npm - @push.rocks/smartproxy - Versions diffs - 21.1.7 → 22.6.0 - Mend

@push.rocks/smartproxy 21.1.7 → 22.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (155) hide show

package/ts/proxies/smart-proxy/smart-proxy.ts CHANGED Viewed

@@ -1,942 +1,424 @@
 import * as plugins from '../../plugins.js';
 import { logger } from '../../core/utils/logger.js';
-import { connectionLogDeduplicator } from '../../core/utils/log-deduplicator.js';
-// Importing required components
-import { ConnectionManager } from './connection-manager.js';
-import { SecurityManager } from './security-manager.js';
-import { TlsManager } from './tls-manager.js';
-import { HttpProxyBridge } from './http-proxy-bridge.js';
-import { TimeoutManager } from './timeout-manager.js';
-import { PortManager } from './port-manager.js';
-import { SharedRouteManager as RouteManager } from '../../core/routing/route-manager.js';
-import { RouteConnectionHandler } from './route-connection-handler.js';
-import { NFTablesManager } from './nftables-manager.js';
-// Certificate manager
-import { SmartCertManager, type ICertStatus } from './certificate-manager.js';
-// Import types and utilities
-import type {
-  ISmartProxyOptions
-} from './models/interfaces.js';
-import type { IRouteConfig } from './models/route-types.js';
-// Import mutex for route update synchronization
-import { Mutex } from './utils/mutex.js';
+// Rust bridge and helpers
+import { RustProxyBridge } from './rust-proxy-bridge.js';
+import { RustBinaryLocator } from './rust-binary-locator.js';
+import { RoutePreprocessor } from './route-preprocessor.js';
+import { SocketHandlerServer } from './socket-handler-server.js';
+import { RustMetricsAdapter } from './rust-metrics-adapter.js';
-// Import route validator
+// Route management
+import { SharedRouteManager as RouteManager } from '../../core/routing/route-manager.js';
 import { RouteValidator } from './utils/route-validator.js';
+import { Mutex } from './utils/mutex.js';
-// Import route orchestrator for route management
-import { RouteOrchestrator } from './route-orchestrator.js';
-// Import ACME state manager
-import { AcmeStateManager } from './acme-state-manager.js';
-// Import metrics collector
-import { MetricsCollector } from './metrics-collector.js';
+// Types
+import type { ISmartProxyOptions, TSmartProxyCertProvisionObject } from './models/interfaces.js';
+import type { IRouteConfig } from './models/route-types.js';
 import type { IMetrics } from './models/metrics-types.js';
 /**
- * SmartProxy - Pure route-based API
- *
- * SmartProxy is a unified proxy system that works with routes to define connection handling behavior.
- * Each route contains matching criteria (ports, domains, etc.) and an action to take (forward, redirect, block).
+ * SmartProxy - Rust-backed proxy engine with TypeScript configuration API.
  *
- * Configuration is provided through a set of routes, with each route defining:
- * - What to match (ports, domains, paths, client IPs)
- * - What to do with matching traffic (forward, redirect, block)
- * - How to handle TLS (passthrough, terminate, terminate-and-reencrypt)
- * - Security settings (IP restrictions, connection limits)
- * - Advanced options (timeout, headers, etc.)
+ * All networking (TCP, TLS, HTTP reverse proxy, connection management, security,
+ * NFTables) is handled by the Rust binary. TypeScript is only:
+ * - The npm module interface (types, route helpers)
+ * - The thin IPC wrapper (this class)
+ * - Socket-handler callback relay (for JS-defined handlers)
+ * - Certificate provisioning callbacks (certProvisionFunction)
  */
 export class SmartProxy extends plugins.EventEmitter {
-  // Port manager handles dynamic listener management
-  private portManager: PortManager;
-  private connectionLogger: NodeJS.Timeout | null = null;
-  private isShuttingDown: boolean = false;
-  // Component managers
-  public connectionManager: ConnectionManager;
-  public securityManager: SecurityManager;
-  public tlsManager: TlsManager;
-  public httpProxyBridge: HttpProxyBridge;
-  public timeoutManager: TimeoutManager;
+  public settings: ISmartProxyOptions;
   public routeManager: RouteManager;
-  public routeConnectionHandler: RouteConnectionHandler;
-  public nftablesManager: NFTablesManager;
-  // Certificate manager for ACME and static certificates
-  public certManager: SmartCertManager | null = null;
-  // Global challenge route tracking
-  private globalChallengeRouteActive: boolean = false;
+  private bridge: RustProxyBridge;
+  private preprocessor: RoutePreprocessor;
+  private socketHandlerServer: SocketHandlerServer | null = null;
+  private metricsAdapter: RustMetricsAdapter;
   private routeUpdateLock: Mutex;
-  public acmeStateManager: AcmeStateManager;
-  // Metrics collector
-  public metricsCollector: MetricsCollector;
-  // Route orchestrator for managing route updates
-  private routeOrchestrator: RouteOrchestrator;
-  // Track port usage across route updates
-  private portUsageMap: Map<number, Set<string>> = new Map();
-  /**
-   * Constructor for SmartProxy
-   *
-   * @param settingsArg Configuration options containing routes and other settings
-   * Routes define how traffic is matched and handled, with each route having:
-   * - match: criteria for matching traffic (ports, domains, paths, IPs)
-   * - action: what to do with matched traffic (forward, redirect, block)
-   *
-   * Example:
-   * ```ts
-   * const proxy = new SmartProxy({
-   *   routes: [
-   *     {
-   *       match: {
-   *         ports: 443,
-   *         domains: ['example.com', '*.example.com']
-   *       },
-   *       action: {
-   *         type: 'forward',
-   *         target: { host: '10.0.0.1', port: 8443 },
-   *         tls: { mode: 'passthrough' }
-   *       }
-   *     }
-   *   ],
-   *   defaults: {
-   *     target: { host: 'localhost', port: 8080 },
-   *     security: { ipAllowList: ['*'] }
-   *   }
-   * });
-   * ```
-   */
+  private stopping = false;
   constructor(settingsArg: ISmartProxyOptions) {
     super();
-    // Set reasonable defaults for all settings
+    // Apply defaults
     this.settings = {
       ...settingsArg,
       initialDataTimeout: settingsArg.initialDataTimeout || 120000,
       socketTimeout: settingsArg.socketTimeout || 3600000,
-      inactivityCheckInterval: settingsArg.inactivityCheckInterval || 60000,
       maxConnectionLifetime: settingsArg.maxConnectionLifetime || 86400000,
       inactivityTimeout: settingsArg.inactivityTimeout || 14400000,
       gracefulShutdownTimeout: settingsArg.gracefulShutdownTimeout || 30000,
-      noDelay: settingsArg.noDelay !== undefined ? settingsArg.noDelay : true,
-      keepAlive: settingsArg.keepAlive !== undefined ? settingsArg.keepAlive : true,
-      keepAliveInitialDelay: settingsArg.keepAliveInitialDelay || 10000,
-      maxPendingDataSize: settingsArg.maxPendingDataSize || 10 * 1024 * 1024,
-      disableInactivityCheck: settingsArg.disableInactivityCheck || false,
-      enableKeepAliveProbes:
-        settingsArg.enableKeepAliveProbes !== undefined ? settingsArg.enableKeepAliveProbes : true,
-      enableDetailedLogging: settingsArg.enableDetailedLogging || false,
-      enableTlsDebugLogging: settingsArg.enableTlsDebugLogging || false,
-      enableRandomizedTimeouts: settingsArg.enableRandomizedTimeouts || false,
-      allowSessionTicket:
-        settingsArg.allowSessionTicket !== undefined ? settingsArg.allowSessionTicket : true,
       maxConnectionsPerIP: settingsArg.maxConnectionsPerIP || 100,
       connectionRateLimitPerMinute: settingsArg.connectionRateLimitPerMinute || 300,
       keepAliveTreatment: settingsArg.keepAliveTreatment || 'extended',
       keepAliveInactivityMultiplier: settingsArg.keepAliveInactivityMultiplier || 6,
       extendedKeepAliveLifetime: settingsArg.extendedKeepAliveLifetime || 7 * 24 * 60 * 60 * 1000,
-      httpProxyPort: settingsArg.httpProxyPort || 8443,
     };
-    // Normalize ACME options if provided (support both email and accountEmail)
+    // Normalize ACME options
     if (this.settings.acme) {
-      // Support both 'email' and 'accountEmail' fields
       if (this.settings.acme.accountEmail && !this.settings.acme.email) {
         this.settings.acme.email = this.settings.acme.accountEmail;
       }
-      // Set reasonable defaults for commonly used fields
       this.settings.acme = {
-        enabled: this.settings.acme.enabled !== false, // Enable by default if acme object exists
+        enabled: this.settings.acme.enabled !== false,
         port: this.settings.acme.port || 80,
         email: this.settings.acme.email,
         useProduction: this.settings.acme.useProduction || false,
         renewThresholdDays: this.settings.acme.renewThresholdDays || 30,
-        autoRenew: this.settings.acme.autoRenew !== false, // Enable by default
+        autoRenew: this.settings.acme.autoRenew !== false,
         certificateStore: this.settings.acme.certificateStore || './certs',
         skipConfiguredCerts: this.settings.acme.skipConfiguredCerts || false,
         renewCheckIntervalHours: this.settings.acme.renewCheckIntervalHours || 24,
         routeForwards: this.settings.acme.routeForwards || [],
-        ...this.settings.acme // Preserve any additional fields
+        ...this.settings.acme,
       };
     }
-    // Initialize component managers
-    this.timeoutManager = new TimeoutManager(this);
-    this.securityManager = new SecurityManager(this);
-    this.connectionManager = new ConnectionManager(this);
-    // Create the route manager with SharedRouteManager API
-    // Create a logger adapter to match ILogger interface
-    const loggerAdapter = {
-      debug: (message: string, data?: any) => logger.log('debug', message, data),
-      info: (message: string, data?: any) => logger.log('info', message, data),
-      warn: (message: string, data?: any) => logger.log('warn', message, data),
-      error: (message: string, data?: any) => logger.log('error', message, data)
-    };
-    // Validate initial routes
-    if (this.settings.routes && this.settings.routes.length > 0) {
+    // Validate routes
+    if (this.settings.routes?.length) {
       const validation = RouteValidator.validateRoutes(this.settings.routes);
       if (!validation.valid) {
         RouteValidator.logValidationErrors(validation.errors);
         throw new Error(`Initial route validation failed: ${validation.errors.size} route(s) have errors`);
       }
     }
+    // Create logger adapter
+    const loggerAdapter = {
+      debug: (message: string, data?: any) => logger.log('debug', message, data),
+      info: (message: string, data?: any) => logger.log('info', message, data),
+      warn: (message: string, data?: any) => logger.log('warn', message, data),
+      error: (message: string, data?: any) => logger.log('error', message, data),
+    };
+    // Initialize components
     this.routeManager = new RouteManager({
       logger: loggerAdapter,
       enableDetailedLogging: this.settings.enableDetailedLogging,
-      routes: this.settings.routes
+      routes: this.settings.routes,
     });
-    // Create other required components
-    this.tlsManager = new TlsManager(this);
-    this.httpProxyBridge = new HttpProxyBridge(this);
-    // Initialize connection handler with route support
-    this.routeConnectionHandler = new RouteConnectionHandler(this);
-    // Initialize port manager
-    this.portManager = new PortManager(this);
-    // Initialize NFTablesManager
-    this.nftablesManager = new NFTablesManager(this);
-    // Initialize route update mutex for synchronization
-    this.routeUpdateLock = new Mutex();
-    // Initialize ACME state manager
-    this.acmeStateManager = new AcmeStateManager();
-    // Initialize metrics collector with reference to this SmartProxy instance
-    this.metricsCollector = new MetricsCollector(this, {
-      sampleIntervalMs: this.settings.metrics?.sampleIntervalMs,
-      retentionSeconds: this.settings.metrics?.retentionSeconds
-    });
-    // Initialize route orchestrator for managing route updates
-    this.routeOrchestrator = new RouteOrchestrator(
-      this.portManager,
-      this.routeManager,
-      this.httpProxyBridge,
-      this.nftablesManager,
-      null, // certManager will be set later
-      loggerAdapter
+    this.bridge = new RustProxyBridge();
+    this.preprocessor = new RoutePreprocessor();
+    this.metricsAdapter = new RustMetricsAdapter(
+      this.bridge,
+      this.settings.metrics?.sampleIntervalMs ?? 1000
     );
-  }
-  /**
-   * The settings for the SmartProxy
-   */
-  public settings: ISmartProxyOptions;
-  /**
-   * Helper method to create and configure certificate manager
-   * This ensures consistent setup including the required ACME callback
-   */
-  private async createCertificateManager(
-    routes: IRouteConfig[],
-    certStore: string = './certs',
-    acmeOptions?: any,
-    initialState?: { challengeRouteActive?: boolean }
-  ): Promise<SmartCertManager> {
-    const certManager = new SmartCertManager(routes, certStore, acmeOptions, initialState);
-    // Always set up the route update callback for ACME challenges
-    certManager.setUpdateRoutesCallback(async (routes) => {
-      await this.updateRoutes(routes);
-    });
-    // Connect with HttpProxy if available
-    if (this.httpProxyBridge.getHttpProxy()) {
-      certManager.setHttpProxy(this.httpProxyBridge.getHttpProxy());
-    }
-    // Set the ACME state manager
-    certManager.setAcmeStateManager(this.acmeStateManager);
-    // Pass down the global ACME config if available
-    if (this.settings.acme) {
-      certManager.setGlobalAcmeDefaults(this.settings.acme);
-    }
-    // Pass down the custom certificate provision function if available
-    if (this.settings.certProvisionFunction) {
-      certManager.setCertProvisionFunction(this.settings.certProvisionFunction);
-    }
-    // Pass down the fallback to ACME setting
-    if (this.settings.certProvisionFallbackToAcme !== undefined) {
-      certManager.setCertProvisionFallbackToAcme(this.settings.certProvisionFallbackToAcme);
-    }
-    await certManager.initialize();
-    return certManager;
+    this.routeUpdateLock = new Mutex();
   }
   /**
-   * Initialize certificate manager
+   * Start the proxy.
+   * Spawns the Rust binary, configures socket relay if needed, sends routes, handles cert provisioning.
    */
-  private async initializeCertificateManager(): Promise<void> {
-    // Extract global ACME options if any routes use auto certificates
-    const autoRoutes = this.settings.routes.filter(r =>
-      r.action.tls?.certificate === 'auto'
-    );
-    if (autoRoutes.length === 0 && !this.hasStaticCertRoutes()) {
-      logger.log('info', 'No routes require certificate management', { component: 'certificate-manager' });
-      return;
-    }
-    // Prepare ACME options with priority:
-    // 1. Use top-level ACME config if available
-    // 2. Fall back to first auto route's ACME config
-    // 3. Otherwise use undefined
-    let acmeOptions: { email?: string; useProduction?: boolean; port?: number } | undefined;
-    if (this.settings.acme?.email) {
-      // Use top-level ACME config
-      acmeOptions = {
-        email: this.settings.acme.email,
-        useProduction: this.settings.acme.useProduction || false,
-        port: this.settings.acme.port || 80
-      };
-      logger.log('info', `Using top-level ACME configuration with email: ${acmeOptions.email}`, { component: 'certificate-manager' });
-    } else if (autoRoutes.length > 0) {
-      // Check for route-level ACME config
-      const routeWithAcme = autoRoutes.find(r => r.action.tls?.acme?.email);
-      if (routeWithAcme?.action.tls?.acme) {
-        const routeAcme = routeWithAcme.action.tls.acme;
-        acmeOptions = {
-          email: routeAcme.email,
-          useProduction: routeAcme.useProduction || false,
-          port: routeAcme.challengePort || 80
-        };
-        logger.log('info', `Using route-level ACME configuration from route '${routeWithAcme.name}' with email: ${acmeOptions.email}`, { component: 'certificate-manager' });
-      }
-    }
-    // Validate we have required configuration
-    if (autoRoutes.length > 0 && !acmeOptions?.email) {
+  public async start(): Promise<void> {
+    // Spawn Rust binary
+    const spawned = await this.bridge.spawn();
+    if (!spawned) {
       throw new Error(
-        'ACME email is required for automatic certificate provisioning. ' +
-        'Please provide email in either:\n' +
-        '1. Top-level "acme" configuration\n' +
-        '2. Individual route\'s "tls.acme" configuration'
+        'RustProxy binary not found. Set SMARTPROXY_RUST_BINARY env var, install the platform package, ' +
+        'or build locally with: cd rust && cargo build --release'
       );
     }
-    // Use the helper method to create and configure the certificate manager
-    this.certManager = await this.createCertificateManager(
-      this.settings.routes,
-      this.settings.acme?.certificateStore || './certs',
-      acmeOptions
-    );
-  }
-  /**
-   * Check if we have routes with static certificates
-   */
-  private hasStaticCertRoutes(): boolean {
-    return this.settings.routes.some(r =>
-      r.action.tls?.certificate &&
-      r.action.tls.certificate !== 'auto'
-    );
-  }
-  /**
-   * Start the proxy server with support for both configuration types
-   */
-  public async start() {
-    // Don't start if already shutting down
-    if (this.isShuttingDown) {
-      logger.log('warn', "Cannot start SmartProxy while it's in the shutdown process");
-      return;
-    }
-    // Validate the route configuration
-    const configWarnings = this.routeManager.validateConfiguration();
-    // Also validate ACME configuration
-    const acmeWarnings = this.validateAcmeConfiguration();
-    const allWarnings = [...configWarnings, ...acmeWarnings];
-    if (allWarnings.length > 0) {
-      logger.log('warn', `${allWarnings.length} configuration warnings found`, { count: allWarnings.length });
-      for (const warning of allWarnings) {
-        logger.log('warn', `${warning}`);
-      }
-    }
-    // Get listening ports from RouteManager
-    const listeningPorts = this.routeManager.getListeningPorts();
-    // Initialize port usage tracking using RouteOrchestrator
-    this.portUsageMap = this.routeOrchestrator.updatePortUsageMap(this.settings.routes);
-    // Log port usage for startup
-    logger.log('info', `SmartProxy starting with ${listeningPorts.length} ports: ${listeningPorts.join(', ')}`, {
-      portCount: listeningPorts.length,
-      ports: listeningPorts,
-      component: 'smart-proxy'
+    // Handle unexpected exit (only emits error if not intentionally stopping)
+    this.bridge.on('exit', (code: number | null, signal: string | null) => {
+      if (this.stopping) return;
+      logger.log('error', `RustProxy exited unexpectedly (code=${code}, signal=${signal})`, { component: 'smart-proxy' });
+      this.emit('error', new Error(`RustProxy exited (code=${code}, signal=${signal})`));
     });
-    // Provision NFTables rules for routes that use NFTables
-    for (const route of this.settings.routes) {
-      if (route.action.forwardingEngine === 'nftables') {
-        await this.nftablesManager.provisionRoute(route);
-      }
-    }
+    // Check if any routes need TS-side handling (socket handlers, dynamic functions)
+    const hasHandlerRoutes = this.settings.routes.some(
+      (r) =>
+        (r.action.type === 'socket-handler' && r.action.socketHandler) ||
+        r.action.targets?.some((t) => typeof t.host === 'function' || typeof t.port === 'function')
+    );
-    // Initialize and start HttpProxy if needed - before port binding
-    if (this.settings.useHttpProxy && this.settings.useHttpProxy.length > 0) {
-      await this.httpProxyBridge.initialize();
-      await this.httpProxyBridge.start();
+    // Start socket handler relay server (but don't tell Rust yet - proxy not started)
+    if (hasHandlerRoutes) {
+      this.socketHandlerServer = new SocketHandlerServer(this.preprocessor);
+      await this.socketHandlerServer.start();
     }
-    // Start port listeners using the PortManager BEFORE initializing certificate manager
-    // This ensures all required ports are bound and ready when adding ACME challenge routes
-    await this.portManager.addPorts(listeningPorts);
-    // Initialize certificate manager AFTER port binding is complete
-    // This ensures the ACME challenge port is already bound and ready when needed
-    await this.initializeCertificateManager();
-    // Connect certificate manager with HttpProxy if both are available
-    if (this.certManager && this.httpProxyBridge.getHttpProxy()) {
-      this.certManager.setHttpProxy(this.httpProxyBridge.getHttpProxy());
-    }
+    // Preprocess routes (strip JS functions, convert socket-handler routes)
+    const rustRoutes = this.preprocessor.preprocessForRust(this.settings.routes);
-    // Now that ports are listening, provision any required certificates
-    if (this.certManager) {
-      logger.log('info', 'Starting certificate provisioning now that ports are ready', { component: 'certificate-manager' });
-      await this.certManager.provisionAllCertificates();
-    }
-    // Start the metrics collector now that all components are initialized
-    this.metricsCollector.start();
-    // Set up periodic connection logging and inactivity checks
-    this.connectionLogger = setInterval(() => {
-      // Immediately return if shutting down
-      if (this.isShuttingDown) return;
-      // Perform inactivity check
-      this.connectionManager.performInactivityCheck();
-      // Log connection statistics
-      const now = Date.now();
-      let maxIncoming = 0;
-      let maxOutgoing = 0;
-      let tlsConnections = 0;
-      let nonTlsConnections = 0;
-      let completedTlsHandshakes = 0;
-      let pendingTlsHandshakes = 0;
-      let keepAliveConnections = 0;
-      let httpProxyConnections = 0;
-      // Get connection records for analysis
-      const connectionRecords = this.connectionManager.getConnections();
-      // Analyze active connections
-      for (const record of connectionRecords.values()) {
-        // Track connection stats
-        if (record.isTLS) {
-          tlsConnections++;
-          if (record.tlsHandshakeComplete) {
-            completedTlsHandshakes++;
-          } else {
-            pendingTlsHandshakes++;
-          }
-        } else {
-          nonTlsConnections++;
-        }
+    // Build Rust config
+    const config = this.buildRustConfig(rustRoutes);
-        if (record.hasKeepAlive) {
-          keepAliveConnections++;
-        }
+    // Start the Rust proxy
+    await this.bridge.startProxy(config);
-        if (record.usingNetworkProxy) {
-          httpProxyConnections++;
-        }
+    // Now that Rust proxy is running, configure socket handler relay
+    if (this.socketHandlerServer) {
+      await this.bridge.setSocketHandlerRelay(this.socketHandlerServer.getSocketPath());
+    }
-        maxIncoming = Math.max(maxIncoming, now - record.incomingStartTime);
-        if (record.outgoingStartTime) {
-          maxOutgoing = Math.max(maxOutgoing, now - record.outgoingStartTime);
-        }
-      }
+    // Handle certProvisionFunction
+    await this.provisionCertificatesViaCallback();
-      // Get termination stats
-      const terminationStats = this.connectionManager.getTerminationStats();
-      // Log detailed stats
-      logger.log('info', 'Connection statistics', {
-        activeConnections: connectionRecords.size,
-        tls: {
-          total: tlsConnections,
-          completed: completedTlsHandshakes,
-          pending: pendingTlsHandshakes
-        },
-        nonTls: nonTlsConnections,
-        keepAlive: keepAliveConnections,
-        httpProxy: httpProxyConnections,
-        longestRunning: {
-          incoming: plugins.prettyMs(maxIncoming),
-          outgoing: plugins.prettyMs(maxOutgoing)
-        },
-        terminationStats: {
-          incoming: terminationStats.incoming,
-          outgoing: terminationStats.outgoing
-        },
-        component: 'connection-manager'
-      });
-    }, this.settings.inactivityCheckInterval || 60000);
-    // Make sure the interval doesn't keep the process alive
-    if (this.connectionLogger.unref) {
-      this.connectionLogger.unref();
-    }
-  }
-  /**
-   * Extract domain configurations from routes for certificate provisioning
-   *
-   * Note: This method has been removed as we now work directly with routes
-   */
-  /**
-   * Stop the proxy server
-   */
-  public async stop() {
-    logger.log('info', 'SmartProxy shutting down...');
-    this.isShuttingDown = true;
-    this.portManager.setShuttingDown(true);
-    // Stop certificate manager
-    if (this.certManager) {
-      await this.certManager.stop();
-      logger.log('info', 'Certificate manager stopped');
-    }
-    // Stop NFTablesManager
-    await this.nftablesManager.stop();
-    logger.log('info', 'NFTablesManager stopped');
-    // Stop the connection logger
-    if (this.connectionLogger) {
-      clearInterval(this.connectionLogger);
-      this.connectionLogger = null;
-    }
+    // Start metrics polling
+    this.metricsAdapter.startPolling();
-    // Stop all port listeners
-    await this.portManager.closeAll();
-    logger.log('info', 'All servers closed. Cleaning up active connections...');
-    // Clean up all active connections
-    await this.connectionManager.clearConnections();
-    // Stop HttpProxy
-    await this.httpProxyBridge.stop();
-    // Clear ACME state manager
-    this.acmeStateManager.clear();
-    // Stop metrics collector
-    this.metricsCollector.stop();
-    // Clean up ProtocolDetector singleton
-    const detection = await import('../../detection/index.js');
-    detection.ProtocolDetector.destroy();
-    // Flush any pending deduplicated logs
-    connectionLogDeduplicator.flushAll();
-    logger.log('info', 'SmartProxy shutdown complete.');
-  }
-  /**
-   * Updates the domain configurations for the proxy
-   *
-   * Note: This legacy method has been removed. Use updateRoutes instead.
-   */
-  public async updateDomainConfigs(): Promise<void> {
-    logger.log('warn', 'Method updateDomainConfigs() is deprecated. Use updateRoutes() instead.');
-    throw new Error('updateDomainConfigs() is deprecated - use updateRoutes() instead');
+    logger.log('info', 'SmartProxy started (Rust engine)', { component: 'smart-proxy' });
   }
   /**
-   * Verify the challenge route has been properly removed from routes
+   * Stop the proxy.
    */
-  private async verifyChallengeRouteRemoved(): Promise<void> {
-    const maxRetries = 10;
-    const retryDelay = 100; // milliseconds
-    for (let i = 0; i < maxRetries; i++) {
-      // Check if the challenge route is still in the active routes
-      const challengeRouteExists = this.settings.routes.some(r => r.name === 'acme-challenge');
-      if (!challengeRouteExists) {
-        try {
-          logger.log('info', 'Challenge route successfully removed from routes');
-        } catch (error) {
-          // Silently handle logging errors
-          console.log('[INFO] Challenge route successfully removed from routes');
-        }
-        return;
-      }
-      // Wait before retrying
-      await plugins.smartdelay.delayFor(retryDelay);
-    }
-    const error = `Failed to verify challenge route removal after ${maxRetries} attempts`;
+  public async stop(): Promise<void> {
+    logger.log('info', 'SmartProxy shutting down...', { component: 'smart-proxy' });
+    this.stopping = true;
+    // Stop metrics polling
+    this.metricsAdapter.stopPolling();
+    // Remove exit listener before killing to avoid spurious error events
+    this.bridge.removeAllListeners('exit');
+    // Stop Rust proxy
     try {
-      logger.log('error', error);
-    } catch (logError) {
-      // Silently handle logging errors
-      console.log(`[ERROR] ${error}`);
+      await this.bridge.stopProxy();
+    } catch {
+      // Ignore if already stopped
+    }
+    this.bridge.kill();
+    // Stop socket handler relay
+    if (this.socketHandlerServer) {
+      await this.socketHandlerServer.stop();
+      this.socketHandlerServer = null;
     }
-    throw new Error(error);
+    logger.log('info', 'SmartProxy shutdown complete.', { component: 'smart-proxy' });
   }
   /**
-   * Update routes with new configuration
-   *
-   * This method replaces the current route configuration with the provided routes.
-   * It also provisions certificates for routes that require TLS termination and have
-   * `certificate: 'auto'` set in their TLS configuration.
-   *
-   * @param newRoutes Array of route configurations to use
-   *
-   * Example:
-   * ```ts
-   * proxy.updateRoutes([
-   *   {
-   *     match: { ports: 443, domains: 'secure.example.com' },
-   *     action: {
-   *       type: 'forward',
-   *       target: { host: '10.0.0.1', port: 8443 },
-   *       tls: { mode: 'terminate', certificate: 'auto' }
-   *     }
-   *   }
-   * ]);
-   * ```
+   * Update routes atomically.
    */
   public async updateRoutes(newRoutes: IRouteConfig[]): Promise<void> {
     return this.routeUpdateLock.runExclusive(async () => {
-      try {
-        logger.log('info', `Updating routes (${newRoutes.length} routes)`, {
-          routeCount: newRoutes.length,
-          component: 'smart-proxy'
-        });
-      } catch (error) {
-        // Silently handle logging errors
-        console.log(`[INFO] Updating routes (${newRoutes.length} routes)`);
+      // Validate
+      const validation = RouteValidator.validateRoutes(newRoutes);
+      if (!validation.valid) {
+        RouteValidator.logValidationErrors(validation.errors);
+        throw new Error(`Route validation failed: ${validation.errors.size} route(s) have errors`);
       }
-      // Update route orchestrator dependencies if cert manager changed
-      if (this.certManager && !this.routeOrchestrator.getCertManager()) {
-        this.routeOrchestrator.setCertManager(this.certManager);
-      }
-      // Delegate the complex route update logic to RouteOrchestrator
-      const updateResult = await this.routeOrchestrator.updateRoutes(
-        this.settings.routes,
-        newRoutes,
-        {
-          acmePort: this.settings.acme?.port || 80,
-          acmeOptions: this.certManager?.getAcmeOptions(),
-          acmeState: this.certManager?.getState(),
-          globalChallengeRouteActive: this.globalChallengeRouteActive,
-          createCertificateManager: this.createCertificateManager.bind(this),
-          verifyChallengeRouteRemoved: this.verifyChallengeRouteRemoved.bind(this)
-        }
+      // Preprocess for Rust
+      const rustRoutes = this.preprocessor.preprocessForRust(newRoutes);
+      // Send to Rust
+      await this.bridge.updateRoutes(rustRoutes);
+      // Update local route manager
+      this.routeManager.updateRoutes(newRoutes);
+      // Update socket handler relay if handler routes changed
+      const hasHandlerRoutes = newRoutes.some(
+        (r) =>
+          (r.action.type === 'socket-handler' && r.action.socketHandler) ||
+          r.action.targets?.some((t) => typeof t.host === 'function' || typeof t.port === 'function')
       );
-      // Update settings with the new routes
-      this.settings.routes = newRoutes;
-      // Update global state from orchestrator results
-      this.globalChallengeRouteActive = updateResult.newChallengeRouteActive;
-      // Update port usage map from orchestrator
-      this.portUsageMap = updateResult.portUsageMap;
-      // If certificate manager was recreated, update our reference
-      if (updateResult.newCertManager) {
-        this.certManager = updateResult.newCertManager;
-        // Update the orchestrator's reference too
-        this.routeOrchestrator.setCertManager(this.certManager);
+      if (hasHandlerRoutes && !this.socketHandlerServer) {
+        this.socketHandlerServer = new SocketHandlerServer(this.preprocessor);
+        await this.socketHandlerServer.start();
+        await this.bridge.setSocketHandlerRelay(this.socketHandlerServer.getSocketPath());
+      } else if (!hasHandlerRoutes && this.socketHandlerServer) {
+        await this.socketHandlerServer.stop();
+        this.socketHandlerServer = null;
       }
+      // Update stored routes
+      this.settings.routes = newRoutes;
+      // Handle cert provisioning for new routes
+      await this.provisionCertificatesViaCallback();
+      logger.log('info', `Routes updated (${newRoutes.length} routes)`, { component: 'smart-proxy' });
     });
   }
   /**
-   * Manually provision a certificate for a route
+   * Provision a certificate for a named route.
    */
   public async provisionCertificate(routeName: string): Promise<void> {
-    if (!this.certManager) {
-      throw new Error('Certificate manager not initialized');
-    }
-    const route = this.settings.routes.find(r => r.name === routeName);
-    if (!route) {
-      throw new Error(`Route ${routeName} not found`);
-    }
-    await this.certManager.provisionCertificate(route);
+    await this.bridge.provisionCertificate(routeName);
   }
-  // Port usage tracking methods moved to RouteOrchestrator
   /**
-   * Force renewal of a certificate
+   * Force renewal of a certificate.
    */
   public async renewCertificate(routeName: string): Promise<void> {
-    if (!this.certManager) {
-      throw new Error('Certificate manager not initialized');
-    }
-    await this.certManager.renewCertificate(routeName);
+    await this.bridge.renewCertificate(routeName);
   }
   /**
-   * Get certificate status for a route
+   * Get certificate status for a route (async - calls Rust).
    */
-  public getCertificateStatus(routeName: string): ICertStatus | undefined {
-    if (!this.certManager) {
-      return undefined;
-    }
-    return this.certManager.getCertificateStatus(routeName);
+  public async getCertificateStatus(routeName: string): Promise<any> {
+    return this.bridge.getCertificateStatus(routeName);
   }
   /**
-   * Get proxy metrics with clean API
-   *
-   * @returns IMetrics interface with grouped metrics methods
+   * Get the metrics interface.
    */
   public getMetrics(): IMetrics {
-    return this.metricsCollector;
+    return this.metricsAdapter;
   }
   /**
-   * Validates if a domain name is valid for certificate issuance
+   * Get statistics (async - calls Rust).
    */
-  private isValidDomain(domain: string): boolean {
-    // Very basic domain validation
-    if (!domain || domain.length === 0) {
-      return false;
-    }
-    // Check for wildcard domains (they can't get ACME certs)
-    if (domain.includes('*')) {
-      logger.log('warn', `Wildcard domains like "${domain}" are not supported for automatic ACME certificates`, { domain, component: 'certificate-manager' });
-      return false;
-    }
-    // Check if domain has at least one dot and no invalid characters
-    const validDomainRegex = /^[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(\.[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*$/;
-    if (!validDomainRegex.test(domain)) {
-      logger.log('warn', `Domain "${domain}" has invalid format for certificate issuance`, { domain, component: 'certificate-manager' });
-      return false;
-    }
-    return true;
+  public async getStatistics(): Promise<any> {
+    return this.bridge.getStatistics();
   }
   /**
-   * Add a new listening port without changing the route configuration
-   *
-   * This allows you to add a port listener without updating routes.
-   * Useful for preparing to listen on a port before adding routes for it.
-   *
-   * @param port The port to start listening on
-   * @returns Promise that resolves when the port is listening
+   * Add a listening port at runtime.
    */
   public async addListeningPort(port: number): Promise<void> {
-    return this.portManager.addPort(port);
+    await this.bridge.addListeningPort(port);
   }
   /**
-   * Stop listening on a specific port without changing the route configuration
-   *
-   * This allows you to stop a port listener without updating routes.
-   * Useful for temporary maintenance or port changes.
-   *
-   * @param port The port to stop listening on
-   * @returns Promise that resolves when the port is closed
+   * Remove a listening port at runtime.
    */
   public async removeListeningPort(port: number): Promise<void> {
-    return this.portManager.removePort(port);
+    await this.bridge.removeListeningPort(port);
   }
   /**
-   * Get a list of all ports currently being listened on
-   *
-   * @returns Array of port numbers
+   * Get all currently listening ports (async - calls Rust).
    */
-  public getListeningPorts(): number[] {
-    return this.portManager.getListeningPorts();
+  public async getListeningPorts(): Promise<number[]> {
+    if (!this.bridge.running) return [];
+    return this.bridge.getListeningPorts();
   }
   /**
-   * Get statistics about current connections
-   */
-  public getStatistics(): any {
-    const connectionRecords = this.connectionManager.getConnections();
-    const terminationStats = this.connectionManager.getTerminationStats();
-    let tlsConnections = 0;
-    let nonTlsConnections = 0;
-    let keepAliveConnections = 0;
-    let httpProxyConnections = 0;
-    // Analyze active connections
-    for (const record of connectionRecords.values()) {
-      if (record.isTLS) tlsConnections++;
-      else nonTlsConnections++;
-      if (record.hasKeepAlive) keepAliveConnections++;
-      if (record.usingNetworkProxy) httpProxyConnections++;
-    }
-    return {
-      activeConnections: connectionRecords.size,
-      tlsConnections,
-      nonTlsConnections,
-      keepAliveConnections,
-      httpProxyConnections,
-      terminationStats,
-      acmeEnabled: !!this.certManager,
-      port80HandlerPort: this.certManager ? 80 : null,
-      routeCount: this.settings.routes.length,
-      activePorts: this.portManager.getListeningPorts().length,
-      listeningPorts: this.portManager.getListeningPorts()
-    };
-  }
-  /**
-   * Get a list of eligible domains for ACME certificates
+   * Get eligible domains for ACME certificates (sync - reads local routes).
    */
   public getEligibleDomainsForCertificates(): string[] {
     const domains: string[] = [];
-    // Get domains from routes
-    const routes = this.settings.routes || [];
-    for (const route of routes) {
+    for (const route of this.settings.routes || []) {
       if (!route.match.domains) continue;
-      // Skip routes without TLS termination or auto certificates
-      if (route.action.type !== 'forward' ||
-          !route.action.tls ||
-          route.action.tls.mode === 'passthrough' ||
-          route.action.tls.certificate !== 'auto') continue;
-      const routeDomains = Array.isArray(route.match.domains)
-        ? route.match.domains
-        : [route.match.domains];
-      // Skip domains that can't be used with ACME
-      const eligibleDomains = routeDomains.filter(domain =>
-        !domain.includes('*') && this.isValidDomain(domain)
-      );
-      domains.push(...eligibleDomains);
+      if (
+        route.action.type !== 'forward' ||
+        !route.action.tls ||
+        route.action.tls.mode === 'passthrough' ||
+        route.action.tls.certificate !== 'auto'
+      )
+        continue;
+      const routeDomains = Array.isArray(route.match.domains) ? route.match.domains : [route.match.domains];
+      const eligible = routeDomains.filter((d) => !d.includes('*') && this.isValidDomain(d));
+      domains.push(...eligible);
     }
-    // Legacy mode is no longer supported
     return domains;
   }
   /**
-   * Get NFTables status
+   * Get NFTables status (async - calls Rust).
    */
   public async getNfTablesStatus(): Promise<Record<string, any>> {
-    return this.nftablesManager.getStatus();
+    return this.bridge.getNftablesStatus();
   }
+  // --- Private helpers ---
   /**
-   * Validate ACME configuration
+   * Build the Rust configuration object from TS settings.
    */
-  private validateAcmeConfiguration(): string[] {
-    const warnings: string[] = [];
-    // Check for routes with certificate: 'auto'
-    const autoRoutes = this.settings.routes.filter(r =>
-      r.action.tls?.certificate === 'auto'
-    );
-    if (autoRoutes.length === 0) {
-      return warnings;
-    }
-    // Check if we have ACME email configuration
-    const hasTopLevelEmail = this.settings.acme?.email;
-    const routesWithEmail = autoRoutes.filter(r => r.action.tls?.acme?.email);
-    if (!hasTopLevelEmail && routesWithEmail.length === 0) {
-      warnings.push(
-        'Routes with certificate: "auto" require ACME email configuration. ' +
-        'Add email to either top-level "acme" config or individual route\'s "tls.acme" config.'
-      );
-    }
-    // Check for port 80 availability for challenges
-    if (autoRoutes.length > 0) {
-      const challengePort = this.settings.acme?.port || 80;
-      const portsInUse = this.routeManager.getListeningPorts();
-      if (!portsInUse.includes(challengePort)) {
-        warnings.push(
-          `Port ${challengePort} is not configured for any routes but is needed for ACME challenges. ` +
-          `Add a route listening on port ${challengePort} or ensure it's accessible for HTTP-01 challenges.`
-        );
-      }
-    }
-    // Check for mismatched environments
-    if (this.settings.acme?.useProduction) {
-      const stagingRoutes = autoRoutes.filter(r =>
-        r.action.tls?.acme?.useProduction === false
-      );
-      if (stagingRoutes.length > 0) {
-        warnings.push(
-          'Top-level ACME uses production but some routes use staging. ' +
-          'Consider aligning environments to avoid certificate issues.'
-        );
-      }
-    }
-    // Check for wildcard domains with auto certificates
-    for (const route of autoRoutes) {
-      const domains = Array.isArray(route.match.domains)
-        ? route.match.domains
-        : [route.match.domains];
-      const wildcardDomains = domains.filter(d => d?.includes('*'));
-      if (wildcardDomains.length > 0) {
-        warnings.push(
-          `Route "${route.name}" has wildcard domain(s) ${wildcardDomains.join(', ')} ` +
-          'with certificate: "auto". Wildcard certificates require DNS-01 challenges, ' +
-          'which are not currently supported. Use static certificates instead.'
-        );
+  private buildRustConfig(routes: IRouteConfig[]): any {
+    return {
+      routes,
+      defaults: this.settings.defaults,
+      acme: this.settings.acme
+        ? {
+            enabled: this.settings.acme.enabled,
+            email: this.settings.acme.email,
+            useProduction: this.settings.acme.useProduction,
+            port: this.settings.acme.port,
+            renewThresholdDays: this.settings.acme.renewThresholdDays,
+            autoRenew: this.settings.acme.autoRenew,
+            certificateStore: this.settings.acme.certificateStore,
+            renewCheckIntervalHours: this.settings.acme.renewCheckIntervalHours,
+          }
+        : undefined,
+      connectionTimeout: this.settings.connectionTimeout,
+      initialDataTimeout: this.settings.initialDataTimeout,
+      socketTimeout: this.settings.socketTimeout,
+      maxConnectionLifetime: this.settings.maxConnectionLifetime,
+      gracefulShutdownTimeout: this.settings.gracefulShutdownTimeout,
+      maxConnectionsPerIp: this.settings.maxConnectionsPerIP,
+      connectionRateLimitPerMinute: this.settings.connectionRateLimitPerMinute,
+      keepAliveTreatment: this.settings.keepAliveTreatment,
+      keepAliveInactivityMultiplier: this.settings.keepAliveInactivityMultiplier,
+      extendedKeepAliveLifetime: this.settings.extendedKeepAliveLifetime,
+      acceptProxyProtocol: this.settings.acceptProxyProtocol,
+      sendProxyProtocol: this.settings.sendProxyProtocol,
+    };
+  }
+  /**
+   * For routes with certificate: 'auto', call certProvisionFunction if set.
+   * If the callback returns a cert object, load it into Rust.
+   * If it returns 'http01', let Rust handle ACME.
+   */
+  private async provisionCertificatesViaCallback(): Promise<void> {
+    const provisionFn = this.settings.certProvisionFunction;
+    if (!provisionFn) return;
+    for (const route of this.settings.routes) {
+      if (route.action.tls?.certificate !== 'auto') continue;
+      if (!route.match.domains) continue;
+      const domains = Array.isArray(route.match.domains) ? route.match.domains : [route.match.domains];
+      for (const domain of domains) {
+        if (domain.includes('*')) continue;
+        try {
+          const result: TSmartProxyCertProvisionObject = await provisionFn(domain);
+          if (result === 'http01') {
+            // Rust handles ACME for this domain
+            continue;
+          }
+          // Got a static cert object - load it into Rust
+          if (result && typeof result === 'object') {
+            const certObj = result as plugins.tsclass.network.ICert;
+            await this.bridge.loadCertificate(
+              domain,
+              certObj.publicKey,
+              certObj.privateKey,
+            );
+            logger.log('info', `Certificate loaded via provision function for ${domain}`, { component: 'smart-proxy' });
+          }
+        } catch (err: any) {
+          logger.log('warn', `certProvisionFunction failed for ${domain}: ${err.message}`, { component: 'smart-proxy' });
+          // Fallback to ACME if enabled
+          if (this.settings.certProvisionFallbackToAcme !== false) {
+            logger.log('info', `Falling back to ACME for ${domain}`, { component: 'smart-proxy' });
+          }
+        }
       }
     }
-    return warnings;
   }
-}
+  private isValidDomain(domain: string): boolean {
+    if (!domain || domain.length === 0) return false;
+    if (domain.includes('*')) return false;
+    const validDomainRegex =
+      /^[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(\.[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*$/;
+    return validDomainRegex.test(domain);
+  }
+}