feat(tunnel): require explicit target schemes

- Replace "Raw TCP listener" references with http.Server/hijack model
- Update architecture diagram and description
- Add testing section to AGENTS.md with test summary
- Update key patterns to match current code
- Fix file locations table (add e2e_test.go, reconstructed_conn.go)

AGENTS.md

@@ -0,0 +1,86 @@
+# Conduit — Agent Guidelines
+
+## Project Overview
+
+Conduit is a self-hosted tunneling service (Go, single binary). A **server** (`conduit serve`) runs on a public host and routes incoming HTTP requests by subdomain to registered **tunnels**. A **client** (`conduit tunnel`) connects via WebSocket, receives forwarded traffic, and relays it to a local target using either an HTTP reverse-proxy or raw TCP dial.
+
+## Build & Test
+
+```bash
+# Build all platforms
+make build_local
+
+# Run tests
+make tests              # includes race detection + coverage
+
+# Lint
+golangci-lint run
+```
+
+Go 1.25+ is required (`go.mod`). Nix devshell provides Go, gopls, golangci-lint.
+
+## Architecture at a Glance
+
+```
+server/server.go        — net/http.Server, ServeHTTP routes by Host subdomain to tunnel or control API
+tunnel/tunnel.go        — Core Tunnel struct, WebSocket message loop, stream management
+tunnel/forwarder.go     — Forwarder interface; HTTP/HTTPS → HTTP forwarder, everything else → TCP
+tunnel/http_forwarder.go — httputil.ReverseProxy served over net.Pipe via multiConnListener
+tunnel/tcp_forwarder.go  — Direct net.Dial TCP forwarding
+tunnel/stream.go        — Stream interface (io.ReadWriteCloser + Source/Target)
+server/reconstructed_conn.go — Replays re-serialized headers + buffered body + raw conn after hijack
+store/store.go          — In-memory request/response recorder with pub/sub (SSE)
+web/web.go              — Local tunnel monitor (port 8181), embedded static UI assets, SSE endpoint
+config/config.go        — Reflection-based config from struct tags → flags + env vars + client config file
+pkg/maps/map.go         — Generic sync.RWMutex-guarded map
+```
+
+## Code Conventions
+
+- **Go style**: standard `gofmt`, golangci-lint with `.golangci.toml`
+- **Comment style**: Title Case heading above logical blocks (see root `AGENTS.md`)
+- **Config**: add struct tags (`json`, `default`, `description`) to `ServerConfig` or `ClientConfig` — flags and env vars are auto-derived. Client config may also come from `./conduit.json` or `~/.config/conduit/config.json` for `server`, `api_key`, `log_level`, and `log_format` only.
+- **Logging**: use `logrus` (`log` alias); structured fields preferred
+- **Concurrency**: use `pkg/maps.Map` for shared maps; protect other shared state with `sync.Mutex`
+- **Error handling**: return errors up; log at command/entry-point level. Use `fmt.Errorf` with `%w` for wrapping
+
+## Key Patterns
+
+1. **ServeHTTP + Hijack for tunnel routing**: The server uses `net/http.Server` with a `ServeHTTP` handler. It inspects the `Host` header to determine routing. Control API requests are handled normally via `http.ResponseWriter`. Tunnel requests hijack the TCP connection, re-serialize the HTTP request, and forward it through the tunnel via `reconstructedConn`.
+2. **Reconstructed connection**: After hijack, `reconstructedConn` combines re-serialized request headers, buffered body data from the hijacked `bufio.ReadWriter`, and the raw connection into a single `io.Reader` so the tunnel client receives the complete request.
+3. **Forwarder abstraction**: `Forwarder` interface decouples tunnel transport from protocol handling. `NewForwarder` only uses `url.Parse` for `http://`/`https://` schemes; everything else (including parse failures like bare `host:port`) is treated as raw TCP. HTTP forwarder uses `net.Pipe` + `multiConnListener` to feed connections into a standard `http.Server`.
+4. **Context-threaded records**: Request records are attached to context in `RecordRequest` and retrieved in `RecordResponse` via the `ModifyResponse` hook.
+
+## Adding a New Forwarder
+
+1. Implement `tunnel.Forwarder` interface (`Type()`, `Initialize()`, `Start()`)
+2. Add a case in `tunnel.NewForwarder()` factory
+3. Add corresponding `ForwarderType` const
+
+## Testing
+
+E2E tests live in `e2e_test.go` at the project root. They spin up real servers, tunnels, and targets on random ports. `make tests` runs with `-race` and coverage enabled.
+
+```bash
+# Run all tests
+make tests
+
+# Run specific test
+ go test -v -run TestHTTPTunnelRoundTrip -count=1 ./...
+```
+
+16 tests covering: HTTP round-trip (GET/POST), TCP echo, large bodies (1MB resp / 512KB req), response quality (headers, content-type, content-length), error paths (404, 401, duplicate name), multi-tunnel routing, concurrency, and graceful shutdown.
+
+## File Locations
+
+| Concern | Files |
+|---------|-------|
+| CLI entry | `main.go`, `cmd/` |
+| Server | `server/` |
+| Tunneling | `tunnel/` |
+| Config | `config/` |
+| Storage | `store/` |
+| Web UI | `web/`, `web/pages/` |
+| Shared types | `types/` |
+| Utilities | `pkg/maps/` |
+| E2E tests | `e2e_test.go` |

Makefile

@@ -30,6 +30,6 @@ clean:
 	rm -rf ./build
 
 tests:
-	SET_TEST=set_val go test -coverpkg=./... ./... -coverprofile=./cover.out
+	SET_TEST=set_val go test -race -coverpkg=./... ./... -coverprofile=./cover.out
 	go tool cover -html=./cover.out -o ./cover.html
 	rm ./cover.out

README.md

@@ -1,18 +1,143 @@
 # Conduit
 
-A lightweight tunneling service that enables secure connection forwarding through a remote server.
+A lightweight tunneling service that exposes local services to the internet through a public server — similar to ngrok, but self-hosted.
 
-**How:** Deploy Conduit on a public server (e.g., `https://conduit.example.com`) to create tunnels from local services to the internet. Simply point a tunnel to your local endpoint (such as `localhost:8000`) and assign it a custom subdomain identifier like `black-fox-123`. Your local service becomes instantly accessible at `https://black-fox-123.conduit.example.com`.
+Deploy Conduit on a public server (e.g., `https://conduit.example.com`), then create tunnels from your local machine. Point a tunnel at a local endpoint (e.g., `localhost:8000`) and it becomes accessible at a subdomain like `https://black-fox-123.conduit.example.com`.
-
-**Key Benefits:**
-
-- Expose local development servers to the internet
-- Share work-in-progress applications with clients or teammates
-- Test webhooks and external integrations
-- Bypass firewall restrictions for remote access
-
-Perfect for developers who need quick, temporary public access to local services without complex networking setup.
-
-### Example
 
 ![Example](https://gitea.va.reichard.io/evan/conduit/raw/branch/main/assets/example.gif)
+
+## Features
+
+- **HTTP & TCP tunneling** — automatically detected based on the target scheme
+- **Subdomain routing** — each tunnel gets a unique subdomain on the server
+- **Auto-generated tunnel names** — random `color-animal-number` names when none is provided
+- **Local tunnel monitor** — web UI on `:8181` with SSE-based live request/response inspection
+- **API key authentication** — simple shared-key auth between client and server
+- **Minimal footprint** — single binary, no external dependencies
+
+## Architecture
+
+```
+┌──────────────┐         WebSocket          ┌──────────────────┐
+│ conduit      │◄──────────────────────────► │ conduit          │
+│ tunnel       │    (control + streams)      │ serve            │
+│ (client)     │                             │ (public server)  │
+├──────────────┤                             ├──────────────────┤
+│ HTTP Fwd  or │                             │ http.Server      │
+│ TCP Fwd      │                             │ Subdomain router │
+├──────────────┤                             │ WS upgrade       │
+│ Tunnel       │                             └──────────────────┘
+│ Monitor :8181│
+└──────────────┘
+```
+
+The server uses `net/http.Server` to accept connections and inspects the HTTP `Host` header for routing. Requests to the base domain hit the control API; requests to subdomains are hijacked and forwarded over WebSocket to the matching tunnel client. The client then forwards traffic to the local target via either a reverse-proxy (HTTP) or direct TCP dial.
+
+## Quick Start
+
+### Prerequisites
+
+- Go 1.25+ (or Docker)
+
+### Build
+
+```bash
+# Local build (all platforms)
+make build_local
+
+# Docker
+make docker_build_local
+```
+
+### Server
+
+Run the server on a publicly accessible host:
+
+```bash
+conduit serve \
+  --server https://conduit.example.com \
+  --bind 0.0.0.0:8080 \
+  --api_key your-secret-key
+```
+
+Or with Docker:
+
+```bash
+docker run -p 8080:8080 \
+  -e CONDUIT_SERVER=https://conduit.example.com \
+  -e CONDUIT_API_KEY=your-secret-key \
+  conduit:latest
+```
+
+### Client
+
+Create a tunnel to expose a local service:
+
+```bash
+# HTTP tunnel (auto-generates name)
+conduit tunnel \
+  --server https://conduit.example.com \
+  --api_key your-secret-key \
+  --target http://localhost:8000
+
+# Named TCP tunnel
+conduit tunnel \
+  --server https://conduit.example.com \
+  --api_key your-secret-key \
+  --name my-service \
+  --target tcp://localhost:5432
+```
+
+Targets must include an explicit `tcp://`, `http://`, or `https://` scheme. The local tunnel monitor is available at `http://localhost:8181` for HTTP tunnels.
+
+## Configuration
+
+All options can be set via CLI flags or environment variables (`CONDUIT_` prefix):
+
+### Server (`conduit serve`)
+
+| Flag | Env Var | Default | Description |
+|------|---------|---------|-------------|
+| `--server` | `CONDUIT_SERVER` | `http://localhost:8080` | Public server address |
+| `--api_key` | `CONDUIT_API_KEY` | — | API key (required) |
+| `--bind` | `CONDUIT_BIND` | `0.0.0.0:8080` | Listen address |
+| `--log_level` | `CONDUIT_LOG_LEVEL` | `info` | Log level |
+| `--log_format` | `CONDUIT_LOG_FORMAT` | `text` | Log format (`text` or `json`) |
+
+### Client (`conduit tunnel`)
+
+| Flag | Env Var | Default | Description |
+|------|---------|---------|-------------|
+| `--server` | `CONDUIT_SERVER` | `http://localhost:8080` | Conduit server address |
+| `--api_key` | `CONDUIT_API_KEY` | — | API key (required) |
+| `--name` | `CONDUIT_NAME` | (auto-generated) | Tunnel subdomain name |
+| `--target` | `CONDUIT_TARGET` | — | Local target address with `tcp://`, `http://`, or `https://` scheme (required) |
+| `--log_level` | `CONDUIT_LOG_LEVEL` | `info` | Log level |
+| `--log_format` | `CONDUIT_LOG_FORMAT` | `text` | Log format (`text` or `json`) |
+
+## Server API
+
+| Endpoint | Description |
+|----------|-------------|
+| `/_conduit/tunnel?tunnelName=<name>&apiKey=<key>` | WebSocket tunnel registration |
+| `/_conduit/info?apiKey=<key>` | JSON list of active tunnels |
+
+## Project Structure
+
+```
+├── cmd/             # Cobra CLI commands (root, serve, tunnel)
+├── config/          # Configuration parsing & logging setup
+├── server/          # HTTP server, subdomain routing, hijack + WebSocket upgrade
+├── tunnel/          # Tunnel, Stream, and Forwarder abstractions
+├── store/           # In-memory request/response recording for the monitor
+├── web/             # Local tunnel monitor HTTP server & SSE streaming
+├── types/           # Shared message types
+├── pkg/maps/        # Generic concurrent map
+├── build/           # Compiled binaries (gitignored in practice)
+├── Dockerfile       # Single-stage Docker build
+└── Makefile         # Build & release targets
+```
+
+## License
+
+See repository for license details.

cmd/tunnel.go

@@ -16,7 +16,7 @@ import (
 )
 
 var tunnelCmd = &cobra.Command{
-	Use:   "tunnel <name> <host:port>",
+	Use:   "tunnel --target <scheme://host:port>",
 	Short: "Create a conduit tunnel",
 	Run: func(cmd *cobra.Command, args []string) {
 		// Get Client Config

config/config.go

@@ -1,10 +1,12 @@
 package config
 
 import (
+	"encoding/json"
 	"errors"
 	"fmt"
 	"net/url"
 	"os"
+	"path/filepath"
 	"reflect"
 	"strings"
 
@@ -51,7 +53,7 @@ type ServerConfig struct {
 type ClientConfig struct {
 	BaseConfig
 	TunnelName   string `json:"name" description:"Tunnel name"`
-	TunnelTarget string `json:"target" description:"Tunnel target address"`
+	TunnelTarget string `json:"target" description:"Tunnel target address (tcp://, http://, or https://)"`
 }
 
 func (c *ClientConfig) Validate() error {
@@ -69,7 +71,7 @@ func GetServerConfig(cmdFlags *pflag.FlagSet) (*ServerConfig, error) {
 
 	cfgValues := make(map[string]string)
 	for _, def := range defs {
-		cfgValues[def.Key] = getConfigValue(cmdFlags, def)
+		cfgValues[def.Key] = getConfigValue(cmdFlags, nil, def)
 	}
 
 	cfg := &ServerConfig{
@@ -86,9 +88,15 @@ func GetServerConfig(cmdFlags *pflag.FlagSet) (*ServerConfig, error) {
 func GetClientConfig(cmdFlags *pflag.FlagSet) (*ClientConfig, error) {
 	defs := GetConfigDefs[ClientConfig]()
 
+	// Load Client Config File
+	fileValues, err := getClientConfigFileValues()
+	if err != nil {
+		return nil, err
+	}
+
 	cfgValues := make(map[string]string)
 	for _, def := range defs {
-		cfgValues[def.Key] = getConfigValue(cmdFlags, def)
+		cfgValues[def.Key] = getConfigValue(cmdFlags, fileValues, def)
 	}
 
 	cfg := &ClientConfig{
@@ -122,7 +130,33 @@ func getBaseConfig(cfgValues map[string]string) BaseConfig {
 	}
 }
 
-func getConfigValue(cmdFlags *pflag.FlagSet, def ConfigDef) string {
+func getClientConfigFileValues() (map[string]string, error) {
+	path, err := findConfigFile()
+	if err != nil {
+		return nil, err
+	}
+	if path == "" {
+		return nil, nil
+	}
+
+	// Load Config File
+	values, err := loadConfigFile(path)
+	if err != nil {
+		return nil, err
+	}
+
+	// Keep Client File Settings Explicit - Tunnel name and target are intentionally
+	// not read from the config file because they should be provided per invocation.
+	clientValues := make(map[string]string)
+	for key, value := range values {
+		if isClientFileConfigKey(key) {
+			clientValues[key] = value
+		}
+	}
+	return clientValues, nil
+}
+
+func getConfigValue(cmdFlags *pflag.FlagSet, fileValues map[string]string, def ConfigDef) string {
 	// 1. Get Flags First
 	if cmdFlags != nil {
 		if val, err := cmdFlags.GetString(def.Key); err == nil && val != "" && val != def.Default {
@@ -135,10 +169,65 @@ func getConfigValue(cmdFlags *pflag.FlagSet, def ConfigDef) string {
 		return envVal
 	}
 
-	// 3. Defaults Last
+	// 3. Config File Next
+	if fileValues != nil {
+		if val := fileValues[def.Key]; val != "" {
+			return val
+		}
+	}
+
+	// 4. Defaults Last
 	return def.Default
 }
 
+func findConfigFile() (string, error) {
+	// Check Project Config
+	localPath := "conduit.json"
+	if _, err := os.Stat(localPath); err == nil {
+		return localPath, nil
+	} else if !errors.Is(err, os.ErrNotExist) {
+		return "", err
+	}
+
+	// Check User Config
+	configDir, err := os.UserConfigDir()
+	if err != nil {
+		return "", nil
+	}
+	userPath := filepath.Join(configDir, "conduit", "config.json")
+	if _, err := os.Stat(userPath); err == nil {
+		return userPath, nil
+	} else if !errors.Is(err, os.ErrNotExist) {
+		return "", err
+	}
+
+	return "", nil
+}
+
+func loadConfigFile(path string) (map[string]string, error) {
+	// Read Config File
+	data, err := os.ReadFile(path)
+	if err != nil {
+		return nil, err
+	}
+
+	// Decode Config File
+	values := make(map[string]string)
+	if err := json.Unmarshal(data, &values); err != nil {
+		return nil, fmt.Errorf("failed to parse config file %s: %w", path, err)
+	}
+	return values, nil
+}
+
+func isClientFileConfigKey(key string) bool {
+	switch key {
+	case "server", "api_key", "log_level", "log_format":
+		return true
+	default:
+		return false
+	}
+}
+
 func processFields(t reflect.Type, defs *[]ConfigDef) {
 	for i := 0; i < t.NumField(); i++ {
 		field := t.Field(i)

config/config_test.go

@@ -0,0 +1,144 @@
+package config
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/spf13/pflag"
+)
+
+func TestLoadConfigFile(t *testing.T) {
+	path := filepath.Join(t.TempDir(), "config.json")
+	if err := os.WriteFile(path, []byte(`{"server":"https://example.com","api_key":"secret"}`), 0o600); err != nil {
+		t.Fatal(err)
+	}
+
+	// Load Config File
+	values, err := loadConfigFile(path)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Verify Values
+	if values["server"] != "https://example.com" {
+		t.Fatalf("expected server from config file, got %q", values["server"])
+	}
+	if values["api_key"] != "secret" {
+		t.Fatalf("expected api_key from config file, got %q", values["api_key"])
+	}
+}
+
+func TestFindConfigFile(t *testing.T) {
+	workDir := t.TempDir()
+	configDir := t.TempDir()
+	oldDir, err := os.Getwd()
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer func() {
+		if err := os.Chdir(oldDir); err != nil {
+			t.Fatal(err)
+		}
+	}()
+	if err := os.Chdir(workDir); err != nil {
+		t.Fatal(err)
+	}
+	t.Setenv("XDG_CONFIG_HOME", configDir)
+
+	// Missing Config File
+	path, err := findConfigFile()
+	if err != nil {
+		t.Fatal(err)
+	}
+	if path != "" {
+		t.Fatalf("expected no config file, got %q", path)
+	}
+
+	// User Config File
+	userPath := filepath.Join(configDir, "conduit", "config.json")
+	if err := os.MkdirAll(filepath.Dir(userPath), 0o700); err != nil {
+		t.Fatal(err)
+	}
+	if err := os.WriteFile(userPath, []byte(`{}`), 0o600); err != nil {
+		t.Fatal(err)
+	}
+	path, err = findConfigFile()
+	if err != nil {
+		t.Fatal(err)
+	}
+	if path != userPath {
+		t.Fatalf("expected user config file %q, got %q", userPath, path)
+	}
+
+	// Local Config File Precedence
+	localPath := "conduit.json"
+	if err := os.WriteFile(localPath, []byte(`{}`), 0o600); err != nil {
+		t.Fatal(err)
+	}
+	path, err = findConfigFile()
+	if err != nil {
+		t.Fatal(err)
+	}
+	if path != localPath {
+		t.Fatalf("expected local config file %q, got %q", localPath, path)
+	}
+}
+
+func TestGetConfigValuePriority(t *testing.T) {
+	def := ConfigDef{Key: "server", Env: "CONDUIT_SERVER", Default: "default"}
+	fileValues := map[string]string{"server": "file"}
+
+	// Config File Beats Default
+	if value := getConfigValue(nil, fileValues, def); value != "file" {
+		t.Fatalf("expected file value, got %q", value)
+	}
+
+	// Environment Beats Config File
+	t.Setenv("CONDUIT_SERVER", "env")
+	if value := getConfigValue(nil, fileValues, def); value != "env" {
+		t.Fatalf("expected env value, got %q", value)
+	}
+
+	// Flags Beat Environment
+	flags := pflag.NewFlagSet("test", pflag.ContinueOnError)
+	flags.String("server", "default", "server")
+	if err := flags.Set("server", "flag"); err != nil {
+		t.Fatal(err)
+	}
+	if value := getConfigValue(flags, fileValues, def); value != "flag" {
+		t.Fatalf("expected flag value, got %q", value)
+	}
+}
+
+func TestGetClientConfigFileValuesIgnoresTunnelSettings(t *testing.T) {
+	workDir := t.TempDir()
+	oldDir, err := os.Getwd()
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer func() {
+		if err := os.Chdir(oldDir); err != nil {
+			t.Fatal(err)
+		}
+	}()
+	if err := os.Chdir(workDir); err != nil {
+		t.Fatal(err)
+	}
+
+	// Write Local Config File
+	if err := os.WriteFile("conduit.json", []byte(`{"server":"https://example.com","api_key":"secret","name":"saved","target":"localhost:3000"}`), 0o600); err != nil {
+		t.Fatal(err)
+	}
+
+	values, err := getClientConfigFileValues()
+	if err != nil {
+		t.Fatal(err)
+	}
+	if values["server"] != "https://example.com" {
+		t.Fatalf("expected server from config file, got %q", values["server"])
+	}
+	if values["name"] != "" || values["target"] != "" {
+		t.Fatalf("expected tunnel settings to be ignored, got name=%q target=%q", values["name"], values["target"])
+	}
+}

e2e_test.go

@@ -0,0 +1,864 @@
+package main
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"net"
+	"net/http"
+	"strings"
+	"sync"
+	"testing"
+	"time"
+
+	"reichard.io/conduit/config"
+	"reichard.io/conduit/server"
+	"reichard.io/conduit/store"
+	"reichard.io/conduit/tunnel"
+	"reichard.io/conduit/web"
+)
+
+// ---------- Helpers ----------
+
+// startConduitServer creates and starts a conduit server on a random port.
+// Returns the server address (host:port) and a cancel func for teardown.
+func startConduitServer(t *testing.T, apiKey string) (string, context.CancelFunc) {
+	t.Helper()
+
+	// Find Free Port
+	port := getFreePort(t)
+	bindAddr := fmt.Sprintf("127.0.0.1:%d", port)
+	serverAddr := fmt.Sprintf("http://%s", bindAddr)
+
+	cfg := &config.ServerConfig{
+		BaseConfig: config.BaseConfig{
+			ServerAddress: serverAddr,
+			APIKey:        apiKey,
+			LogLevel:      "error",
+			LogFormat:     "text",
+		},
+		BindAddress: bindAddr,
+	}
+
+	ctx, cancel := context.WithCancel(context.Background())
+	srv, err := server.NewServer(ctx, cfg)
+	if err != nil {
+		cancel()
+		t.Fatalf("failed to create server: %v", err)
+	}
+
+	// Start Server in Background
+	errCh := make(chan error, 1)
+	go func() { errCh <- srv.Start() }()
+
+	// Wait for Server to Accept
+	waitForPort(t, bindAddr, 3*time.Second)
+
+	// Check Early Errors
+	select {
+	case err := <-errCh:
+		cancel()
+		t.Fatalf("server exited early: %v", err)
+	default:
+	}
+
+	return bindAddr, cancel
+}
+
+// startHTTPTarget creates a simple HTTP server that echoes request info.
+func startHTTPTarget(t *testing.T) (string, context.CancelFunc) {
+	t.Helper()
+
+	port := getFreePort(t)
+	addr := fmt.Sprintf("127.0.0.1:%d", port)
+
+	mux := http.NewServeMux()
+	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("X-Test-Header", "present")
+		w.WriteHeader(http.StatusOK)
+		fmt.Fprintf(w, "echo: %s %s", r.Method, r.URL.Path)
+	})
+	mux.HandleFunc("/health", func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+		w.Write([]byte("ok"))
+	})
+	mux.HandleFunc("/post", func(w http.ResponseWriter, r *http.Request) {
+		body, _ := io.ReadAll(r.Body)
+		w.WriteHeader(http.StatusOK)
+		fmt.Fprintf(w, "received: %s", string(body))
+	})
+
+	srv := &http.Server{Addr: addr, Handler: mux}
+	ctx, cancel := context.WithCancel(context.Background())
+
+	go func() { srv.ListenAndServe() }()
+	go func() { <-ctx.Done(); srv.Close() }()
+
+	waitForPort(t, addr, 3*time.Second)
+
+	return addr, cancel
+}
+
+// startTCPEchoTarget creates a TCP server that echoes back whatever it receives.
+func startTCPEchoTarget(t *testing.T) (string, context.CancelFunc) {
+	t.Helper()
+
+	listener, err := net.Listen("tcp", "127.0.0.1:0")
+	if err != nil {
+		t.Fatalf("failed to start tcp echo: %v", err)
+	}
+	addr := listener.Addr().String()
+
+	ctx, cancel := context.WithCancel(context.Background())
+
+	go func() {
+		<-ctx.Done()
+		listener.Close()
+	}()
+
+	go func() {
+		for {
+			conn, err := listener.Accept()
+			if err != nil {
+				return
+			}
+			go func(c net.Conn) {
+				defer c.Close()
+				io.Copy(c, c)
+			}(conn)
+		}
+	}()
+
+	return addr, cancel
+}
+
+// connectTunnel creates a conduit tunnel client and starts it.
+func connectTunnel(t *testing.T, serverAddr, targetAddr, tunnelName, apiKey string) context.CancelFunc {
+	t.Helper()
+
+	cfg := &config.ClientConfig{
+		BaseConfig: config.BaseConfig{
+			ServerAddress: fmt.Sprintf("http://%s", serverAddr),
+			APIKey:        apiKey,
+			LogLevel:      "error",
+			LogFormat:     "text",
+		},
+		TunnelName:   tunnelName,
+		TunnelTarget: targetAddr,
+	}
+
+	// Create Tunnel Store
+	tunnelStore := store.NewTunnelStore(100)
+
+	// Create Forwarder
+	forwarder, err := tunnel.NewForwarder(cfg.TunnelTarget, tunnelStore)
+	if err != nil {
+		t.Fatalf("failed to create forwarder: %v", err)
+	}
+
+	var wg sync.WaitGroup
+	ctx, cancel := context.WithCancel(context.Background())
+
+	// Start Forwarder
+	wg.Add(1)
+	go func() {
+		defer wg.Done()
+		forwarder.Start(ctx)
+	}()
+
+	// Create & Start Tunnel
+	tun, err := tunnel.NewClientTunnel(cfg, forwarder)
+	if err != nil {
+		cancel()
+		t.Fatalf("failed to create tunnel: %v", err)
+	}
+
+	wg.Add(1)
+	go func() {
+		defer wg.Done()
+		tun.Start(ctx)
+	}()
+
+	// Start Web Server
+	webServer := web.NewWebServer(tunnelStore)
+	wg.Add(1)
+	go func() {
+		defer wg.Done()
+		webServer.Start(ctx)
+	}()
+
+	// Brief Settle Time
+	time.Sleep(100 * time.Millisecond)
+
+	cleanup := func() {
+		cancel()
+		wg.Wait()
+	}
+	return cleanup
+}
+
+// sendHTTPViaTunnel sends an HTTP request through the conduit server to a tunnel.
+func sendHTTPViaTunnel(t *testing.T, serverAddr, tunnelName, method, path, body string) *http.Response {
+	t.Helper()
+
+	url := fmt.Sprintf("http://%s%s", serverAddr, path)
+	var bodyReader io.Reader
+	if body != "" {
+		bodyReader = strings.NewReader(body)
+	}
+
+	req, err := http.NewRequest(method, url, bodyReader)
+	if err != nil {
+		t.Fatalf("failed to create request: %v", err)
+	}
+
+	// Route via Subdomain
+	req.Host = fmt.Sprintf("%s.%s", tunnelName, serverAddr)
+
+	client := &http.Client{
+		Timeout:   10 * time.Second,
+		Transport: &http.Transport{DisableKeepAlives: true},
+	}
+	resp, err := client.Do(req)
+	if err != nil {
+		t.Fatalf("request failed: %v", err)
+	}
+	return resp
+}
+
+func readBody(t *testing.T, resp *http.Response) string {
+	t.Helper()
+	defer resp.Body.Close()
+	b, err := io.ReadAll(resp.Body)
+	if err != nil {
+		t.Fatalf("failed to read body: %v", err)
+	}
+	return string(b)
+}
+
+func getFreePort(t *testing.T) int {
+	t.Helper()
+	l, err := net.Listen("tcp", "127.0.0.1:0")
+	if err != nil {
+		t.Fatalf("failed to get free port: %v", err)
+	}
+	port := l.Addr().(*net.TCPAddr).Port
+	l.Close()
+	return port
+}
+
+func waitForPort(t *testing.T, addr string, timeout time.Duration) {
+	t.Helper()
+	deadline := time.Now().Add(timeout)
+	for time.Now().Before(deadline) {
+		conn, err := net.DialTimeout("tcp", addr, 100*time.Millisecond)
+		if err == nil {
+			conn.Close()
+			return
+		}
+		time.Sleep(25 * time.Millisecond)
+	}
+	t.Fatalf("port %s not ready after %s", addr, timeout)
+}
+
+// ---------- Tests ----------
+
+func TestHTTPTunnelRoundTrip(t *testing.T) {
+	apiKey := "test-key-http"
+
+	// Start Target HTTP Server
+	targetAddr, stopTarget := startHTTPTarget(t)
+	defer stopTarget()
+
+	// Start Conduit Server
+	serverAddr, stopServer := startConduitServer(t, apiKey)
+	defer stopServer()
+
+	// Connect Tunnel
+	stopTunnel := connectTunnel(t, serverAddr, fmt.Sprintf("http://%s", targetAddr), "http-test", apiKey)
+	defer stopTunnel()
+
+	// GET /
+	resp := sendHTTPViaTunnel(t, serverAddr, "http-test", "GET", "/", "")
+	body := readBody(t, resp)
+
+	if resp.StatusCode != http.StatusOK {
+		t.Errorf("expected 200, got %d", resp.StatusCode)
+	}
+	if !strings.Contains(body, "echo: GET /") {
+		t.Errorf("unexpected body: %s", body)
+	}
+
+	// GET /health
+	resp = sendHTTPViaTunnel(t, serverAddr, "http-test", "GET", "/health", "")
+	body = readBody(t, resp)
+
+	if resp.StatusCode != http.StatusOK {
+		t.Errorf("expected 200, got %d", resp.StatusCode)
+	}
+	if body != "ok" {
+		t.Errorf("expected 'ok', got %q", body)
+	}
+}
+
+func TestHTTPTunnelPOST(t *testing.T) {
+	apiKey := "test-key-post"
+
+	// Start Target HTTP Server
+	targetAddr, stopTarget := startHTTPTarget(t)
+	defer stopTarget()
+
+	// Start Conduit Server
+	serverAddr, stopServer := startConduitServer(t, apiKey)
+	defer stopServer()
+
+	// Connect Tunnel
+	stopTunnel := connectTunnel(t, serverAddr, fmt.Sprintf("http://%s", targetAddr), "post-test", apiKey)
+	defer stopTunnel()
+
+	// POST /post
+	resp := sendHTTPViaTunnel(t, serverAddr, "post-test", "POST", "/post", "hello world")
+	body := readBody(t, resp)
+
+	if resp.StatusCode != http.StatusOK {
+		t.Errorf("expected 200, got %d", resp.StatusCode)
+	}
+	if !strings.Contains(body, "received: hello world") {
+		t.Errorf("unexpected body: %s", body)
+	}
+}
+
+func TestUnknownTunnelReturns404(t *testing.T) {
+	apiKey := "test-key-404"
+
+	// Start Conduit Server
+	serverAddr, stopServer := startConduitServer(t, apiKey)
+	defer stopServer()
+
+	// Request to Non-Existent Tunnel
+	resp := sendHTTPViaTunnel(t, serverAddr, "no-such-tunnel", "GET", "/", "")
+	body := readBody(t, resp)
+
+	if resp.StatusCode != http.StatusNotFound {
+		t.Errorf("expected 404, got %d", resp.StatusCode)
+	}
+	if !strings.Contains(body, "unknown tunnel") {
+		t.Errorf("expected 'unknown tunnel' error, got: %s", body)
+	}
+}
+
+func TestDuplicateTunnelNameRejected(t *testing.T) {
+	apiKey := "test-key-dup"
+
+	// Start Target HTTP Server
+	targetAddr, stopTarget := startHTTPTarget(t)
+	defer stopTarget()
+
+	// Start Conduit Server
+	serverAddr, stopServer := startConduitServer(t, apiKey)
+	defer stopServer()
+
+	// Connect First Tunnel
+	stopTunnel1 := connectTunnel(t, serverAddr, fmt.Sprintf("http://%s", targetAddr), "dup-test", apiKey)
+	defer stopTunnel1()
+
+	// Attempt Duplicate — this should fail at WebSocket dial
+	cfg := &config.ClientConfig{
+		BaseConfig: config.BaseConfig{
+			ServerAddress: fmt.Sprintf("http://%s", serverAddr),
+			APIKey:        apiKey,
+			LogLevel:      "error",
+			LogFormat:     "text",
+		},
+		TunnelName:   "dup-test",
+		TunnelTarget: fmt.Sprintf("http://%s", targetAddr),
+	}
+
+	tunnelStore := store.NewTunnelStore(100)
+	forwarder, err := tunnel.NewForwarder(cfg.TunnelTarget, tunnelStore)
+	if err != nil {
+		t.Fatalf("failed to create forwarder: %v", err)
+	}
+
+	_, err = tunnel.NewClientTunnel(cfg, forwarder)
+	if err == nil {
+		t.Error("expected error for duplicate tunnel name, got nil")
+	}
+}
+
+func TestUnauthorizedControlAccess(t *testing.T) {
+	apiKey := "test-key-auth"
+
+	// Start Conduit Server
+	serverAddr, stopServer := startConduitServer(t, apiKey)
+	defer stopServer()
+
+	// Request Info with Wrong API Key
+	url := fmt.Sprintf("http://%s/_conduit/info?apiKey=wrong-key", serverAddr)
+	req, _ := http.NewRequest("GET", url, nil)
+	req.Host = serverAddr
+
+	resp, err := http.DefaultClient.Do(req)
+	if err != nil {
+		t.Fatalf("request failed: %v", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusUnauthorized {
+		t.Errorf("expected 401, got %d", resp.StatusCode)
+	}
+}
+
+func TestInfoEndpointListsTunnels(t *testing.T) {
+	apiKey := "test-key-info"
+
+	// Start Target HTTP Server
+	targetAddr, stopTarget := startHTTPTarget(t)
+	defer stopTarget()
+
+	// Start Conduit Server
+	serverAddr, stopServer := startConduitServer(t, apiKey)
+	defer stopServer()
+
+	// Connect Tunnel
+	stopTunnel := connectTunnel(t, serverAddr, fmt.Sprintf("http://%s", targetAddr), "info-test", apiKey)
+	defer stopTunnel()
+
+	// Query Info Endpoint
+	url := fmt.Sprintf("http://%s/_conduit/info?apiKey=%s", serverAddr, apiKey)
+	req, _ := http.NewRequest("GET", url, nil)
+	req.Host = serverAddr
+
+	resp, err := http.DefaultClient.Do(req)
+	if err != nil {
+		t.Fatalf("request failed: %v", err)
+	}
+	body := readBody(t, resp)
+
+	if resp.StatusCode != http.StatusOK {
+		t.Errorf("expected 200, got %d", resp.StatusCode)
+	}
+	if !strings.Contains(body, "info-test") {
+		t.Errorf("expected tunnel 'info-test' in response: %s", body)
+	}
+}
+
+func TestMultipleTunnelsRouteCorrectly(t *testing.T) {
+	apiKey := "test-key-multi"
+
+	// Start Two Separate Target Servers
+	target1Addr, stopTarget1 := startHTTPTarget(t)
+	defer stopTarget1()
+
+	port2 := getFreePort(t)
+	addr2 := fmt.Sprintf("127.0.0.1:%d", port2)
+	mux2 := http.NewServeMux()
+	mux2.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+		fmt.Fprint(w, "target-two")
+	})
+	srv2 := &http.Server{Addr: addr2, Handler: mux2}
+	go srv2.ListenAndServe()
+	defer srv2.Close()
+	waitForPort(t, addr2, 3*time.Second)
+
+	// Start Conduit Server
+	serverAddr, stopServer := startConduitServer(t, apiKey)
+	defer stopServer()
+
+	// Connect Two Tunnels
+	stopTunnel1 := connectTunnel(t, serverAddr, fmt.Sprintf("http://%s", target1Addr), "multi-one", apiKey)
+	defer stopTunnel1()
+
+	stopTunnel2 := connectTunnel(t, serverAddr, fmt.Sprintf("http://%s", addr2), "multi-two", apiKey)
+	defer stopTunnel2()
+
+	// Request to First Tunnel
+	resp1 := sendHTTPViaTunnel(t, serverAddr, "multi-one", "GET", "/", "")
+	body1 := readBody(t, resp1)
+	if !strings.Contains(body1, "echo: GET /") {
+		t.Errorf("tunnel one unexpected body: %s", body1)
+	}
+
+	// Request to Second Tunnel
+	resp2 := sendHTTPViaTunnel(t, serverAddr, "multi-two", "GET", "/", "")
+	body2 := readBody(t, resp2)
+	if body2 != "target-two" {
+		t.Errorf("tunnel two expected 'target-two', got: %s", body2)
+	}
+}
+
+func TestServerGracefulShutdown(t *testing.T) {
+	apiKey := "test-key-shutdown"
+
+	// Start Conduit Server
+	serverAddr, stopServer := startConduitServer(t, apiKey)
+
+	// Cancel Server
+	stopServer()
+
+	// Verify Port Is Closed
+	time.Sleep(200 * time.Millisecond)
+	conn, err := net.DialTimeout("tcp", serverAddr, 500*time.Millisecond)
+	if err == nil {
+		conn.Close()
+		t.Error("expected server port to be closed after shutdown")
+	}
+}
+
+// ---------- HTTP Response Quality Tests ----------
+
+func TestHTTPResponseHasProperHeaders(t *testing.T) {
+	apiKey := "test-key-headers"
+
+	// Start Target HTTP Server
+	targetAddr, stopTarget := startHTTPTarget(t)
+	defer stopTarget()
+
+	// Start Conduit Server
+	serverAddr, stopServer := startConduitServer(t, apiKey)
+	defer stopServer()
+
+	// Connect Tunnel
+	stopTunnel := connectTunnel(t, serverAddr, fmt.Sprintf("http://%s", targetAddr), "hdr-test", apiKey)
+	defer stopTunnel()
+
+	// Send Request Through Tunnel
+	resp := sendHTTPViaTunnel(t, serverAddr, "hdr-test", "GET", "/", "")
+	defer resp.Body.Close()
+
+	// Verify Proper HTTP Semantics
+	if resp.Proto != "HTTP/1.1" {
+		t.Errorf("expected HTTP/1.1, got %s", resp.Proto)
+	}
+	if resp.Header.Get("X-Test-Header") != "present" {
+		t.Errorf("expected X-Test-Header: present, got %q", resp.Header.Get("X-Test-Header"))
+	}
+	if resp.ContentLength <= 0 && resp.TransferEncoding == nil {
+		t.Errorf("expected Content-Length or Transfer-Encoding, got neither")
+	}
+}
+
+func TestHTTPControlEndpointResponseQuality(t *testing.T) {
+	apiKey := "test-key-ctrl-quality"
+
+	// Start Conduit Server
+	serverAddr, stopServer := startConduitServer(t, apiKey)
+	defer stopServer()
+
+	// 404 on Unknown Tunnel — Verify stdlib response format
+	resp := sendHTTPViaTunnel(t, serverAddr, "nope", "GET", "/", "")
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusNotFound {
+		t.Errorf("expected 404, got %d", resp.StatusCode)
+	}
+
+	// Content-Type Should Be Set by http.Error
+	ct := resp.Header.Get("Content-Type")
+	if !strings.Contains(ct, "text/plain") {
+		t.Errorf("expected text/plain Content-Type, got %q", ct)
+	}
+
+	// Content-Length Should Be Present
+	if resp.ContentLength <= 0 {
+		t.Errorf("expected positive Content-Length, got %d", resp.ContentLength)
+	}
+
+	// Info Endpoint — JSON response quality
+	url := fmt.Sprintf("http://%s/_conduit/info?apiKey=%s", serverAddr, apiKey)
+	req, _ := http.NewRequest("GET", url, nil)
+	req.Host = serverAddr
+
+	resp2, err := (&http.Client{Timeout: 5 * time.Second}).Do(req)
+	if err != nil {
+		t.Fatalf("info request failed: %v", err)
+	}
+	defer resp2.Body.Close()
+
+	if resp2.Header.Get("Content-Type") != "application/json" {
+		t.Errorf("expected application/json, got %q", resp2.Header.Get("Content-Type"))
+	}
+}
+
+// ---------- Large Body Tests ----------
+
+func TestHTTPLargeResponseBody(t *testing.T) {
+	apiKey := "test-key-large-resp"
+
+	// Start Target That Returns a Large Body
+	largeBody := strings.Repeat("A", 1024*1024) // 1 MB
+	port := getFreePort(t)
+	addr := fmt.Sprintf("127.0.0.1:%d", port)
+	mux := http.NewServeMux()
+	mux.HandleFunc("/large", func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+		w.Write([]byte(largeBody))
+	})
+	srv := &http.Server{Addr: addr, Handler: mux}
+	go srv.ListenAndServe()
+	defer srv.Close()
+	waitForPort(t, addr, 3*time.Second)
+
+	// Start Conduit Server
+	serverAddr, stopServer := startConduitServer(t, apiKey)
+	defer stopServer()
+
+	// Connect Tunnel
+	stopTunnel := connectTunnel(t, serverAddr, fmt.Sprintf("http://%s", addr), "large-resp", apiKey)
+	defer stopTunnel()
+
+	// Request Large Response
+	resp := sendHTTPViaTunnel(t, serverAddr, "large-resp", "GET", "/large", "")
+	body := readBody(t, resp)
+
+	if len(body) != len(largeBody) {
+		t.Errorf("expected %d bytes, got %d", len(largeBody), len(body))
+	}
+}
+
+func TestHTTPLargeRequestBody(t *testing.T) {
+	apiKey := "test-key-large-req"
+
+	// Start Target That Echoes Body Size
+	port := getFreePort(t)
+	addr := fmt.Sprintf("127.0.0.1:%d", port)
+	mux := http.NewServeMux()
+	mux.HandleFunc("/upload", func(w http.ResponseWriter, r *http.Request) {
+		data, _ := io.ReadAll(r.Body)
+		w.WriteHeader(http.StatusOK)
+		fmt.Fprintf(w, "size:%d", len(data))
+	})
+	srv := &http.Server{Addr: addr, Handler: mux}
+	go srv.ListenAndServe()
+	defer srv.Close()
+	waitForPort(t, addr, 3*time.Second)
+
+	// Start Conduit Server
+	serverAddr, stopServer := startConduitServer(t, apiKey)
+	defer stopServer()
+
+	// Connect Tunnel
+	stopTunnel := connectTunnel(t, serverAddr, fmt.Sprintf("http://%s", addr), "large-req", apiKey)
+	defer stopTunnel()
+
+	// Send Large Request Body (512 KB)
+	largePayload := strings.Repeat("B", 512*1024)
+	resp := sendHTTPViaTunnel(t, serverAddr, "large-req", "POST", "/upload", largePayload)
+	body := readBody(t, resp)
+
+	expected := fmt.Sprintf("size:%d", len(largePayload))
+	if body != expected {
+		t.Errorf("expected %q, got %q", expected, body)
+	}
+}
+
+// ---------- TCP Tunnel Tests ----------
+
+func TestTCPTunnelEcho(t *testing.T) {
+	apiKey := "test-key-tcp"
+
+	// Start TCP Echo Server
+	tcpAddr, stopTCP := startTCPEchoTarget(t)
+	defer stopTCP()
+
+	// Start Conduit Server
+	serverAddr, stopServer := startConduitServer(t, apiKey)
+	defer stopServer()
+
+	// Connect TCP Tunnel
+	stopTunnel := connectTunnel(t, serverAddr, fmt.Sprintf("tcp://%s", tcpAddr), "tcp-test", apiKey)
+	defer stopTunnel()
+
+	// Send Raw HTTP Request Through Tunnel to TCP Echo
+	conn, err := net.DialTimeout("tcp", serverAddr, 5*time.Second)
+	if err != nil {
+		t.Fatalf("failed to connect: %v", err)
+	}
+	defer conn.Close()
+
+	// Write a Raw HTTP Request (the TCP echo will bounce it back)
+	reqLine := fmt.Sprintf("GET / HTTP/1.1\r\nHost: tcp-test.%s\r\n\r\n", serverAddr)
+	_, err = conn.Write([]byte(reqLine))
+	if err != nil {
+		t.Fatalf("failed to write: %v", err)
+	}
+
+	// Read Echoed Data
+	conn.SetReadDeadline(time.Now().Add(5 * time.Second))
+	buf := make([]byte, 4096)
+	n, err := conn.Read(buf)
+	if err != nil {
+		t.Fatalf("failed to read echo: %v", err)
+	}
+
+	response := string(buf[:n])
+	if !strings.Contains(response, "GET / HTTP/1.1") {
+		t.Errorf("expected echoed request, got: %q", response)
+	}
+}
+
+func TestTCPTunnelLargePayload(t *testing.T) {
+	apiKey := "test-key-tcp-large"
+
+	// Start TCP Echo Server
+	tcpAddr, stopTCP := startTCPEchoTarget(t)
+	defer stopTCP()
+
+	// Start Conduit Server
+	serverAddr, stopServer := startConduitServer(t, apiKey)
+	defer stopServer()
+
+	// Connect TCP Tunnel
+	stopTunnel := connectTunnel(t, serverAddr, fmt.Sprintf("tcp://%s", tcpAddr), "tcp-large", apiKey)
+	defer stopTunnel()
+
+	// Connect and Send Large Payload
+	conn, err := net.DialTimeout("tcp", serverAddr, 5*time.Second)
+	if err != nil {
+		t.Fatalf("failed to connect: %v", err)
+	}
+	defer conn.Close()
+
+	// Route via Host Header Then Send 64 KB Payload
+	header := fmt.Sprintf("POST /data HTTP/1.1\r\nHost: tcp-large.%s\r\nContent-Length: 65536\r\n\r\n", serverAddr)
+	payload := header + strings.Repeat("X", 64*1024)
+
+	_, err = conn.Write([]byte(payload))
+	if err != nil {
+		t.Fatalf("failed to write: %v", err)
+	}
+
+	// Read All Echoed Data
+	conn.SetReadDeadline(time.Now().Add(5 * time.Second))
+	var received []byte
+	buf := make([]byte, 8192)
+	for len(received) < len(payload) {
+		n, err := conn.Read(buf)
+		if err != nil {
+			break
+		}
+		received = append(received, buf[:n]...)
+	}
+
+	if len(received) != len(payload) {
+		t.Errorf("expected %d bytes echoed, got %d", len(payload), len(received))
+	}
+}
+
+// ---------- Concurrency Tests ----------
+
+func TestConcurrentHTTPRequests(t *testing.T) {
+	apiKey := "test-key-concurrent"
+
+	// Start Target HTTP Server
+	targetAddr, stopTarget := startHTTPTarget(t)
+	defer stopTarget()
+
+	// Start Conduit Server
+	serverAddr, stopServer := startConduitServer(t, apiKey)
+	defer stopServer()
+
+	// Connect Tunnel
+	stopTunnel := connectTunnel(t, serverAddr, fmt.Sprintf("http://%s", targetAddr), "conc-test", apiKey)
+	defer stopTunnel()
+
+	// Fire 20 Concurrent Requests
+	const numRequests = 20
+	var wg sync.WaitGroup
+	errors := make(chan string, numRequests)
+
+	for i := range numRequests {
+		wg.Add(1)
+		go func(idx int) {
+			defer wg.Done()
+			path := fmt.Sprintf("/item/%d", idx)
+			resp := sendHTTPViaTunnel(t, serverAddr, "conc-test", "GET", path, "")
+			body := readBody(t, resp)
+
+			expected := fmt.Sprintf("echo: GET %s", path)
+			if !strings.Contains(body, expected) {
+				errors <- fmt.Sprintf("request %d: expected %q, got %q", idx, expected, body)
+			}
+			if resp.StatusCode != http.StatusOK {
+				errors <- fmt.Sprintf("request %d: expected 200, got %d", idx, resp.StatusCode)
+			}
+		}(i)
+	}
+
+	wg.Wait()
+	close(errors)
+
+	for errMsg := range errors {
+		t.Error(errMsg)
+	}
+}
+
+func TestConcurrentMultiTunnelRequests(t *testing.T) {
+	apiKey := "test-key-conc-multi"
+
+	// Start Two Target Servers
+	target1Addr, stopTarget1 := startHTTPTarget(t)
+	defer stopTarget1()
+
+	port2 := getFreePort(t)
+	addr2 := fmt.Sprintf("127.0.0.1:%d", port2)
+	mux2 := http.NewServeMux()
+	mux2.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+		fmt.Fprintf(w, "server-two: %s", r.URL.Path)
+	})
+	srv2 := &http.Server{Addr: addr2, Handler: mux2}
+	go srv2.ListenAndServe()
+	defer srv2.Close()
+	waitForPort(t, addr2, 3*time.Second)
+
+	// Start Conduit Server
+	serverAddr, stopServer := startConduitServer(t, apiKey)
+	defer stopServer()
+
+	// Connect Two Tunnels
+	stopTunnel1 := connectTunnel(t, serverAddr, fmt.Sprintf("http://%s", target1Addr), "cm-one", apiKey)
+	defer stopTunnel1()
+
+	stopTunnel2 := connectTunnel(t, serverAddr, fmt.Sprintf("http://%s", addr2), "cm-two", apiKey)
+	defer stopTunnel2()
+
+	// Fire Concurrent Requests to Both Tunnels
+	const perTunnel = 10
+	var wg sync.WaitGroup
+	errors := make(chan string, perTunnel*2)
+
+	for i := range perTunnel {
+		wg.Add(2)
+
+		// Requests to Tunnel One
+		go func(idx int) {
+			defer wg.Done()
+			path := fmt.Sprintf("/a/%d", idx)
+			resp := sendHTTPViaTunnel(t, serverAddr, "cm-one", "GET", path, "")
+			body := readBody(t, resp)
+			if !strings.Contains(body, fmt.Sprintf("echo: GET %s", path)) {
+				errors <- fmt.Sprintf("tunnel-one req %d: got %q", idx, body)
+			}
+		}(i)
+
+		// Requests to Tunnel Two
+		go func(idx int) {
+			defer wg.Done()
+			path := fmt.Sprintf("/b/%d", idx)
+			resp := sendHTTPViaTunnel(t, serverAddr, "cm-two", "GET", path, "")
+			body := readBody(t, resp)
+			if !strings.Contains(body, fmt.Sprintf("server-two: %s", path)) {
+				errors <- fmt.Sprintf("tunnel-two req %d: got %q", idx, body)
+			}
+		}(i)
+	}
+
+	wg.Wait()
+	close(errors)
+
+	for errMsg := range errors {
+		t.Error(errMsg)
+	}
+}

flake.lock

@@ -20,11 +20,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1760038930,
+        "lastModified": 1777578337,
-        "narHash": "sha256-Oncbh0UmHjSlxO7ErQDM3KM0A5/Znfofj2BSzlHLeVw=",
+        "narHash": "sha256-Ad49moKWeXtKBJNy2ebiTQUEgdLyvGmTeykAQ9xM+Z4=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "0b4defa2584313f3b781240b29d61f6f9f7e0df3",
+        "rev": "15f4ee454b1dce334612fa6843b3e05cf546efab",
         "type": "github"
       },
       "original": {

flake.nix

@@ -6,8 +6,14 @@
     flake-utils.url = "github:numtide/flake-utils";
   };
 
-  outputs = { self, nixpkgs, flake-utils }:
+  outputs =
-    flake-utils.lib.eachDefaultSystem (system:
+    { self
+    , nixpkgs
+    , flake-utils
+    ,
+    }:
+    flake-utils.lib.eachDefaultSystem (
+      system:
       let
         pkgs = nixpkgs.legacyPackages.${system};
       in
@@ -15,6 +21,7 @@
         devShells.default = pkgs.mkShell {
           packages = with pkgs; [
             go
+            gopls
             golangci-lint
           ];
           shellHook = ''

go.mod

@@ -3,12 +3,14 @@ module reichard.io/conduit
 go 1.25.1
 
 require (
-	github.com/google/uuid v1.6.0 // indirect
+	github.com/google/uuid v1.6.0
-	github.com/gorilla/websocket v1.5.3 // indirect
+	github.com/gorilla/websocket v1.5.3
-	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/sirupsen/logrus v1.9.3
-	github.com/sirupsen/logrus v1.9.3 // indirect
+	github.com/spf13/cobra v1.10.1
-	github.com/spf13/cobra v1.10.1 // indirect
+	github.com/spf13/pflag v1.0.9
-	github.com/spf13/pflag v1.0.9 // indirect
+)
-	golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8 // indirect
+
-	maragu.dev/gomponents v1.2.0 // indirect
+require (
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8 // indirect
 )

go.sum

@@ -1,5 +1,6 @@
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
@@ -7,6 +8,7 @@ github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aN
 github.com/gorilla/websocket v1.5.3/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
@@ -16,11 +18,11 @@ github.com/spf13/cobra v1.10.1/go.mod h1:7SmJGaTHFVBY0jW4NXGluQoLvhqFQM+6XSKD+P4
 github.com/spf13/pflag v1.0.9 h1:9exaQaMOCwffKiiiYk6/BndUBv+iRViNW+4lEMi0PvY=
 github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8 h1:0A+M6Uqn+Eje4kHMK80dtF3JCXC4ykBgQG4Fe06QRhQ=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-maragu.dev/gomponents v1.2.0 h1:H7/N5htz1GCnhu0HB1GasluWeU2rJZOYztVEyN61iTc=
-maragu.dev/gomponents v1.2.0/go.mod h1:oEDahza2gZoXDoDHhw8jBNgH+3UR5ni7Ur648HORydM=

pkg/maps/map.go

@@ -42,6 +42,8 @@ func (m *Map[K, V]) HasKey(key K) bool {
 
 func (m *Map[K, V]) Entries() iter.Seq2[K, V] {
 	return func(yield func(K, V) bool) {
+		m.mu.RLock()
+		defer m.mu.RUnlock()
 		for k, v := range m.items {
 			if !yield(k, v) {
 				return

server/raw_http_response_writer.go

@@ -1,48 +0,0 @@
-package server
-
-import (
-	"bufio"
-	"fmt"
-	"net"
-	"net/http"
-)
-
-var _ http.ResponseWriter = (*rawHTTPResponseWriter)(nil)
-
-type rawHTTPResponseWriter struct {
-	conn   net.Conn
-	header http.Header
-}
-
-func (f *rawHTTPResponseWriter) Header() http.Header {
-	if f.header == nil {
-		f.header = make(http.Header)
-	}
-	return f.header
-}
-
-func (f *rawHTTPResponseWriter) Write(data []byte) (int, error) {
-	return f.conn.Write(data)
-}
-
-func (f *rawHTTPResponseWriter) WriteHeader(statusCode int) {
-	// Write Status
-	status := fmt.Sprintf("HTTP/1.1 %d %s\r\n", statusCode, http.StatusText(statusCode))
-	_, _ = f.conn.Write([]byte(status))
-
-	// Write Headers
-	for key, values := range f.header {
-		for _, value := range values {
-			_, _ = fmt.Fprintf(f.conn, "%s: %s\r\n", key, value)
-		}
-	}
-
-	// End Headers
-	_, _ = f.conn.Write([]byte("\r\n"))
-}
-
-func (f *rawHTTPResponseWriter) Hijack() (net.Conn, *bufio.ReadWriter, error) {
-	// Return Raw Connection & ReadWriter
-	rw := bufio.NewReadWriter(bufio.NewReader(f.conn), bufio.NewWriter(f.conn))
-	return f.conn, rw, nil
-}

server/reconstructed_conn.go

@@ -1,7 +1,6 @@
 package server
 
 import (
-	"bytes"
 	"io"
 	"net"
 )
@@ -14,17 +13,17 @@ type reconstructedConn struct {
 	reader io.Reader
 }
 
-// Read reads from the reconstructed reader (captured data + original conn).
+// Read reads from the reconstructed reader (prepended data + original conn).
 func (rc *reconstructedConn) Read(p []byte) (n int, err error) {
 	return rc.reader.Read(p)
 }
 
-// newReconstructedConn creates a reconstructed connection that replays captured data
+// newReconstructedConn creates a reconstructed connection that replays the provided
-// before reading from the original connection.
+// readers in order before reading from the underlying connection.
-func newReconstructedConn(conn net.Conn, capturedData *bytes.Buffer) net.Conn {
+func newReconstructedConn(conn net.Conn, readers ...io.Reader) net.Conn {
-	allReader := io.MultiReader(capturedData, conn)
+	allReaders := append(readers, conn)
 	return &reconstructedConn{
 		Conn:   conn,
-		reader: allReader,
+		reader: io.MultiReader(allReaders...),
 	}
 }

server/server.go

@@ -1,18 +1,15 @@
 package server
 
 import (
-	"bufio"
 	"bytes"
 	"context"
 	"encoding/json"
 	"errors"
 	"fmt"
-	"io"
-	"net"
 	"net/http"
 	"net/url"
 	"strings"
-	"time"
+	"sync/atomic"
 
 	"github.com/gorilla/websocket"
 	log "github.com/sirupsen/logrus"
@@ -38,6 +35,7 @@ type Server struct {
 
 	upgrader websocket.Upgrader
 	tunnels  *maps.Map[string, *tunnel.Tunnel]
+	streamID atomic.Uint64
 }
 
 func NewServer(ctx context.Context, cfg *config.ServerConfig) (*Server, error) {
@@ -62,25 +60,104 @@ func NewServer(ctx context.Context, cfg *config.ServerConfig) (*Server, error) {
 }
 
 func (s *Server) Start() error {
-	// Raw TCP Listener - This is necessary so we can conditionally either relay
+	// HTTP Server - Uses stdlib http.Server for proper HTTP response handling
-	// the raw TCP connection, or handle conduit control server API requests.
+	// including Content-Length, chunked encoding, and keep-alive semantics.
-	listener, err := net.Listen("tcp", s.cfg.BindAddress)
+	httpServer := &http.Server{
-	if err != nil {
+		Addr:    s.cfg.BindAddress,
+		Handler: s,
+	}
+
+	// Context Cancellation - Gracefully shut down when the context is cancelled.
+	go func() {
+		<-s.ctx.Done()
+		log.Info("conduit server shutting down")
+		httpServer.Close()
+	}()
+
+	// Start Server
+	log.Infof("conduit server listening on %s", s.cfg.BindAddress)
+	if err := httpServer.ListenAndServe(); err != nil && err != http.ErrServerClosed {
 		return err
 	}
-	defer listener.Close()
+	return nil
+}
 
-	// Start Listening
+func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	log.Infof("conduit server listening on %s", s.cfg.BindAddress)
+	// Get True Host
-	for {
+	if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
-		conn, err := listener.Accept()
+		r.RemoteAddr = xff
-		if err != nil {
-			log.WithError(err).Error("error accepting connection")
-			continue
-		}
-
-		go s.handleRawConnection(conn)
 	}
+
+	// Validate Host
+	if !strings.Contains(r.Host, s.host) {
+		http.Error(w, fmt.Sprintf("unknown host: %s", r.Host), http.StatusBadRequest)
+		return
+	}
+
+	// Extract Subdomain
+	tunnelName := strings.TrimSuffix(strings.Replace(r.Host, s.host, "", 1), ".")
+	if strings.Count(tunnelName, ".") != 0 {
+		http.Error(w, fmt.Sprintf("cannot tunnel nested subdomains: %s", r.Host), http.StatusBadRequest)
+		return
+	}
+
+	// Handle Control Endpoints
+	if tunnelName == "" {
+		s.handleAsHTTP(w, r)
+		return
+	}
+
+	// Handle Tunnel Requests
+	s.handleTunnelRequest(w, r, tunnelName)
+}
+
+func (s *Server) handleTunnelRequest(w http.ResponseWriter, r *http.Request, tunnelName string) {
+	// Get Tunnel
+	conduitTunnel, exists := s.tunnels.Get(tunnelName)
+	if !exists {
+		http.Error(w, fmt.Sprintf("unknown tunnel: %s", tunnelName), http.StatusNotFound)
+		return
+	}
+
+	// Hijack Connection - Take over the raw TCP connection from the HTTP server
+	// so we can forward the full request (including body) through the tunnel.
+	hj, ok := w.(http.Hijacker)
+	if !ok {
+		http.Error(w, "hijack not supported", http.StatusInternalServerError)
+		return
+	}
+	conn, bufrw, err := hj.Hijack()
+	if err != nil {
+		http.Error(w, fmt.Sprintf("hijack failed: %v", err), http.StatusInternalServerError)
+		return
+	}
+
+	// Re-Serialize Request Headers - The HTTP server already consumed the request
+	// from the connection. We re-serialize it so the tunnel client receives a
+	// complete HTTP request to forward to the local target.
+	var reqBuf bytes.Buffer
+	fmt.Fprintf(&reqBuf, "%s %s %s\r\n", r.Method, r.RequestURI, r.Proto)
+	fmt.Fprintf(&reqBuf, "Host: %s\r\n", r.Host)
+	_ = r.Header.Write(&reqBuf)
+	reqBuf.WriteString("\r\n")
+
+	// Reconstruct Connection - Combine re-serialized headers with any buffered
+	// body data (from the hijacked reader) and the raw connection.
+	reconstructedConn := newReconstructedConn(conn, &reqBuf, bufrw)
+
+	// Create Stream
+	streamID := fmt.Sprintf("stream_%d", s.streamID.Add(1))
+	tunnelStream := tunnel.NewStream(reconstructedConn, r.RemoteAddr, conduitTunnel.Source())
+
+	// Add Stream
+	if err := conduitTunnel.AddStream(tunnelStream, streamID); err != nil {
+		log.WithError(err).Error("failed to add stream")
+		conn.Close()
+		return
+	}
+
+	// Start Stream
+	conduitTunnel.StartStream(s.ctx, tunnelStream, streamID)
 }
 
 func (s *Server) getInfo(w http.ResponseWriter, _ *http.Request) {
@@ -110,79 +187,6 @@ func (s *Server) getInfo(w http.ResponseWriter, _ *http.Request) {
 	_, _ = w.Write(d)
 }
 
-func (s *Server) handleRawConnection(conn net.Conn) {
-	defer conn.Close()
-
-	// Capture Consumed Data - When determining where to route the request, we
-	// have to read the host headers. This requires reading from the buffer, so
-	// if we later decide to tunnel the TCP connection we need to reconstruct the
-	// data from the buffer.
-	var capturedData bytes.Buffer
-	teeReader := io.TeeReader(conn, &capturedData)
-	bufReader := bufio.NewReader(teeReader)
-
-	// Create HTTP Request & Writer
-	w := &rawHTTPResponseWriter{conn: conn}
-	r, err := http.ReadRequest(bufReader)
-	if err != nil {
-		w.WriteHeader(http.StatusBadRequest)
-		return
-	}
-	defer r.Body.Close()
-
-	// Validate Host
-	if !strings.Contains(r.Host, s.host) {
-		w.WriteHeader(http.StatusBadRequest)
-		_, _ = fmt.Fprintf(w, "unknown host: %s", r.Host)
-		return
-	}
-
-	// Extract Subdomain
-	tunnelName := strings.TrimSuffix(strings.Replace(r.Host, s.host, "", 1), ".")
-	if strings.Count(tunnelName, ".") != 0 {
-		w.WriteHeader(http.StatusBadRequest)
-		_, _ = fmt.Fprintf(w, "cannot tunnel nested subdomains: %s", r.Host)
-		return
-	}
-
-	// Get True Host
-	remoteHost := conn.RemoteAddr().String()
-	if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
-		remoteHost = xff
-	}
-	r.RemoteAddr = remoteHost
-
-	// Handle Control Endpoints
-	if tunnelName == "" {
-		s.handleAsHTTP(w, r)
-		return
-	}
-
-	// Handle Tunnels
-	conduitTunnel, exists := s.tunnels.Get(tunnelName)
-	if !exists {
-		w.WriteHeader(http.StatusNotFound)
-		_, _ = fmt.Fprintf(w, "unknown tunnel: %s", tunnelName)
-		return
-	}
-
-	// Create Stream
-	reconstructedConn := newReconstructedConn(conn, &capturedData)
-	streamID := fmt.Sprintf("stream_%d", time.Now().UnixNano())
-	tunnelStream := tunnel.NewStream(reconstructedConn, r.RemoteAddr, conduitTunnel.Source())
-
-	// Add Stream
-	if err := conduitTunnel.AddStream(tunnelStream, streamID); err != nil {
-		w.WriteHeader(http.StatusInternalServerError)
-		_, _ = fmt.Fprintf(w, "failed to add stream: %v", err)
-		log.WithError(err).Error("failed to add stream")
-		return
-	}
-
-	// Start Stream
-	conduitTunnel.StartStream(tunnelStream, streamID)
-}
-
 func (s *Server) handleAsHTTP(w http.ResponseWriter, r *http.Request) {
 	// Authorize Control Endpoints
 	apiKey := r.URL.Query().Get("apiKey")
@@ -207,15 +211,13 @@ func (s *Server) createTunnel(w http.ResponseWriter, r *http.Request) {
 	// Get Tunnel Name
 	tunnelName := r.URL.Query().Get("tunnelName")
 	if tunnelName == "" {
-		w.WriteHeader(http.StatusBadRequest)
+		http.Error(w, "Missing tunnelName parameter", http.StatusBadRequest)
-		_, _ = w.Write([]byte("Missing tunnelName parameter"))
 		return
 	}
 
 	// Validate Unique
 	if _, exists := s.tunnels.Get(tunnelName); exists {
-		w.WriteHeader(http.StatusConflict)
+		http.Error(w, "Tunnel already registered", http.StatusConflict)
-		_, _ = w.Write([]byte("Tunnel already registered"))
 		return
 	}
 

store/record.go

@@ -17,13 +17,21 @@ type TunnelRecord struct {
 	Status     int
 	SourceAddr string
 
-	RequestHeaders  http.Header
+	RequestHeaders       http.Header
-	RequestBodyType string
+	RequestBodyType      string
-	RequestBody     []byte
+	RequestBody          []byte
+	RequestBodySize      int64
+	RequestBodyCaptured  bool
+	RequestBodyTruncated bool
+	RequestBodySkipped   string
 
-	ResponseHeaders  http.Header
+	ResponseHeaders       http.Header
-	ResponseBodyType string
+	ResponseBodyType      string
-	ResponseBody     []byte
+	ResponseBody          []byte
+	ResponseBodySize      int64
+	ResponseBodyCaptured  bool
+	ResponseBodyTruncated bool
+	ResponseBodySkipped   string
 }
 
 func (tr *TunnelRecord) MarshalJSON() ([]byte, error) {

store/store.go

@@ -16,6 +16,7 @@ import (
 const (
 	defaultQueueSize = 100
 	maxQueueSize     = 100
+	maxBodyCapture   = 1024 * 1024
 )
 
 var ErrRecordNotFound = errors.New("record not found")
@@ -98,11 +99,15 @@ func (s *tunnelStoreImpl) RecordRequest(req *http.Request, sourceAddress string)
 		SourceAddr:      sourceAddress,
 		RequestHeaders:  req.Header,
 		RequestBodyType: req.Header.Get("Content-Type"),
+		RequestBodySize: req.ContentLength,
 	}
 
-	if bodyData, err := getRequestBody(req); err == nil {
+	bodyData, meta := captureBody(&req.Body, req.Header.Get("Content-Type"), req.ContentLength, false)
-		rec.RequestBody = bodyData
+	rec.RequestBody = bodyData
-	}
+	rec.RequestBodySize = meta.size
+	rec.RequestBodyCaptured = meta.captured
+	rec.RequestBodyTruncated = meta.truncated
+	rec.RequestBodySkipped = meta.skipped
 
 	// Add Record & Truncate
 	s.orderedRecords = append(s.orderedRecords, rec)
@@ -122,10 +127,14 @@ func (s *tunnelStoreImpl) RecordResponse(resp *http.Response) error {
 	rec.Status = resp.StatusCode
 	rec.ResponseHeaders = resp.Header
 	rec.ResponseBodyType = resp.Header.Get("Content-Type")
+	rec.ResponseBodySize = resp.ContentLength
 
-	if bodyData, err := getResponseBody(resp); err == nil {
+	bodyData, meta := captureBody(&resp.Body, resp.Header.Get("Content-Type"), resp.ContentLength, true)
-		rec.ResponseBody = bodyData
+	rec.ResponseBody = bodyData
-	}
+	rec.ResponseBodySize = meta.size
+	rec.ResponseBodyCaptured = meta.captured
+	rec.ResponseBodyTruncated = meta.truncated
+	rec.ResponseBodySkipped = meta.skipped
 
 	s.broadcast(rec)
 
@@ -156,44 +165,71 @@ func (s *tunnelStoreImpl) broadcast(record *TunnelRecord) {
 	s.subs = active
 }
 
-func getRequestBody(req *http.Request) ([]byte, error) {
+type bodyCaptureMeta struct {
-	if req.ContentLength == 0 || req.Body == nil || req.Body == http.NoBody {
+	size      int64
-		return nil, nil
+	captured  bool
-	}
+	truncated bool
-
+	skipped   string
-	if !isTextContentType(req.Header.Get("Content-Type")) {
-		return nil, nil
-	}
-
-	// Read Body
-	bodyBytes, err := io.ReadAll(req.Body)
-	if err != nil {
-		return nil, err
-	}
-
-	// Restore Body
-	req.Body = io.NopCloser(bytes.NewReader(bodyBytes))
-	return bodyBytes, nil
 }
 
-func getResponseBody(resp *http.Response) ([]byte, error) {
+func captureBody(body *io.ReadCloser, contentType string, contentLength int64, allowImages bool) ([]byte, bodyCaptureMeta) {
-	if resp.ContentLength == 0 || resp.Body == nil || resp.Body == http.NoBody {
+	meta := bodyCaptureMeta{size: contentLength}
-		return nil, nil
+	if contentLength == 0 || *body == nil || *body == http.NoBody {
+		return nil, meta
 	}
 
-	if !isTextContentType(resp.Header.Get("Content-Type")) {
+	previewable := isTextContentType(contentType) || (allowImages && isImageContentType(contentType))
-		return nil, nil
+	if !previewable {
+		meta.skipped = "body content type is not previewable"
+		return nil, meta
 	}
 
-	// Read Body
+	if isImageContentType(contentType) && contentLength > maxBodyCapture {
-	bodyBytes, err := io.ReadAll(resp.Body)
+		meta.skipped = "image body is too large to preview"
+		return nil, meta
+	}
+
+	// Capture Bounded Prefix
+	originalBody := *body
+	limit := int64(maxBodyCapture + 1)
+	captured, err := io.ReadAll(io.LimitReader(originalBody, limit))
 	if err != nil {
-		return nil, err
+		meta.skipped = "failed to read body"
+		*body = originalBody
+		return nil, meta
+	}
+
+	if meta.size < 0 && len(captured) <= maxBodyCapture {
+		meta.size = int64(len(captured))
 	}
 
 	// Restore Body
-	resp.Body = io.NopCloser(bytes.NewReader(bodyBytes))
+	*body = &replayReadCloser{
-	return bodyBytes, nil
+		Reader: io.MultiReader(bytes.NewReader(captured), originalBody),
+		closer: originalBody,
+	}
+
+	if len(captured) > maxBodyCapture {
+		meta.truncated = true
+		captured = captured[:maxBodyCapture]
+	}
+
+	if isImageContentType(contentType) && meta.truncated {
+		meta.skipped = "image body is too large to preview"
+		return nil, meta
+	}
+
+	meta.captured = len(captured) > 0
+	return captured, meta
+}
+
+type replayReadCloser struct {
+	io.Reader
+	closer io.Closer
+}
+
+func (r *replayReadCloser) Close() error {
+	return r.closer.Close()
 }
 
 func isTextContentType(contentType string) bool {
@@ -206,14 +242,44 @@ func isTextContentType(contentType string) bool {
 		return true
 	}
 
+	if strings.HasSuffix(mediaType, "+json") || strings.HasSuffix(mediaType, "+xml") {
+		return true
+	}
+
 	switch mediaType {
 	case "application/json":
 		return true
 	case "application/xml":
 		return true
+	case "application/javascript":
+		return true
+	case "application/x-javascript":
+		return true
 	case "application/x-www-form-urlencoded":
 		return true
 	default:
 		return false
 	}
 }
+
+func isImageContentType(contentType string) bool {
+	mediaType, _, err := mime.ParseMediaType(contentType)
+	if err != nil {
+		return false
+	}
+
+	switch mediaType {
+	case "image/png":
+		return true
+	case "image/jpeg":
+		return true
+	case "image/gif":
+		return true
+	case "image/webp":
+		return true
+	case "image/svg+xml":
+		return true
+	default:
+		return false
+	}
+}

tunnel/forwarder.go

@@ -2,7 +2,9 @@ package tunnel
 
 import (
 	"context"
+	"fmt"
 	"net/url"
+	"strings"
 
 	"reichard.io/conduit/store"
 )
@@ -21,23 +23,24 @@ type Forwarder interface {
 }
 
 func NewForwarder(target string, tunnelStore store.TunnelStore) (Forwarder, error) {
-	// Get Target URL
+	if !strings.Contains(target, "://") {
+		return nil, fmt.Errorf("target must include a scheme: tcp://, http://, or https://")
+	}
+
 	targetURL, err := url.Parse(target)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("target is invalid: %w", err)
+	}
+	if targetURL.Host == "" {
+		return nil, fmt.Errorf("target must include a host")
 	}
 
-	// Get Connection Builder
-	var forwarder Forwarder
 	switch targetURL.Scheme {
 	case "http", "https":
-		forwarder, err = newHTTPForwarder(targetURL, tunnelStore)
+		return newHTTPForwarder(targetURL, tunnelStore)
-		if err != nil {
+	case "tcp":
-			return nil, err
+		return newTCPForwarder(targetURL.Host, tunnelStore), nil
-		}
 	default:
-		forwarder = newTCPForwarder(target, tunnelStore)
+		return nil, fmt.Errorf("unsupported target scheme %q: use tcp://, http://, or https://", targetURL.Scheme)
 	}
-
-	return forwarder, nil
 }

tunnel/forwarder_test.go

@@ -0,0 +1,45 @@
+package tunnel
+
+import (
+	"testing"
+
+	"reichard.io/conduit/store"
+)
+
+func TestNewForwarderRequiresExplicitScheme(t *testing.T) {
+	_, err := NewForwarder("localhost:8282", store.NewTunnelStore(1))
+	if err == nil {
+		t.Fatal("expected error for target without scheme")
+	}
+}
+
+func TestNewForwarderSupportsExplicitSchemes(t *testing.T) {
+	tests := []struct {
+		name          string
+		target        string
+		forwarderType ForwarderType
+	}{
+		{name: "http", target: "http://localhost:8282", forwarderType: ForwarderHTTP},
+		{name: "https", target: "https://localhost:8282", forwarderType: ForwarderHTTP},
+		{name: "tcp", target: "tcp://localhost:8282", forwarderType: ForwarderTCP},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			forwarder, err := NewForwarder(tt.target, store.NewTunnelStore(1))
+			if err != nil {
+				t.Fatalf("unexpected error: %v", err)
+			}
+			if forwarder.Type() != tt.forwarderType {
+				t.Fatalf("expected forwarder type %v, got %v", tt.forwarderType, forwarder.Type())
+			}
+		})
+	}
+}
+
+func TestNewForwarderRejectsUnsupportedScheme(t *testing.T) {
+	_, err := NewForwarder("udp://localhost:8282", store.NewTunnelStore(1))
+	if err == nil {
+		t.Fatal("expected error for unsupported scheme")
+	}
+}

tunnel/tunnel.go

@@ -3,6 +3,7 @@ package tunnel
 import (
 	"context"
 	"fmt"
+	"net"
 	"net/url"
 	"sync"
 
@@ -58,15 +59,31 @@ func NewClientTunnel(cfg *config.ClientConfig, forwarder Forwarder) (*Tunnel, er
 
 	return &Tunnel{
 		name:      cfg.TunnelName,
+		publicURL: publicTunnelURL(serverURL, cfg.TunnelName),
 		wsConn:    serverConn,
 		streams:   maps.New[string, Stream](),
 		forwarder: forwarder,
 	}, nil
 }
 
+func publicTunnelURL(serverURL *url.URL, tunnelName string) string {
+	// Build Public Tunnel URL
+	host := serverURL.Hostname()
+	if host == "" {
+		host = serverURL.Host
+	}
+
+	publicHost := tunnelName + "." + host
+	if port := serverURL.Port(); port != "" {
+		publicHost = net.JoinHostPort(publicHost, port)
+	}
+
+	return (&url.URL{Scheme: serverURL.Scheme, Host: publicHost}).String()
+}
+
 type Tunnel struct {
-	ctx       context.Context
 	name      string
+	publicURL string
 	wsConn    *websocket.Conn
 	streams   *maps.Map[string, Stream]
 	forwarder Forwarder
@@ -76,10 +93,11 @@ type Tunnel struct {
 
 func (t *Tunnel) Start(ctx context.Context) {
 	log.Infof("initiated tunnel %q with %s", t.name, t.wsConn.RemoteAddr().String())
+	if t.publicURL != "" {
+		log.Infof("tunnel available at %s", t.publicURL)
+	}
 	defer log.Infof("closed tunnel %q with %s", t.name, t.wsConn.RemoteAddr().String())
 
-	t.ctx = ctx
-
 	// Start Message Receiver
 	for {
 		msg, err := t.readWSWithContext(ctx)
@@ -94,7 +112,7 @@ func (t *Tunnel) Start(ctx context.Context) {
 		}
 
 		// Get Stream
-		stream, err := t.getStream(msg.StreamID, msg.SourceAddr)
+		stream, err := t.getStream(ctx, msg.StreamID, msg.SourceAddr)
 		if err != nil {
 			if msg.Type != types.MessageTypeClose {
 				log.WithError(err).Errorf("failed to get stream %s", msg.StreamID)
@@ -151,13 +169,13 @@ func (t *Tunnel) Source() string {
 	return t.wsConn.RemoteAddr().String()
 }
 
-func (t *Tunnel) StartStream(stream Stream, streamID string) error {
+func (t *Tunnel) StartStream(ctx context.Context, stream Stream, streamID string) error {
 	// Close Stream
 	defer t.closeStream(stream, streamID)
 
 	// Start Stream
 	for {
-		data, err := t.readStreamWithContext(t.ctx, stream)
+		data, err := t.readStreamWithContext(ctx, stream)
 		if err != nil {
 			return err
 		}
@@ -179,7 +197,7 @@ func (t *Tunnel) closeStream(stream Stream, streamID string) error {
 	return stream.Close()
 }
 
-func (t *Tunnel) getStream(streamID, sourceAddress string) (Stream, error) {
+func (t *Tunnel) getStream(ctx context.Context, streamID, sourceAddress string) (Stream, error) {
 	// Check Existing Stream
 	if stream, found := t.streams.Get(streamID); found {
 		return stream, nil
@@ -198,7 +216,7 @@ func (t *Tunnel) getStream(streamID, sourceAddress string) (Stream, error) {
 	if err := t.AddStream(stream, streamID); err != nil {
 		return nil, err
 	}
-	go t.StartStream(stream, streamID)
+	go t.StartStream(ctx, stream, streamID)
 	return stream, nil
 }
 

web/pages/network.go

@@ -1,231 +1,17 @@
 package pages
 
-import (
+import _ "embed"
-	g "maragu.dev/gomponents"
-	h "maragu.dev/gomponents/html"
 
-	_ "embed"
+//go:embed network.html
-)
+var networkHTML string
 
 //go:embed networkScript.js
-var alpineScript string
+var networkScript string
 
-func NetworkPage() g.Node {
+func NetworkHTML() string {
-	return h.Doctype(
+	return networkHTML
-		h.HTML(
-			h.Head(
-				h.Script(g.Raw(alpineScript)),
-				h.Script(g.Attr("src", "//cdn.tailwindcss.com")),
-				h.Script(g.Attr("src", "//cdn.jsdelivr.net/npm/alpinejs@3.x.x/dist/cdn.min.js")),
-			),
-			h.Body(
-				h.Div(h.Class("bg-gray-900 text-gray-100"),
-					networkMonitor(),
-				),
-			),
-		),
-	)
 }
 
-func networkMonitor() g.Node {
+func NetworkScript() string {
-	return h.Div(
+	return networkScript
-		g.Attr("x-data", "networkMonitor()"),
-		h.Class("h-dvh flex flex-col"),
-
-		// Header
-		h.Div(
-			h.Class("bg-gray-800 border-b border-gray-700 px-4 py-2 flex items-center gap-4"),
-			h.H1(h.Class("text-lg font-semibold"), g.Text("Network")),
-			h.Button(
-				g.Attr("@click", "clear()"),
-				h.Class("px-3 py-1 bg-gray-700 hover:bg-gray-600 rounded text-sm"),
-				g.Text("Clear"),
-			),
-			h.Div(
-				h.Class("ml-auto text-sm text-gray-400"),
-				h.Span(g.Attr("x-text", "requests.length")),
-				g.Text(" requests"),
-			),
-		),
-
-		// Table
-		h.Div(
-			h.Class("flex-1 overflow-auto"),
-			h.Table(
-				h.Class("w-full text-sm"),
-				networkTableHeader(),
-				networkTableBody(),
-			),
-		),
-
-		// Details Panel
-		networkDetailsPanel(),
-	)
-}
-
-func networkTableHeader() g.Node {
-	return h.THead(
-		h.Class("bg-gray-800 sticky top-0 border-b border-gray-700"),
-		h.Tr(
-			h.Class("text-left"),
-			h.Th(h.Class("px-4 py-2 font-medium"), g.Text("Name")),
-			h.Th(h.Class("px-4 py-2 font-medium w-20"), g.Text("Method")),
-			h.Th(h.Class("px-4 py-2 font-medium w-20"), g.Text("Status")),
-			h.Th(h.Class("px-4 py-2 font-medium w-32"), g.Text("Type")),
-			h.Th(h.Class("px-4 py-2 font-medium w-32"), g.Text("Time")),
-		),
-	)
-}
-
-func networkTableBody() g.Node {
-	return h.TBody(
-		h.Template(
-			g.Attr("x-for", "req in requests"),
-			g.Attr(":key", "req.ID"),
-			h.Tr(
-				g.Attr("@click", "selected = req"),
-				g.Attr(":class", "selected?.ID === req.ID ? 'bg-blue-900' : 'hover:bg-gray-800'"),
-				h.Class("border-b border-gray-800 cursor-pointer"),
-				h.Td(
-					h.Class("px-4 py-2 truncate max-w-md"),
-					g.Attr("x-text", "req.URL?.Path || req.URL"),
-				),
-				h.Td(h.Class("px-4 py-2"), g.Attr("x-text", "req.Method")),
-				h.Td(
-					h.Class("px-4 py-2"),
-					h.Span(
-						g.Attr(":class", "statusColor(req.Status)"),
-						g.Attr("x-text", "req.Status || '-'"),
-					),
-				),
-				h.Td(
-					h.Class("px-4 py-2 text-gray-400"),
-					g.Attr("x-text", "req.ResponseBodyType || '-'"),
-				),
-				h.Td(
-					h.Class("px-4 py-2 text-gray-400"),
-					g.Attr("x-text", "formatTime(req.Time)"),
-				),
-			),
-		),
-	)
-}
-func networkDetailsPanel() g.Node {
-	return h.Div(
-		g.Attr("x-show", "selected"),
-		g.Attr("x-data", "{ activeTab: 'general' }"),
-		h.Class("fixed inset-0 bg-black bg-opacity-50 flex items-center justify-center z-50"),
-		g.Attr("@click.self", "selected = null"),
-		h.Div(
-			h.Class("bg-gray-800 rounded-lg shadow-xl w-3/4 h-3/4 flex flex-col"),
-			g.Attr("@click.stop", ""),
-			// Header
-			h.Div(
-				h.Class("flex items-center justify-between p-4 border-b border-gray-700"),
-				h.H2(
-					h.Class("text-lg font-semibold"),
-					g.Attr("x-text", "selected?.URL"),
-				),
-				h.Button(
-					g.Attr("@click", "selected = null"),
-					h.Class("text-gray-400 hover:text-gray-200"),
-					g.Text("X"),
-				),
-			),
-			// Tabs
-			h.Div(
-				h.Class("flex border-b border-gray-700"),
-				tab("general", "General"),
-				tab("request", "Request"),
-				tab("response", "Response"),
-			),
-			// Content
-			h.Div(
-				h.Class("flex-1 overflow-auto p-4"),
-				generalTabContent(),
-				requestTabContent(),
-				responseTabContent(),
-			),
-		),
-	)
-}
-
-func tab(name, label string) g.Node {
-	return h.Button(
-		g.Attr("@click", "activeTab = '"+name+"'"),
-		g.Attr(":class", "activeTab === '"+name+"' ? 'border-b-2 border-blue-500 text-blue-500' : 'text-gray-400 hover:text-gray-200'"),
-		h.Class("px-4 py-2 font-medium"),
-		g.Text(label),
-	)
-}
-
-func generalTabContent() g.Node {
-	return h.Div(
-		g.Attr("x-show", "activeTab === 'general'"),
-		h.Class("space-y-4"),
-		h.H3(h.Class("font-medium"), g.Text("Details")),
-		h.Div(
-			h.Class("text-sm space-y-1 text-gray-300"),
-			detailRow("URL:", "selected?.URL"),
-			detailRow("Source:", "selected?.SourceAddr"),
-			detailRow("Method:", "selected?.Method"),
-			detailRow("Status:", "selected?.Status"),
-		),
-	)
-}
-
-func requestTabContent() g.Node {
-	return h.Div(
-		g.Attr("x-show", "activeTab === 'request'"),
-		h.Class("space-y-4"),
-		h.H3(h.Class("font-medium"), g.Text("Headers")),
-		h.Div(
-			h.Class("text-sm space-y-1 text-gray-300 font-mono"),
-			h.Template(
-				g.Attr("x-for", "(values, key) in selected?.RequestHeaders"),
-				h.Div(
-					h.Span(h.Class("text-gray-500"), g.Attr("x-text", "key + ':'")),
-					g.Text(" "),
-					h.Span(g.Attr("x-text", "values.join(', ')")),
-				),
-			),
-		),
-		h.H3(h.Class("font-medium"), g.Text("Body")),
-		h.Pre(
-			h.Class("text-sm text-gray-300 font-mono bg-gray-900 p-3 rounded overflow-auto max-h-96"),
-			h.Code(g.Attr("x-text", "formatData(selected?.RequestBody)")),
-		),
-	)
-}
-
-func responseTabContent() g.Node {
-	return h.Div(
-		g.Attr("x-show", "activeTab === 'response'"),
-		h.Class("space-y-4"),
-		h.H3(h.Class("font-medium"), g.Text("Headers")),
-		h.Div(
-			h.Class("text-sm space-y-1 text-gray-300 font-mono mb-4"),
-			h.Template(
-				g.Attr("x-for", "(values, key) in selected?.ResponseHeaders"),
-				h.Div(
-					h.Span(h.Class("text-gray-500"), g.Attr("x-text", "key + ':'")),
-					g.Text(" "),
-					h.Span(g.Attr("x-text", "values.join(', ')")),
-				),
-			),
-		),
-		h.H3(h.Class("font-medium"), g.Text("Body")),
-		h.Pre(
-			h.Class("text-sm text-gray-300 font-mono bg-gray-900 p-3 rounded overflow-auto max-h-96"),
-			h.Code(g.Attr("x-text", "formatData(selected?.ResponseBody)")),
-		),
-	)
-}
-
-func detailRow(label, value string) g.Node {
-	return h.Div(
-		h.Span(h.Class("text-gray-500"), g.Text(label)),
-		g.Text(" "),
-		h.Span(g.Attr("x-text", value)),
-	)
 }

web/pages/network.html

@@ -0,0 +1,13 @@
+<!doctype html>
+<html lang="en" class="h-full bg-slate-950">
+<head>
+  <meta charset="utf-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1" />
+  <title>Conduit Monitor</title>
+  <script src="//cdn.tailwindcss.com"></script>
+</head>
+<body class="h-full bg-slate-950 text-slate-100">
+  <main id="app" class="min-h-full"></main>
+  <script src="/assets/network.js"></script>
+</body>
+</html>

web/pages/networkScript.js

@@ -1,47 +1,444 @@
-function networkMonitor() {
+const state = {
-  return {
+  requests: [],
-    requests: [],
+  selectedID: null,
-    selected: null,
+  activeTab: "preview",
+  query: "",
+  streamStatus: "connecting",
+};
 
-    init() {
+const app = document.getElementById("app");
-      const es = new EventSource("/stream");
-      es.onmessage = (e) => {
-        const record = JSON.parse(e.data);
-        const foundIdx = this.requests.findIndex((r) => r.ID === record.ID);
-        if (foundIdx >= 0) {
-          this.requests[foundIdx] = record;
-        } else {
-          this.requests.unshift(record);
-        }
-      };
-    },
 
-    clear() {
+function init() {
-      this.requests = [];
+  render();
-      this.selected = null;
+  connectStream();
-    },
+}
 
-    statusColor(status) {
+function connectStream() {
-      if (!status) return "text-gray-400";
+  const es = new EventSource("/stream");
-      if (status < 300) return "text-green-400";
-      if (status < 400) return "text-blue-400";
-      if (status < 500) return "text-yellow-400";
-      return "text-red-400";
-    },
 
-    formatTime(time) {
+  es.onopen = () => {
-      return new Date(time).toLocaleTimeString();
+    state.streamStatus = "connected";
-    },
+    render();
+  };
+
+  es.onerror = () => {
+    state.streamStatus = "disconnected";
+    render();
+  };
+
+  es.onmessage = (event) => {
+    const record = JSON.parse(event.data);
+    const foundIdx = state.requests.findIndex((req) => req.ID === record.ID);
+
+    if (foundIdx >= 0) {
+      state.requests[foundIdx] = record;
+    } else {
+      state.requests.unshift(record);
+    }
+
+    render();
   };
 }
 
-function formatData(base64Data) {
+function render() {
-  if (!base64Data) return "";
+  const selected = getSelected();
-  try {
+
-    const decoded = atob(base64Data);
+  app.innerHTML = `
-    const parsed = JSON.parse(decoded);
+    <section class="flex min-h-dvh flex-col bg-slate-950">
-    return JSON.stringify(parsed, null, 2);
+      ${renderHeader()}
-  } catch {
+      <div class="grid min-h-0 flex-1 grid-cols-1 overflow-hidden lg:grid-cols-[28rem_minmax(0,1fr)]">
-    return atob(base64Data);
+        ${renderRequestList()}
+        ${renderInspector(selected, false)}
+      </div>
+      ${selected ? renderMobileSheet(selected) : ""}
+    </section>
+  `;
+
+  bindEvents();
+  renderPreview(selected);
+}
+
+function renderHeader() {
+  return `
+    <header class="border-b border-slate-800 bg-slate-900/80 px-4 py-3 backdrop-blur">
+      <div class="flex flex-wrap items-center gap-3">
+        <div>
+          <h1 class="text-lg font-semibold tracking-tight">Conduit Monitor</h1>
+          <p class="text-xs text-slate-400">Live tunnel traffic inspector</p>
+        </div>
+        <span class="ml-auto rounded-full px-3 py-1 text-xs font-medium ${streamStatusClass()}">${state.streamStatus}</span>
+        <button data-action="clear" class="rounded-lg border border-slate-700 px-3 py-1.5 text-sm text-slate-200 hover:bg-slate-800">Clear</button>
+      </div>
+    </header>
+  `;
+}
+
+function renderRequestList() {
+  const filtered = filteredRequests();
+
+  return `
+    <aside class="min-h-0 border-r border-slate-800 bg-slate-950 lg:flex lg:flex-col">
+      <div class="border-b border-slate-800 p-3">
+        <label class="sr-only" for="search">Search requests</label>
+        <input id="search" data-input="query" value="${escapeAttr(state.query)}" placeholder="Search path, method, status, type..." class="w-full rounded-xl border border-slate-800 bg-slate-900 px-3 py-2 text-sm outline-none ring-blue-500 placeholder:text-slate-500 focus:ring-2" />
+        <div class="mt-2 text-xs text-slate-500">${filtered.length} of ${state.requests.length} requests</div>
+      </div>
+      <div class="max-h-[calc(100dvh-9rem)] overflow-auto lg:max-h-none lg:flex-1">
+        ${filtered.length === 0 ? renderEmptyList() : filtered.map(renderRequestRow).join("")}
+      </div>
+    </aside>
+  `;
+}
+
+function renderRequestRow(req) {
+  const selected = req.ID === state.selectedID;
+  const url = parseURL(req.URL);
+
+  return `
+    <button data-select="${req.ID}" class="block w-full border-b border-slate-900 px-4 py-3 text-left transition ${selected ? "bg-blue-950/70" : "hover:bg-slate-900"}">
+      <div class="flex items-center gap-2">
+        <span class="rounded-md px-2 py-0.5 text-xs font-bold ${methodClass(req.Method)}">${escapeHTML(req.Method || "-")}</span>
+        <span class="rounded-md px-2 py-0.5 text-xs font-semibold ${statusClass(req.Status)}">${req.Status || "pending"}</span>
+        <span class="ml-auto text-xs text-slate-500">${formatTime(req.Time)}</span>
+      </div>
+      <div class="mt-2 truncate font-mono text-sm text-slate-100">${escapeHTML(url.path)}</div>
+      <div class="mt-1 flex items-center gap-2 truncate text-xs text-slate-500">
+        <span class="truncate">${escapeHTML(url.host || req.SourceAddr || "unknown")}</span>
+        <span>•</span>
+        <span class="truncate">${escapeHTML(req.ResponseBodyType || req.RequestBodyType || "no content type")}</span>
+      </div>
+    </button>
+  `;
+}
+
+function renderInspector(selected, mobile) {
+  if (!selected) {
+    return `
+      <section class="hidden min-h-0 items-center justify-center bg-slate-950 p-8 lg:flex">
+        <div class="max-w-md text-center">
+          <div class="mx-auto mb-4 flex h-12 w-12 items-center justify-center rounded-2xl bg-slate-900 text-2xl">↯</div>
+          <h2 class="text-lg font-semibold">No request selected</h2>
+          <p class="mt-2 text-sm text-slate-400">Send traffic through a tunnel, then select a request to inspect headers, bodies, and previews.</p>
+        </div>
+      </section>
+    `;
+  }
+
+  const wrapperClass = mobile ? "flex h-full flex-col bg-slate-950" : "hidden min-h-0 flex-col bg-slate-950 lg:flex";
+  return `
+    <section class="${wrapperClass}">
+      ${renderInspectorHeader(selected, mobile)}
+      ${renderTabs()}
+      <div class="min-h-0 flex-1 overflow-auto p-4">
+        ${renderActiveTab(selected)}
+      </div>
+    </section>
+  `;
+}
+
+function renderMobileSheet(selected) {
+  return `
+    <div class="fixed inset-0 z-50 bg-slate-950 lg:hidden">
+      ${renderInspector(selected, true)}
+    </div>
+  `;
+}
+
+function renderInspectorHeader(req, mobile) {
+  const url = parseURL(req.URL);
+
+  return `
+    <div class="border-b border-slate-800 p-4">
+      <div class="flex items-start gap-3">
+        ${mobile ? `<button data-action="close" class="rounded-lg border border-slate-700 px-3 py-1.5 text-sm">Back</button>` : ""}
+        <div class="min-w-0 flex-1">
+          <div class="flex flex-wrap items-center gap-2">
+            <span class="rounded-md px-2 py-0.5 text-xs font-bold ${methodClass(req.Method)}">${escapeHTML(req.Method || "-")}</span>
+            <span class="rounded-md px-2 py-0.5 text-xs font-semibold ${statusClass(req.Status)}">${req.Status || "pending"}</span>
+            <span class="text-xs text-slate-500">${formatTime(req.Time)}</span>
+          </div>
+          <h2 class="mt-2 truncate font-mono text-base font-semibold">${escapeHTML(url.path)}</h2>
+          <p class="mt-1 truncate text-xs text-slate-500">${escapeHTML(req.URL || "")}</p>
+        </div>
+        <button data-copy="${escapeAttr(req.URL || "")}" class="rounded-lg border border-slate-700 px-3 py-1.5 text-sm hover:bg-slate-800">Copy URL</button>
+      </div>
+    </div>
+  `;
+}
+
+function renderTabs() {
+  return `
+    <nav class="flex gap-1 overflow-x-auto border-b border-slate-800 px-3 py-2">
+      ${["preview", "overview", "request", "response"].map((tab) => `
+        <button data-tab="${tab}" class="rounded-lg px-3 py-1.5 text-sm font-medium capitalize ${state.activeTab === tab ? "bg-blue-600 text-white" : "text-slate-400 hover:bg-slate-900 hover:text-slate-100"}">${tab}</button>
+      `).join("")}
+    </nav>
+  `;
+}
+
+function renderActiveTab(req) {
+  if (state.activeTab === "overview") return renderOverview(req);
+  if (state.activeTab === "request") return renderMessage(req, "Request");
+  if (state.activeTab === "response") return renderMessage(req, "Response");
+  return `<div data-preview-root></div>`;
+}
+
+function renderOverview(req) {
+  return `
+    <div class="grid gap-3 sm:grid-cols-2 xl:grid-cols-3">
+      ${summaryCard("Method", req.Method || "-")}
+      ${summaryCard("Status", req.Status || "pending")}
+      ${summaryCard("Source", req.SourceAddr || "-")}
+      ${summaryCard("Request Body", bodySummary(req, "Request"))}
+      ${summaryCard("Response Body", bodySummary(req, "Response"))}
+      ${summaryCard("Content Type", req.ResponseBodyType || req.RequestBodyType || "-")}
+    </div>
+  `;
+}
+
+function renderMessage(req, prefix) {
+  const headers = req[`${prefix}Headers`] || {};
+  const body = decodeBody(req[`${prefix}Body`]);
+
+  return `
+    <div class="space-y-4">
+      <section>
+        <div class="mb-2 flex items-center justify-between gap-2">
+          <h3 class="font-semibold">Headers</h3>
+          <button data-copy="${escapeAttr(formatHeaders(headers))}" class="rounded-lg border border-slate-700 px-3 py-1 text-xs hover:bg-slate-800">Copy</button>
+        </div>
+        <pre class="overflow-auto rounded-xl border border-slate-800 bg-slate-900 p-3 text-xs text-slate-300">${escapeHTML(formatHeaders(headers) || "No headers")}</pre>
+      </section>
+      <section>
+        <div class="mb-2 flex items-center justify-between gap-2">
+          <h3 class="font-semibold">Body</h3>
+          <button data-copy="${escapeAttr(body)}" class="rounded-lg border border-slate-700 px-3 py-1 text-xs hover:bg-slate-800">Copy</button>
+        </div>
+        <p class="mb-2 text-xs text-slate-500">${escapeHTML(bodySummary(req, prefix))}</p>
+        <pre class="max-h-[32rem] overflow-auto rounded-xl border border-slate-800 bg-slate-900 p-3 text-xs text-slate-300">${escapeHTML(formatBody(body, req[`${prefix}BodyType`]))}</pre>
+      </section>
+    </div>
+  `;
+}
+
+function renderPreview(selected) {
+  const roots = document.querySelectorAll("[data-preview-root]");
+  if (roots.length === 0 || !selected) return;
+
+  roots.forEach((root) => renderPreviewInto(root, selected));
+}
+
+function renderPreviewInto(root, selected) {
+  const contentType = selected.ResponseBodyType || "";
+  const body = selected.ResponseBody;
+
+  if (!selected.ResponseBodyCaptured || !body) {
+    root.innerHTML = renderPreviewEmpty(selected);
+    return;
+  }
+
+  if (isImage(contentType)) {
+    root.innerHTML = `<div class="rounded-xl border border-slate-800 bg-slate-900 p-4"><img class="mx-auto max-h-[70dvh] max-w-full rounded-lg" alt="Response preview" src="data:${escapeAttr(contentType)};base64,${body}" /></div>`;
+    return;
+  }
+
+  const decoded = decodeBody(body);
+  if (isHTML(contentType)) {
+    root.innerHTML = `<iframe title="Response HTML preview" sandbox class="h-[70dvh] w-full rounded-xl border border-slate-800 bg-white"></iframe>`;
+    root.querySelector("iframe").srcdoc = decoded;
+    return;
+  }
+
+  root.innerHTML = `<pre class="max-h-[70dvh] overflow-auto rounded-xl border border-slate-800 bg-slate-900 p-4 text-sm text-slate-300">${escapeHTML(formatBody(decoded, contentType))}</pre>`;
+}
+
+function renderPreviewEmpty(req) {
+  const reason = req.ResponseBodySkipped || "No captured response body is available.";
+  return `
+    <div class="rounded-xl border border-dashed border-slate-700 p-8 text-center">
+      <h3 class="font-semibold">Nothing to preview</h3>
+      <p class="mt-2 text-sm text-slate-400">${escapeHTML(reason)}</p>
+      <p class="mt-1 text-xs text-slate-500">${escapeHTML(bodySummary(req, "Response"))}</p>
+    </div>
+  `;
+}
+
+function bindEvents() {
+  document.querySelectorAll("[data-select]").forEach((el) => {
+    el.addEventListener("click", () => {
+      state.selectedID = el.dataset.select;
+      state.activeTab = "preview";
+      render();
+    });
+  });
+
+  document.querySelectorAll("[data-tab]").forEach((el) => {
+    el.addEventListener("click", () => {
+      state.activeTab = el.dataset.tab;
+      render();
+    });
+  });
+
+  document.querySelectorAll("[data-action='clear']").forEach((el) => {
+    el.addEventListener("click", () => {
+      state.requests = [];
+      state.selectedID = null;
+      render();
+    });
+  });
+
+  document.querySelectorAll("[data-action='close']").forEach((el) => {
+    el.addEventListener("click", () => {
+      state.selectedID = null;
+      render();
+    });
+  });
+
+  document.querySelectorAll("[data-copy]").forEach((el) => {
+    el.addEventListener("click", () => navigator.clipboard?.writeText(el.dataset.copy || ""));
+  });
+
+  const search = document.querySelector("[data-input='query']");
+  if (search) {
+    search.addEventListener("input", (event) => {
+      state.query = event.target.value;
+      render();
+      document.querySelector("[data-input='query']")?.focus();
+    });
   }
 }
+
+function filteredRequests() {
+  const query = state.query.trim().toLowerCase();
+  if (!query) return state.requests;
+
+  return state.requests.filter((req) => [
+    req.URL,
+    req.Method,
+    String(req.Status || "pending"),
+    req.SourceAddr,
+    req.RequestBodyType,
+    req.ResponseBodyType,
+  ].some((value) => String(value || "").toLowerCase().includes(query)));
+}
+
+function getSelected() {
+  return state.requests.find((req) => req.ID === state.selectedID) || null;
+}
+
+function parseURL(raw) {
+  try {
+    const parsed = new URL(raw, window.location.origin);
+    return { host: parsed.host, path: `${parsed.pathname}${parsed.search}` || raw };
+  } catch {
+    return { host: "", path: raw || "-" };
+  }
+}
+
+function decodeBody(base64Data) {
+  if (!base64Data) return "";
+  const binary = atob(base64Data);
+  const bytes = Uint8Array.from(binary, (char) => char.charCodeAt(0));
+  return new TextDecoder().decode(bytes);
+}
+
+function formatBody(body, contentType = "") {
+  if (isJSON(contentType)) {
+    try {
+      return JSON.stringify(JSON.parse(body), null, 2);
+    } catch {
+      return body;
+    }
+  }
+  return body || "No body";
+}
+
+function formatHeaders(headers) {
+  return Object.entries(headers || {})
+    .map(([key, values]) => `${key}: ${Array.isArray(values) ? values.join(", ") : values}`)
+    .join("\n");
+}
+
+function bodySummary(req, prefix) {
+  const size = req[`${prefix}BodySize`];
+  const captured = req[`${prefix}BodyCaptured`];
+  const truncated = req[`${prefix}BodyTruncated`];
+  const skipped = req[`${prefix}BodySkipped`];
+
+  if (captured) return `${formatBytes(size)} captured${truncated ? " (truncated)" : ""}`;
+  if (skipped) return skipped;
+  if (size > 0) return `${formatBytes(size)} not captured`;
+  return "No body";
+}
+
+function summaryCard(label, value) {
+  return `<div class="rounded-xl border border-slate-800 bg-slate-900 p-4"><div class="text-xs uppercase tracking-wide text-slate-500">${escapeHTML(label)}</div><div class="mt-1 break-words text-sm font-medium text-slate-100">${escapeHTML(String(value))}</div></div>`;
+}
+
+function renderEmptyList() {
+  return `<div class="p-8 text-center text-sm text-slate-500">No requests yet. Start sending traffic through your tunnel.</div>`;
+}
+
+function isJSON(contentType) {
+  return /(^|\/)json($|;)|\+json($|;)/i.test(contentType || "");
+}
+
+function isHTML(contentType) {
+  return /text\/html/i.test(contentType || "");
+}
+
+function isImage(contentType) {
+  return /^image\/(png|jpe?g|gif|webp|svg\+xml)/i.test(contentType || "");
+}
+
+function methodClass(method) {
+  return {
+    GET: "bg-emerald-500/15 text-emerald-300",
+    POST: "bg-blue-500/15 text-blue-300",
+    PUT: "bg-amber-500/15 text-amber-300",
+    PATCH: "bg-purple-500/15 text-purple-300",
+    DELETE: "bg-red-500/15 text-red-300",
+  }[method] || "bg-slate-700 text-slate-200";
+}
+
+function statusClass(status) {
+  if (!status) return "bg-slate-700 text-slate-300";
+  if (status < 300) return "bg-emerald-500/15 text-emerald-300";
+  if (status < 400) return "bg-blue-500/15 text-blue-300";
+  if (status < 500) return "bg-amber-500/15 text-amber-300";
+  return "bg-red-500/15 text-red-300";
+}
+
+function streamStatusClass() {
+  if (state.streamStatus === "connected") return "bg-emerald-500/15 text-emerald-300";
+  if (state.streamStatus === "connecting") return "bg-amber-500/15 text-amber-300";
+  return "bg-red-500/15 text-red-300";
+}
+
+function formatTime(time) {
+  if (!time) return "-";
+  return new Date(time).toLocaleTimeString();
+}
+
+function formatBytes(bytes) {
+  if (!bytes || bytes < 0) return "unknown size";
+  if (bytes < 1024) return `${bytes} B`;
+  if (bytes < 1024 * 1024) return `${(bytes / 1024).toFixed(1)} KiB`;
+  return `${(bytes / 1024 / 1024).toFixed(1)} MiB`;
+}
+
+function escapeHTML(value) {
+  return String(value ?? "").replace(/[&<>'"]/g, (char) => ({
+    "&": "&amp;",
+    "<": "&lt;",
+    ">": "&gt;",
+    "'": "&#39;",
+    '"': "&quot;",
+  })[char]);
+}
+
+function escapeAttr(value) {
+  return escapeHTML(value).replace(/`/g, "&#96;");
+}
+
+init();

web/web.go

@@ -26,6 +26,7 @@ func (s *WebServer) Start(ctx context.Context) error {
 
 	rootMux := http.NewServeMux()
 	rootMux.HandleFunc("/", s.handleRoot)
+	rootMux.HandleFunc("/assets/network.js", s.handleNetworkScript)
 	rootMux.HandleFunc("/stream", s.handleStream)
 
 	s.server = &http.Server{
@@ -69,6 +70,9 @@ func (s *WebServer) handleStream(w http.ResponseWriter, r *http.Request) {
 	ch := s.store.Subscribe()
 	done := r.Context().Done()
 
+	_, _ = fmt.Fprint(w, ": connected\n\n")
+	flusher.Flush()
+
 	for {
 		select {
 		case record, ok := <-ch:
@@ -85,6 +89,11 @@ func (s *WebServer) handleStream(w http.ResponseWriter, r *http.Request) {
 }
 
 func (s *WebServer) handleRoot(w http.ResponseWriter, r *http.Request) {
-	w.Header().Set("Content-Type", "text/html")
+	w.Header().Set("Content-Type", "text/html; charset=utf-8")
-	_ = pages.NetworkPage().Render(w)
+	_, _ = w.Write([]byte(pages.NetworkHTML()))
+}
+
+func (s *WebServer) handleNetworkScript(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/javascript; charset=utf-8")
+	_, _ = w.Write([]byte(pages.NetworkScript()))
 }