portok 1.0.0

package/portokd.mjs

@@ -0,0 +1,793 @@
+#!/usr/bin/env node
+
+/**
+ * Portok Daemon - Zero-downtime deployment proxy
+ * Routes traffic through a stable port to internal app instances
+ * with health-gated switching, connection draining, and auto-rollback.
+ * 
+ * Performance optimizations:
+ * - FAST_PATH mode for maximum throughput in benchmarks
+ * - Keep-alive agent for upstream connections (critical for throughput)
+ * - No URL parsing in hot path
+ * - Minimal event listeners per request
+ * - Connection header stripping for proper keep-alive upstream
+ */
+
+import http from 'node:http';
+import fs from 'node:fs';
+import crypto from 'node:crypto';
+import httpProxy from 'http-proxy';
+
+// =============================================================================
+// Configuration
+// =============================================================================
+
+// Instance name for multi-instance deployments
+const instanceName = process.env.INSTANCE_NAME || 'default';
+
+// Derive default state file from instance name if not explicitly set
+const defaultStateFile = process.env.STATE_FILE 
+  || (instanceName !== 'default' ? `/var/lib/portok/${instanceName}.json` : './portok-state.json');
+
+const config = {
+  instanceName,
+  listenPort: parseInt(process.env.LISTEN_PORT || '3000', 10),
+  initialTargetPort: parseInt(process.env.INITIAL_TARGET_PORT || '0', 10),
+  stateFile: defaultStateFile,
+  healthPath: process.env.HEALTH_PATH || '/health',
+  healthTimeoutMs: parseInt(process.env.HEALTH_TIMEOUT_MS || '5000', 10),
+  drainMs: parseInt(process.env.DRAIN_MS || '30000', 10),
+  rollbackWindowMs: parseInt(process.env.ROLLBACK_WINDOW_MS || '60000', 10),
+  rollbackCheckEveryMs: parseInt(process.env.ROLLBACK_CHECK_EVERY_MS || '5000', 10),
+  rollbackFailThreshold: parseInt(process.env.ROLLBACK_FAIL_THRESHOLD || '3', 10),
+  adminToken: process.env.ADMIN_TOKEN || '',
+  adminAllowlist: (process.env.ADMIN_ALLOWLIST || '127.0.0.1,::1,::ffff:127.0.0.1').split(',').map(s => s.trim()),
+  adminUnixSocket: process.env.ADMIN_UNIX_SOCKET || '',
+  
+  // Performance tuning: Upstream keep-alive settings
+  // CRITICAL: Without keep-alive, every request opens a new TCP connection
+  upstreamKeepAlive: process.env.UPSTREAM_KEEPALIVE !== '0',
+  upstreamMaxSockets: parseInt(process.env.UPSTREAM_MAX_SOCKETS || '1024', 10),
+  upstreamKeepAliveMsecs: parseInt(process.env.UPSTREAM_KEEPALIVE_MSECS || '1000', 10),
+  
+  // Server timeout settings
+  serverKeepAliveTimeout: parseInt(process.env.SERVER_KEEPALIVE_TIMEOUT || '5000', 10),
+  serverHeadersTimeout: parseInt(process.env.SERVER_HEADERS_TIMEOUT || '6000', 10),
+  
+  // Proxy settings
+  enableXfwd: process.env.ENABLE_XFWD !== '0', // Default ON for standard proxy behavior
+  
+  // FAST_PATH mode: Maximum performance for benchmarks
+  // Disables: statusCounters, rolling RPS, lastProxyError capture
+  // Keeps: totalRequests, inflight, proxyErrors
+  fastPath: process.env.FAST_PATH === '1',
+  
+  // Debug mode: Track upstream socket creation
+  debugUpstream: process.env.DEBUG_UPSTREAM === '1',
+  
+  // Error handling
+  verboseErrors: process.env.VERBOSE_ERRORS === '1',
+};
+
+// Logging helper - only for admin/startup, NEVER in hot path
+function log(category, message) {
+  const prefix = config.instanceName !== 'default' ? `[${config.instanceName}]` : '';
+  console.log(`${prefix}[${category}] ${message}`);
+}
+
+function logError(category, message) {
+  const prefix = config.instanceName !== 'default' ? `[${config.instanceName}]` : '';
+  console.error(`${prefix}[${category}] ${message}`);
+}
+
+// Validate required config
+if (!config.initialTargetPort && !fs.existsSync(config.stateFile)) {
+  logError('config', 'INITIAL_TARGET_PORT is required when no state file exists');
+  process.exit(1);
+}
+
+if (!config.adminToken) {
+  logError('config', 'ADMIN_TOKEN is required');
+  process.exit(1);
+}
+
+// =============================================================================
+// State Management
+// =============================================================================
+
+const state = {
+  activePort: config.initialTargetPort,
+  previousPort: null,
+  drainUntil: null,
+  lastSwitch: {
+    from: null,
+    to: null,
+    at: null,
+    reason: null,
+    id: null,
+  },
+};
+
+// Load state from file if exists
+function loadState() {
+  try {
+    if (fs.existsSync(config.stateFile)) {
+      const data = JSON.parse(fs.readFileSync(config.stateFile, 'utf-8'));
+      state.activePort = data.activePort || config.initialTargetPort;
+      state.previousPort = data.previousPort || null;
+      state.lastSwitch = data.lastSwitch || state.lastSwitch;
+      log('state', `Loaded state from ${config.stateFile}, activePort=${state.activePort}`);
+    }
+  } catch (err) {
+    logError('state', `Failed to load state file: ${err.message}`);
+  }
+}
+
+// Save state to file atomically
+function saveState() {
+  try {
+    const tempFile = `${config.stateFile}.tmp`;
+    const data = JSON.stringify({
+      activePort: state.activePort,
+      previousPort: state.previousPort,
+      lastSwitch: state.lastSwitch,
+    }, null, 2);
+    fs.writeFileSync(tempFile, data, 'utf-8');
+    fs.renameSync(tempFile, config.stateFile);
+    log('state', `Saved state to ${config.stateFile}`);
+  } catch (err) {
+    logError('state', `Failed to save state: ${err.message}`);
+  }
+}
+
+loadState();
+
+// =============================================================================
+// Metrics
+// =============================================================================
+
+const metrics = {
+  startedAt: Date.now(),
+  inflight: 0,
+  inflightMax: 0,
+  totalRequests: 0,
+  totalProxyErrors: 0,
+  // These are only updated when NOT in FAST_PATH mode
+  statusCounters: { '2xx': 0, '3xx': 0, '4xx': 0, '5xx': 0 },
+  requestTimestamps: [], // Only used when NOT in FAST_PATH
+  health: {
+    activePortOk: true,
+    lastCheckedAt: null,
+    consecutiveFails: 0,
+  },
+  lastProxyError: null,
+  // Debug: upstream socket tracking
+  upstreamSocketsCreated: 0,
+};
+
+// Rolling RPS calculation - ONLY called from /__metrics endpoint, not hot path
+function getRollingRps60() {
+  if (config.fastPath) return 0;
+  const now = Date.now();
+  const cutoff = now - 60000;
+  let count = 0;
+  for (let i = metrics.requestTimestamps.length - 1; i >= 0; i--) {
+    if (metrics.requestTimestamps[i] >= cutoff) count++;
+    else break;
+  }
+  return Math.round((count / 60) * 100) / 100;
+}
+
+// Record request timestamp - uses push only, cleanup done periodically
+function recordRequest() {
+  metrics.requestTimestamps.push(Date.now());
+}
+
+// Periodic cleanup of old timestamps (every 10 seconds)
+if (!config.fastPath) {
+  setInterval(() => {
+    const cutoff = Date.now() - 60000;
+    // Find first index >= cutoff using binary-ish scan from start
+    let removeCount = 0;
+    while (removeCount < metrics.requestTimestamps.length && 
+           metrics.requestTimestamps[removeCount] < cutoff) {
+      removeCount++;
+    }
+    if (removeCount > 0) {
+      metrics.requestTimestamps.splice(0, removeCount);
+    }
+  }, 10000);
+}
+
+function incrementStatusCounter(statusCode) {
+  if (statusCode >= 200 && statusCode < 300) metrics.statusCounters['2xx']++;
+  else if (statusCode >= 300 && statusCode < 400) metrics.statusCounters['3xx']++;
+  else if (statusCode >= 400 && statusCode < 500) metrics.statusCounters['4xx']++;
+  else if (statusCode >= 500) metrics.statusCounters['5xx']++;
+}
+
+// =============================================================================
+// Socket Tracking for Connection Draining
+// =============================================================================
+
+// Map<Socket, number> - just store the port number for speed
+const socketPortMap = new Map();
+
+function getSocketPort(socket) {
+  const port = socketPortMap.get(socket);
+  return port !== undefined ? port : state.activePort;
+}
+
+// =============================================================================
+// Upstream Keep-Alive Agent
+// =============================================================================
+
+// CRITICAL for performance: Shared HTTP agent for upstream connections
+const upstreamAgent = new http.Agent({
+  keepAlive: config.upstreamKeepAlive,
+  maxSockets: config.upstreamMaxSockets,
+  keepAliveMsecs: config.upstreamKeepAliveMsecs,
+  scheduling: 'fifo', // Better for keep-alive reuse
+});
+
+// Debug: Track socket creation
+if (config.debugUpstream) {
+  const originalCreateConnection = upstreamAgent.createConnection.bind(upstreamAgent);
+  upstreamAgent.createConnection = function(options, callback) {
+    metrics.upstreamSocketsCreated++;
+    return originalCreateConnection(options, callback);
+  };
+}
+
+// =============================================================================
+// Health Check
+// =============================================================================
+
+async function checkHealth(port, timeout = config.healthTimeoutMs) {
+  return new Promise((resolve) => {
+    const req = http.request({
+      hostname: '127.0.0.1',
+      port,
+      path: config.healthPath,
+      method: 'GET',
+      timeout,
+    }, (res) => {
+      // Consume response to free socket
+      res.resume();
+      resolve(res.statusCode >= 200 && res.statusCode < 300);
+    });
+    
+    req.on('error', () => resolve(false));
+    req.on('timeout', () => {
+      req.destroy();
+      resolve(false);
+    });
+    req.end();
+  });
+}
+
+// =============================================================================
+// Auto Rollback Monitor
+// =============================================================================
+
+let rollbackInterval = null;
+
+function startRollbackMonitor(newPort, previousPort, isRollback = false) {
+  if (isRollback) {
+    log('rollback', 'Skipping rollback monitor for rollback operation');
+    return;
+  }
+
+  if (rollbackInterval) {
+    clearInterval(rollbackInterval);
+    rollbackInterval = null;
+  }
+
+  let consecutiveFails = 0;
+  const endTime = Date.now() + config.rollbackWindowMs;
+
+  log('rollback', `Starting monitor for port ${newPort}, window=${config.rollbackWindowMs}ms`);
+
+  rollbackInterval = setInterval(async () => {
+    if (Date.now() > endTime) {
+      log('rollback', 'Monitor window expired, port is stable');
+      clearInterval(rollbackInterval);
+      rollbackInterval = null;
+      return;
+    }
+
+    if (state.activePort !== newPort) {
+      log('rollback', 'Port changed externally, stopping monitor');
+      clearInterval(rollbackInterval);
+      rollbackInterval = null;
+      return;
+    }
+
+    const healthy = await checkHealth(newPort);
+    metrics.health.lastCheckedAt = Date.now();
+
+    if (!healthy) {
+      consecutiveFails++;
+      metrics.health.consecutiveFails = consecutiveFails;
+      metrics.health.activePortOk = false;
+      log('rollback', `Health check failed (${consecutiveFails}/${config.rollbackFailThreshold})`);
+
+      if (consecutiveFails >= config.rollbackFailThreshold) {
+        log('rollback', `Threshold reached, rolling back to port ${previousPort}`);
+        clearInterval(rollbackInterval);
+        rollbackInterval = null;
+        await performSwitch(previousPort, 'auto-rollback', true);
+      }
+    } else {
+      consecutiveFails = 0;
+      metrics.health.consecutiveFails = 0;
+      metrics.health.activePortOk = true;
+    }
+  }, config.rollbackCheckEveryMs);
+}
+
+// =============================================================================
+// Switching Logic
+// =============================================================================
+
+async function performSwitch(newPort, reason = 'manual', isRollback = false) {
+  const previousPort = state.activePort;
+
+  state.previousPort = previousPort;
+  state.activePort = newPort;
+  state.drainUntil = Date.now() + config.drainMs;
+  state.lastSwitch = {
+    from: previousPort,
+    to: newPort,
+    at: Date.now(),
+    reason,
+    id: crypto.randomUUID(),
+  };
+
+  saveState();
+
+  log('switch', `Switched from port ${previousPort} to ${newPort} (reason: ${reason})`);
+
+  startRollbackMonitor(newPort, previousPort, isRollback);
+
+  setTimeout(() => {
+    if (state.drainUntil && state.drainUntil <= Date.now()) {
+      state.drainUntil = null;
+      log('drain', 'Drain period ended');
+    }
+  }, config.drainMs);
+
+  return state.lastSwitch;
+}
+
+// =============================================================================
+// Security: Token Validation & Rate Limiting
+// =============================================================================
+
+function timingSafeEqual(a, b) {
+  if (typeof a !== 'string' || typeof b !== 'string') return false;
+  const bufA = Buffer.from(a);
+  const bufB = Buffer.from(b);
+  if (bufA.length !== bufB.length) {
+    crypto.timingSafeEqual(bufA, bufA);
+    return false;
+  }
+  return crypto.timingSafeEqual(bufA, bufB);
+}
+
+function validateAdminToken(req) {
+  const token = req.headers['x-admin-token'];
+  return timingSafeEqual(token || '', config.adminToken);
+}
+
+function isAllowedIP(req) {
+  const remoteAddr = req.socket.remoteAddress || '';
+  return config.adminAllowlist.some(allowed => {
+    if (remoteAddr === `::ffff:${allowed}`) return true;
+    return remoteAddr === allowed;
+  });
+}
+
+const rateLimitMap = new Map();
+const RATE_LIMIT_MAX = parseInt(process.env.ADMIN_RATE_LIMIT || '10', 10);
+const RATE_LIMIT_WINDOW = 60000;
+
+function checkRateLimit(ip) {
+  const now = Date.now();
+  const cutoff = now - RATE_LIMIT_WINDOW;
+
+  let timestamps = rateLimitMap.get(ip) || [];
+  timestamps = timestamps.filter(t => t > cutoff);
+
+  if (timestamps.length >= RATE_LIMIT_MAX) {
+    rateLimitMap.set(ip, timestamps);
+    return false;
+  }
+
+  timestamps.push(now);
+  rateLimitMap.set(ip, timestamps);
+  return true;
+}
+
+setInterval(() => {
+  const now = Date.now();
+  const cutoff = now - RATE_LIMIT_WINDOW;
+  for (const [ip, timestamps] of rateLimitMap.entries()) {
+    const filtered = timestamps.filter(t => t > cutoff);
+    if (filtered.length === 0) {
+      rateLimitMap.delete(ip);
+    } else {
+      rateLimitMap.set(ip, filtered);
+    }
+  }
+}, 60000);
+
+// =============================================================================
+// Admin Endpoints
+// =============================================================================
+
+function sendJSON(res, statusCode, data) {
+  res.writeHead(statusCode, { 'Content-Type': 'application/json' });
+  res.end(JSON.stringify(data));
+}
+
+// Extract pathname without URL object
+function getPathname(url) {
+  const qIdx = url.indexOf('?');
+  return qIdx === -1 ? url : url.slice(0, qIdx);
+}
+
+// Extract query param without URL parsing
+function getQueryParam(url, param) {
+  const qIdx = url.indexOf('?');
+  if (qIdx === -1) return null;
+  const query = url.slice(qIdx + 1);
+  const regex = new RegExp(`(?:^|&)${param}=([^&]*)`);
+  const match = query.match(regex);
+  return match ? match[1] : null;
+}
+
+async function handleAdminRequest(req, res) {
+  const pathname = getPathname(req.url);
+
+  if (!isAllowedIP(req)) {
+    sendJSON(res, 403, { error: 'Forbidden: IP not allowed' });
+    return true;
+  }
+
+  if (!validateAdminToken(req)) {
+    sendJSON(res, 401, { error: 'Unauthorized: Invalid or missing x-admin-token' });
+    return true;
+  }
+
+  const clientIP = req.socket.remoteAddress || 'unknown';
+  if (!checkRateLimit(clientIP)) {
+    sendJSON(res, 429, { error: 'Too Many Requests: Rate limit exceeded' });
+    return true;
+  }
+
+  if (pathname === '/__status' && req.method === 'GET') {
+    sendJSON(res, 200, {
+      instanceName: config.instanceName,
+      activePort: state.activePort,
+      drainUntil: state.drainUntil,
+      lastSwitch: state.lastSwitch,
+    });
+    return true;
+  }
+
+  if (pathname === '/__metrics' && req.method === 'GET') {
+    const metricsData = {
+      startedAt: new Date(metrics.startedAt).toISOString(),
+      inflight: metrics.inflight,
+      inflightMax: metrics.inflightMax,
+      totalRequests: metrics.totalRequests,
+      totalProxyErrors: metrics.totalProxyErrors,
+      statusCounters: metrics.statusCounters,
+      rollingRps60: getRollingRps60(),
+      health: {
+        ...metrics.health,
+        lastCheckedAt: metrics.health.lastCheckedAt 
+          ? new Date(metrics.health.lastCheckedAt).toISOString() 
+          : null,
+      },
+      lastProxyError: metrics.lastProxyError,
+      fastPath: config.fastPath,
+    };
+    
+    // Include upstream debug info if enabled
+    if (config.debugUpstream) {
+      metricsData.upstreamSocketsCreated = metrics.upstreamSocketsCreated;
+      metricsData.upstreamAgentSockets = {
+        freeSockets: Object.keys(upstreamAgent.freeSockets).length,
+        sockets: Object.keys(upstreamAgent.sockets).length,
+      };
+    }
+    
+    sendJSON(res, 200, metricsData);
+    return true;
+  }
+
+  if (pathname === '/__switch' && req.method === 'POST') {
+    const portStr = getQueryParam(req.url, 'port');
+    const port = parseInt(portStr, 10);
+
+    if (!port || port < 1 || port > 65535) {
+      sendJSON(res, 400, { error: 'Invalid port: must be 1-65535' });
+      return true;
+    }
+
+    log('switch', `Health checking port ${port}...`);
+    const healthy = await checkHealth(port);
+
+    if (!healthy) {
+      sendJSON(res, 409, {
+        error: 'Health check failed',
+        message: `Port ${port} did not respond with 2xx at ${config.healthPath}`,
+      });
+      return true;
+    }
+
+    const result = await performSwitch(port, 'manual', false);
+    sendJSON(res, 200, {
+      success: true,
+      message: `Switched to port ${port}`,
+      switch: result,
+    });
+    return true;
+  }
+
+  if (pathname === '/__health' && req.method === 'GET') {
+    const healthy = await checkHealth(state.activePort);
+    metrics.health.activePortOk = healthy;
+    metrics.health.lastCheckedAt = Date.now();
+
+    if (healthy) {
+      sendJSON(res, 200, {
+        healthy: true,
+        activePort: state.activePort,
+        checkedAt: new Date(metrics.health.lastCheckedAt).toISOString(),
+      });
+    } else {
+      sendJSON(res, 503, {
+        healthy: false,
+        activePort: state.activePort,
+        checkedAt: new Date(metrics.health.lastCheckedAt).toISOString(),
+      });
+    }
+    return true;
+  }
+
+  return false;
+}
+
+// =============================================================================
+// Proxy Server
+// =============================================================================
+
+const proxy = httpProxy.createProxyServer({
+  ws: true,
+  xfwd: config.enableXfwd,
+  // These are critical for performance:
+  changeOrigin: false, // Not needed for localhost
+  selfHandleResponse: false, // Let http-proxy handle response
+  followRedirects: false, // Don't follow redirects
+});
+
+// CRITICAL: Remove connection header to ensure upstream keep-alive works
+// Without this, "connection: close" from client breaks upstream reuse
+proxy.on('proxyReq', (proxyReq, req, res, options) => {
+  // Remove connection header - let agent manage keep-alive
+  proxyReq.removeHeader('connection');
+  // Ensure we don't forward hop-by-hop headers that break keep-alive
+  proxyReq.removeHeader('proxy-connection');
+});
+
+// Proxy error handler - minimal work in hot path
+proxy.on('error', (err, req, res) => {
+  metrics.totalProxyErrors++;
+  
+  // Only capture error details if NOT in FAST_PATH
+  if (!config.fastPath) {
+    metrics.lastProxyError = {
+      message: err.message,
+      timestamp: Date.now(),
+      targetPort: state.activePort,
+    };
+  }
+
+  // Only log if verbose enabled
+  if (config.verboseErrors) {
+    logError('proxy', `${err.message}\n${err.stack}`);
+  }
+
+  // Fast 502 response
+  if (res && !res.headersSent && typeof res.writeHead === 'function') {
+    res.writeHead(502, { 'Content-Type': 'text/plain' });
+    res.end('Bad Gateway');
+  }
+});
+
+// Track response status codes - ONLY if NOT in FAST_PATH mode
+if (!config.fastPath) {
+  proxy.on('proxyRes', (proxyRes) => {
+    incrementStatusCounter(proxyRes.statusCode);
+  });
+}
+
+// =============================================================================
+// HTTP Request Handler - ULTRA OPTIMIZED HOT PATH
+// =============================================================================
+
+// Pre-calculate admin prefix bytes for fastest check
+const SLASH = 47;      // '/'
+const UNDERSCORE = 95; // '_'
+
+function handleRequest(req, res) {
+  const url = req.url;
+  
+  // Fast admin check: is url starting with '/__' ?
+  if (url && url.length > 2 && 
+      url.charCodeAt(0) === SLASH && 
+      url.charCodeAt(1) === UNDERSCORE && 
+      url.charCodeAt(2) === UNDERSCORE) {
+    // Admin path - async handling
+    handleAdminRequest(req, res).then(handled => {
+      if (!handled) {
+        proxyRequestFast(req, res);
+      }
+    });
+    return;
+  }
+
+  // Hot path: proxy immediately
+  proxyRequestFast(req, res);
+}
+
+// Ultra-fast proxy function - minimal overhead
+function proxyRequestFast(req, res) {
+  // Essential metrics only
+  metrics.totalRequests++;
+  metrics.inflight++;
+  
+  // Track max inflight (cheap comparison)
+  if (metrics.inflight > metrics.inflightMax) {
+    metrics.inflightMax = metrics.inflight;
+  }
+  
+  // Rolling RPS tracking - ONLY if not FAST_PATH
+  if (!config.fastPath) {
+    recordRequest();
+  }
+
+  // Get target port (for drain support)
+  const targetPort = getSocketPort(req.socket);
+
+  // Track inflight with protection against double-decrement
+  // Use a simple flag on the response object
+  res._inflightDecremented = false;
+  
+  const onFinish = () => {
+    if (!res._inflightDecremented) {
+      res._inflightDecremented = true;
+      metrics.inflight--;
+    }
+  };
+
+  // Use 'once' to auto-remove listener after first call
+  res.once('finish', onFinish);
+  res.once('close', onFinish);
+
+  // Proxy with keep-alive agent
+  proxy.web(req, res, { 
+    target: { host: '127.0.0.1', port: targetPort },
+    agent: upstreamAgent,
+  });
+}
+
+// WebSocket upgrade handler
+function handleUpgrade(req, socket, head) {
+  const targetPort = getSocketPort(socket);
+
+  // No logging in hot path
+  proxy.ws(req, socket, head, { 
+    target: { host: '127.0.0.1', port: targetPort },
+    agent: upstreamAgent,
+  });
+}
+
+// =============================================================================
+// HTTP Server
+// =============================================================================
+
+const server = http.createServer(handleRequest);
+server.on('upgrade', handleUpgrade);
+
+// Configure server for high concurrency
+server.keepAliveTimeout = config.serverKeepAliveTimeout;
+server.headersTimeout = config.serverHeadersTimeout;
+server.maxHeadersCount = 100; // Reasonable limit
+
+// Track socket connections for draining - minimal overhead
+server.on('connection', (socket) => {
+  socketPortMap.set(socket, state.activePort);
+  socket.once('close', () => socketPortMap.delete(socket));
+});
+
+// =============================================================================
+// Server Startup
+// =============================================================================
+
+server.listen(config.listenPort, () => {
+  log('portokd', `Listening on port ${config.listenPort}`);
+  log('portokd', `Instance: ${config.instanceName}`);
+  log('portokd', `Proxying to 127.0.0.1:${state.activePort}`);
+  log('portokd', `Health path: ${config.healthPath}`);
+  log('portokd', `State file: ${config.stateFile}`);
+  log('portokd', `Admin endpoints: /__status, /__metrics, /__switch, /__health`);
+  log('portokd', `Keep-alive: ${config.upstreamKeepAlive ? 'enabled' : 'disabled'}, maxSockets=${config.upstreamMaxSockets}`);
+  if (config.fastPath) {
+    log('portokd', 'FAST_PATH mode: Minimal metrics for maximum throughput');
+  }
+  if (config.debugUpstream) {
+    log('portokd', 'DEBUG_UPSTREAM mode: Tracking upstream socket creation');
+  }
+});
+
+// Optional: Admin Unix socket
+if (config.adminUnixSocket) {
+  try {
+    fs.unlinkSync(config.adminUnixSocket);
+  } catch (e) {
+    // Ignore if doesn't exist
+  }
+
+  const adminServer = http.createServer(async (req, res) => {
+    req.socket.remoteAddress = '127.0.0.1';
+    if (req.url && req.url.charCodeAt(0) === SLASH && 
+        req.url.charCodeAt(1) === UNDERSCORE && 
+        req.url.charCodeAt(2) === UNDERSCORE) {
+      await handleAdminRequest(req, res);
+    } else {
+      sendJSON(res, 404, { error: 'Not found' });
+    }
+  });
+
+  adminServer.listen(config.adminUnixSocket, () => {
+    log('portokd', `Admin socket listening on ${config.adminUnixSocket}`);
+    fs.chmodSync(config.adminUnixSocket, 0o600);
+  });
+}
+
+// Graceful shutdown
+process.on('SIGTERM', () => {
+  log('portokd', 'Received SIGTERM, shutting down...');
+  upstreamAgent.destroy();
+  server.close(() => {
+    log('portokd', 'Server closed');
+    process.exit(0);
+  });
+});
+
+process.on('SIGINT', () => {
+  log('portokd', 'Received SIGINT, shutting down...');
+  upstreamAgent.destroy();
+  server.close(() => {
+    log('portokd', 'Server closed');
+    process.exit(0);
+  });
+});
+
+// Export for testing
+export {
+  config,
+  state,
+  metrics,
+  checkHealth,
+  performSwitch,
+  validateAdminToken,
+  isAllowedIP,
+  checkRateLimit,
+  server,
+  upstreamAgent,
+};