::ErrorKind::BrokenPipe, "data channel closed"),
+                    ));
+                }
+                Poll::Pending => break,
+            }
+        }
+
+        // 5. TIMERS
+        if liveness_deadline.as_mut().poll(cx).is_ready() {
+            return Poll::Ready(TunnelEvent::LivenessTimeout);
+        }
+        if cancel_token.is_cancelled() {
+            return Poll::Ready(TunnelEvent::Cancelled);
+        }
+
+        // 6. SELF-WAKE: only when we have frames AND flush is done.
+        //    If flush is pending, the TCP write-readiness waker will notify us.
+        //    If we got new channel frames, wake to write them.
+        if got_new || (!self.write.flush_needed && self.write.has_work()) {
+            cx.waker().wake_by_ref();
+        }
+
+        Poll::Pending
+    }
+
+    pub fn into_inner(self) -> S {
+        self.stream
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_encode_frame_header() {
+        let payload = b"hello";
+        let mut buf = vec![0u8; FRAME_HEADER_SIZE + payload.len()];
+        buf[FRAME_HEADER_SIZE..].copy_from_slice(payload);
+        encode_frame_header(&mut buf, 42, FRAME_DATA, payload.len());
+        assert_eq!(buf, encode_frame(42, FRAME_DATA, payload));
+    }
+
+    #[test]
+    fn test_encode_frame_header_empty_payload() {
+        let mut buf = vec![0u8; FRAME_HEADER_SIZE];
+        encode_frame_header(&mut buf, 99, FRAME_CLOSE, 0);
+        assert_eq!(buf, encode_frame(99, FRAME_CLOSE, &[]));
+    }
+
+    #[test]
+    fn test_encode_frame() {
+        let data = b"hello";
+        let encoded = encode_frame(42, FRAME_DATA, data);
+        assert_eq!(encoded.len(), FRAME_HEADER_SIZE + data.len());
+        // stream_id = 42 in BE
+        assert_eq!(&encoded[0..4], &42u32.to_be_bytes());
+        // frame type
+        assert_eq!(encoded[4], FRAME_DATA);
+        // length
+        assert_eq!(&encoded[5..9], &5u32.to_be_bytes());
+        // payload
+        assert_eq!(&encoded[9..], b"hello");
+    }
+
+    #[test]
+    fn test_encode_empty_frame() {
+        let encoded = encode_frame(1, FRAME_CLOSE, &[]);
+        assert_eq!(encoded.len(), FRAME_HEADER_SIZE);
+        assert_eq!(&encoded[5..9], &0u32.to_be_bytes());
+    }
+
+    #[test]
+    fn test_proxy_v1_header() {
+        let header = build_proxy_v1_header("1.2.3.4", "5.6.7.8", 12345, 443);
+        assert_eq!(header, "PROXY TCP4 1.2.3.4 5.6.7.8 12345 443\r\n");
+    }
+
+    #[tokio::test]
+    async fn test_frame_reader() {
+        let frame1 = encode_frame(1, FRAME_OPEN, b"PROXY TCP4 1.2.3.4 5.6.7.8 1234 443\r\n");
+        let frame2 = encode_frame(1, FRAME_DATA, b"GET / HTTP/1.1\r\n");
+        let frame3 = encode_frame(1, FRAME_CLOSE, &[]);
+
+        let mut data = Vec::new();
+        data.extend_from_slice(&frame1);
+        data.extend_from_slice(&frame2);
+        data.extend_from_slice(&frame3);
+
+        let cursor = std::io::Cursor::new(data);
+        let mut reader = FrameReader::new(cursor);
+
+        let f1 = reader.next_frame().await.unwrap().unwrap();
+        assert_eq!(f1.stream_id, 1);
+        assert_eq!(f1.frame_type, FRAME_OPEN);
+        assert!(f1.payload.starts_with(b"PROXY"));
+
+        let f2 = reader.next_frame().await.unwrap().unwrap();
+        assert_eq!(f2.frame_type, FRAME_DATA);
+
+        let f3 = reader.next_frame().await.unwrap().unwrap();
+        assert_eq!(f3.frame_type, FRAME_CLOSE);
+        assert!(f3.payload.is_empty());
+
+        // EOF
+        assert!(reader.next_frame().await.unwrap().is_none());
+    }
+
+    #[test]
+    fn test_encode_frame_config_type() {
+        let payload = b"{\"listenPorts\":[443]}";
+        let encoded = encode_frame(0, FRAME_CONFIG, payload);
+        assert_eq!(encoded[4], FRAME_CONFIG);
+        assert_eq!(&encoded[0..4], &0u32.to_be_bytes());
+        assert_eq!(&encoded[9..], payload.as_slice());
+    }
+
+    #[test]
+    fn test_encode_frame_data_back_type() {
+        let payload = b"response data";
+        let encoded = encode_frame(7, FRAME_DATA_BACK, payload);
+        assert_eq!(encoded[4], FRAME_DATA_BACK);
+        assert_eq!(&encoded[0..4], &7u32.to_be_bytes());
+        assert_eq!(&encoded[5..9], &(payload.len() as u32).to_be_bytes());
+        assert_eq!(&encoded[9..], payload.as_slice());
+    }
+
+    #[test]
+    fn test_encode_frame_close_back_type() {
+        let encoded = encode_frame(99, FRAME_CLOSE_BACK, &[]);
+        assert_eq!(encoded[4], FRAME_CLOSE_BACK);
+        assert_eq!(&encoded[0..4], &99u32.to_be_bytes());
+        assert_eq!(&encoded[5..9], &0u32.to_be_bytes());
+        assert_eq!(encoded.len(), FRAME_HEADER_SIZE);
+    }
+
+    #[test]
+    fn test_encode_frame_large_stream_id() {
+        let encoded = encode_frame(u32::MAX, FRAME_DATA, b"x");
+        assert_eq!(&encoded[0..4], &u32::MAX.to_be_bytes());
+        assert_eq!(encoded[4], FRAME_DATA);
+        assert_eq!(&encoded[5..9], &1u32.to_be_bytes());
+        assert_eq!(encoded[9], b'x');
+    }
+
+    #[tokio::test]
+    async fn test_frame_reader_max_payload_rejection() {
+        let mut data = Vec::new();
+        data.extend_from_slice(&1u32.to_be_bytes());
+        data.push(FRAME_DATA);
+        data.extend_from_slice(&(MAX_PAYLOAD_SIZE + 1).to_be_bytes());
+
+        let cursor = std::io::Cursor::new(data);
+        let mut reader = FrameReader::new(cursor);
+
+        let result = reader.next_frame().await;
+        assert!(result.is_err());
+        let err = result.unwrap_err();
+        assert_eq!(err.kind(), std::io::ErrorKind::InvalidData);
+    }
+
+    #[tokio::test]
+    async fn test_frame_reader_eof_mid_header() {
+        // Only 5 bytes — not enough for a 9-byte header
+        let data = vec![0u8; 5];
+        let cursor = std::io::Cursor::new(data);
+        let mut reader = FrameReader::new(cursor);
+
+        // Should return Ok(None) on partial header EOF
+        let result = reader.next_frame().await;
+        assert!(result.unwrap().is_none());
+    }
+
+    #[tokio::test]
+    async fn test_frame_reader_eof_mid_payload() {
+        // Full header claiming 100 bytes of payload, but only 10 bytes present
+        let mut data = Vec::new();
+        data.extend_from_slice(&1u32.to_be_bytes());
+        data.push(FRAME_DATA);
+        data.extend_from_slice(&100u32.to_be_bytes());
+        data.extend_from_slice(&[0xAB; 10]);
+
+        let cursor = std::io::Cursor::new(data);
+        let mut reader = FrameReader::new(cursor);
+
+        let result = reader.next_frame().await;
+        assert!(result.is_err());
+    }
+
+    #[tokio::test]
+    async fn test_frame_reader_all_frame_types() {
+        let types = [
+            FRAME_OPEN,
+            FRAME_DATA,
+            FRAME_CLOSE,
+            FRAME_DATA_BACK,
+            FRAME_CLOSE_BACK,
+            FRAME_CONFIG,
+            FRAME_PING,
+            FRAME_PONG,
+        ];
+
+        let mut data = Vec::new();
+        for (i, &ft) in types.iter().enumerate() {
+            let payload = format!("payload_{}", i);
+            data.extend_from_slice(&encode_frame(i as u32, ft, payload.as_bytes()));
+        }
+
+        let cursor = std::io::Cursor::new(data);
+        let mut reader = FrameReader::new(cursor);
+
+        for (i, &ft) in types.iter().enumerate() {
+            let frame = reader.next_frame().await.unwrap().unwrap();
+            assert_eq!(frame.stream_id, i as u32);
+            assert_eq!(frame.frame_type, ft);
+            assert_eq!(frame.payload, format!("payload_{}", i).as_bytes());
+        }
+
+        assert!(reader.next_frame().await.unwrap().is_none());
+    }
+
+    #[tokio::test]
+    async fn test_frame_reader_zero_length_payload() {
+        let data = encode_frame(42, FRAME_CLOSE, &[]);
+        let cursor = std::io::Cursor::new(data);
+        let mut reader = FrameReader::new(cursor);
+
+        let frame = reader.next_frame().await.unwrap().unwrap();
+        assert_eq!(frame.stream_id, 42);
+        assert_eq!(frame.frame_type, FRAME_CLOSE);
+        assert!(frame.payload.is_empty());
+    }
+
+    #[test]
+    fn test_encode_frame_ping_pong() {
+        // PING: stream_id=0, empty payload (control frame)
+        let ping = encode_frame(0, FRAME_PING, &[]);
+        assert_eq!(ping[4], FRAME_PING);
+        assert_eq!(&ping[0..4], &0u32.to_be_bytes());
+        assert_eq!(ping.len(), FRAME_HEADER_SIZE);
+
+        // PONG: stream_id=0, empty payload (control frame)
+        let pong = encode_frame(0, FRAME_PONG, &[]);
+        assert_eq!(pong[4], FRAME_PONG);
+        assert_eq!(&pong[0..4], &0u32.to_be_bytes());
+        assert_eq!(pong.len(), FRAME_HEADER_SIZE);
+    }
+
+    // --- compute_window_for_stream_count tests ---
+
+    #[test]
+    fn test_adaptive_window_zero_streams() {
+        // 0 streams treated as 1: 32MB/1 = 32MB → clamped to 4MB max
+        assert_eq!(compute_window_for_stream_count(0), INITIAL_STREAM_WINDOW);
+    }
+
+    #[test]
+    fn test_adaptive_window_one_stream() {
+        // 32MB/1 = 32MB → clamped to 4MB max
+        assert_eq!(compute_window_for_stream_count(1), INITIAL_STREAM_WINDOW);
+    }
+
+    #[test]
+    fn test_adaptive_window_at_max_boundary() {
+        // 32MB/8 = 4MB = exactly INITIAL_STREAM_WINDOW
+        assert_eq!(compute_window_for_stream_count(8), INITIAL_STREAM_WINDOW);
+    }
+
+    #[test]
+    fn test_adaptive_window_just_below_max() {
+        // 32MB/9 = 3,728,270 — first value below INITIAL_STREAM_WINDOW
+        let w = compute_window_for_stream_count(9);
+        assert!(w < INITIAL_STREAM_WINDOW);
+        assert_eq!(w, (32 * 1024 * 1024u64 / 9) as u32);
+    }
+
+    #[test]
+    fn test_adaptive_window_16_streams() {
+        // 32MB/16 = 2MB
+        assert_eq!(compute_window_for_stream_count(16), 2 * 1024 * 1024);
+    }
+
+    #[test]
+    fn test_adaptive_window_100_streams() {
+        // 32MB/100 = 335,544 bytes (~327KB)
+        let w = compute_window_for_stream_count(100);
+        assert_eq!(w, (32 * 1024 * 1024u64 / 100) as u32);
+        assert!(w > 64 * 1024); // above floor
+        assert!(w < INITIAL_STREAM_WINDOW as u32); // below ceiling
+    }
+
+    #[test]
+    fn test_adaptive_window_200_streams() {
+        // 32MB/200 = 167,772 bytes (~163KB), above 64KB floor
+        let w = compute_window_for_stream_count(200);
+        assert_eq!(w, (32 * 1024 * 1024u64 / 200) as u32);
+        assert!(w > 64 * 1024);
+    }
+
+    #[test]
+    fn test_adaptive_window_500_streams() {
+        // 32MB/500 = 67,108 bytes (~65.5KB), just above 64KB floor
+        let w = compute_window_for_stream_count(500);
+        assert_eq!(w, (32 * 1024 * 1024u64 / 500) as u32);
+        assert!(w > 64 * 1024);
+    }
+
+    #[test]
+    fn test_adaptive_window_at_min_boundary() {
+        // 32MB/512 = 65,536 = exactly 64KB floor
+        assert_eq!(compute_window_for_stream_count(512), 64 * 1024);
+    }
+
+    #[test]
+    fn test_adaptive_window_below_min_clamped() {
+        // 32MB/513 = 65,408 → clamped up to 64KB
+        assert_eq!(compute_window_for_stream_count(513), 64 * 1024);
+    }
+
+    #[test]
+    fn test_adaptive_window_1000_streams() {
+        // 32MB/1000 = 33,554 → clamped to 64KB
+        assert_eq!(compute_window_for_stream_count(1000), 64 * 1024);
+    }
+
+    #[test]
+    fn test_adaptive_window_max_u32() {
+        // Extreme: u32::MAX streams → tiny value → clamped to 64KB
+        assert_eq!(compute_window_for_stream_count(u32::MAX), 64 * 1024);
+    }
+
+    #[test]
+    fn test_adaptive_window_monotonically_decreasing() {
+        // Window should decrease (or stay same) as stream count increases
+        let mut prev = compute_window_for_stream_count(1);
+        for n in [2, 5, 10, 50, 100, 200, 500, 512, 1000] {
+            let w = compute_window_for_stream_count(n);
+            assert!(w <= prev, "window increased from {} to {} at n={}", prev, w, n);
+            prev = w;
+        }
+    }
+
+    #[test]
+    fn test_adaptive_window_total_budget_bounded() {
+        // active × per_stream_window should never exceed 32MB (+ clamp overhead for high N)
+        for n in [1, 10, 50, 100, 200, 500] {
+            let w = compute_window_for_stream_count(n);
+            let total = w as u64 * n as u64;
+            assert!(total <= 32 * 1024 * 1024, "total {}MB exceeds budget at n={}", total / (1024*1024), n);
+        }
+    }
+
+    // --- encode/decode window_update roundtrip ---
+
+    #[test]
+    fn test_window_update_roundtrip() {
+        for &increment in &[0u32, 1, 64 * 1024, INITIAL_STREAM_WINDOW, MAX_WINDOW_SIZE, u32::MAX] {
+            let frame = encode_window_update(42, FRAME_WINDOW_UPDATE, increment);
+            assert_eq!(frame[4], FRAME_WINDOW_UPDATE);
+            let decoded = decode_window_update(&frame[FRAME_HEADER_SIZE..]);
+            assert_eq!(decoded, Some(increment));
+        }
+    }
+
+    #[test]
+    fn test_window_update_back_roundtrip() {
+        let frame = encode_window_update(7, FRAME_WINDOW_UPDATE_BACK, 1234567);
+        assert_eq!(frame[4], FRAME_WINDOW_UPDATE_BACK);
+        assert_eq!(decode_window_update(&frame[FRAME_HEADER_SIZE..]), Some(1234567));
+    }
+
+    #[test]
+    fn test_decode_window_update_malformed() {
+        assert_eq!(decode_window_update(&[]), None);
+        assert_eq!(decode_window_update(&[0, 0, 0]), None);
+        assert_eq!(decode_window_update(&[0, 0, 0, 0, 0]), None);
+    }
+}

test/test.classes.node.ts

@@ -0,0 +1,35 @@
+import { expect, tap } from '@push.rocks/tapbundle';
+import { EventEmitter } from 'events';
+import { RemoteIngressHub, RemoteIngressEdge } from '../ts/index.js';
+
+tap.test('RemoteIngressHub constructor does not throw', async () => {
+  const hub = new RemoteIngressHub();
+  expect(hub).toBeTruthy();
+});
+
+tap.test('RemoteIngressHub is instanceof EventEmitter', async () => {
+  const hub = new RemoteIngressHub();
+  expect(hub).toBeInstanceOf(EventEmitter);
+});
+
+tap.test('RemoteIngressHub.running is false before start', async () => {
+  const hub = new RemoteIngressHub();
+  expect(hub.running).toBeFalse();
+});
+
+tap.test('RemoteIngressEdge constructor does not throw', async () => {
+  const edge = new RemoteIngressEdge();
+  expect(edge).toBeTruthy();
+});
+
+tap.test('RemoteIngressEdge is instanceof EventEmitter', async () => {
+  const edge = new RemoteIngressEdge();
+  expect(edge).toBeInstanceOf(EventEmitter);
+});
+
+tap.test('RemoteIngressEdge.running is false before start', async () => {
+  const edge = new RemoteIngressEdge();
+  expect(edge.running).toBeFalse();
+});
+
+export default tap.start();

test/test.flowcontrol.node.ts

@@ -0,0 +1,475 @@
+import { expect, tap } from '@push.rocks/tapbundle';
+import * as net from 'net';
+import * as crypto from 'crypto';
+import { RemoteIngressHub, RemoteIngressEdge } from '../ts/index.js';
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+/** Find N free ports by binding to port 0 and collecting OS-assigned ports. */
+async function findFreePorts(count: number): Promise<number[]> {
+  const servers: net.Server[] = [];
+  const ports: number[] = [];
+  for (let i = 0; i < count; i++) {
+    const server = net.createServer();
+    await new Promise<void>((resolve) => server.listen(0, '127.0.0.1', resolve));
+    ports.push((server.address() as net.AddressInfo).port);
+    servers.push(server);
+  }
+  await Promise.all(servers.map((s) => new Promise<void>((resolve) => s.close(() => resolve()))));
+  return ports;
+}
+
+type TrackingServer = net.Server & { destroyAll: () => void };
+
+/** Start a TCP echo server that tracks connections for force-close. */
+function startEchoServer(port: number, host: string): Promise<TrackingServer> {
+  return new Promise((resolve, reject) => {
+    const connections = new Set<net.Socket>();
+    const server = net.createServer((socket) => {
+      connections.add(socket);
+      socket.on('close', () => connections.delete(socket));
+
+      // Skip PROXY protocol v1 header line before echoing
+      let proxyHeaderParsed = false;
+      let pendingBuf = Buffer.alloc(0);
+      socket.on('data', (data: Buffer) => {
+        if (!proxyHeaderParsed) {
+          pendingBuf = Buffer.concat([pendingBuf, data]);
+          const idx = pendingBuf.indexOf('\r\n');
+          if (idx !== -1) {
+            proxyHeaderParsed = true;
+            const remainder = pendingBuf.subarray(idx + 2);
+            if (remainder.length > 0) {
+              socket.write(remainder);
+            }
+          }
+          return;
+        }
+        socket.write(data);
+      });
+      socket.on('error', () => {});
+    }) as TrackingServer;
+
+    server.destroyAll = () => {
+      for (const conn of connections) conn.destroy();
+      connections.clear();
+    };
+
+    server.on('error', reject);
+    server.listen(port, host, () => resolve(server));
+  });
+}
+
+/**
+ * Start a server that sends a large response immediately on first data received.
+ * Does NOT wait for end (the tunnel protocol has no half-close).
+ * On receiving first data chunk after PROXY header, sends responseSize bytes then closes.
+ */
+function startLargeResponseServer(port: number, host: string, responseSize: number): Promise<TrackingServer> {
+  return new Promise((resolve, reject) => {
+    const connections = new Set<net.Socket>();
+    const server = net.createServer((socket) => {
+      connections.add(socket);
+      socket.on('close', () => connections.delete(socket));
+
+      let proxyHeaderParsed = false;
+      let pendingBuf = Buffer.alloc(0);
+      let responseSent = false;
+
+      socket.on('data', (data: Buffer) => {
+        if (!proxyHeaderParsed) {
+          pendingBuf = Buffer.concat([pendingBuf, data]);
+          const idx = pendingBuf.indexOf('\r\n');
+          if (idx !== -1) {
+            proxyHeaderParsed = true;
+            const remainder = pendingBuf.subarray(idx + 2);
+            if (remainder.length > 0 && !responseSent) {
+              responseSent = true;
+              sendLargeResponse(socket, responseSize);
+            }
+          }
+          return;
+        }
+        if (!responseSent) {
+          responseSent = true;
+          sendLargeResponse(socket, responseSize);
+        }
+      });
+      socket.on('error', () => {});
+    }) as TrackingServer;
+
+    server.destroyAll = () => {
+      for (const conn of connections) conn.destroy();
+      connections.clear();
+    };
+
+    server.on('error', reject);
+    server.listen(port, host, () => resolve(server));
+  });
+}
+
+function sendLargeResponse(socket: net.Socket, totalBytes: number) {
+  const chunkSize = 32 * 1024;
+  let sent = 0;
+  const writeChunk = () => {
+    while (sent < totalBytes) {
+      const toWrite = Math.min(chunkSize, totalBytes - sent);
+      // Use a deterministic pattern for verification
+      const chunk = Buffer.alloc(toWrite, (sent % 256) & 0xff);
+      const canContinue = socket.write(chunk);
+      sent += toWrite;
+      if (!canContinue) {
+        socket.once('drain', writeChunk);
+        return;
+      }
+    }
+    socket.end();
+  };
+  writeChunk();
+}
+
+/** Force-close a server: destroy all connections, then close. */
+async function forceCloseServer(server: TrackingServer): Promise<void> {
+  server.destroyAll();
+  await new Promise<void>((resolve) => server.close(() => resolve()));
+}
+
+interface TestTunnel {
+  hub: RemoteIngressHub;
+  edge: RemoteIngressEdge;
+  edgePort: number;
+  cleanup: () => Promise<void>;
+}
+
+/**
+ * Start a full hub + edge tunnel.
+ * Edge binds to 127.0.0.1, upstream server binds to 127.0.0.2.
+ * Hub targetHost = 127.0.0.2 so hub -> upstream doesn't loop back to edge.
+ */
+async function startTunnel(edgePort: number, hubPort: number): Promise<TestTunnel> {
+  const hub = new RemoteIngressHub();
+  const edge = new RemoteIngressEdge();
+
+  await hub.start({
+    tunnelPort: hubPort,
+    targetHost: '127.0.0.2',
+  });
+
+  await hub.updateAllowedEdges([
+    { id: 'test-edge', secret: 'test-secret', listenPorts: [edgePort] },
+  ]);
+
+  const connectedPromise = new Promise<void>((resolve, reject) => {
+    const timeout = setTimeout(() => reject(new Error('Edge did not connect within 10s')), 10000);
+    edge.once('tunnelConnected', () => {
+      clearTimeout(timeout);
+      resolve();
+    });
+  });
+
+  await edge.start({
+    hubHost: '127.0.0.1',
+    hubPort,
+    edgeId: 'test-edge',
+    secret: 'test-secret',
+    bindAddress: '127.0.0.1',
+  });
+
+  await connectedPromise;
+  await new Promise((resolve) => setTimeout(resolve, 500));
+
+  return {
+    hub,
+    edge,
+    edgePort,
+    cleanup: async () => {
+      await edge.stop();
+      await hub.stop();
+    },
+  };
+}
+
+/**
+ * Send data through the tunnel and collect the echoed response.
+ */
+function sendAndReceive(port: number, data: Buffer, timeoutMs = 30000): Promise<Buffer> {
+  return new Promise((resolve, reject) => {
+    const chunks: Buffer[] = [];
+    let totalReceived = 0;
+    const expectedLength = data.length;
+    let settled = false;
+
+    const client = net.createConnection({ host: '127.0.0.1', port }, () => {
+      client.write(data);
+      client.end();
+    });
+
+    const timer = setTimeout(() => {
+      if (!settled) {
+        settled = true;
+        client.destroy();
+        reject(new Error(`Timeout after ${timeoutMs}ms — received ${totalReceived}/${expectedLength} bytes`));
+      }
+    }, timeoutMs);
+
+    client.on('data', (chunk: Buffer) => {
+      chunks.push(chunk);
+      totalReceived += chunk.length;
+      if (totalReceived >= expectedLength && !settled) {
+        settled = true;
+        clearTimeout(timer);
+        client.destroy();
+        resolve(Buffer.concat(chunks));
+      }
+    });
+
+    client.on('end', () => {
+      if (!settled) {
+        settled = true;
+        clearTimeout(timer);
+        resolve(Buffer.concat(chunks));
+      }
+    });
+
+    client.on('error', (err) => {
+      if (!settled) {
+        settled = true;
+        clearTimeout(timer);
+        reject(err);
+      }
+    });
+  });
+}
+
+/**
+ * Connect to the tunnel, send a small request, and collect a large response.
+ * Does NOT call end() — the tunnel has no half-close.
+ * Instead, collects until expectedResponseSize bytes arrive.
+ */
+function sendAndReceiveLarge(
+  port: number,
+  data: Buffer,
+  expectedResponseSize: number,
+  timeoutMs = 60000,
+): Promise<Buffer> {
+  return new Promise((resolve, reject) => {
+    const chunks: Buffer[] = [];
+    let totalReceived = 0;
+    let settled = false;
+
+    const client = net.createConnection({ host: '127.0.0.1', port }, () => {
+      client.write(data);
+      // Do NOT call client.end() — the server will respond immediately
+      // and the tunnel CLOSE will happen when the download finishes
+    });
+
+    const timer = setTimeout(() => {
+      if (!settled) {
+        settled = true;
+        client.destroy();
+        reject(new Error(`Timeout after ${timeoutMs}ms — received ${totalReceived}/${expectedResponseSize} bytes`));
+      }
+    }, timeoutMs);
+
+    client.on('data', (chunk: Buffer) => {
+      chunks.push(chunk);
+      totalReceived += chunk.length;
+      if (totalReceived >= expectedResponseSize && !settled) {
+        settled = true;
+        clearTimeout(timer);
+        client.destroy();
+        resolve(Buffer.concat(chunks));
+      }
+    });
+
+    client.on('end', () => {
+      if (!settled) {
+        settled = true;
+        clearTimeout(timer);
+        resolve(Buffer.concat(chunks));
+      }
+    });
+
+    client.on('error', (err) => {
+      if (!settled) {
+        settled = true;
+        clearTimeout(timer);
+        reject(err);
+      }
+    });
+  });
+}
+
+function sha256(buf: Buffer): string {
+  return crypto.createHash('sha256').update(buf).digest('hex');
+}
+
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+
+let tunnel: TestTunnel;
+let echoServer: TrackingServer;
+let hubPort: number;
+let edgePort: number;
+
+tap.test('setup: start echo server and tunnel', async () => {
+  [hubPort, edgePort] = await findFreePorts(2);
+
+  echoServer = await startEchoServer(edgePort, '127.0.0.2');
+  tunnel = await startTunnel(edgePort, hubPort);
+
+  expect(tunnel.hub.running).toBeTrue();
+});
+
+tap.test('single stream: 32MB transfer exceeding initial 4MB window', async () => {
+  const size = 32 * 1024 * 1024;
+  const data = crypto.randomBytes(size);
+  const expectedHash = sha256(data);
+
+  const received = await sendAndReceive(edgePort, data, 60000);
+
+  expect(received.length).toEqual(size);
+  expect(sha256(received)).toEqual(expectedHash);
+});
+
+tap.test('200 concurrent streams with 64KB each', async () => {
+  const streamCount = 200;
+  const payloadSize = 64 * 1024;
+
+  const promises = Array.from({ length: streamCount }, () => {
+    const data = crypto.randomBytes(payloadSize);
+    const hash = sha256(data);
+    return sendAndReceive(edgePort, data, 30000).then((received) => ({
+      sent: hash,
+      received: sha256(received),
+      sizeOk: received.length === payloadSize,
+    }));
+  });
+
+  const results = await Promise.all(promises);
+  const failures = results.filter((r) => !r.sizeOk || r.sent !== r.received);
+
+  expect(failures.length).toEqual(0);
+});
+
+tap.test('512 concurrent streams at minimum window boundary (16KB each)', async () => {
+  const streamCount = 512;
+  const payloadSize = 16 * 1024;
+
+  const promises = Array.from({ length: streamCount }, () => {
+    const data = crypto.randomBytes(payloadSize);
+    const hash = sha256(data);
+    return sendAndReceive(edgePort, data, 60000).then((received) => ({
+      sent: hash,
+      received: sha256(received),
+      sizeOk: received.length === payloadSize,
+    }));
+  });
+
+  const results = await Promise.all(promises);
+  const failures = results.filter((r) => !r.sizeOk || r.sent !== r.received);
+
+  expect(failures.length).toEqual(0);
+});
+
+tap.test('asymmetric transfer: 4KB request -> 4MB response', async () => {
+  // Swap to large-response server
+  await forceCloseServer(echoServer);
+  const responseSize = 4 * 1024 * 1024; // 4 MB
+  const largeServer = await startLargeResponseServer(edgePort, '127.0.0.2', responseSize);
+
+  try {
+    const requestData = crypto.randomBytes(4 * 1024); // 4 KB
+    const received = await sendAndReceiveLarge(edgePort, requestData, responseSize, 60000);
+    expect(received.length).toEqual(responseSize);
+  } finally {
+    // Always restore echo server even on failure
+    await forceCloseServer(largeServer);
+    echoServer = await startEchoServer(edgePort, '127.0.0.2');
+  }
+});
+
+tap.test('100 streams x 1MB each (100MB total exceeding 32MB budget)', async () => {
+  const streamCount = 100;
+  const payloadSize = 1 * 1024 * 1024;
+
+  const promises = Array.from({ length: streamCount }, () => {
+    const data = crypto.randomBytes(payloadSize);
+    const hash = sha256(data);
+    return sendAndReceive(edgePort, data, 120000).then((received) => ({
+      sent: hash,
+      received: sha256(received),
+      sizeOk: received.length === payloadSize,
+    }));
+  });
+
+  const results = await Promise.all(promises);
+  const failures = results.filter((r) => !r.sizeOk || r.sent !== r.received);
+
+  expect(failures.length).toEqual(0);
+});
+
+tap.test('active stream counter tracks concurrent connections', async () => {
+  const N = 50;
+
+  // Open N connections and keep them alive (send data but don't close)
+  const sockets: net.Socket[] = [];
+  const connectPromises = Array.from({ length: N }, () => {
+    return new Promise<net.Socket>((resolve, reject) => {
+      const sock = net.createConnection({ host: '127.0.0.1', port: edgePort }, () => {
+        resolve(sock);
+      });
+      sock.on('error', () => {});
+      setTimeout(() => reject(new Error('connect timeout')), 5000);
+    });
+  });
+
+  const connected = await Promise.all(connectPromises);
+  sockets.push(...connected);
+
+  // Brief delay for stream registration to propagate
+  await new Promise((resolve) => setTimeout(resolve, 500));
+
+  // Verify the edge reports >= N active streams.
+  // This counter is the input to compute_window_for_stream_count(),
+  // so its accuracy determines whether adaptive window sizing is correct.
+  const status = await tunnel.edge.getStatus();
+  expect(status.activeStreams).toBeGreaterThanOrEqual(N);
+
+  // Clean up: destroy all sockets (the tunnel's 300s stream timeout will handle cleanup)
+  for (const sock of sockets) {
+    sock.destroy();
+  }
+});
+
+tap.test('50 streams x 2MB each (forces multiple window refills per stream)', async () => {
+  // At 50 concurrent streams: adaptive window = 32MB/50 = 655KB per stream
+  // Each stream sends 2MB → needs ~3 WINDOW_UPDATE refill cycles per stream
+  const streamCount = 50;
+  const payloadSize = 2 * 1024 * 1024;
+
+  const promises = Array.from({ length: streamCount }, () => {
+    const data = crypto.randomBytes(payloadSize);
+    const hash = sha256(data);
+    return sendAndReceive(edgePort, data, 120000).then((received) => ({
+      sent: hash,
+      received: sha256(received),
+      sizeOk: received.length === payloadSize,
+    }));
+  });
+
+  const results = await Promise.all(promises);
+  const failures = results.filter((r) => !r.sizeOk || r.sent !== r.received);
+
+  expect(failures.length).toEqual(0);
+});
+
+tap.test('teardown: stop tunnel and echo server', async () => {
+  await tunnel.cleanup();
+  await forceCloseServer(echoServer);
+});
+
+export default tap.start();

test/test.token.node.ts

@@ -0,0 +1,152 @@
+import { expect, tap } from '@push.rocks/tapbundle';
+import { encodeConnectionToken, decodeConnectionToken, type IConnectionTokenData } from '../ts/classes.token.js';
+
+tap.test('token roundtrip with unicode chars in secret', async () => {
+  const data: IConnectionTokenData = {
+    hubHost: 'hub.example.com',
+    hubPort: 8443,
+    edgeId: 'edge-1',
+    secret: 'sécret-with-ünïcödé-日本語',
+  };
+  const token = encodeConnectionToken(data);
+  const decoded = decodeConnectionToken(token);
+  expect(decoded.secret).toEqual(data.secret);
+});
+
+tap.test('token roundtrip with empty edgeId', async () => {
+  const data: IConnectionTokenData = {
+    hubHost: 'hub.test',
+    hubPort: 443,
+    edgeId: '',
+    secret: 'key',
+  };
+  const token = encodeConnectionToken(data);
+  const decoded = decodeConnectionToken(token);
+  expect(decoded.edgeId).toEqual('');
+});
+
+tap.test('token roundtrip with port 0', async () => {
+  const data: IConnectionTokenData = {
+    hubHost: 'h',
+    hubPort: 0,
+    edgeId: 'e',
+    secret: 's',
+  };
+  const token = encodeConnectionToken(data);
+  const decoded = decodeConnectionToken(token);
+  expect(decoded.hubPort).toEqual(0);
+});
+
+tap.test('token roundtrip with port 65535', async () => {
+  const data: IConnectionTokenData = {
+    hubHost: 'h',
+    hubPort: 65535,
+    edgeId: 'e',
+    secret: 's',
+  };
+  const token = encodeConnectionToken(data);
+  const decoded = decodeConnectionToken(token);
+  expect(decoded.hubPort).toEqual(65535);
+});
+
+tap.test('token roundtrip with very long secret (10k chars)', async () => {
+  const longSecret = 'x'.repeat(10000);
+  const data: IConnectionTokenData = {
+    hubHost: 'host',
+    hubPort: 1234,
+    edgeId: 'edge',
+    secret: longSecret,
+  };
+  const token = encodeConnectionToken(data);
+  const decoded = decodeConnectionToken(token);
+  expect(decoded.secret).toEqual(longSecret);
+  expect(decoded.secret.length).toEqual(10000);
+});
+
+tap.test('token string is URL-safe', async () => {
+  const data: IConnectionTokenData = {
+    hubHost: 'hub.example.com',
+    hubPort: 8443,
+    edgeId: 'edge-001',
+    secret: 'super+secret/key==with+special/chars',
+  };
+  const token = encodeConnectionToken(data);
+  expect(token).toMatch(/^[A-Za-z0-9_-]+$/);
+});
+
+tap.test('decode empty string throws', async () => {
+  let error: Error | undefined;
+  try {
+    decodeConnectionToken('');
+  } catch (e) {
+    error = e as Error;
+  }
+  expect(error).toBeInstanceOf(Error);
+});
+
+tap.test('decode valid base64 but wrong JSON shape throws missing required fields', async () => {
+  // Encode { "a": 1, "b": 2 } — valid JSON but wrong shape
+  const token = Buffer.from(JSON.stringify({ a: 1, b: 2 }), 'utf-8')
+    .toString('base64')
+    .replace(/\+/g, '-')
+    .replace(/\//g, '_')
+    .replace(/=+$/, '');
+
+  let error: Error | undefined;
+  try {
+    decodeConnectionToken(token);
+  } catch (e) {
+    error = e as Error;
+  }
+  expect(error).toBeInstanceOf(Error);
+  expect(error!.message).toInclude('missing required fields');
+});
+
+tap.test('decode valid JSON but wrong field types throws missing required fields', async () => {
+  // h is number instead of string, p is string instead of number
+  const token = Buffer.from(JSON.stringify({ h: 123, p: 'notnum', e: 'e', s: 's' }), 'utf-8')
+    .toString('base64')
+    .replace(/\+/g, '-')
+    .replace(/\//g, '_')
+    .replace(/=+$/, '');
+
+  let error: Error | undefined;
+  try {
+    decodeConnectionToken(token);
+  } catch (e) {
+    error = e as Error;
+  }
+  expect(error).toBeInstanceOf(Error);
+  expect(error!.message).toInclude('missing required fields');
+});
+
+tap.test('decode with extra fields succeeds', async () => {
+  const token = Buffer.from(
+    JSON.stringify({ h: 'host', p: 443, e: 'edge', s: 'secret', extra: 'ignored' }),
+    'utf-8',
+  )
+    .toString('base64')
+    .replace(/\+/g, '-')
+    .replace(/\//g, '_')
+    .replace(/=+$/, '');
+
+  const decoded = decodeConnectionToken(token);
+  expect(decoded.hubHost).toEqual('host');
+  expect(decoded.hubPort).toEqual(443);
+  expect(decoded.edgeId).toEqual('edge');
+  expect(decoded.secret).toEqual('secret');
+});
+
+tap.test('encode is deterministic', async () => {
+  const data: IConnectionTokenData = {
+    hubHost: 'hub.test',
+    hubPort: 8443,
+    edgeId: 'edge-1',
+    secret: 'deterministic-key',
+  };
+  const token1 = encodeConnectionToken(data);
+  const token2 = encodeConnectionToken(data);
+  expect(token1).toEqual(token2);
+});
+
+export default tap.start();

test/test.ts

@@ -1,8 +1,61 @@
-import { expect, expectAsync, tap } from '@push.rocks/tapbundle';
-import * as remoteingress from '../ts/index.js'
+import { expect, tap } from '@push.rocks/tapbundle';
+import * as remoteingress from '../ts/index.js';
 
-tap.test('first test', async () => {
-  console.log(remoteingress)
-})
+tap.test('should export RemoteIngressHub', async () => {
+  expect(remoteingress.RemoteIngressHub).toBeTypeOf('function');
+});
 
-tap.start()
+tap.test('should export RemoteIngressEdge', async () => {
+  expect(remoteingress.RemoteIngressEdge).toBeTypeOf('function');
+});
+
+tap.test('should export encodeConnectionToken and decodeConnectionToken', async () => {
+  expect(remoteingress.encodeConnectionToken).toBeTypeOf('function');
+  expect(remoteingress.decodeConnectionToken).toBeTypeOf('function');
+});
+
+tap.test('should roundtrip encode → decode a connection token', async () => {
+  const data: remoteingress.IConnectionTokenData = {
+    hubHost: 'hub.example.com',
+    hubPort: 8443,
+    edgeId: 'edge-001',
+    secret: 'super-secret-key',
+  };
+  const token = remoteingress.encodeConnectionToken(data);
+  const decoded = remoteingress.decodeConnectionToken(token);
+  expect(decoded.hubHost).toEqual(data.hubHost);
+  expect(decoded.hubPort).toEqual(data.hubPort);
+  expect(decoded.edgeId).toEqual(data.edgeId);
+  expect(decoded.secret).toEqual(data.secret);
+});
+
+tap.test('should throw on malformed token', async () => {
+  let error: Error | undefined;
+  try {
+    remoteingress.decodeConnectionToken('not-valid-json!!!');
+  } catch (e) {
+    error = e as Error;
+  }
+  expect(error).toBeInstanceOf(Error);
+  expect(error!.message).toInclude('Invalid connection token');
+});
+
+tap.test('should throw on token with missing fields', async () => {
+  // Encode a partial object (missing 'p' and 's')
+  const partial = Buffer.from(JSON.stringify({ h: 'host', e: 'edge' }), 'utf-8')
+    .toString('base64')
+    .replace(/\+/g, '-')
+    .replace(/\//g, '_')
+    .replace(/=+$/, '');
+
+  let error: Error | undefined;
+  try {
+    remoteingress.decodeConnectionToken(partial);
+  } catch (e) {
+    error = e as Error;
+  }
+  expect(error).toBeInstanceOf(Error);
+  expect(error!.message).toInclude('missing required fields');
+});
+
+export default tap.start();

ts/00_commitinfo_data.ts

@@ -1,8 +1,8 @@
 /**
- * autocreated commitinfo by @pushrocks/commitinfo
+ * autocreated commitinfo by @push.rocks/commitinfo
  */
 export const commitinfo = {
   name: '@serve.zone/remoteingress',
-  version: '1.0.3',
-  description: 'Provides a service for creating private tunnels and reaching private clusters from the outside as part of the @serve.zone stack.'
+  version: '4.8.4',
+  description: 'Edge ingress tunnel for DcRouter - accepts incoming TCP connections at network edge and tunnels them to DcRouter SmartProxy preserving client IP via PROXY protocol v1.'
 }

ts/classes.remoteingressedge.ts

@@ -0,0 +1,247 @@
+import * as plugins from './plugins.js';
+import { EventEmitter } from 'events';
+import { decodeConnectionToken } from './classes.token.js';
+
+// Command map for the edge side of remoteingress-bin
+type TEdgeCommands = {
+  ping: {
+    params: Record<string, never>;
+    result: { pong: boolean };
+  };
+  startEdge: {
+    params: {
+      hubHost: string;
+      hubPort: number;
+      edgeId: string;
+      secret: string;
+      bindAddress?: string;
+    };
+    result: { started: boolean };
+  };
+  stopEdge: {
+    params: Record<string, never>;
+    result: { stopped: boolean; wasRunning?: boolean };
+  };
+  getEdgeStatus: {
+    params: Record<string, never>;
+    result: {
+      running: boolean;
+      connected: boolean;
+      publicIp: string | null;
+      activeStreams: number;
+      listenPorts: number[];
+    };
+  };
+};
+
+export interface IEdgeConfig {
+  hubHost: string;
+  hubPort?: number;
+  edgeId: string;
+  secret: string;
+  bindAddress?: string;
+}
+
+const MAX_RESTART_ATTEMPTS = 10;
+const MAX_RESTART_BACKOFF_MS = 30_000;
+
+export class RemoteIngressEdge extends EventEmitter {
+  private bridge: InstanceType<typeof plugins.smartrust.RustBridge<TEdgeCommands>>;
+  private started = false;
+  private stopping = false;
+  private savedConfig: IEdgeConfig | null = null;
+  private restartBackoffMs = 1000;
+  private restartAttempts = 0;
+  private statusInterval: ReturnType<typeof setInterval> | undefined;
+
+  constructor() {
+    super();
+
+    const packageDir = plugins.path.resolve(
+      plugins.path.dirname(new URL(import.meta.url).pathname),
+      '..',
+    );
+
+    this.bridge = new plugins.smartrust.RustBridge<TEdgeCommands>({
+      binaryName: 'remoteingress-bin',
+      cliArgs: ['--management'],
+      requestTimeoutMs: 30_000,
+      readyTimeoutMs: 10_000,
+      localPaths: [
+        // Platform-suffixed binary in dist_rust (production)
+        plugins.path.join(packageDir, 'dist_rust', `remoteingress-bin_${process.platform === 'win32' ? 'windows' : 'linux'}_${process.arch === 'x64' ? 'amd64' : process.arch}`),
+        // Exact binaryName fallback in dist_rust
+        plugins.path.join(packageDir, 'dist_rust', 'remoteingress-bin'),
+        // Development build paths (cargo output uses exact name)
+        plugins.path.join(packageDir, 'rust', 'target', 'release', 'remoteingress-bin'),
+        plugins.path.join(packageDir, 'rust', 'target', 'debug', 'remoteingress-bin'),
+      ],
+      searchSystemPath: false,
+    });
+
+    // Forward events from Rust binary
+    this.bridge.on('management:tunnelConnected', () => {
+      this.emit('tunnelConnected');
+    });
+    this.bridge.on('management:tunnelDisconnected', (data: { reason?: string }) => {
+      const reason = data?.reason ?? 'unknown';
+      console.log(`[RemoteIngressEdge] Tunnel disconnected: ${reason}`);
+      this.emit('tunnelDisconnected', data);
+    });
+    this.bridge.on('management:publicIpDiscovered', (data: { ip: string }) => {
+      this.emit('publicIpDiscovered', data);
+    });
+    this.bridge.on('management:portsAssigned', (data: { listenPorts: number[] }) => {
+      console.log(`[RemoteIngressEdge] Ports assigned by hub: ${data.listenPorts.join(', ')}`);
+      this.emit('portsAssigned', data);
+    });
+    this.bridge.on('management:portsUpdated', (data: { listenPorts: number[] }) => {
+      console.log(`[RemoteIngressEdge] Ports updated by hub: ${data.listenPorts.join(', ')}`);
+      this.emit('portsUpdated', data);
+    });
+  }
+
+  /**
+   * Start the edge — spawns the Rust binary and connects to the hub.
+   * Accepts either a connection token or an explicit IEdgeConfig.
+   */
+  public async start(config: { token: string } | IEdgeConfig): Promise<void> {
+    let edgeConfig: IEdgeConfig;
+
+    if ('token' in config) {
+      const decoded = decodeConnectionToken(config.token);
+      edgeConfig = {
+        hubHost: decoded.hubHost,
+        hubPort: decoded.hubPort,
+        edgeId: decoded.edgeId,
+        secret: decoded.secret,
+      };
+    } else {
+      edgeConfig = config;
+    }
+
+    this.savedConfig = edgeConfig;
+    this.stopping = false;
+
+    const spawned = await this.bridge.spawn();
+    if (!spawned) {
+      throw new Error('Failed to spawn remoteingress-bin');
+    }
+
+    // Register crash recovery handler
+    this.bridge.on('exit', this.handleCrashRecovery);
+
+    await this.bridge.sendCommand('startEdge', {
+      hubHost: edgeConfig.hubHost,
+      hubPort: edgeConfig.hubPort ?? 8443,
+      edgeId: edgeConfig.edgeId,
+      secret: edgeConfig.secret,
+      ...(edgeConfig.bindAddress ? { bindAddress: edgeConfig.bindAddress } : {}),
+    });
+
+    this.started = true;
+    this.restartAttempts = 0;
+    this.restartBackoffMs = 1000;
+
+    // Start periodic status logging
+    this.statusInterval = setInterval(async () => {
+      try {
+        const status = await this.getStatus();
+        console.log(
+          `[RemoteIngressEdge] Status: connected=${status.connected}, ` +
+          `streams=${status.activeStreams}, ports=[${status.listenPorts.join(',')}], ` +
+          `publicIp=${status.publicIp ?? 'unknown'}`
+        );
+      } catch {
+        // Bridge may be shutting down
+      }
+    }, 60_000);
+  }
+
+  /**
+   * Stop the edge and kill the Rust process.
+   */
+  public async stop(): Promise<void> {
+    this.stopping = true;
+    if (this.statusInterval) {
+      clearInterval(this.statusInterval);
+      this.statusInterval = undefined;
+    }
+    if (this.started) {
+      try {
+        await this.bridge.sendCommand('stopEdge', {} as Record<string, never>);
+      } catch {
+        // Process may already be dead
+      }
+      this.bridge.removeListener('exit', this.handleCrashRecovery);
+      this.bridge.kill();
+      this.started = false;
+    }
+  }
+
+  /**
+   * Get the current edge status.
+   */
+  public async getStatus() {
+    return this.bridge.sendCommand('getEdgeStatus', {} as Record<string, never>);
+  }
+
+  /**
+   * Check if the bridge is running.
+   */
+  public get running(): boolean {
+    return this.bridge.running;
+  }
+
+  /**
+   * Handle unexpected Rust binary crash — auto-restart with backoff.
+   */
+  private handleCrashRecovery = async (code: number | null, signal: string | null) => {
+    if (this.stopping || !this.started || !this.savedConfig) {
+      return;
+    }
+
+    console.error(
+      `[RemoteIngressEdge] Rust binary crashed (code=${code}, signal=${signal}), ` +
+      `attempt ${this.restartAttempts + 1}/${MAX_RESTART_ATTEMPTS}`
+    );
+
+    this.started = false;
+
+    if (this.restartAttempts >= MAX_RESTART_ATTEMPTS) {
+      console.error('[RemoteIngressEdge] Max restart attempts reached, giving up');
+      this.emit('crashRecoveryFailed');
+      return;
+    }
+
+    await new Promise(resolve => setTimeout(resolve, this.restartBackoffMs));
+    this.restartBackoffMs = Math.min(this.restartBackoffMs * 2, MAX_RESTART_BACKOFF_MS);
+    this.restartAttempts++;
+
+    try {
+      const spawned = await this.bridge.spawn();
+      if (!spawned) {
+        console.error('[RemoteIngressEdge] Failed to respawn binary');
+        return;
+      }
+
+      this.bridge.on('exit', this.handleCrashRecovery);
+
+      await this.bridge.sendCommand('startEdge', {
+        hubHost: this.savedConfig.hubHost,
+        hubPort: this.savedConfig.hubPort ?? 8443,
+        edgeId: this.savedConfig.edgeId,
+        secret: this.savedConfig.secret,
+        ...(this.savedConfig.bindAddress ? { bindAddress: this.savedConfig.bindAddress } : {}),
+      });
+
+      this.started = true;
+      this.restartAttempts = 0;
+      this.restartBackoffMs = 1000;
+      console.log('[RemoteIngressEdge] Successfully recovered from crash');
+      this.emit('crashRecovered');
+    } catch (err) {
+      console.error(`[RemoteIngressEdge] Crash recovery failed: ${err}`);
+    }
+  };
+}

ts/classes.remoteingresshub.ts

@@ -0,0 +1,233 @@
+import * as plugins from './plugins.js';
+import { EventEmitter } from 'events';
+
+// Command map for the hub side of remoteingress-bin
+type THubCommands = {
+  ping: {
+    params: Record<string, never>;
+    result: { pong: boolean };
+  };
+  startHub: {
+    params: {
+      tunnelPort: number;
+      targetHost?: string;
+      tlsCertPem?: string;
+      tlsKeyPem?: string;
+    };
+    result: { started: boolean };
+  };
+  stopHub: {
+    params: Record<string, never>;
+    result: { stopped: boolean; wasRunning?: boolean };
+  };
+  updateAllowedEdges: {
+    params: {
+      edges: Array<{ id: string; secret: string; listenPorts?: number[]; stunIntervalSecs?: number }>;
+    };
+    result: { updated: boolean };
+  };
+  getHubStatus: {
+    params: Record<string, never>;
+    result: {
+      running: boolean;
+      tunnelPort: number;
+      connectedEdges: Array<{
+        edgeId: string;
+        connectedAt: number;
+        activeStreams: number;
+        peerAddr: string;
+      }>;
+    };
+  };
+};
+
+export interface IHubConfig {
+  tunnelPort?: number;
+  targetHost?: string;
+  tls?: {
+    certPem?: string;
+    keyPem?: string;
+  };
+}
+
+type TAllowedEdge = { id: string; secret: string; listenPorts?: number[]; stunIntervalSecs?: number };
+
+const MAX_RESTART_ATTEMPTS = 10;
+const MAX_RESTART_BACKOFF_MS = 30_000;
+
+export class RemoteIngressHub extends EventEmitter {
+  private bridge: InstanceType<typeof plugins.smartrust.RustBridge<THubCommands>>;
+  private started = false;
+  private stopping = false;
+  private savedConfig: IHubConfig | null = null;
+  private savedEdges: TAllowedEdge[] = [];
+  private restartBackoffMs = 1000;
+  private restartAttempts = 0;
+
+  constructor() {
+    super();
+
+    const packageDir = plugins.path.resolve(
+      plugins.path.dirname(new URL(import.meta.url).pathname),
+      '..',
+    );
+
+    this.bridge = new plugins.smartrust.RustBridge<THubCommands>({
+      binaryName: 'remoteingress-bin',
+      cliArgs: ['--management'],
+      requestTimeoutMs: 30_000,
+      readyTimeoutMs: 10_000,
+      localPaths: [
+        // Platform-suffixed binary in dist_rust (production)
+        plugins.path.join(packageDir, 'dist_rust', `remoteingress-bin_${process.platform === 'win32' ? 'windows' : 'linux'}_${process.arch === 'x64' ? 'amd64' : process.arch}`),
+        // Exact binaryName fallback in dist_rust
+        plugins.path.join(packageDir, 'dist_rust', 'remoteingress-bin'),
+        // Development build paths (cargo output uses exact name)
+        plugins.path.join(packageDir, 'rust', 'target', 'release', 'remoteingress-bin'),
+        plugins.path.join(packageDir, 'rust', 'target', 'debug', 'remoteingress-bin'),
+      ],
+      searchSystemPath: false,
+    });
+
+    // Forward events from Rust binary
+    this.bridge.on('management:edgeConnected', (data: { edgeId: string; peerAddr: string }) => {
+      this.emit('edgeConnected', data);
+    });
+    this.bridge.on('management:edgeDisconnected', (data: { edgeId: string; reason?: string }) => {
+      const reason = data?.reason ?? 'unknown';
+      console.log(`[RemoteIngressHub] Edge ${data.edgeId} disconnected: ${reason}`);
+      this.emit('edgeDisconnected', data);
+    });
+    this.bridge.on('management:streamOpened', (data: { edgeId: string; streamId: number }) => {
+      this.emit('streamOpened', data);
+    });
+    this.bridge.on('management:streamClosed', (data: { edgeId: string; streamId: number }) => {
+      this.emit('streamClosed', data);
+    });
+  }
+
+  /**
+   * Start the hub — spawns the Rust binary and starts the tunnel server.
+   */
+  public async start(config: IHubConfig = {}): Promise<void> {
+    this.savedConfig = config;
+    this.stopping = false;
+
+    const spawned = await this.bridge.spawn();
+    if (!spawned) {
+      throw new Error('Failed to spawn remoteingress-bin');
+    }
+
+    // Register crash recovery handler
+    this.bridge.on('exit', this.handleCrashRecovery);
+
+    await this.bridge.sendCommand('startHub', {
+      tunnelPort: config.tunnelPort ?? 8443,
+      targetHost: config.targetHost ?? '127.0.0.1',
+      ...(config.tls?.certPem && config.tls?.keyPem
+        ? { tlsCertPem: config.tls.certPem, tlsKeyPem: config.tls.keyPem }
+        : {}),
+    });
+
+    this.started = true;
+    this.restartAttempts = 0;
+    this.restartBackoffMs = 1000;
+  }
+
+  /**
+   * Stop the hub and kill the Rust process.
+   */
+  public async stop(): Promise<void> {
+    this.stopping = true;
+    if (this.started) {
+      try {
+        await this.bridge.sendCommand('stopHub', {} as Record<string, never>);
+      } catch {
+        // Process may already be dead
+      }
+      this.bridge.removeListener('exit', this.handleCrashRecovery);
+      this.bridge.kill();
+      this.started = false;
+    }
+  }
+
+  /**
+   * Update the list of allowed edges that can connect to this hub.
+   */
+  public async updateAllowedEdges(edges: TAllowedEdge[]): Promise<void> {
+    this.savedEdges = edges;
+    await this.bridge.sendCommand('updateAllowedEdges', { edges });
+  }
+
+  /**
+   * Get the current hub status.
+   */
+  public async getStatus() {
+    return this.bridge.sendCommand('getHubStatus', {} as Record<string, never>);
+  }
+
+  /**
+   * Check if the bridge is running.
+   */
+  public get running(): boolean {
+    return this.bridge.running;
+  }
+
+  /**
+   * Handle unexpected Rust binary crash — auto-restart with backoff.
+   */
+  private handleCrashRecovery = async (code: number | null, signal: string | null) => {
+    if (this.stopping || !this.started || !this.savedConfig) {
+      return;
+    }
+
+    console.error(
+      `[RemoteIngressHub] Rust binary crashed (code=${code}, signal=${signal}), ` +
+      `attempt ${this.restartAttempts + 1}/${MAX_RESTART_ATTEMPTS}`
+    );
+
+    this.started = false;
+
+    if (this.restartAttempts >= MAX_RESTART_ATTEMPTS) {
+      console.error('[RemoteIngressHub] Max restart attempts reached, giving up');
+      this.emit('crashRecoveryFailed');
+      return;
+    }
+
+    await new Promise(resolve => setTimeout(resolve, this.restartBackoffMs));
+    this.restartBackoffMs = Math.min(this.restartBackoffMs * 2, MAX_RESTART_BACKOFF_MS);
+    this.restartAttempts++;
+
+    try {
+      const spawned = await this.bridge.spawn();
+      if (!spawned) {
+        console.error('[RemoteIngressHub] Failed to respawn binary');
+        return;
+      }
+
+      this.bridge.on('exit', this.handleCrashRecovery);
+
+      const config = this.savedConfig;
+      await this.bridge.sendCommand('startHub', {
+        tunnelPort: config.tunnelPort ?? 8443,
+        targetHost: config.targetHost ?? '127.0.0.1',
+        ...(config.tls?.certPem && config.tls?.keyPem
+          ? { tlsCertPem: config.tls.certPem, tlsKeyPem: config.tls.keyPem }
+          : {}),
+      });
+
+      // Restore allowed edges
+      if (this.savedEdges.length > 0) {
+        await this.bridge.sendCommand('updateAllowedEdges', { edges: this.savedEdges });
+      }
+
+      this.started = true;
+      this.restartAttempts = 0;
+      this.restartBackoffMs = 1000;
+      console.log('[RemoteIngressHub] Successfully recovered from crash');
+      this.emit('crashRecovered');
+    } catch (err) {
+      console.error(`[RemoteIngressHub] Crash recovery failed: ${err}`);
+    }
+  };
+}

ts/classes.token.ts

@@ -0,0 +1,66 @@
+/**
+ * Connection token utilities for RemoteIngress edge connections.
+ * A token is a base64url-encoded compact JSON object carrying hub connection details.
+ */
+
+export interface IConnectionTokenData {
+  hubHost: string;
+  hubPort: number;
+  edgeId: string;
+  secret: string;
+}
+
+/**
+ * Encode connection data into a single opaque token string (base64url).
+ */
+export function encodeConnectionToken(data: IConnectionTokenData): string {
+  const compact = JSON.stringify({
+    h: data.hubHost,
+    p: data.hubPort,
+    e: data.edgeId,
+    s: data.secret,
+  });
+  // base64url: standard base64 with + → -, / → _, trailing = stripped
+  return Buffer.from(compact, 'utf-8')
+    .toString('base64')
+    .replace(/\+/g, '-')
+    .replace(/\//g, '_')
+    .replace(/=+$/, '');
+}
+
+/**
+ * Decode a connection token back into its constituent fields.
+ * Throws on malformed or incomplete tokens.
+ */
+export function decodeConnectionToken(token: string): IConnectionTokenData {
+  let parsed: { h?: unknown; p?: unknown; e?: unknown; s?: unknown };
+  try {
+    // Restore standard base64 from base64url
+    let base64 = token.replace(/-/g, '+').replace(/_/g, '/');
+    // Re-add padding
+    const remainder = base64.length % 4;
+    if (remainder === 2) base64 += '==';
+    else if (remainder === 3) base64 += '=';
+
+    const json = Buffer.from(base64, 'base64').toString('utf-8');
+    parsed = JSON.parse(json);
+  } catch {
+    throw new Error('Invalid connection token');
+  }
+
+  if (
+    typeof parsed.h !== 'string' ||
+    typeof parsed.p !== 'number' ||
+    typeof parsed.e !== 'string' ||
+    typeof parsed.s !== 'string'
+  ) {
+    throw new Error('Invalid connection token: missing required fields');
+  }
+
+  return {
+    hubHost: parsed.h,
+    hubPort: parsed.p,
+    edgeId: parsed.e,
+    secret: parsed.s,
+  };
+}

ts/connector.private.ts

@@ -1,38 +0,0 @@
-import * as plugins from './plugins.js';
-
-export class ConnectorPrivate {
-  private targetHost: string;
-  private targetPort: number;
-
-  constructor(targetHost: string, targetPort: number = 4000) {
-    this.targetHost = targetHost;
-    this.targetPort = targetPort;
-    this.connectToPublicRemoteConnector();
-  }
-
-  private connectToPublicRemoteConnector(): void {
-    const options = {
-      // Include CA certificate if necessary, for example:
-      // ca: fs.readFileSync('path/to/ca.pem'),
-      rejectUnauthorized: true // Only set this to true if you are sure about the server's certificate
-    };
-
-    const tunnel = plugins.tls.connect(this.targetPort, options, () => {
-      console.log('Connected to PublicRemoteConnector on port 4000');
-    });
-
-    tunnel.on('data', (data: Buffer) => {
-      const targetConnection = plugins.tls.connect({
-        host: this.targetHost,
-        port: this.targetPort,
-        // Include necessary options for the target connection
-      }, () => {
-        targetConnection.write(data);
-      });
-
-      targetConnection.on('data', (backData: Buffer) => {
-        tunnel.write(backData); // Send data back through the tunnel
-      });
-    });
-  }
-}

ts/connector.public.ts

@@ -1,45 +0,0 @@
-import * as plugins from './plugins.js';
-
-class PublicRemoteConnector {
-  private tunnel: plugins.tls.TLSSocket | null = null;
-
-  constructor() {
-    this.createTunnel();
-    this.listenOnPorts();
-  }
-
-  private createTunnel(): void {
-    const options = {
-      key: plugins.fs.readFileSync('path/to/key.pem'),
-      cert: plugins.fs.readFileSync('path/to/cert.pem'),
-    };
-
-    const server = plugins.tls.createServer(options, (socket: plugins.tls.TLSSocket) => {
-      this.tunnel = socket;
-      console.log('Tunnel established with LocalConnector');
-    });
-
-    server.listen(4000, () => {
-      console.log('PublicRemoteConnector listening for tunnel on port 4000');
-    });
-  }
-
-  private listenOnPorts(): void {
-    // Example for port 80, adapt for port 443 similarly
-    // Note: TLS for the initial connection might not apply directly for HTTP/HTTPS traffic without additional setup
-    const options = {
-      key: plugins.fs.readFileSync('path/to/key.pem'),
-      cert: plugins.fs.readFileSync('path/to/cert.pem'),
-    };
-
-    plugins.tls.createServer(options, (socket: plugins.tls.TLSSocket) => {
-      console.log('Received connection, tunneling to LocalConnector');
-      if (this.tunnel) {
-        socket.pipe(this.tunnel).pipe(socket);
-      } else {
-        console.log('Tunnel to LocalConnector not established');
-        socket.end();
-      }
-    }).listen(80); // Repeat this block for any other ports you wish to listen on
-  }
-}

ts/index.ts

@@ -1,14 +1,3 @@
-import * as plugins from './plugins.js';
-
-import { ConnectorPublic } from './connector.public.js';
-import { ConnectorPrivate } from './connector.private.js';
-
-export {
-  ConnectorPublic,
-  ConnectorPrivate
-}
-
-export const runCli = async () => {
-  const qenv = new plugins.qenv.Qenv();
-  const mode = await qenv.getEnvVarOnDemand('MODE');
-}
+export * from './classes.remoteingresshub.js';
+export * from './classes.remoteingressedge.js';
+export * from './classes.token.js';

ts/plugins.ts

@@ -1,15 +1,7 @@
 // node native scope
-import * as tls from 'tls';
-import * as fs from 'fs';
-
-export {
-  tls,
-  fs,
-}
+import * as path from 'path';
+export { path };
 
 // @push.rocks scope
-import * as qenv from '@push.rocks/qenv';
-
-export {
-  qenv,
-}
+import * as smartrust from '@push.rocks/smartrust';
+export { smartrust };