v4.8.11

changelog.md

@@ -1,5 +1,51 @@
 # Changelog
 
+## 2026-03-17 - 4.8.11 - fix(remoteingress-core)
+stop data frame send loops promptly when stream cancellation is triggered
+
+- Use cancellation-aware tokio::select! around data channel sends in both edge and hub stream forwarding paths
+- Prevent stalled or noisy shutdown behavior when stream or client cancellation happens while awaiting frame delivery
+
+## 2026-03-17 - 4.8.10 - fix(remoteingress-core)
+guard tunnel frame sends with cancellation to prevent async send deadlocks
+
+- Wrap OPEN, CLOSE, CLOSE_BACK, WINDOW_UPDATE, and cleanup channel sends in cancellation-aware tokio::select! blocks.
+- Avoid indefinite blocking when tunnel, stream, or writer tasks are cancelled while awaiting channel capacity.
+- Improve shutdown reliability for edge and hub stream handling under tunnel failure conditions.
+
+## 2026-03-17 - 4.8.9 - fix(repo)
+no changes to commit
+
+
+## 2026-03-17 - 4.8.8 - fix(remoteingress-core)
+cancel stale edge connections when an edge reconnects
+
+- Remove any existing edge entry before registering a reconnected edge
+- Trigger the previous connection's cancellation token so stale sessions shut down immediately instead of waiting for TCP keepalive
+
+## 2026-03-17 - 4.8.7 - fix(remoteingress-core)
+perform graceful TLS shutdown on edge and hub tunnel streams
+
+- Send TLS close_notify before cleanup to avoid peer disconnect warnings on both tunnel endpoints
+- Wrap stream shutdown in a 2 second timeout so connection teardown does not block cleanup
+
+## 2026-03-17 - 4.8.6 - fix(remoteingress-core)
+initialize disconnect reason only when set in hub loop break paths
+
+- Replace the default "unknown" disconnect reason with an explicitly assigned string and document that all hub loop exits set it before use
+- Add an allow attribute for unused assignments to avoid warnings around the deferred initialization pattern
+
+## 2026-03-17 - 4.8.5 - fix(repo)
+no changes to commit
+
+
+## 2026-03-17 - 4.8.4 - fix(remoteingress-core)
+prevent stream stalls by guaranteeing flow-control updates and avoiding bounded per-stream channel overflows
+
+- Replace bounded per-stream data channels with unbounded channels on edge and hub, relying on existing WINDOW_UPDATE flow control to limit bytes in flight
+- Use awaited sends for FRAME_WINDOW_UPDATE and FRAME_WINDOW_UPDATE_BACK so updates are not dropped and streams do not deadlock under backpressure
+- Clean up stream state when channel receivers have already exited instead of closing active streams because a bounded queue filled
+
 ## 2026-03-17 - 4.8.3 - fix(protocol,edge)
 optimize tunnel frame handling and zero-copy uploads in edge I/O
 

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@serve.zone/remoteingress",
-  "version": "4.8.3",
+  "version": "4.8.11",
   "private": false,
   "description": "Edge ingress tunnel for DcRouter - accepts incoming TCP connections at network edge and tunnels them to DcRouter SmartProxy preserving client IP via PROXY protocol v1.",
   "main": "dist_ts/index.js",

rust/crates/remoteingress-core/src/edge.rs

@@ -24,8 +24,9 @@ enum EdgeFrameAction {
 
 /// Per-stream state tracked in the edge's client_writers map.
 struct EdgeStreamState {
-    /// Channel to deliver FRAME_DATA_BACK payloads to the hub_to_client task.
+    /// Unbounded channel to deliver FRAME_DATA_BACK payloads to the hub_to_client task.
-    back_tx: mpsc::Sender<Vec<u8>>,
+    /// Unbounded because flow control (WINDOW_UPDATE) already limits bytes-in-flight.
+    back_tx: mpsc::UnboundedSender<Vec<u8>>,
     /// Send window for FRAME_DATA (upload direction).
     /// Decremented by the client reader, incremented by FRAME_WINDOW_UPDATE_BACK from hub.
     send_window: Arc<AtomicU32>,
@@ -300,10 +301,13 @@ async fn handle_edge_frame(
 ) -> EdgeFrameAction {
     match frame.frame_type {
         FRAME_DATA_BACK => {
+            // Dispatch to per-stream unbounded channel. Flow control (WINDOW_UPDATE)
+            // limits bytes-in-flight, so the channel won't grow unbounded. send() only
+            // fails if the receiver is dropped (hub_to_client task already exited).
             let mut writers = client_writers.lock().await;
             if let Some(state) = writers.get(&frame.stream_id) {
-                if state.back_tx.try_send(frame.payload).is_err() {
+                if state.back_tx.send(frame.payload).is_err() {
-                    log::warn!("Stream {} back-channel full, closing", frame.stream_id);
+                    // Receiver dropped — hub_to_client task already exited, clean up
                     writers.remove(&frame.stream_id);
                 }
             }
@@ -583,6 +587,14 @@ async fn connect_to_hub_and_run(
         }
     };
 
+    // Graceful TLS shutdown: send close_notify so the hub sees a clean disconnect
+    // instead of "peer closed connection without sending TLS close_notify".
+    let mut tls_stream = tunnel_io.into_inner();
+    let _ = tokio::time::timeout(
+        Duration::from_secs(2),
+        tls_stream.shutdown(),
+    ).await;
+
     // Cleanup
     connection_token.cancel();
     stun_handle.abort();
@@ -727,12 +739,18 @@ async fn handle_client_connection(
     // Send OPEN frame with PROXY v1 header via control channel
     let proxy_header = build_proxy_v1_header(&client_ip, edge_ip, client_port, dest_port);
     let open_frame = encode_frame(stream_id, FRAME_OPEN, proxy_header.as_bytes());
-    if tunnel_ctrl_tx.send(open_frame).await.is_err() {
+    let send_ok = tokio::select! {
+        result = tunnel_ctrl_tx.send(open_frame) => result.is_ok(),
+        _ = client_token.cancelled() => false,
+    };
+    if !send_ok {
         return;
     }
 
-    // Set up channel for data coming back from hub (capacity 16 is sufficient with flow control)
+    // Per-stream unbounded back-channel. Flow control (WINDOW_UPDATE) limits
-    let (back_tx, mut back_rx) = mpsc::channel::<Vec<u8>>(1024);
+    // bytes-in-flight, so this won't grow unbounded. Unbounded avoids killing
+    // streams due to channel overflow — backpressure slows streams, never kills them.
+    let (back_tx, mut back_rx) = mpsc::unbounded_channel::<Vec<u8>>();
     // Adaptive initial window: scale with current stream count to keep total in-flight
     // data within the 32MB budget. Prevents burst flooding when many streams open.
     let initial_window = remoteingress_protocol::compute_window_for_stream_count(
@@ -779,10 +797,16 @@ async fn handle_client_connection(
                             if consumed_since_update >= threshold {
                                 let increment = consumed_since_update.min(adaptive_window);
                                 let frame = encode_window_update(stream_id, FRAME_WINDOW_UPDATE, increment);
-                                if wu_tx.try_send(frame).is_ok() {
+                                // Use send().await for guaranteed delivery — dropping WINDOW_UPDATEs
-                                    consumed_since_update -= increment;
+                                // causes permanent flow stalls. Safe: runs in per-stream task, not main loop.
+                                tokio::select! {
+                                    result = wu_tx.send(frame) => {
+                                        if result.is_ok() {
+                                            consumed_since_update -= increment;
+                                        }
+                                    }
+                                    _ = hub_to_client_token.cancelled() => break,
                                 }
-                                // If try_send fails, keep accumulating — retry on next threshold
                             }
                         }
                         None => break,
@@ -794,7 +818,10 @@ async fn handle_client_connection(
         // Send final window update for any remaining consumed bytes
         if consumed_since_update > 0 {
             let frame = encode_window_update(stream_id, FRAME_WINDOW_UPDATE, consumed_since_update);
-            let _ = wu_tx.try_send(frame);
+            tokio::select! {
+                _ = wu_tx.send(frame) => {}
+                _ = hub_to_client_token.cancelled() => {}
+            }
         }
         let _ = client_write.shutdown().await;
     });
@@ -846,10 +873,11 @@ async fn handle_client_connection(
                         send_window.fetch_sub(n as u32, Ordering::Release);
                         encode_frame_header(&mut buf, stream_id, FRAME_DATA, n);
                         let data_frame = buf[..FRAME_HEADER_SIZE + n].to_vec();
-                        if tunnel_data_tx.send(data_frame).await.is_err() {
+                        let sent = tokio::select! {
-                            log::warn!("Stream {} data channel closed, closing", stream_id);
+                            result = tunnel_data_tx.send(data_frame) => result.is_ok(),
-                            break;
+                            _ = client_token.cancelled() => false,
-                        }
+                        };
+                        if !sent { break; }
                     }
                     Err(_) => break,
                 }
@@ -870,9 +898,13 @@ async fn handle_client_connection(
     ).await;
 
     // NOW send CLOSE — the response has been fully delivered (or timed out).
+    // select! with cancellation guard prevents indefinite blocking if tunnel dies.
     if !client_token.is_cancelled() {
         let close_frame = encode_frame(stream_id, FRAME_CLOSE, &[]);
-        let _ = tunnel_data_tx.send(close_frame).await;
+        tokio::select! {
+            _ = tunnel_data_tx.send(close_frame) => {}
+            _ = client_token.cancelled() => {}
+        }
     }
 
     // Clean up

rust/crates/remoteingress-core/src/hub.rs

@@ -14,10 +14,6 @@ use remoteingress_protocol::*;
 
 type HubTlsStream = tokio_rustls::server::TlsStream<TcpStream>;
 
-/// Per-stream data channel capacity. With 4MB window and 32KB frames,
-/// at most ~128 frames are in-flight. 256 provides comfortable headroom.
-const PER_STREAM_DATA_CAPACITY: usize = 256;
-
 /// Result of processing a frame.
 #[allow(dead_code)]
 enum FrameAction {
@@ -27,8 +23,10 @@ enum FrameAction {
 
 /// Per-stream state tracked in the hub's stream map.
 struct HubStreamState {
-    /// Channel to deliver FRAME_DATA payloads to the upstream writer task.
+    /// Unbounded channel to deliver FRAME_DATA payloads to the upstream writer task.
-    data_tx: mpsc::Sender<Vec<u8>>,
+    /// Unbounded because flow control (WINDOW_UPDATE) already limits bytes-in-flight.
+    /// A bounded channel would kill streams instead of applying backpressure.
+    data_tx: mpsc::UnboundedSender<Vec<u8>>,
     /// Cancellation token for this stream.
     cancel_token: CancellationToken,
     /// Send window for FRAME_DATA_BACK (download direction).
@@ -138,7 +136,7 @@ struct ConnectedEdgeInfo {
     peer_addr: String,
     edge_stream_count: Arc<AtomicU32>,
     config_tx: mpsc::Sender<EdgeConfigUpdate>,
-    #[allow(dead_code)] // kept alive for Drop — cancels child tokens when edge is removed
+    /// Used to cancel the old connection when an edge reconnects.
     cancel_token: CancellationToken,
 }
 
@@ -348,7 +346,7 @@ async fn handle_hub_frame(
             });
 
             // Create channel for data from edge to this stream
-            let (stream_data_tx, mut stream_data_rx) = mpsc::channel::<Vec<u8>>(PER_STREAM_DATA_CAPACITY);
+            let (stream_data_tx, mut stream_data_rx) = mpsc::unbounded_channel::<Vec<u8>>();
             // Adaptive initial window: scale with current stream count
             // to keep total in-flight data within the 32MB budget.
             let initial_window = compute_window_for_stream_count(
@@ -426,10 +424,16 @@ async fn handle_hub_frame(
                                             if consumed_since_update >= threshold {
                                                 let increment = consumed_since_update.min(adaptive_window);
                                                 let frame = encode_window_update(stream_id, FRAME_WINDOW_UPDATE_BACK, increment);
-                                                if wub_tx.try_send(frame).is_ok() {
+                                                // Use send().await for guaranteed delivery — dropping WINDOW_UPDATEs
-                                                    consumed_since_update -= increment;
+                                                // causes permanent flow stalls. Safe: runs in per-stream task, not main loop.
+                                                tokio::select! {
+                                                    result = wub_tx.send(frame) => {
+                                                        if result.is_ok() {
+                                                            consumed_since_update -= increment;
+                                                        }
+                                                    }
+                                                    _ = writer_token.cancelled() => break,
                                                 }
-                                                // If try_send fails, keep accumulating — retry on next threshold
                                             }
                                         }
                                         None => break,
@@ -441,7 +445,10 @@ async fn handle_hub_frame(
                         // Send final window update for remaining consumed bytes
                         if consumed_since_update > 0 {
                             let frame = encode_window_update(stream_id, FRAME_WINDOW_UPDATE_BACK, consumed_since_update);
-                            let _ = wub_tx.try_send(frame);
+                            tokio::select! {
+                                _ = wub_tx.send(frame) => {}
+                                _ = writer_token.cancelled() => {}
+                            }
                         }
                         let _ = up_write.shutdown().await;
                     });
@@ -494,10 +501,11 @@ async fn handle_hub_frame(
                                         send_window.fetch_sub(n as u32, Ordering::Release);
                                         encode_frame_header(&mut buf, stream_id, FRAME_DATA_BACK, n);
                                         let frame = buf[..FRAME_HEADER_SIZE + n].to_vec();
-                                        if data_writer_tx.send(frame).await.is_err() {
+                                        let sent = tokio::select! {
-                                            log::warn!("Stream {} data channel closed, closing", stream_id);
+                                            result = data_writer_tx.send(frame) => result.is_ok(),
-                                            break;
+                                            _ = stream_token.cancelled() => false,
-                                        }
+                                        };
+                                        if !sent { break; }
                                     }
                                     Err(_) => break,
                                 }
@@ -507,10 +515,13 @@ async fn handle_hub_frame(
                     }
 
                     // Send CLOSE_BACK via DATA channel (must arrive AFTER last DATA_BACK).
-                    // Use send().await to guarantee delivery (try_send silently drops if full).
+                    // select! with cancellation guard prevents indefinite blocking if tunnel dies.
                     if !stream_token.is_cancelled() {
                         let close_frame = encode_frame(stream_id, FRAME_CLOSE_BACK, &[]);
-                        let _ = data_writer_tx.send(close_frame).await;
+                        tokio::select! {
+                            _ = data_writer_tx.send(close_frame) => {}
+                            _ = stream_token.cancelled() => {}
+                        }
                     }
 
                     writer_for_edge_data.abort();
@@ -521,27 +532,32 @@ async fn handle_hub_frame(
                 if let Err(e) = result {
                     log::error!("Stream {} error: {}", stream_id, e);
                     // Send CLOSE_BACK via DATA channel on error (must arrive after any DATA_BACK).
-                    // Use send().await to guarantee delivery.
                     if !stream_token.is_cancelled() {
                         let close_frame = encode_frame(stream_id, FRAME_CLOSE_BACK, &[]);
-                        let _ = data_writer_tx.send(close_frame).await;
+                        tokio::select! {
+                            _ = data_writer_tx.send(close_frame) => {}
+                            _ = stream_token.cancelled() => {}
+                        }
                     }
                 }
 
-                // Signal main loop to remove stream from the map
+                // Signal main loop to remove stream from the map.
-                let _ = cleanup.send(stream_id).await;
+                // Cancellation guard prevents indefinite blocking if cleanup channel is full.
+                tokio::select! {
+                    _ = cleanup.send(stream_id) => {}
+                    _ = stream_token.cancelled() => {}
+                }
                 stream_counter.fetch_sub(1, Ordering::Relaxed);
             });
         }
         FRAME_DATA => {
-            // Non-blocking dispatch to per-stream channel.
+            // Dispatch to per-stream unbounded channel. Flow control (WINDOW_UPDATE)
-            // With flow control, the sender should rarely exceed the channel capacity.
+            // limits bytes-in-flight, so the channel won't grow unbounded. send() only
+            // fails if the receiver is dropped (stream handler already exited).
             if let Some(state) = streams.get(&frame.stream_id) {
-                if state.data_tx.try_send(frame.payload).is_err() {
+                if state.data_tx.send(frame.payload).is_err() {
-                    log::warn!("Stream {} data channel full, closing stream", frame.stream_id);
+                    // Receiver dropped — stream handler already exited, clean up
-                    if let Some(state) = streams.remove(&frame.stream_id) {
+                    streams.remove(&frame.stream_id);
-                        state.cancel_token.cancel();
-                    }
                 }
             }
         }
@@ -674,6 +690,13 @@ async fn handle_edge_connection(
 
     {
         let mut edges = connected.lock().await;
+        // If this edge already has an active connection (reconnect scenario),
+        // cancel the old connection so it shuts down immediately instead of
+        // lingering until TCP keepalive detects the dead socket.
+        if let Some(old) = edges.remove(&edge_id) {
+            log::info!("Edge {} reconnected, cancelling old connection", edge_id);
+            old.cancel_token.cancel();
+        }
         edges.insert(
             edge_id.clone(),
             ConnectedEdgeInfo {
@@ -732,7 +755,9 @@ async fn handle_edge_connection(
     // Single-owner I/O engine — no tokio::io::split, no mutex
     let mut tunnel_io = remoteingress_protocol::TunnelIo::new(tls_stream, Vec::new());
 
-    let mut disconnect_reason = "unknown".to_string();
+    // Assigned in every break path of the hub_loop before use at the end.
+    #[allow(unused_assignments)]
+    let mut disconnect_reason = String::new();
 
     'hub_loop: loop {
         // Drain completed stream cleanups from spawned tasks
@@ -819,6 +844,14 @@ async fn handle_edge_connection(
         }
     }
 
+    // Graceful TLS shutdown: send close_notify so the edge sees a clean disconnect
+    // instead of "peer closed connection without sending TLS close_notify".
+    let mut tls_stream = tunnel_io.into_inner();
+    let _ = tokio::time::timeout(
+        Duration::from_secs(2),
+        tls_stream.shutdown(),
+    ).await;
+
     // Cleanup: cancel edge token to propagate to all child tasks
     edge_token.cancel();
     config_handle.abort();

ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@serve.zone/remoteingress',
-  version: '4.8.3',
+  version: '4.8.11',
   description: 'Edge ingress tunnel for DcRouter - accepts incoming TCP connections at network edge and tunnels them to DcRouter SmartProxy preserving client IP via PROXY protocol v1.'
 }