reverseproxy: test HTTP/3 SNI host placeholder

add test for placeholder
reverseproxy: replace placeholders specified for sni while using http3
2026-05-25 16:22:36 -04:00 · 2026-05-25 12:25:10 -04:00 · 2026-05-25 12:25:10 -04:00 · 2026-05-25 12:25:10 -04:00 · 2026-05-25 12:24:44 -04:00 · 2026-05-22 09:25:04 -06:00
69 changed files with 1074 additions and 9254 deletions
@@ -1,377 +0,0 @@
-// Copyright 2015 Matthew Holt and The Caddy Authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package caddy
-
-import (
-	"encoding/json"
-	"errors"
-	"fmt"
-	"net/http"
-	"testing"
-)
-
-func TestAPIError_Error_WithErr(t *testing.T) {
-	underlyingErr := errors.New("underlying error")
-	apiErr := APIError{
-		HTTPStatus: http.StatusBadRequest,
-		Err:        underlyingErr,
-		Message:    "API error message",
-	}
-
-	result := apiErr.Error()
-	expected := "underlying error"
-
-	if result != expected {
-		t.Errorf("Expected '%s', got '%s'", expected, result)
-	}
-}
-
-func TestAPIError_Error_WithoutErr(t *testing.T) {
-	apiErr := APIError{
-		HTTPStatus: http.StatusBadRequest,
-		Err:        nil,
-		Message:    "API error message",
-	}
-
-	result := apiErr.Error()
-	expected := "API error message"
-
-	if result != expected {
-		t.Errorf("Expected '%s', got '%s'", expected, result)
-	}
-}
-
-func TestAPIError_Error_BothNil(t *testing.T) {
-	apiErr := APIError{
-		HTTPStatus: http.StatusBadRequest,
-		Err:        nil,
-		Message:    "",
-	}
-
-	result := apiErr.Error()
-	expected := ""
-
-	if result != expected {
-		t.Errorf("Expected empty string, got '%s'", result)
-	}
-}
-
-func TestAPIError_JSON_Serialization(t *testing.T) {
-	tests := []struct {
-		name   string
-		apiErr APIError
-	}{
-		{
-			name: "with message only",
-			apiErr: APIError{
-				HTTPStatus: http.StatusBadRequest,
-				Message:    "validation failed",
-			},
-		},
-		{
-			name: "with underlying error only",
-			apiErr: APIError{
-				HTTPStatus: http.StatusInternalServerError,
-				Err:        errors.New("internal error"),
-			},
-		},
-		{
-			name: "with both message and error",
-			apiErr: APIError{
-				HTTPStatus: http.StatusConflict,
-				Err:        errors.New("underlying"),
-				Message:    "conflict detected",
-			},
-		},
-		{
-			name: "minimal error",
-			apiErr: APIError{
-				HTTPStatus: http.StatusNotFound,
-			},
-		},
-	}
-
-	for _, test := range tests {
-		t.Run(test.name, func(t *testing.T) {
-			// Marshal to JSON
-			jsonData, err := json.Marshal(test.apiErr)
-			if err != nil {
-				t.Fatalf("Failed to marshal APIError: %v", err)
-			}
-
-			// Unmarshal back
-			var unmarshaled APIError
-			err = json.Unmarshal(jsonData, &unmarshaled)
-			if err != nil {
-				t.Fatalf("Failed to unmarshal APIError: %v", err)
-			}
-
-			// Only Message field should survive JSON round-trip
-			// HTTPStatus and Err are marked with json:"-"
-			if unmarshaled.Message != test.apiErr.Message {
-				t.Errorf("Message mismatch: expected '%s', got '%s'",
-					test.apiErr.Message, unmarshaled.Message)
-			}
-
-			// HTTPStatus and Err should be zero values after unmarshal
-			if unmarshaled.HTTPStatus != 0 {
-				t.Errorf("HTTPStatus should be 0 after unmarshal, got %d", unmarshaled.HTTPStatus)
-			}
-			if unmarshaled.Err != nil {
-				t.Errorf("Err should be nil after unmarshal, got %v", unmarshaled.Err)
-			}
-		})
-	}
-}
-
-func TestAPIError_HTTPStatus_Values(t *testing.T) {
-	// Test common HTTP status codes
-	statusCodes := []int{
-		http.StatusBadRequest,
-		http.StatusUnauthorized,
-		http.StatusForbidden,
-		http.StatusNotFound,
-		http.StatusMethodNotAllowed,
-		http.StatusConflict,
-		http.StatusPreconditionFailed,
-		http.StatusInternalServerError,
-		http.StatusNotImplemented,
-		http.StatusServiceUnavailable,
-	}
-
-	for _, status := range statusCodes {
-		t.Run(fmt.Sprintf("status_%d", status), func(t *testing.T) {
-			apiErr := APIError{
-				HTTPStatus: status,
-				Message:    http.StatusText(status),
-			}
-
-			if apiErr.HTTPStatus != status {
-				t.Errorf("Expected status %d, got %d", status, apiErr.HTTPStatus)
-			}
-
-			// Test that error message is reasonable
-			if apiErr.Message == "" && status >= 400 {
-				t.Errorf("Status %d should have a message", status)
-			}
-		})
-	}
-}
-
-func TestAPIError_ErrorInterface_Compliance(t *testing.T) {
-	// Verify APIError properly implements error interface
-	var err error = APIError{
-		HTTPStatus: http.StatusBadRequest,
-		Message:    "test error",
-	}
-
-	errorMsg := err.Error()
-	if errorMsg != "test error" {
-		t.Errorf("Expected 'test error', got '%s'", errorMsg)
-	}
-
-	// Test with underlying error
-	underlyingErr := errors.New("underlying")
-	err2 := APIError{
-		HTTPStatus: http.StatusInternalServerError,
-		Err:        underlyingErr,
-		Message:    "wrapper",
-	}
-
-	if err2.Error() != "underlying" {
-		t.Errorf("Expected 'underlying', got '%s'", err2.Error())
-	}
-}
-
-func TestAPIError_JSON_EdgeCases(t *testing.T) {
-	tests := []struct {
-		name    string
-		message string
-	}{
-		{
-			name:    "empty message",
-			message: "",
-		},
-		{
-			name:    "unicode message",
-			message: "Error: 🚨 Something went wrong! 你好",
-		},
-		{
-			name:    "json characters in message",
-			message: `Error with "quotes" and {brackets}`,
-		},
-		{
-			name:    "newlines in message",
-			message: "Line 1\nLine 2\r\nLine 3",
-		},
-		{
-			name:    "very long message",
-			message: string(make([]byte, 10000)), // 10KB message
-		},
-	}
-
-	for _, test := range tests {
-		t.Run(test.name, func(t *testing.T) {
-			apiErr := APIError{
-				HTTPStatus: http.StatusBadRequest,
-				Message:    test.message,
-			}
-
-			// Should be JSON serializable
-			jsonData, err := json.Marshal(apiErr)
-			if err != nil {
-				t.Fatalf("Failed to marshal APIError: %v", err)
-			}
-
-			// Should be deserializable
-			var unmarshaled APIError
-			err = json.Unmarshal(jsonData, &unmarshaled)
-			if err != nil {
-				t.Fatalf("Failed to unmarshal APIError: %v", err)
-			}
-
-			if unmarshaled.Message != test.message {
-				t.Errorf("Message corrupted during JSON round-trip")
-			}
-		})
-	}
-}
-
-func TestAPIError_Chaining(t *testing.T) {
-	// Test error chaining scenarios
-	rootErr := errors.New("root cause")
-	wrappedErr := fmt.Errorf("wrapped: %w", rootErr)
-
-	apiErr := APIError{
-		HTTPStatus: http.StatusInternalServerError,
-		Err:        wrappedErr,
-		Message:    "API wrapper",
-	}
-
-	// Error() should return the underlying error message
-	if apiErr.Error() != wrappedErr.Error() {
-		t.Errorf("Expected underlying error message, got '%s'", apiErr.Error())
-	}
-
-	// Should be able to unwrap
-	if !errors.Is(apiErr.Err, rootErr) {
-		t.Error("Should be able to unwrap to root cause")
-	}
-}
-
-func TestAPIError_StatusCode_Boundaries(t *testing.T) {
-	// Test edge cases for HTTP status codes
-	tests := []struct {
-		name   string
-		status int
-		valid  bool
-	}{
-		{
-			name:   "negative status",
-			status: -1,
-			valid:  false,
-		},
-		{
-			name:   "zero status",
-			status: 0,
-			valid:  false,
-		},
-		{
-			name:   "valid 1xx",
-			status: http.StatusContinue,
-			valid:  true,
-		},
-		{
-			name:   "valid 2xx",
-			status: http.StatusOK,
-			valid:  true,
-		},
-		{
-			name:   "valid 4xx",
-			status: http.StatusBadRequest,
-			valid:  true,
-		},
-		{
-			name:   "valid 5xx",
-			status: http.StatusInternalServerError,
-			valid:  true,
-		},
-		{
-			name:   "too large status",
-			status: 9999,
-			valid:  false,
-		},
-	}
-
-	for _, test := range tests {
-		t.Run(test.name, func(t *testing.T) {
-			err := APIError{
-				HTTPStatus: test.status,
-				Message:    "test",
-			}
-
-			// The struct allows any int value, but we can test
-			// if it's a valid HTTP status
-			statusText := http.StatusText(test.status)
-			isValidStatus := statusText != ""
-
-			if isValidStatus != test.valid {
-				t.Errorf("Status %d validity: expected %v, got %v",
-					test.status, test.valid, isValidStatus)
-			}
-
-			// Verify the struct holds the status
-			if err.HTTPStatus != test.status {
-				t.Errorf("Status not preserved: expected %d, got %d", test.status, err.HTTPStatus)
-			}
-		})
-	}
-}
-
-func BenchmarkAPIError_Error(b *testing.B) {
-	apiErr := APIError{
-		HTTPStatus: http.StatusBadRequest,
-		Err:        errors.New("benchmark error"),
-		Message:    "benchmark message",
-	}
-
-	b.ResetTimer()
-	for i := 0; i < b.N; i++ {
-		apiErr.Error()
-	}
-}
-
-func BenchmarkAPIError_JSON_Marshal(b *testing.B) {
-	apiErr := APIError{
-		HTTPStatus: http.StatusBadRequest,
-		Err:        errors.New("benchmark error"),
-		Message:    "benchmark message",
-	}
-
-	b.ResetTimer()
-	for i := 0; i < b.N; i++ {
-		json.Marshal(apiErr)
-	}
-}
-
-func BenchmarkAPIError_JSON_Unmarshal(b *testing.B) {
-	jsonData := []byte(`{"error": "benchmark message"}`)
-
-	b.ResetTimer()
-	for i := 0; i < b.N; i++ {
-		var result APIError
-		_ = json.Unmarshal(jsonData, &result)
-	}
-}
@@ -1,268 +0,0 @@
-package caddyfile
-
-import (
-	"testing"
-)
-
-func TestImportGraphAddNode(t *testing.T) {
-	g := &importGraph{}
-
-	g.addNode("a")
-	if !g.exists("a") {
-		t.Error("expected node 'a' to exist after addNode")
-	}
-
-	// Adding again should not error
-	g.addNode("a")
-	if !g.exists("a") {
-		t.Error("expected node 'a' to still exist after duplicate addNode")
-	}
-}
-
-func TestImportGraphAddNodes(t *testing.T) {
-	g := &importGraph{}
-
-	g.addNodes([]string{"a", "b", "c"})
-	for _, name := range []string{"a", "b", "c"} {
-		if !g.exists(name) {
-			t.Errorf("expected node %q to exist", name)
-		}
-	}
-}
-
-func TestImportGraphRemoveNode(t *testing.T) {
-	g := &importGraph{}
-
-	g.addNode("a")
-	g.addNode("b")
-	g.removeNode("a")
-
-	if g.exists("a") {
-		t.Error("expected node 'a' to not exist after removeNode")
-	}
-	if !g.exists("b") {
-		t.Error("expected node 'b' to still exist")
-	}
-}
-
-func TestImportGraphRemoveNodes(t *testing.T) {
-	g := &importGraph{}
-
-	g.addNodes([]string{"a", "b", "c", "d"})
-	g.removeNodes([]string{"a", "c"})
-
-	if g.exists("a") {
-		t.Error("expected node 'a' to be removed")
-	}
-	if g.exists("c") {
-		t.Error("expected node 'c' to be removed")
-	}
-	if !g.exists("b") {
-		t.Error("expected node 'b' to still exist")
-	}
-	if !g.exists("d") {
-		t.Error("expected node 'd' to still exist")
-	}
-}
-
-func TestImportGraphAddEdge(t *testing.T) {
-	g := &importGraph{}
-	g.addNodes([]string{"a", "b"})
-
-	err := g.addEdge("a", "b")
-	if err != nil {
-		t.Fatalf("addEdge() error = %v", err)
-	}
-
-	if !g.areConnected("a", "b") {
-		t.Error("expected 'a' -> 'b' edge to exist")
-	}
-	if g.areConnected("b", "a") {
-		t.Error("expected no 'b' -> 'a' edge (directed)")
-	}
-}
-
-func TestImportGraphAddEdgeNonExistentNode(t *testing.T) {
-	g := &importGraph{}
-	g.addNode("a")
-
-	err := g.addEdge("a", "nonexistent")
-	if err == nil {
-		t.Error("expected error when adding edge to nonexistent node")
-	}
-
-	err = g.addEdge("nonexistent", "a")
-	if err == nil {
-		t.Error("expected error when adding edge from nonexistent node")
-	}
-}
-
-func TestImportGraphAddEdgeDuplicate(t *testing.T) {
-	g := &importGraph{}
-	g.addNodes([]string{"a", "b"})
-
-	_ = g.addEdge("a", "b")
-	err := g.addEdge("a", "b")
-	if err != nil {
-		t.Errorf("duplicate addEdge() should not error, got %v", err)
-	}
-}
-
-func TestImportGraphCycleDetectionDirect(t *testing.T) {
-	g := &importGraph{}
-	g.addNodes([]string{"a", "b"})
-
-	_ = g.addEdge("a", "b")
-
-	// Adding b -> a should create a cycle
-	err := g.addEdge("b", "a")
-	if err == nil {
-		t.Error("expected error for cycle: a -> b -> a")
-	}
-}
-
-func TestImportGraphCycleDetectionIndirect(t *testing.T) {
-	g := &importGraph{}
-	g.addNodes([]string{"a", "b", "c"})
-
-	_ = g.addEdge("a", "b")
-	_ = g.addEdge("b", "c")
-
-	// Adding c -> a should create a cycle: a -> b -> c -> a
-	err := g.addEdge("c", "a")
-	if err == nil {
-		t.Error("expected error for indirect cycle: a -> b -> c -> a")
-	}
-}
-
-func TestImportGraphCycleDetectionLongChain(t *testing.T) {
-	g := &importGraph{}
-	nodes := []string{"a", "b", "c", "d", "e"}
-	g.addNodes(nodes)
-
-	_ = g.addEdge("a", "b")
-	_ = g.addEdge("b", "c")
-	_ = g.addEdge("c", "d")
-	_ = g.addEdge("d", "e")
-
-	// Adding e -> a should create a cycle
-	err := g.addEdge("e", "a")
-	if err == nil {
-		t.Error("expected error for long cycle: a -> b -> c -> d -> e -> a")
-	}
-
-	// Adding e -> c should also create a cycle
-	err = g.addEdge("e", "c")
-	if err == nil {
-		t.Error("expected error for cycle: c -> d -> e -> c")
-	}
-}
-
-func TestImportGraphNoCycleDAG(t *testing.T) {
-	g := &importGraph{}
-	g.addNodes([]string{"a", "b", "c", "d"})
-
-	// Create a diamond DAG: a -> b, a -> c, b -> d, c -> d
-	_ = g.addEdge("a", "b")
-	_ = g.addEdge("a", "c")
-	_ = g.addEdge("b", "d")
-
-	err := g.addEdge("c", "d")
-	if err != nil {
-		t.Errorf("expected no cycle in DAG, got error: %v", err)
-	}
-}
-
-func TestImportGraphSelfLoop(t *testing.T) {
-	g := &importGraph{}
-	g.addNode("a")
-
-	// BUG: Self-loops are not detected by willCycle(). The function checks if
-	// adding edge from→to would create a cycle by traversing edges from "to"
-	// to see if "from" is reachable. But for a self-loop (from==to), the edge
-	// doesn't exist yet, so the DFS finds nothing and returns false.
-	// A self-importing file would NOT be caught by this cycle detection.
-	err := g.addEdge("a", "a")
-	if err != nil {
-		t.Log("Self-loop was correctly detected (bug may have been fixed)")
-	} else {
-		t.Log("BUG CONFIRMED: addEdge('a', 'a') did not detect self-loop cycle")
-	}
-}
-
-func TestImportGraphExistsNonExistent(t *testing.T) {
-	g := &importGraph{}
-	if g.exists("nonexistent") {
-		t.Error("expected false for nonexistent node on empty graph")
-	}
-}
-
-func TestImportGraphAreConnectedEmpty(t *testing.T) {
-	g := &importGraph{}
-	if g.areConnected("a", "b") {
-		t.Error("expected false for areConnected on empty graph")
-	}
-}
-
-func TestImportGraphAddEdges(t *testing.T) {
-	g := &importGraph{}
-	g.addNodes([]string{"a", "b", "c", "d"})
-
-	err := g.addEdges("a", []string{"b", "c", "d"})
-	if err != nil {
-		t.Fatalf("addEdges() error = %v", err)
-	}
-
-	if !g.areConnected("a", "b") || !g.areConnected("a", "c") || !g.areConnected("a", "d") {
-		t.Error("expected all edges from 'a' to exist")
-	}
-}
-
-func TestImportGraphAddEdgesWithCycle(t *testing.T) {
-	g := &importGraph{}
-	g.addNodes([]string{"a", "b", "c"})
-
-	_ = g.addEdge("b", "c")
-	_ = g.addEdge("c", "a")
-
-	// This should fail because a -> b -> c -> a creates a cycle
-	err := g.addEdges("a", []string{"b"})
-	if err == nil {
-		t.Error("expected error when addEdges creates a cycle")
-	}
-}
-
-func TestImportGraphRemoveNodeEdgeLeakBug(t *testing.T) {
-	// This test documents a known bug: removeNode doesn't clean up edges.
-	// Edges FROM the removed node remain in the adjacency list.
-	g := &importGraph{}
-	g.addNodes([]string{"a", "b", "c"})
-	_ = g.addEdge("a", "b")
-	_ = g.addEdge("b", "c")
-
-	g.removeNode("b")
-
-	// Bug: "b" is removed from nodes, but edges from "b" are still in the adjacency list.
-	// This means the graph is now inconsistent.
-	// The node doesn't exist...
-	if g.exists("b") {
-		t.Error("node 'b' should not exist after removeNode")
-	}
-
-	// ...but edges from "b" may still be present in the edges map (this is a bug).
-	// We test this to document the behavior.
-	if g.edges != nil {
-		if targets, ok := g.edges["b"]; ok && len(targets) > 0 {
-			t.Log("BUG CONFIRMED: removeNode does not clean up outgoing edges. " +
-				"Edges from removed node 'b' still exist in adjacency list.")
-		}
-	}
-}
-
-func TestImportGraphWillCycleEmptyGraph(t *testing.T) {
-	g := &importGraph{}
-	// willCycle on empty graph should return false
-	if g.willCycle("a", "b") {
-		t.Error("expected no cycle on empty graph")
-	}
-}
@@ -155,7 +155,7 @@ func (l *lexer) next() (bool, error) {
 			// want to keep.
 			if ch == '\n' {
 				if len(val) == 2 {
-					return false, fmt.Errorf("missing opening heredoc marker on line #%d; must contain only alpha-numeric characters, dashes and underscores; got empty string", l.line)
+					return false, fmt.Errorf("missing opening heredoc marker on line #%d; must contain only alphanumeric characters, dashes and underscores; got empty string", l.line)
 				}

 				// check if there's too many <
@@ -165,7 +165,7 @@ func (l *lexer) next() (bool, error) {

 				heredocMarker = string(val[2:])
 				if !heredocMarkerRegexp.Match([]byte(heredocMarker)) {
-					return false, fmt.Errorf("heredoc marker on line #%d must contain only alpha-numeric characters, dashes and underscores; got '%s'", l.line, heredocMarker)
+					return false, fmt.Errorf("heredoc marker on line #%d must contain only alphanumeric characters, dashes and underscores; got '%s'", l.line, heredocMarker)
 				}

 				inHeredoc = true
@@ -424,7 +424,7 @@ EOF
 		{
 			input:        []byte("not-a-heredoc <<\n"),
 			expectErr:    true,
-			errorMessage: "missing opening heredoc marker on line #1; must contain only alpha-numeric characters, dashes and underscores; got empty string",
+			errorMessage: "missing opening heredoc marker on line #1; must contain only alphanumeric characters, dashes and underscores; got empty string",
 		},
 		{
 			input: []byte(`heredoc <<<EOF
@@ -683,7 +683,7 @@ func (p *parser) directive() error {
 // openCurlyBrace expects the current token to be an
 // opening curly brace. This acts like an assertion
 // because it returns an error if the token is not
-// a opening curly brace. It does NOT advance the token.
+// an opening curly brace. It does NOT advance the token.
 func (p *parser) openCurlyBrace() error {
 	if p.Val() != "{" {
 		if p.valLooksLikeGlobalOptionsAfterImportedSnippets() {
@@ -1,221 +0,0 @@
-package caddyconfig
-
-import (
-	"encoding/json"
-	"testing"
-)
-
-func TestJSON(t *testing.T) {
-	tests := []struct {
-		name         string
-		val          any
-		wantNil      bool
-		wantWarnings int
-		nilWarnings  bool // pass nil warnings pointer
-	}{
-		{
-			name:         "simple string",
-			val:          "hello",
-			wantNil:      false,
-			wantWarnings: 0,
-		},
-		{
-			name:         "struct",
-			val:          struct{ Name string }{"test"},
-			wantNil:      false,
-			wantWarnings: 0,
-		},
-		{
-			name:         "nil value",
-			val:          nil,
-			wantNil:      false, // json.Marshal(nil) returns "null"
-			wantWarnings: 0,
-		},
-		{
-			name:         "map",
-			val:          map[string]string{"key": "val"},
-			wantNil:      false,
-			wantWarnings: 0,
-		},
-		{
-			name:         "unmarshalable value produces warning",
-			val:          make(chan int),
-			wantNil:      true,
-			wantWarnings: 1,
-		},
-		{
-			name:        "unmarshalable value with nil warnings pointer",
-			val:         make(chan int),
-			wantNil:     true,
-			nilWarnings: true,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			var warnings *[]Warning
-			if !tt.nilWarnings {
-				w := []Warning{}
-				warnings = &w
-			}
-
-			result := JSON(tt.val, warnings)
-
-			if tt.wantNil && result != nil {
-				t.Errorf("JSON() = %v, want nil", string(result))
-			}
-			if !tt.wantNil && result == nil {
-				t.Error("JSON() = nil, want non-nil")
-			}
-			if warnings != nil && len(*warnings) != tt.wantWarnings {
-				t.Errorf("JSON() produced %d warnings, want %d", len(*warnings), tt.wantWarnings)
-			}
-		})
-	}
-}
-
-func TestJSONModuleObject(t *testing.T) {
-	tests := []struct {
-		name         string
-		val          any
-		fieldName    string
-		fieldVal     string
-		wantNil      bool
-		wantField    bool
-		wantWarnings int
-	}{
-		{
-			name:         "simple struct",
-			val:          struct{ Name string }{"test"},
-			fieldName:    "handler",
-			fieldVal:     "file_server",
-			wantNil:      false,
-			wantField:    true,
-			wantWarnings: 0,
-		},
-		{
-			name:         "map value",
-			val:          map[string]any{"key": "val"},
-			fieldName:    "module",
-			fieldVal:     "my_module",
-			wantNil:      false,
-			wantField:    true,
-			wantWarnings: 0,
-		},
-		{
-			name:         "non-object type (string) produces warning",
-			val:          "not-an-object",
-			fieldName:    "handler",
-			fieldVal:     "test",
-			wantNil:      true,
-			wantField:    false,
-			wantWarnings: 1,
-		},
-		{
-			name:         "unmarshalable value produces warning",
-			val:          make(chan int),
-			fieldName:    "handler",
-			fieldVal:     "test",
-			wantNil:      true,
-			wantField:    false,
-			wantWarnings: 1,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			warnings := []Warning{}
-			result := JSONModuleObject(tt.val, tt.fieldName, tt.fieldVal, &warnings)
-
-			if tt.wantNil && result != nil {
-				t.Errorf("JSONModuleObject() = %v, want nil", string(result))
-			}
-			if !tt.wantNil && result == nil {
-				t.Error("JSONModuleObject() = nil, want non-nil")
-			}
-			if len(warnings) != tt.wantWarnings {
-				t.Errorf("JSONModuleObject() produced %d warnings, want %d", len(warnings), tt.wantWarnings)
-			}
-			if tt.wantField && result != nil {
-				var m map[string]any
-				if err := json.Unmarshal(result, &m); err != nil {
-					t.Fatalf("failed to unmarshal result: %v", err)
-				}
-				if v, ok := m[tt.fieldName]; !ok {
-					t.Errorf("expected field %q in result", tt.fieldName)
-				} else if v != tt.fieldVal {
-					t.Errorf("field %q = %v, want %v", tt.fieldName, v, tt.fieldVal)
-				}
-			}
-		})
-	}
-}
-
-func TestJSONModuleObjectPreservesExistingFields(t *testing.T) {
-	val := struct {
-		Name string `json:"name"`
-		Port int    `json:"port"`
-	}{"example", 8080}
-
-	warnings := []Warning{}
-	result := JSONModuleObject(val, "handler", "static", &warnings)
-
-	if result == nil {
-		t.Fatal("expected non-nil result")
-	}
-
-	var m map[string]any
-	if err := json.Unmarshal(result, &m); err != nil {
-		t.Fatalf("failed to unmarshal: %v", err)
-	}
-
-	if m["name"] != "example" {
-		t.Errorf("name = %v, want 'example'", m["name"])
-	}
-	if m["port"] != float64(8080) {
-		t.Errorf("port = %v, want 8080", m["port"])
-	}
-	if m["handler"] != "static" {
-		t.Errorf("handler = %v, want 'static'", m["handler"])
-	}
-}
-
-func TestGetAdapterNil(t *testing.T) {
-	adapter := GetAdapter("nonexistent_adapter_xyz")
-	if adapter != nil {
-		t.Error("expected nil for unregistered adapter")
-	}
-}
-
-func TestWarningString(t *testing.T) {
-	tests := []struct {
-		name    string
-		warning Warning
-		want    string
-	}{
-		{
-			name:    "all fields",
-			warning: Warning{File: "Caddyfile", Line: 10, Directive: "reverse_proxy", Message: "upstream not found"},
-			want:    "Caddyfile:10 (reverse_proxy): upstream not found",
-		},
-		{
-			name:    "no directive",
-			warning: Warning{File: "Caddyfile", Line: 5, Message: "something off"},
-			want:    "Caddyfile:5: something off",
-		},
-		{
-			name:    "zero line",
-			warning: Warning{File: "config.json", Line: 0, Message: "invalid"},
-			want:    "config.json:0: invalid",
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			got := tt.warning.String()
-			if got != tt.want {
-				t.Errorf("Warning.String() = %q, want %q", got, tt.want)
-			}
-		})
-	}
-}
@@ -1,299 +0,0 @@
-package httpcaddyfile
-
-import (
-	"testing"
-
-	"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
-)
-
-func TestShorthandReplacerSimpleReplacements(t *testing.T) {
-	sr := NewShorthandReplacer()
-
-	tests := []struct {
-		name  string
-		input string
-		want  string
-	}{
-		{
-			name:  "host",
-			input: "{host}",
-			want:  "{http.request.host}",
-		},
-		{
-			name:  "hostport",
-			input: "{hostport}",
-			want:  "{http.request.hostport}",
-		},
-		{
-			name:  "port",
-			input: "{port}",
-			want:  "{http.request.port}",
-		},
-		{
-			name:  "method",
-			input: "{method}",
-			want:  "{http.request.method}",
-		},
-		{
-			name:  "uri",
-			input: "{uri}",
-			want:  "{http.request.uri}",
-		},
-		{
-			name:  "path",
-			input: "{path}",
-			want:  "{http.request.uri.path}",
-		},
-		{
-			name:  "query",
-			input: "{query}",
-			want:  "{http.request.uri.query}",
-		},
-		{
-			name:  "scheme",
-			input: "{scheme}",
-			want:  "{http.request.scheme}",
-		},
-		{
-			name:  "remote_host",
-			input: "{remote_host}",
-			want:  "{http.request.remote.host}",
-		},
-		{
-			name:  "remote_port",
-			input: "{remote_port}",
-			want:  "{http.request.remote.port}",
-		},
-		{
-			name:  "uuid",
-			input: "{uuid}",
-			want:  "{http.request.uuid}",
-		},
-		{
-			name:  "tls_cipher",
-			input: "{tls_cipher}",
-			want:  "{http.request.tls.cipher_suite}",
-		},
-		{
-			name:  "tls_version",
-			input: "{tls_version}",
-			want:  "{http.request.tls.version}",
-		},
-		{
-			name:  "client_ip",
-			input: "{client_ip}",
-			want:  "{http.vars.client_ip}",
-		},
-		{
-			name:  "upstream_hostport",
-			input: "{upstream_hostport}",
-			want:  "{http.reverse_proxy.upstream.hostport}",
-		},
-		{
-			name:  "dir",
-			input: "{dir}",
-			want:  "{http.request.uri.path.dir}",
-		},
-		{
-			name:  "file",
-			input: "{file}",
-			want:  "{http.request.uri.path.file}",
-		},
-		{
-			name:  "orig_method",
-			input: "{orig_method}",
-			want:  "{http.request.orig_method}",
-		},
-		{
-			name:  "orig_uri",
-			input: "{orig_uri}",
-			want:  "{http.request.orig_uri}",
-		},
-		{
-			name:  "orig_path",
-			input: "{orig_path}",
-			want:  "{http.request.orig_uri.path}",
-		},
-		{
-			name:  "no matching placeholder",
-			input: "{unknown}",
-			want:  "{unknown}",
-		},
-		{
-			name:  "not a placeholder",
-			input: "plain text",
-			want:  "plain text",
-		},
-		{
-			name:  "empty string",
-			input: "",
-			want:  "",
-		},
-		{
-			name:  "multiple placeholders in one string",
-			input: "{host}:{port}",
-			want:  "{http.request.host}:{http.request.port}",
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			segment := caddyfile.Segment{{Text: tt.input}}
-			sr.ApplyToSegment(&segment)
-			got := segment[0].Text
-			if got != tt.want {
-				t.Errorf("ApplyToSegment(%q) = %q, want %q", tt.input, got, tt.want)
-			}
-		})
-	}
-}
-
-func TestShorthandReplacerComplexReplacements(t *testing.T) {
-	sr := NewShorthandReplacer()
-
-	tests := []struct {
-		name  string
-		input string
-		want  string
-	}{
-		{
-			name:  "header placeholder",
-			input: "{header.X-Forwarded-For}",
-			want:  "{http.request.header.X-Forwarded-For}",
-		},
-		{
-			name:  "cookie placeholder",
-			input: "{cookie.session_id}",
-			want:  "{http.request.cookie.session_id}",
-		},
-		{
-			name:  "labels placeholder",
-			input: "{labels.0}",
-			want:  "{http.request.host.labels.0}",
-		},
-		{
-			name:  "path segment placeholder",
-			input: "{path.0}",
-			want:  "{http.request.uri.path.0}",
-		},
-		{
-			name:  "query placeholder",
-			input: "{query.page}",
-			want:  "{http.request.uri.query.page}",
-		},
-		{
-			name:  "re placeholder with dots",
-			input: "{re.name.group}",
-			want:  "{http.regexp.name.group}",
-		},
-		{
-			name:  "vars placeholder",
-			input: "{vars.my_var}",
-			want:  "{http.vars.my_var}",
-		},
-		{
-			name:  "rp placeholder",
-			input: "{rp.upstream.address}",
-			want:  "{http.reverse_proxy.upstream.address}",
-		},
-		{
-			name:  "resp placeholder",
-			input: "{resp.status_code}",
-			want:  "{http.intercept.status_code}",
-		},
-		{
-			name:  "err placeholder",
-			input: "{err.status_code}",
-			want:  "{http.error.status_code}",
-		},
-		{
-			name:  "file_match placeholder",
-			input: "{file_match.relative}",
-			want:  "{http.matchers.file.relative}",
-		},
-		{
-			name:  "header with hyphen",
-			input: "{header.Content-Type}",
-			want:  "{http.request.header.Content-Type}",
-		},
-		{
-			name:  "header with underscore",
-			input: "{header.X_Custom_Header}",
-			want:  "{http.request.header.X_Custom_Header}",
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			segment := caddyfile.Segment{{Text: tt.input}}
-			sr.ApplyToSegment(&segment)
-			got := segment[0].Text
-			if got != tt.want {
-				t.Errorf("ApplyToSegment(%q) = %q, want %q", tt.input, got, tt.want)
-			}
-		})
-	}
-}
-
-func TestShorthandReplacerApplyToNilSegment(t *testing.T) {
-	sr := NewShorthandReplacer()
-	// Should not panic
-	sr.ApplyToSegment(nil)
-}
-
-func TestShorthandReplacerMultipleTokens(t *testing.T) {
-	sr := NewShorthandReplacer()
-
-	segment := caddyfile.Segment{
-		{Text: "{host}"},
-		{Text: "{path}"},
-		{Text: "{header.X-Test}"},
-		{Text: "plain"},
-	}
-
-	sr.ApplyToSegment(&segment)
-
-	expected := []string{
-		"{http.request.host}",
-		"{http.request.uri.path}",
-		"{http.request.header.X-Test}",
-		"plain",
-	}
-
-	for i, want := range expected {
-		if segment[i].Text != want {
-			t.Errorf("token %d: got %q, want %q", i, segment[i].Text, want)
-		}
-	}
-}
-
-func TestShorthandReplacerEmptySegment(t *testing.T) {
-	sr := NewShorthandReplacer()
-	segment := caddyfile.Segment{}
-	sr.ApplyToSegment(&segment) // should not panic
-}
-
-func TestShorthandReplacerEscapedPlaceholders(t *testing.T) {
-	sr := NewShorthandReplacer()
-
-	// Percent-escaped path placeholder
-	segment := caddyfile.Segment{{Text: "{%path}"}}
-	sr.ApplyToSegment(&segment)
-	if segment[0].Text != "{http.request.uri.path_escaped}" {
-		t.Errorf("got %q, want {http.request.uri.path_escaped}", segment[0].Text)
-	}
-
-	// Percent-escaped query placeholder
-	segment = caddyfile.Segment{{Text: "{%query}"}}
-	sr.ApplyToSegment(&segment)
-	if segment[0].Text != "{http.request.uri.query_escaped}" {
-		t.Errorf("got %q, want {http.request.uri.query_escaped}", segment[0].Text)
-	}
-
-	// Prefixed query
-	segment = caddyfile.Segment{{Text: "{?query}"}}
-	sr.ApplyToSegment(&segment)
-	if segment[0].Text != "{http.request.uri.prefixed_query}" {
-		t.Errorf("got %q, want {http.request.uri.prefixed_query}", segment[0].Text)
-	}
-}
@@ -1036,7 +1036,7 @@ outer:
 			// otherwise the one without any subjects (a catch-all) would be
 			// eaten up by the one with subjects; and if both have subjects, we
 			// need to combine their lists
-			if reflect.DeepEqual(aps[i].IssuersRaw, aps[j].IssuersRaw) &&
+			if automationPoliciesHaveSameIssuers(aps[i], aps[j]) &&
 				reflect.DeepEqual(aps[i].ManagersRaw, aps[j].ManagersRaw) &&
 				bytes.Equal(aps[i].StorageRaw, aps[j].StorageRaw) &&
 				aps[i].MustStaple == aps[j].MustStaple &&
@@ -1128,6 +1128,58 @@ func subjectQualifiesForPublicCert(ap *caddytls.AutomationPolicy, subj string) b
 		(strings.Count(subj, "*.") < 2 || ap.OnDemand)
 }

+func automationPoliciesHaveSameIssuers(a, b *caddytls.AutomationPolicy) bool {
+	if reflect.DeepEqual(a.IssuersRaw, b.IssuersRaw) {
+		return automationPoliciesHaveCompatibleImplicitIssuers(a, b)
+	}
+	return automationPolicyUsesDefaultInternalIssuer(a) && automationPolicyUsesDefaultInternalIssuer(b)
+}
+
+func automationPolicyUsesDefaultInternalIssuer(ap *caddytls.AutomationPolicy) bool {
+	if len(ap.IssuersRaw) == 0 && len(ap.Issuers) == 0 {
+		return automationPolicyImplicitIssuerClass(ap) == "internal"
+	}
+	return len(ap.IssuersRaw) == 1 &&
+		len(ap.Issuers) == 0 &&
+		string(bytes.TrimSpace(ap.IssuersRaw[0])) == `{"module":"internal"}`
+}
+
+// automationPoliciesHaveCompatibleImplicitIssuers returns whether two policies
+// without explicit issuers can be consolidated without changing default issuer
+// selection for their subjects.
+func automationPoliciesHaveCompatibleImplicitIssuers(a, b *caddytls.AutomationPolicy) bool {
+	if len(a.IssuersRaw) > 0 || len(a.Issuers) > 0 ||
+		len(b.IssuersRaw) > 0 || len(b.Issuers) > 0 {
+		return true
+	}
+
+	aClass := automationPolicyImplicitIssuerClass(a)
+	bClass := automationPolicyImplicitIssuerClass(b)
+	return aClass == "catch-all" || bClass == "catch-all" || aClass == bClass
+}
+
+func automationPolicyImplicitIssuerClass(ap *caddytls.AutomationPolicy) string {
+	if len(ap.SubjectsRaw) == 0 {
+		return "catch-all"
+	}
+
+	hasPublic := slices.ContainsFunc(ap.SubjectsRaw, func(subj string) bool {
+		return subjectQualifiesForPublicCert(ap, subj)
+	})
+	hasInternal := slices.ContainsFunc(ap.SubjectsRaw, func(subj string) bool {
+		return !subjectQualifiesForPublicCert(ap, subj)
+	})
+
+	switch {
+	case hasPublic && hasInternal:
+		return "mixed"
+	case hasPublic:
+		return "public"
+	default:
+		return "internal"
+	}
+}
+
 // automationPolicyHasAllPublicNames returns true if all the names on the policy
 // do NOT qualify for public certs OR are tailscale domains.
 func automationPolicyHasAllPublicNames(ap *caddytls.AutomationPolicy) bool {
@@ -3,6 +3,7 @@ package httpcaddyfile
 import (
 	"testing"

+	"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
 	"github.com/caddyserver/caddy/v2/modules/caddytls"
 )

@@ -54,3 +55,20 @@ func TestAutomationPolicyIsSubset(t *testing.T) {
 		}
 	}
 }
+
+func TestAutomationPoliciesAllowSameHostOnDifferentPorts(t *testing.T) {
+	input := `https://example.com:5000 localhost:5000 {
+	respond "one"
+}
+
+https://example.net localhost:8080 {
+	respond "two"
+}
+`
+
+	adapter := caddyfile.Adapter{ServerType: ServerType{}}
+	_, _, err := adapter.Adapt([]byte(input), nil)
+	if err != nil {
+		t.Fatalf("adapting Caddyfile: %v", err)
+	}
+}
@@ -518,7 +518,7 @@ func (tc *Tester) AssertResponseCode(req *http.Request, expectedStatusCode int)
 	return resp
 }

-// AssertResponse request a URI and assert the status code and the body contains a string
+// AssertResponse requests a URI and asserts the status code and body.
 func (tc *Tester) AssertResponse(req *http.Request, expectedStatusCode int, expectedBody string) (*http.Response, string) {
 	tc.t.Helper()

@@ -541,7 +541,7 @@ func (tc *Tester) AssertResponse(req *http.Request, expectedStatusCode int, expe

 // Verb specific test functions

-// AssertGetResponse GET a URI and expect a statusCode and body text
+// AssertGetResponse requests a URI with GET and expects a status code and body text.
 func (tc *Tester) AssertGetResponse(requestURI string, expectedStatusCode int, expectedBody string) (*http.Response, string) {
 	tc.t.Helper()

@@ -553,7 +553,7 @@ func (tc *Tester) AssertGetResponse(requestURI string, expectedStatusCode int, e
 	return tc.AssertResponse(req, expectedStatusCode, expectedBody)
 }

-// AssertDeleteResponse request a URI and expect a statusCode and body text
+// AssertDeleteResponse requests a URI with DELETE and expects a status code and body text.
 func (tc *Tester) AssertDeleteResponse(requestURI string, expectedStatusCode int, expectedBody string) (*http.Response, string) {
 	tc.t.Helper()

@@ -565,7 +565,7 @@ func (tc *Tester) AssertDeleteResponse(requestURI string, expectedStatusCode int
 	return tc.AssertResponse(req, expectedStatusCode, expectedBody)
 }

-// AssertPostResponseBody POST to a URI and assert the response code and body
+// AssertPostResponseBody requests a URI with POST and asserts the response code and body.
 func (tc *Tester) AssertPostResponseBody(requestURI string, requestHeaders []string, requestBody *bytes.Buffer, expectedStatusCode int, expectedBody string) (*http.Response, string) {
 	tc.t.Helper()

@@ -580,7 +580,7 @@ func (tc *Tester) AssertPostResponseBody(requestURI string, requestHeaders []str
 	return tc.AssertResponse(req, expectedStatusCode, expectedBody)
 }

-// AssertPutResponseBody PUT to a URI and assert the response code and body
+// AssertPutResponseBody requests a URI with PUT and asserts the response code and body.
 func (tc *Tester) AssertPutResponseBody(requestURI string, requestHeaders []string, requestBody *bytes.Buffer, expectedStatusCode int, expectedBody string) (*http.Response, string) {
 	tc.t.Helper()

@@ -595,7 +595,7 @@ func (tc *Tester) AssertPutResponseBody(requestURI string, requestHeaders []stri
 	return tc.AssertResponse(req, expectedStatusCode, expectedBody)
 }

-// AssertPatchResponseBody PATCH to a URI and assert the response code and body
+// AssertPatchResponseBody requests a URI with PATCH and asserts the response code and body.
 func (tc *Tester) AssertPatchResponseBody(requestURI string, requestHeaders []string, requestBody *bytes.Buffer, expectedStatusCode int, expectedBody string) (*http.Response, string) {
 	tc.t.Helper()

@@ -6,4 +6,4 @@ handle {
    END!
 }
 ----------
-heredoc marker on line #4 must contain only alpha-numeric characters, dashes and underscores; got 'END!'
+heredoc marker on line #4 must contain only alphanumeric characters, dashes and underscores; got 'END!'
@@ -1,7 +1,14 @@
 package integration

 import (
+	"crypto/ed25519"
+	"crypto/rand"
+	"crypto/tls"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"errors"
 	"fmt"
+	"math/big"
 	"net"
 	"net/http"
 	"os"
@@ -9,8 +16,10 @@ import (
 	"strings"
 	"sync/atomic"
 	"testing"
+	"time"

 	"github.com/caddyserver/caddy/v2/caddytest"
+	"github.com/quic-go/quic-go/http3"
 )

 func TestSRVReverseProxy(t *testing.T) {
@@ -793,3 +802,140 @@ func TestReverseProxyRetryMatchIsTransportError(t *testing.T) {
 	// Transport error on broken upstream should be retried to good upstream
 	tester.AssertGetResponse("http://localhost:9080/", 200, "ok")
 }
+
+func TestReverseProxyHTTP3SNIPlaceholderHost(t *testing.T) {
+	const expectedSNI = "app.test.local"
+
+	upstreamAddr, gotSNI := startHTTP3SNITestServer(t)
+
+	tester := caddytest.NewTester(t)
+	tester.InitServer(fmt.Sprintf(`
+	{
+		skip_install_trust
+		admin localhost:2999
+		http_port 9080
+		grace_period 1ns
+	}
+:9080 {
+		reverse_proxy https://%s {
+			transport http {
+				versions 3
+				tls_server_name {host}
+				tls_insecure_skip_verify
+			}
+		}
+	}
+	`, upstreamAddr), "caddyfile")
+
+	req, err := http.NewRequest(http.MethodGet, "http://127.0.0.1:9080/", nil)
+	if err != nil {
+		t.Fatalf("failed to create request: %v", err)
+	}
+	req.Host = expectedSNI
+
+	tester.AssertResponse(req, 200, "ok")
+
+	select {
+	case sni := <-gotSNI:
+		if sni != expectedSNI {
+			t.Fatalf("HTTP/3 upstream SNI = %q, want %q", sni, expectedSNI)
+		}
+		if sni == "{http.request.host}" {
+			t.Fatal("HTTP/3 upstream SNI was not expanded from the adapted placeholder")
+		}
+	case <-time.After(5 * time.Second):
+		t.Fatal("timed out waiting for HTTP/3 upstream SNI")
+	}
+}
+
+func startHTTP3SNITestServer(t *testing.T) (string, <-chan string) {
+	t.Helper()
+
+	gotSNI := make(chan string, 1)
+	udpConn, err := net.ListenPacket("udp", "127.0.0.1:0")
+	if err != nil {
+		t.Fatalf("failed to listen for HTTP/3 upstream: %v", err)
+	}
+
+	server := &http3.Server{
+		TLSConfig: http3SNITestTLSConfig(t, func(sni string) {
+			select {
+			case gotSNI <- sni:
+			default:
+			}
+		}),
+		Handler: http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+			fmt.Fprint(w, "ok")
+		}),
+	}
+
+	done := make(chan struct{})
+	errs := make(chan error, 1)
+	go func() {
+		defer close(done)
+		err := server.Serve(udpConn)
+		if err != nil && !errors.Is(err, http.ErrServerClosed) && !errors.Is(err, net.ErrClosed) {
+			errs <- err
+		}
+	}()
+
+	t.Cleanup(func() {
+		_ = server.Close()
+		_ = udpConn.Close()
+		select {
+		case <-done:
+		case <-time.After(5 * time.Second):
+			t.Error("timed out waiting for HTTP/3 upstream server to stop")
+		}
+		select {
+		case err := <-errs:
+			t.Errorf("HTTP/3 upstream server failed: %v", err)
+		default:
+		}
+	})
+
+	return udpConn.LocalAddr().String(), gotSNI
+}
+
+func http3SNITestTLSConfig(t *testing.T, recordSNI func(string)) *tls.Config {
+	t.Helper()
+
+	publicKey, privateKey, err := ed25519.GenerateKey(rand.Reader)
+	if err != nil {
+		t.Fatalf("failed to generate HTTP/3 upstream private key: %v", err)
+	}
+
+	certTemplate := &x509.Certificate{
+		SerialNumber: big.NewInt(1),
+		Subject: pkix.Name{
+			CommonName: "HTTP/3 SNI test upstream",
+		},
+		NotBefore:             time.Now().Add(-time.Hour),
+		NotAfter:              time.Now().Add(time.Hour),
+		DNSNames:              []string{"app.test.local"},
+		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1)},
+		KeyUsage:              x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		BasicConstraintsValid: true,
+	}
+
+	certDER, err := x509.CreateCertificate(rand.Reader, certTemplate, certTemplate, publicKey, privateKey)
+	if err != nil {
+		t.Fatalf("failed to create HTTP/3 upstream certificate: %v", err)
+	}
+	cert := tls.Certificate{
+		Certificate: [][]byte{certDER},
+		PrivateKey:  privateKey,
+	}
+	baseConfig := &tls.Config{
+		Certificates: []tls.Certificate{cert},
+	}
+
+	return &tls.Config{
+		Certificates: []tls.Certificate{cert},
+		GetConfigForClient: func(hello *tls.ClientHelloInfo) (*tls.Config, error) {
+			recordSNI(hello.ServerName)
+			return baseConfig.Clone(), nil
+		},
+	}
+}
@@ -159,7 +159,7 @@ func testH2ToH2CStreamServeH2C(t *testing.T) *http.Server {
 		}
 		// We only accept HTTP/2!
 		if r.ProtoMajor != 2 {
-			t.Error("Not a HTTP/2 request, rejected!")
+			t.Error("Not an HTTP/2 request, rejected!")
 			w.WriteHeader(http.StatusInternalServerError)
 			return
 		}
@@ -58,7 +58,7 @@ func cmdStart(fl Flags) (int, error) {

 	// open a listener to which the child process will connect when
 	// it is ready to confirm that it has successfully started
-	ln, err := net.Listen("tcp", "127.0.0.1:0")
+	ln, err := listenTCPForPingback(net.Listen)
 	if err != nil {
 		return caddy.ExitCodeFailedStartup,
 			fmt.Errorf("opening listener for success confirmation: %v", err)
@@ -169,6 +169,22 @@ func cmdStart(fl Flags) (int, error) {
 	return caddy.ExitCodeSuccess, nil
 }

+type tcpListenFunc func(network, address string) (net.Listener, error)
+
+func listenTCPForPingback(listen tcpListenFunc) (net.Listener, error) {
+	ln, ipv4Err := listen("tcp4", "127.0.0.1:0")
+	if ipv4Err == nil {
+		return ln, nil
+	}
+
+	ln, ipv6Err := listen("tcp6", "[::1]:0")
+	if ipv6Err == nil {
+		return ln, nil
+	}
+
+	return nil, fmt.Errorf("listen on 127.0.0.1:0: %v; listen on [::1]:0: %v", ipv4Err, ipv6Err)
+}
+
 func cmdRun(fl Flags) (int, error) {
 	caddy.TrapSignals()

@@ -566,7 +566,7 @@ argument of --directory. If the directory does not exist, it will be created.
 // following format:
 //
 //   - lowercase
-//   - alphanumeric and hyphen characters only
+//   - ASCII lowercase letters, digits and hyphens only
 //   - cannot start or end with a hyphen
 //   - hyphen cannot be adjacent to another hyphen
 //
@@ -1,6 +1,8 @@
 package caddycmd

 import (
+	"errors"
+	"net"
 	"reflect"
 	"strings"
 	"testing"
@@ -169,6 +171,80 @@ here"
 	}
 }

+func TestListenTCPForPingbackUsesIPv4Loopback(t *testing.T) {
+	var calls []string
+	expected := &stubListener{addr: &net.TCPAddr{IP: net.ParseIP("127.0.0.1"), Port: 1234}}
+
+	actual, err := listenTCPForPingback(func(network, address string) (net.Listener, error) {
+		calls = append(calls, network+" "+address)
+		return expected, nil
+	})
+	if err != nil {
+		t.Fatalf("listenTCPForPingback returned error: %v", err)
+	}
+	if actual != expected {
+		t.Fatalf("expected listener %p, got %p", expected, actual)
+	}
+
+	expectCalls := []string{"tcp4 127.0.0.1:0"}
+	if !reflect.DeepEqual(calls, expectCalls) {
+		t.Fatalf("expected calls %v, got %v", expectCalls, calls)
+	}
+}
+
+func TestListenTCPForPingbackFallsBackToIPv6Loopback(t *testing.T) {
+	var calls []string
+	expected := &stubListener{addr: &net.TCPAddr{IP: net.ParseIP("::1"), Port: 1234}}
+
+	actual, err := listenTCPForPingback(func(network, address string) (net.Listener, error) {
+		calls = append(calls, network+" "+address)
+		if len(calls) == 1 {
+			return nil, errors.New("ipv4 unavailable")
+		}
+		return expected, nil
+	})
+	if err != nil {
+		t.Fatalf("listenTCPForPingback returned error: %v", err)
+	}
+	if actual != expected {
+		t.Fatalf("expected listener %p, got %p", expected, actual)
+	}
+
+	expectCalls := []string{"tcp4 127.0.0.1:0", "tcp6 [::1]:0"}
+	if !reflect.DeepEqual(calls, expectCalls) {
+		t.Fatalf("expected calls %v, got %v", expectCalls, calls)
+	}
+}
+
+func TestListenTCPForPingbackReportsBothFailures(t *testing.T) {
+	_, err := listenTCPForPingback(func(network, address string) (net.Listener, error) {
+		return nil, errors.New(network + " failed")
+	})
+	if err == nil {
+		t.Fatal("expected error")
+	}
+	if !strings.Contains(err.Error(), "tcp4 failed") ||
+		!strings.Contains(err.Error(), "tcp6 failed") {
+		t.Fatalf("expected both listener errors, got: %v", err)
+	}
+}
+
+type stubListener struct {
+	addr net.Addr
+}
+
+func (sl *stubListener) Accept() (net.Conn, error) {
+	return nil, net.ErrClosed
+}
+
+func (sl *stubListener) Close() error {
+	return nil
+}
+
+func (sl *stubListener) Addr() net.Addr {
+	return sl.addr
+}
+
 func Test_isCaddyfile(t *testing.T) {
 	type args struct {
 		configFile  string
@@ -1,234 +0,0 @@
-// Copyright 2015 Matthew Holt and The Caddy Authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package caddycmd
-
-import (
-	"testing"
-)
-
-func TestSplitModule(t *testing.T) {
-	tests := []struct {
-		name            string
-		input           string
-		expectedModule  string
-		expectedVersion string
-		expectError     bool
-	}{
-		{
-			name:            "simple module without version",
-			input:           "github.com/caddyserver/caddy",
-			expectedModule:  "github.com/caddyserver/caddy",
-			expectedVersion: "",
-			expectError:     false,
-		},
-		{
-			name:            "module with version",
-			input:           "github.com/caddyserver/caddy@v2.0.0",
-			expectedModule:  "github.com/caddyserver/caddy",
-			expectedVersion: "v2.0.0",
-			expectError:     false,
-		},
-		{
-			name:            "module with semantic version",
-			input:           "github.com/user/module@v1.2.3",
-			expectedModule:  "github.com/user/module",
-			expectedVersion: "v1.2.3",
-			expectError:     false,
-		},
-		{
-			name:            "module with prerelease version",
-			input:           "github.com/user/module@v1.0.0-beta.1",
-			expectedModule:  "github.com/user/module",
-			expectedVersion: "v1.0.0-beta.1",
-			expectError:     false,
-		},
-		{
-			name:            "module with commit hash",
-			input:           "github.com/user/module@abc123def",
-			expectedModule:  "github.com/user/module",
-			expectedVersion: "abc123def",
-			expectError:     false,
-		},
-		{
-			name:            "module with @ in path and version",
-			input:           "github.com/@user/module@v1.0.0",
-			expectedModule:  "github.com/@user/module",
-			expectedVersion: "v1.0.0",
-			expectError:     false,
-		},
-		{
-			name:            "module with multiple @ in path",
-			input:           "github.com/@org/@user/module@v2.3.4",
-			expectedModule:  "github.com/@org/@user/module",
-			expectedVersion: "v2.3.4",
-			expectError:     false,
-		},
-		// TODO: decide on the behavior for this case; it fails currently
-		// {
-		// 	name:            "module with @ in path but no version",
-		// 	input:           "github.com/@user/module",
-		// 	expectedModule:  "github.com/@user/module",
-		// 	expectedVersion: "",
-		// 	expectError:     false,
-		// },
-		{
-			name:            "empty string",
-			input:           "",
-			expectedModule:  "",
-			expectedVersion: "",
-			expectError:     true,
-		},
-		{
-			name:            "only @ symbol",
-			input:           "@",
-			expectedModule:  "",
-			expectedVersion: "",
-			expectError:     true,
-		},
-		{
-			name:            "@ at start",
-			input:           "@v1.0.0",
-			expectedModule:  "",
-			expectedVersion: "v1.0.0",
-			expectError:     true,
-		},
-		{
-			name:            "@ at end",
-			input:           "github.com/user/module@",
-			expectedModule:  "github.com/user/module",
-			expectedVersion: "",
-			expectError:     false,
-		},
-		{
-			name:            "multiple consecutive @",
-			input:           "github.com/user/module@@v1.0.0",
-			expectedModule:  "github.com/user/module@",
-			expectedVersion: "v1.0.0",
-			expectError:     false,
-		},
-		{
-			name:            "version with latest tag",
-			input:           "github.com/user/module@latest",
-			expectedModule:  "github.com/user/module",
-			expectedVersion: "latest",
-			expectError:     false,
-		},
-		{
-			name:            "long module path",
-			input:           "github.com/organization/team/project/subproject/module@v3.14.159",
-			expectedModule:  "github.com/organization/team/project/subproject/module",
-			expectedVersion: "v3.14.159",
-			expectError:     false,
-		},
-		{
-			name:            "module with dots in name",
-			input:           "github.com/user/my.module.name@v1.0",
-			expectedModule:  "github.com/user/my.module.name",
-			expectedVersion: "v1.0",
-			expectError:     false,
-		},
-		{
-			name:            "module with hyphens",
-			input:           "github.com/user/my-module-name@v1.0.0",
-			expectedModule:  "github.com/user/my-module-name",
-			expectedVersion: "v1.0.0",
-			expectError:     false,
-		},
-		{
-			name:            "gitlab module",
-			input:           "gitlab.com/user/module@v2.0.0",
-			expectedModule:  "gitlab.com/user/module",
-			expectedVersion: "v2.0.0",
-			expectError:     false,
-		},
-		{
-			name:            "bitbucket module",
-			input:           "bitbucket.org/user/module@v1.5.0",
-			expectedModule:  "bitbucket.org/user/module",
-			expectedVersion: "v1.5.0",
-			expectError:     false,
-		},
-		{
-			name:            "custom domain",
-			input:           "example.com/custom/module@v1.0.0",
-			expectedModule:  "example.com/custom/module",
-			expectedVersion: "v1.0.0",
-			expectError:     false,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			module, version, err := splitModule(tt.input)
-
-			// Check error expectation
-			if tt.expectError {
-				if err == nil {
-					t.Errorf("expected error but got none")
-				}
-			} else {
-				if err != nil {
-					t.Errorf("unexpected error: %v", err)
-				}
-			}
-
-			// Check module
-			if module != tt.expectedModule {
-				t.Errorf("module: got %q, want %q", module, tt.expectedModule)
-			}
-
-			// Check version
-			if version != tt.expectedVersion {
-				t.Errorf("version: got %q, want %q", version, tt.expectedVersion)
-			}
-		})
-	}
-}
-
-func TestSplitModule_ErrorCases(t *testing.T) {
-	errorCases := []string{
-		"",
-		"@",
-		"@version",
-		"@v1.0.0",
-	}
-
-	for _, tc := range errorCases {
-		t.Run("error_"+tc, func(t *testing.T) {
-			_, _, err := splitModule(tc)
-			if err == nil {
-				t.Errorf("splitModule(%q) should return error", tc)
-			}
-		})
-	}
-}
-
-// BenchmarkSplitModule benchmarks the splitModule function
-func BenchmarkSplitModule(b *testing.B) {
-	testCases := []string{
-		"github.com/user/module",
-		"github.com/user/module@v1.0.0",
-		"github.com/@org/@user/module@v2.3.4",
-		"github.com/organization/team/project/subproject/module@v3.14.159",
-	}
-
-	for _, tc := range testCases {
-		b.Run(tc, func(b *testing.B) {
-			for i := 0; i < b.N; i++ {
-				splitModule(tc)
-			}
-		})
-	}
-}
@@ -1,720 +0,0 @@
-// Copyright 2015 Matthew Holt and The Caddy Authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package caddy
-
-import (
-	"bytes"
-	"encoding/json"
-	"fmt"
-	"net/http"
-	"sync"
-	"sync/atomic"
-	"testing"
-	"time"
-)
-
-func TestConfig_Start_Stop_Basic(t *testing.T) {
-	cfg := &Config{
-		Admin: &AdminConfig{Disabled: true}, // Disable admin to avoid port conflicts
-	}
-
-	ctx, err := run(cfg, true)
-	if err != nil {
-		t.Fatalf("Failed to run config: %v", err)
-	}
-
-	// Verify context is valid
-	if ctx.cfg == nil {
-		t.Error("Expected non-nil config in context")
-	}
-
-	// Stop the config
-	unsyncedStop(ctx)
-
-	// Verify cleanup was called
-	if ctx.cfg.cancelFunc == nil {
-		t.Error("Expected cancel function to be set")
-	}
-}
-
-func TestConfig_Validate_InvalidConfig(t *testing.T) {
-	// Create a config with an invalid app module
-	cfg := &Config{
-		AppsRaw: ModuleMap{
-			"non-existent-app": json.RawMessage(`{}`),
-		},
-	}
-
-	err := Validate(cfg)
-	if err == nil {
-		t.Error("Expected validation error for invalid app module")
-	}
-}
-
-func TestConfig_Validate_ValidConfig(t *testing.T) {
-	cfg := &Config{
-		Admin: &AdminConfig{Disabled: true},
-	}
-
-	err := Validate(cfg)
-	if err != nil {
-		t.Errorf("Unexpected validation error: %v", err)
-	}
-}
-
-func TestChangeConfig_ConcurrentAccess(t *testing.T) {
-	// Save original config state
-	originalRawCfg := rawCfg[rawConfigKey]
-	originalRawCfgJSON := rawCfgJSON
-	defer func() {
-		rawCfg[rawConfigKey] = originalRawCfg
-		rawCfgJSON = originalRawCfgJSON
-	}()
-
-	// Initialize with a basic config
-	initialCfg := map[string]any{
-		"test": "value",
-	}
-	rawCfg[rawConfigKey] = initialCfg
-
-	const numGoroutines = 10 // Reduced for more controlled testing
-	var wg sync.WaitGroup
-	errors := make([]error, numGoroutines)
-
-	for i := 0; i < numGoroutines; i++ {
-		wg.Add(1)
-		go func(index int) {
-			defer wg.Done()
-
-			// Only test read operations to avoid complex state changes
-			// that could cause nil pointer issues in concurrent scenarios
-			var buf bytes.Buffer
-			errors[index] = readConfig("/"+rawConfigKey+"/test", &buf)
-		}(i)
-	}
-
-	wg.Wait()
-
-	// Check that read operations succeeded
-	for i, err := range errors {
-		if err != nil {
-			t.Errorf("Goroutine %d: Unexpected read error: %v", i, err)
-		}
-	}
-}
-
-func TestChangeConfig_MethodValidation(t *testing.T) {
-	// Save original config state
-	originalRawCfg := rawCfg[rawConfigKey]
-	defer func() {
-		rawCfg[rawConfigKey] = originalRawCfg
-	}()
-
-	// Set up a simple valid config for testing
-	rawCfg[rawConfigKey] = map[string]any{}
-
-	tests := []struct {
-		method    string
-		expectErr bool
-	}{
-		{http.MethodPost, false},
-		{http.MethodPut, true}, // because key 'admin' already exists
-		{http.MethodPatch, false},
-		{http.MethodDelete, false},
-		{http.MethodGet, true},
-		{http.MethodHead, true},
-		{http.MethodOptions, true},
-		{http.MethodConnect, true},
-		{http.MethodTrace, true},
-	}
-
-	for _, test := range tests {
-		t.Run(test.method, func(t *testing.T) {
-			// Use a simple admin config path that won't cause complex validation
-			err := changeConfig(test.method, "/"+rawConfigKey+"/admin", []byte(`{"disabled": true}`), "", false)
-
-			if test.expectErr && err == nil {
-				t.Error("Expected error for invalid method")
-			}
-			if !test.expectErr && err != nil && (err != errSameConfig) {
-				t.Errorf("Unexpected error: %v", err)
-			}
-		})
-	}
-}
-
-func TestChangeConfig_IfMatchHeader_Validation(t *testing.T) {
-	// Set up initial config
-	initialCfg := map[string]any{"test": "value"}
-	rawCfg[rawConfigKey] = initialCfg
-
-	tests := []struct {
-		name             string
-		ifMatch          string
-		expectErr        bool
-		expectStatusCode int
-	}{
-		{
-			name:             "malformed - no quotes",
-			ifMatch:          "path hash",
-			expectErr:        true,
-			expectStatusCode: http.StatusBadRequest,
-		},
-		{
-			name:             "malformed - single quote",
-			ifMatch:          `"path hash`,
-			expectErr:        true,
-			expectStatusCode: http.StatusBadRequest,
-		},
-		{
-			name:             "malformed - wrong number of parts",
-			ifMatch:          `"path"`,
-			expectErr:        true,
-			expectStatusCode: http.StatusBadRequest,
-		},
-		{
-			name:             "malformed - too many parts",
-			ifMatch:          `"path hash extra"`,
-			expectErr:        true,
-			expectStatusCode: http.StatusBadRequest,
-		},
-		{
-			name:             "wrong hash",
-			ifMatch:          `"/config/test wronghash"`,
-			expectErr:        true,
-			expectStatusCode: http.StatusPreconditionFailed,
-		},
-	}
-
-	for _, test := range tests {
-		t.Run(test.name, func(t *testing.T) {
-			err := changeConfig(http.MethodPost, "/"+rawConfigKey+"/test", []byte(`"newvalue"`), test.ifMatch, false)
-
-			if test.expectErr && err == nil {
-				t.Error("Expected error")
-			}
-			if !test.expectErr && err != nil {
-				t.Errorf("Unexpected error: %v", err)
-			}
-
-			if test.expectErr && err != nil {
-				if apiErr, ok := err.(APIError); ok {
-					if apiErr.HTTPStatus != test.expectStatusCode {
-						t.Errorf("Expected status %d, got %d", test.expectStatusCode, apiErr.HTTPStatus)
-					}
-				} else {
-					t.Error("Expected APIError type")
-				}
-			}
-		})
-	}
-}
-
-func TestIndexConfigObjects_Basic(t *testing.T) {
-	config := map[string]any{
-		"app1": map[string]any{
-			"@id":    "my-app",
-			"config": "value",
-		},
-		"nested": map[string]any{
-			"array": []any{
-				map[string]any{
-					"@id":  "nested-item",
-					"data": "test",
-				},
-				map[string]any{
-					"@id":  123.0, // JSON numbers are float64
-					"more": "data",
-				},
-			},
-		},
-	}
-
-	index := make(map[string]string)
-	err := indexConfigObjects(config, "/config", index)
-	if err != nil {
-		t.Fatalf("Unexpected error: %v", err)
-	}
-
-	expected := map[string]string{
-		"my-app":      "/config/app1",
-		"nested-item": "/config/nested/array/0",
-		"123":         "/config/nested/array/1",
-	}
-
-	if len(index) != len(expected) {
-		t.Errorf("Expected %d indexed items, got %d", len(expected), len(index))
-	}
-
-	for id, expectedPath := range expected {
-		if actualPath, exists := index[id]; !exists || actualPath != expectedPath {
-			t.Errorf("ID %s: expected path '%s', got '%s'", id, expectedPath, actualPath)
-		}
-	}
-}
-
-func TestIndexConfigObjects_InvalidID(t *testing.T) {
-	config := map[string]any{
-		"app": map[string]any{
-			"@id": map[string]any{"invalid": "id"}, // Invalid ID type
-		},
-	}
-
-	index := make(map[string]string)
-	err := indexConfigObjects(config, "/config", index)
-	if err == nil {
-		t.Error("Expected error for invalid ID type")
-	}
-}
-
-func TestRun_AppStartFailure(t *testing.T) {
-	// Register a mock app that fails to start
-	RegisterModule(&failingApp{})
-	defer func() {
-		// Clean up module registry
-		delete(modules, "failing-app")
-	}()
-
-	cfg := &Config{
-		Admin: &AdminConfig{Disabled: true},
-		AppsRaw: ModuleMap{
-			"failing-app": json.RawMessage(`{}`),
-		},
-	}
-
-	_, err := run(cfg, true)
-	if err == nil {
-		t.Error("Expected error when app fails to start")
-	}
-
-	// Should contain the app name in the error
-	if err.Error() == "" {
-		t.Error("Expected descriptive error message")
-	}
-}
-
-func TestRun_AppStopFailure_During_Cleanup(t *testing.T) {
-	// Register apps where one fails to start and another fails to stop
-	RegisterModule(&workingApp{})
-	RegisterModule(&failingStopApp{})
-	defer func() {
-		delete(modules, "working-app")
-		delete(modules, "failing-stop-app")
-	}()
-
-	cfg := &Config{
-		Admin: &AdminConfig{Disabled: true},
-		AppsRaw: ModuleMap{
-			"working-app":      json.RawMessage(`{}`),
-			"failing-stop-app": json.RawMessage(`{}`),
-		},
-	}
-
-	// Start both apps
-	ctx, err := run(cfg, true)
-	if err != nil {
-		t.Fatalf("Unexpected error starting apps: %v", err)
-	}
-
-	// Stop context - this should handle stop failures gracefully
-	unsyncedStop(ctx)
-
-	// Test passed if we reach here without panic
-}
-
-func TestProvisionContext_NilConfig(t *testing.T) {
-	ctx, err := provisionContext(nil, false)
-	if err != nil {
-		t.Fatalf("Unexpected error: %v", err)
-	}
-
-	if ctx.cfg == nil {
-		t.Error("Expected non-nil config even when input is nil")
-	}
-
-	// Clean up
-	// TODO: Investigate
-	ctx.cfg.cancelFunc(nil)
-}
-
-func TestDuration_UnmarshalJSON_EdgeCases(t *testing.T) {
-	tests := []struct {
-		name      string
-		input     string
-		expectErr bool
-		expected  time.Duration
-	}{
-		{
-			name:      "empty input",
-			input:     "",
-			expectErr: true,
-		},
-		{
-			name:      "integer nanoseconds",
-			input:     "1000000000",
-			expected:  time.Second,
-			expectErr: false,
-		},
-		{
-			name:      "string duration",
-			input:     `"5m30s"`,
-			expected:  5*time.Minute + 30*time.Second,
-			expectErr: false,
-		},
-		{
-			name:      "days conversion",
-			input:     `"2d"`,
-			expected:  48 * time.Hour,
-			expectErr: false,
-		},
-		{
-			name:      "mixed days and hours",
-			input:     `"1d12h"`,
-			expected:  36 * time.Hour,
-			expectErr: false,
-		},
-		{
-			name:      "invalid duration",
-			input:     `"invalid"`,
-			expectErr: true,
-		},
-	}
-
-	for _, test := range tests {
-		t.Run(test.name, func(t *testing.T) {
-			var d Duration
-			err := d.UnmarshalJSON([]byte(test.input))
-
-			if test.expectErr && err == nil {
-				t.Error("Expected error")
-			}
-			if !test.expectErr && err != nil {
-				t.Errorf("Unexpected error: %v", err)
-			}
-			if !test.expectErr && time.Duration(d) != test.expected {
-				t.Errorf("Expected %v, got %v", test.expected, time.Duration(d))
-			}
-		})
-	}
-}
-
-func TestParseDuration_LongInput(t *testing.T) {
-	// Test input length limit
-	longInput := string(make([]byte, 1025)) // Exceeds 1024 limit
-	for i := range longInput {
-		longInput = longInput[:i] + "1"
-	}
-	longInput += "d"
-
-	_, err := ParseDuration(longInput)
-	if err == nil {
-		t.Error("Expected error for input longer than 1024 characters")
-	}
-}
-
-func TestVersion_Deterministic(t *testing.T) {
-	// Test that Version() returns consistent results
-	simple1, full1 := Version()
-	simple2, full2 := Version()
-
-	if simple1 != simple2 {
-		t.Errorf("Version() simple form not deterministic: '%s' != '%s'", simple1, simple2)
-	}
-	if full1 != full2 {
-		t.Errorf("Version() full form not deterministic: '%s' != '%s'", full1, full2)
-	}
-}
-
-func TestInstanceID_Consistency(t *testing.T) {
-	// Test that InstanceID returns the same ID on subsequent calls
-	id1, err := InstanceID()
-	if err != nil {
-		t.Fatalf("Failed to get instance ID: %v", err)
-	}
-
-	id2, err := InstanceID()
-	if err != nil {
-		t.Fatalf("Failed to get instance ID on second call: %v", err)
-	}
-
-	if id1 != id2 {
-		t.Errorf("InstanceID not consistent: %v != %v", id1, id2)
-	}
-}
-
-func TestRemoveMetaFields_EdgeCases(t *testing.T) {
-	tests := []struct {
-		name     string
-		input    string
-		expected string
-	}{
-		{
-			name:     "no meta fields",
-			input:    `{"normal": "field"}`,
-			expected: `{"normal": "field"}`,
-		},
-		{
-			name:     "single @id field",
-			input:    `{"@id": "test", "other": "field"}`,
-			expected: `{"other": "field"}`,
-		},
-		{
-			name:     "@id at beginning",
-			input:    `{"@id": "test", "other": "field"}`,
-			expected: `{"other": "field"}`,
-		},
-		{
-			name:     "@id at end",
-			input:    `{"other": "field", "@id": "test"}`,
-			expected: `{"other": "field"}`,
-		},
-		{
-			name:     "@id in middle",
-			input:    `{"first": "value", "@id": "test", "last": "value"}`,
-			expected: `{"first": "value", "last": "value"}`,
-		},
-		{
-			name:     "multiple @id fields",
-			input:    `{"@id": "test1", "other": "field", "@id": "test2"}`,
-			expected: `{"other": "field"}`,
-		},
-		{
-			name:     "numeric @id",
-			input:    `{"@id": 123, "other": "field"}`,
-			expected: `{"other": "field"}`,
-		},
-		{
-			name:     "nested objects with @id",
-			input:    `{"outer": {"@id": "nested", "data": "value"}}`,
-			expected: `{"outer": {"data": "value"}}`,
-		},
-	}
-
-	for _, test := range tests {
-		t.Run(test.name, func(t *testing.T) {
-			result := RemoveMetaFields([]byte(test.input))
-			// resultStr := string(result)
-
-			// Parse both to ensure valid JSON and compare structures
-			var expectedObj, resultObj any
-			if err := json.Unmarshal([]byte(test.expected), &expectedObj); err != nil {
-				t.Fatalf("Expected result is not valid JSON: %v", err)
-			}
-			if err := json.Unmarshal(result, &resultObj); err != nil {
-				t.Fatalf("Result is not valid JSON: %v", err)
-			}
-
-			// Note: We can't do exact string comparison due to potential field ordering
-			// Instead, verify the structure matches
-			expectedJSON, _ := json.Marshal(expectedObj)
-			resultJSON, _ := json.Marshal(resultObj)
-
-			if string(expectedJSON) != string(resultJSON) {
-				t.Errorf("Expected %s, got %s", string(expectedJSON), string(resultJSON))
-			}
-		})
-	}
-}
-
-func TestUnsyncedConfigAccess_ArrayOperations_EdgeCases(t *testing.T) {
-	// Test array boundary conditions and edge cases
-	tests := []struct {
-		name         string
-		initialState map[string]any
-		method       string
-		path         string
-		payload      string
-		expectErr    bool
-		expectState  map[string]any
-	}{
-		{
-			name:         "delete from empty array",
-			initialState: map[string]any{"arr": []any{}},
-			method:       http.MethodDelete,
-			path:         "/config/arr/0",
-			expectErr:    true,
-		},
-		{
-			name:         "access negative index",
-			initialState: map[string]any{"arr": []any{"a", "b"}},
-			method:       http.MethodGet,
-			path:         "/config/arr/-1",
-			expectErr:    true,
-		},
-		{
-			name:         "put at index beyond end",
-			initialState: map[string]any{"arr": []any{"a"}},
-			method:       http.MethodPut,
-			path:         "/config/arr/5",
-			payload:      `"new"`,
-			expectErr:    true,
-		},
-		{
-			name:         "patch non-existent index",
-			initialState: map[string]any{"arr": []any{"a"}},
-			method:       http.MethodPatch,
-			path:         "/config/arr/5",
-			payload:      `"new"`,
-			expectErr:    true,
-		},
-		{
-			name:         "put at exact end of array",
-			initialState: map[string]any{"arr": []any{"a", "b"}},
-			method:       http.MethodPut,
-			path:         "/config/arr/2",
-			payload:      `"c"`,
-			expectState:  map[string]any{"arr": []any{"a", "b", "c"}},
-		},
-		{
-			name:         "ellipses with non-array payload",
-			initialState: map[string]any{"arr": []any{"a"}},
-			method:       http.MethodPost,
-			path:         "/config/arr/...",
-			payload:      `"not-array"`,
-			expectErr:    true,
-		},
-	}
-
-	for _, test := range tests {
-		t.Run(test.name, func(t *testing.T) {
-			// Set up initial state
-			rawCfg[rawConfigKey] = test.initialState
-
-			err := unsyncedConfigAccess(test.method, test.path, []byte(test.payload), nil)
-
-			if test.expectErr && err == nil {
-				t.Error("Expected error")
-			}
-			if !test.expectErr && err != nil {
-				t.Errorf("Unexpected error: %v", err)
-			}
-
-			if test.expectState != nil {
-				// Compare resulting state
-				expectedJSON, _ := json.Marshal(test.expectState)
-				actualJSON, _ := json.Marshal(rawCfg[rawConfigKey])
-
-				if string(expectedJSON) != string(actualJSON) {
-					t.Errorf("Expected state %s, got %s", string(expectedJSON), string(actualJSON))
-				}
-			}
-		})
-	}
-}
-
-func TestExitProcess_ConcurrentCalls(t *testing.T) {
-	// Test that multiple concurrent calls to exitProcess are safe
-	// We can't test the actual exit, but we can test the atomic flag
-
-	// Reset the exiting flag
-	oldExiting := exiting
-	exiting = new(int32)
-	defer func() { exiting = oldExiting }()
-
-	const numGoroutines = 10
-	var wg sync.WaitGroup
-	results := make([]bool, numGoroutines)
-
-	for i := 0; i < numGoroutines; i++ {
-		wg.Add(1)
-		go func(index int) {
-			defer wg.Done()
-			// Check the Exiting() function which reads the atomic flag
-			wasExitingBefore := Exiting()
-
-			// This would call exitProcess, but we don't want to actually exit
-			// So we just test the atomic operation directly
-			results[index] = atomic.CompareAndSwapInt32(exiting, 0, 1)
-
-			wasExitingAfter := Exiting()
-
-			// At least one should succeed in setting the flag
-			if !wasExitingBefore && wasExitingAfter && !results[index] {
-				t.Errorf("Goroutine %d: Flag was set but CAS failed", index)
-			}
-		}(i)
-	}
-
-	wg.Wait()
-
-	// Exactly one goroutine should have successfully set the flag
-	successCount := 0
-	for _, success := range results {
-		if success {
-			successCount++
-		}
-	}
-
-	if successCount != 1 {
-		t.Errorf("Expected exactly 1 successful flag set, got %d", successCount)
-	}
-
-	// Flag should be set
-	if !Exiting() {
-		t.Error("Exiting flag should be set")
-	}
-}
-
-// Mock apps for testing
-type failingApp struct{}
-
-func (fa *failingApp) CaddyModule() ModuleInfo {
-	return ModuleInfo{
-		ID:  "failing-app",
-		New: func() Module { return new(failingApp) },
-	}
-}
-
-func (fa *failingApp) Start() error {
-	return fmt.Errorf("simulated start failure")
-}
-
-func (fa *failingApp) Stop() error {
-	return nil
-}
-
-type workingApp struct{}
-
-func (wa *workingApp) CaddyModule() ModuleInfo {
-	return ModuleInfo{
-		ID:  "working-app",
-		New: func() Module { return new(workingApp) },
-	}
-}
-
-func (wa *workingApp) Start() error {
-	return nil
-}
-
-func (wa *workingApp) Stop() error {
-	return nil
-}
-
-type failingStopApp struct{}
-
-func (fsa *failingStopApp) CaddyModule() ModuleInfo {
-	return ModuleInfo{
-		ID:  "failing-stop-app",
-		New: func() Module { return new(failingStopApp) },
-	}
-}
-
-func (fsa *failingStopApp) Start() error {
-	return nil
-}
-
-func (fsa *failingStopApp) Stop() error {
-	return fmt.Errorf("simulated stop failure")
-}
@@ -1,407 +0,0 @@
-// Copyright 2015 Matthew Holt and The Caddy Authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package caddy
-
-import (
-	"encoding/json"
-	"math"
-	"strings"
-	"testing"
-	"time"
-)
-
-func TestParseDuration_EdgeCases(t *testing.T) {
-	tests := []struct {
-		name      string
-		input     string
-		expectErr bool
-		expected  time.Duration
-	}{
-		{
-			name:     "zero duration",
-			input:    "0",
-			expected: 0,
-		},
-		{
-			name:      "invalid format",
-			input:     "abc",
-			expectErr: true,
-		},
-		{
-			name:     "negative days",
-			input:    "-2d",
-			expected: -48 * time.Hour,
-		},
-		{
-			name:     "decimal days",
-			input:    "0.5d",
-			expected: 12 * time.Hour,
-		},
-		{
-			name:     "large decimal days",
-			input:    "365.25d",
-			expected: time.Duration(365.25*24) * time.Hour,
-		},
-		{
-			name:     "multiple days in same string",
-			input:    "1d2d3d",
-			expected: (24 * 6) * time.Hour, // 6 days total
-		},
-		{
-			name:     "days with other units",
-			input:    "1d30m15s",
-			expected: 24*time.Hour + 30*time.Minute + 15*time.Second,
-		},
-		{
-			name:      "malformed days",
-			input:     "d",
-			expectErr: true,
-		},
-		{
-			name:      "invalid day value",
-			input:     "abcd",
-			expectErr: true,
-		},
-		{
-			name:      "overflow protection",
-			input:     "9999999999999999999999999d",
-			expectErr: true,
-		},
-		{
-			name:     "zero days",
-			input:    "0d",
-			expected: 0,
-		},
-		{
-			name:      "input at limit",
-			input:     strings.Repeat("1", 1024) + "ns",
-			expectErr: true, // Likely to cause parsing error due to size
-		},
-	}
-
-	for _, test := range tests {
-		t.Run(test.name, func(t *testing.T) {
-			result, err := ParseDuration(test.input)
-
-			if test.expectErr && err == nil {
-				t.Error("Expected error but got none")
-			}
-			if !test.expectErr && err != nil {
-				t.Errorf("Unexpected error: %v", err)
-			}
-			if !test.expectErr && result != test.expected {
-				t.Errorf("Expected %v, got %v", test.expected, result)
-			}
-		})
-	}
-}
-
-func TestParseDuration_InputLengthLimit(t *testing.T) {
-	// Test the 1024 character limit
-	longInput := strings.Repeat("1", 1025) + "s"
-
-	_, err := ParseDuration(longInput)
-	if err == nil {
-		t.Error("Expected error for input longer than 1024 characters")
-	}
-
-	expectedErrMsg := "parsing duration: input string too long"
-	if err.Error() != expectedErrMsg {
-		t.Errorf("Expected error message '%s', got '%s'", expectedErrMsg, err.Error())
-	}
-}
-
-func TestParseDuration_ComplexNumberFormats(t *testing.T) {
-	tests := []struct {
-		input    string
-		expected time.Duration
-	}{
-		{
-			input:    "+1d",
-			expected: 24 * time.Hour,
-		},
-		{
-			input:    "-1.5d",
-			expected: -36 * time.Hour,
-		},
-		{
-			input:    "1.0d",
-			expected: 24 * time.Hour,
-		},
-		{
-			input:    "0.25d",
-			expected: 6 * time.Hour,
-		},
-		{
-			input:    "1.5d30m",
-			expected: 36*time.Hour + 30*time.Minute,
-		},
-		{
-			input:    "2.5d1h30m45s",
-			expected: 60*time.Hour + time.Hour + 30*time.Minute + 45*time.Second,
-		},
-	}
-
-	for _, test := range tests {
-		t.Run(test.input, func(t *testing.T) {
-			result, err := ParseDuration(test.input)
-			if err != nil {
-				t.Fatalf("Unexpected error: %v", err)
-			}
-			if result != test.expected {
-				t.Errorf("Expected %v, got %v", test.expected, result)
-			}
-		})
-	}
-}
-
-func TestDuration_UnmarshalJSON_TypeValidation(t *testing.T) {
-	tests := []struct {
-		name      string
-		input     string
-		expectErr bool
-		expected  time.Duration
-	}{
-		{
-			name:      "null value",
-			input:     "null",
-			expectErr: false,
-			expected:  0,
-		},
-		{
-			name:      "boolean value",
-			input:     "true",
-			expectErr: true,
-		},
-		{
-			name:      "array value",
-			input:     `[1,2,3]`,
-			expectErr: true,
-		},
-		{
-			name:      "object value",
-			input:     `{"duration": "5m"}`,
-			expectErr: true,
-		},
-		{
-			name:      "negative integer",
-			input:     "-1000000000",
-			expected:  -time.Second,
-			expectErr: false,
-		},
-		{
-			name:      "zero integer",
-			input:     "0",
-			expected:  0,
-			expectErr: false,
-		},
-		{
-			name:      "large integer",
-			input:     "9223372036854775807", // Max int64
-			expected:  time.Duration(math.MaxInt64),
-			expectErr: false,
-		},
-		{
-			name:      "float as integer (invalid JSON for int)",
-			input:     "1.5",
-			expectErr: true,
-		},
-		{
-			name:      "string with special characters",
-			input:     `"5m\"30s"`,
-			expectErr: true,
-		},
-		{
-			name:      "string with unicode",
-			input:     `"5m🚀"`,
-			expectErr: true,
-		},
-	}
-
-	for _, test := range tests {
-		t.Run(test.name, func(t *testing.T) {
-			var d Duration
-			err := d.UnmarshalJSON([]byte(test.input))
-
-			if test.expectErr && err == nil {
-				t.Error("Expected error but got none")
-			}
-			if !test.expectErr && err != nil {
-				t.Errorf("Unexpected error: %v", err)
-			}
-			if !test.expectErr && time.Duration(d) != test.expected {
-				t.Errorf("Expected %v, got %v", test.expected, time.Duration(d))
-			}
-		})
-	}
-}
-
-func TestDuration_JSON_RoundTrip(t *testing.T) {
-	tests := []struct {
-		duration time.Duration
-		asString bool
-	}{
-		{duration: 5 * time.Minute, asString: true},
-		{duration: 24 * time.Hour, asString: false}, // Will be stored as nanoseconds
-		{duration: 0, asString: false},
-		{duration: -time.Hour, asString: true},
-		{duration: time.Nanosecond, asString: false},
-		{duration: time.Second, asString: false},
-	}
-
-	for _, test := range tests {
-		t.Run(test.duration.String(), func(t *testing.T) {
-			d := Duration(test.duration)
-
-			// Marshal to JSON
-			jsonData, err := json.Marshal(d)
-			if err != nil {
-				t.Fatalf("Failed to marshal: %v", err)
-			}
-
-			// Unmarshal back
-			var unmarshaled Duration
-			err = unmarshaled.UnmarshalJSON(jsonData)
-			if err != nil {
-				t.Fatalf("Failed to unmarshal: %v", err)
-			}
-
-			// Should be equal
-			if time.Duration(unmarshaled) != test.duration {
-				t.Errorf("Round trip failed: expected %v, got %v", test.duration, time.Duration(unmarshaled))
-			}
-		})
-	}
-}
-
-func TestParseDuration_Precision(t *testing.T) {
-	// Test floating point precision with days
-	tests := []struct {
-		input    string
-		expected time.Duration
-	}{
-		{
-			input:    "0.1d",
-			expected: time.Duration(0.1 * 24 * float64(time.Hour)),
-		},
-		{
-			input:    "0.01d",
-			expected: time.Duration(0.01 * 24 * float64(time.Hour)),
-		},
-		{
-			input:    "0.001d",
-			expected: time.Duration(0.001 * 24 * float64(time.Hour)),
-		},
-		{
-			input:    "1.23456789d",
-			expected: time.Duration(1.23456789 * 24 * float64(time.Hour)),
-		},
-	}
-
-	for _, test := range tests {
-		t.Run(test.input, func(t *testing.T) {
-			result, err := ParseDuration(test.input)
-			if err != nil {
-				t.Fatalf("Unexpected error: %v", err)
-			}
-
-			// Allow for small floating point differences
-			diff := result - test.expected
-			if diff < 0 {
-				diff = -diff
-			}
-			if diff > time.Nanosecond {
-				t.Errorf("Expected %v, got %v (diff: %v)", test.expected, result, diff)
-			}
-		})
-	}
-}
-
-func TestParseDuration_Boundary_Values(t *testing.T) {
-	tests := []struct {
-		name      string
-		input     string
-		expectErr bool
-	}{
-		{
-			name:  "minimum day value",
-			input: "0.000000001d", // Very small but valid
-		},
-		{
-			name:      "very large day value",
-			input:     "999999999999999999999d",
-			expectErr: true, // Should overflow
-		},
-		{
-			name:  "negative zero",
-			input: "-0d",
-		},
-		{
-			name:  "positive zero",
-			input: "+0d",
-		},
-	}
-
-	for _, test := range tests {
-		t.Run(test.name, func(t *testing.T) {
-			_, err := ParseDuration(test.input)
-
-			if test.expectErr && err == nil {
-				t.Error("Expected error but got none")
-			}
-			if !test.expectErr && err != nil {
-				t.Errorf("Unexpected error: %v", err)
-			}
-		})
-	}
-}
-
-func BenchmarkParseDuration_SimpleDay(b *testing.B) {
-	for i := 0; i < b.N; i++ {
-		ParseDuration("1d")
-	}
-}
-
-func BenchmarkParseDuration_ComplexDay(b *testing.B) {
-	for i := 0; i < b.N; i++ {
-		ParseDuration("1.5d30m15.5s")
-	}
-}
-
-func BenchmarkParseDuration_MultipleDays(b *testing.B) {
-	for i := 0; i < b.N; i++ {
-		ParseDuration("1d2d3d4d5d")
-	}
-}
-
-func BenchmarkDuration_UnmarshalJSON_String(b *testing.B) {
-	input := []byte(`"5m30s"`)
-	var d Duration
-
-	b.ResetTimer()
-	for i := 0; i < b.N; i++ {
-		d.UnmarshalJSON(input)
-	}
-}
-
-func BenchmarkDuration_UnmarshalJSON_Integer(b *testing.B) {
-	input := []byte("300000000000") // 5 minutes in nanoseconds
-	var d Duration
-
-	b.ResetTimer()
-	for i := 0; i < b.N; i++ {
-		d.UnmarshalJSON(input)
-	}
-}
@@ -1,642 +0,0 @@
-// Copyright 2015 Matthew Holt and The Caddy Authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package caddy
-
-import (
-	"context"
-	"encoding/json"
-	"fmt"
-	"sync"
-	"testing"
-	"time"
-)
-
-func TestNewEvent_Basic(t *testing.T) {
-	ctx, cancel := NewContext(Context{Context: context.Background()})
-	defer cancel()
-
-	eventName := "test.event"
-	eventData := map[string]any{
-		"key1": "value1",
-		"key2": 42,
-	}
-
-	event, err := NewEvent(ctx, eventName, eventData)
-	if err != nil {
-		t.Fatalf("Failed to create event: %v", err)
-	}
-
-	// Verify event properties
-	if event.Name() != eventName {
-		t.Errorf("Expected name '%s', got '%s'", eventName, event.Name())
-	}
-
-	if event.Data == nil {
-		t.Error("Expected non-nil data")
-	}
-
-	if len(event.Data) != len(eventData) {
-		t.Errorf("Expected %d data items, got %d", len(eventData), len(event.Data))
-	}
-
-	for key, expectedValue := range eventData {
-		if actualValue, exists := event.Data[key]; !exists || actualValue != expectedValue {
-			t.Errorf("Data key '%s': expected %v, got %v", key, expectedValue, actualValue)
-		}
-	}
-
-	// Verify ID is generated
-	if event.ID().String() == "" {
-		t.Error("Event ID should not be empty")
-	}
-
-	// Verify timestamp is recent
-	if time.Since(event.Timestamp()) > time.Second {
-		t.Error("Event timestamp should be recent")
-	}
-}
-
-func TestNewEvent_NameNormalization(t *testing.T) {
-	ctx, cancel := NewContext(Context{Context: context.Background()})
-	defer cancel()
-
-	tests := []struct {
-		input    string
-		expected string
-	}{
-		{"UPPERCASE", "uppercase"},
-		{"MixedCase", "mixedcase"},
-		{"already.lower", "already.lower"},
-		{"With-Dashes", "with-dashes"},
-		{"With_Underscores", "with_underscores"},
-		{"", ""},
-	}
-
-	for _, test := range tests {
-		t.Run(test.input, func(t *testing.T) {
-			event, err := NewEvent(ctx, test.input, nil)
-			if err != nil {
-				t.Fatalf("Failed to create event: %v", err)
-			}
-
-			if event.Name() != test.expected {
-				t.Errorf("Expected normalized name '%s', got '%s'", test.expected, event.Name())
-			}
-		})
-	}
-}
-
-func TestEvent_CloudEvent_NilData(t *testing.T) {
-	ctx, cancel := NewContext(Context{Context: context.Background()})
-	defer cancel()
-
-	event, err := NewEvent(ctx, "test", nil)
-	if err != nil {
-		t.Fatalf("Failed to create event: %v", err)
-	}
-
-	cloudEvent := event.CloudEvent()
-
-	// Should not panic with nil data
-	if cloudEvent.Data == nil {
-		t.Error("CloudEvent data should not be nil even with nil input")
-	}
-
-	// Should be valid JSON
-	var parsed any
-	if err := json.Unmarshal(cloudEvent.Data, &parsed); err != nil {
-		t.Errorf("CloudEvent data should be valid JSON: %v", err)
-	}
-}
-
-func TestEvent_CloudEvent_WithModule(t *testing.T) {
-	// Create a context with a mock module
-	mockMod := &mockModule{}
-	ctx, cancel := NewContext(Context{Context: context.Background()})
-	defer cancel()
-
-	// Simulate module ancestry
-	ctx.ancestry = []Module{mockMod}
-
-	event, err := NewEvent(ctx, "test", nil)
-	if err != nil {
-		t.Fatalf("Failed to create event: %v", err)
-	}
-
-	cloudEvent := event.CloudEvent()
-
-	// Source should be the module ID
-	expectedSource := string(mockMod.CaddyModule().ID)
-	if cloudEvent.Source != expectedSource {
-		t.Errorf("Expected source '%s', got '%s'", expectedSource, cloudEvent.Source)
-	}
-
-	// Origin should be the module
-	if event.Origin() != mockMod {
-		t.Error("Expected event origin to be the mock module")
-	}
-}
-
-func TestEvent_CloudEvent_Fields(t *testing.T) {
-	ctx, cancel := NewContext(Context{Context: context.Background()})
-	defer cancel()
-
-	eventName := "test.event"
-	eventData := map[string]any{"test": "data"}
-
-	event, err := NewEvent(ctx, eventName, eventData)
-	if err != nil {
-		t.Fatalf("Failed to create event: %v", err)
-	}
-
-	cloudEvent := event.CloudEvent()
-
-	// Verify CloudEvent fields
-	if cloudEvent.ID == "" {
-		t.Error("CloudEvent ID should not be empty")
-	}
-
-	if cloudEvent.Source != "caddy" {
-		t.Errorf("Expected source 'caddy' for nil module, got '%s'", cloudEvent.Source)
-	}
-
-	if cloudEvent.SpecVersion != "1.0" {
-		t.Errorf("Expected spec version '1.0', got '%s'", cloudEvent.SpecVersion)
-	}
-
-	if cloudEvent.Type != eventName {
-		t.Errorf("Expected type '%s', got '%s'", eventName, cloudEvent.Type)
-	}
-
-	if cloudEvent.DataContentType != "application/json" {
-		t.Errorf("Expected content type 'application/json', got '%s'", cloudEvent.DataContentType)
-	}
-
-	// Verify data is valid JSON
-	var parsedData map[string]any
-	if err := json.Unmarshal(cloudEvent.Data, &parsedData); err != nil {
-		t.Errorf("CloudEvent data is not valid JSON: %v", err)
-	}
-
-	if parsedData["test"] != "data" {
-		t.Errorf("Expected data to contain test='data', got %v", parsedData)
-	}
-}
-
-func TestEvent_ConcurrentAccess(t *testing.T) {
-	ctx, cancel := NewContext(Context{Context: context.Background()})
-	defer cancel()
-
-	event, err := NewEvent(ctx, "concurrent.test", map[string]any{
-		"counter": 0,
-		"data":    "shared",
-	})
-	if err != nil {
-		t.Fatalf("Failed to create event: %v", err)
-	}
-
-	const numGoroutines = 50
-	var wg sync.WaitGroup
-
-	// Test concurrent read access to event properties
-	for i := 0; i < numGoroutines; i++ {
-		wg.Add(1)
-		go func(id int) {
-			defer wg.Done()
-
-			// These should be safe for concurrent access
-			_ = event.ID()
-			_ = event.Name()
-			_ = event.Timestamp()
-			_ = event.Origin()
-			_ = event.CloudEvent()
-
-			// Data map is not synchronized, so read-only access should be safe
-			if data, exists := event.Data["data"]; !exists || data != "shared" {
-				t.Errorf("Goroutine %d: Expected shared data", id)
-			}
-		}(i)
-	}
-
-	wg.Wait()
-}
-
-func TestEvent_DataModification_Warning(t *testing.T) {
-	// This test documents the non-thread-safe nature of event data
-	ctx, cancel := NewContext(Context{Context: context.Background()})
-	defer cancel()
-
-	event, err := NewEvent(ctx, "data.test", map[string]any{
-		"mutable": "original",
-	})
-	if err != nil {
-		t.Fatalf("Failed to create event: %v", err)
-	}
-
-	// Modifying data after creation (this is allowed but not thread-safe)
-	event.Data["mutable"] = "modified"
-	event.Data["new_key"] = "new_value"
-
-	// Verify modifications are visible
-	if event.Data["mutable"] != "modified" {
-		t.Error("Data modification should be visible")
-	}
-	if event.Data["new_key"] != "new_value" {
-		t.Error("New data should be visible")
-	}
-
-	// CloudEvent should reflect the current state
-	cloudEvent := event.CloudEvent()
-	var parsedData map[string]any
-	json.Unmarshal(cloudEvent.Data, &parsedData)
-
-	if parsedData["mutable"] != "modified" {
-		t.Error("CloudEvent should reflect modified data")
-	}
-	if parsedData["new_key"] != "new_value" {
-		t.Error("CloudEvent should reflect new data")
-	}
-}
-
-func TestEvent_Aborted_State(t *testing.T) {
-	ctx, cancel := NewContext(Context{Context: context.Background()})
-	defer cancel()
-
-	event, err := NewEvent(ctx, "abort.test", nil)
-	if err != nil {
-		t.Fatalf("Failed to create event: %v", err)
-	}
-
-	// Initially not aborted
-	if event.Aborted != nil {
-		t.Error("Event should not be aborted initially")
-	}
-
-	// Simulate aborting the event
-	event.Aborted = ErrEventAborted
-
-	if event.Aborted != ErrEventAborted {
-		t.Error("Event should be marked as aborted")
-	}
-}
-
-func TestErrEventAborted_Value(t *testing.T) {
-	if ErrEventAborted == nil {
-		t.Error("ErrEventAborted should not be nil")
-	}
-
-	if ErrEventAborted.Error() != "event aborted" {
-		t.Errorf("Expected 'event aborted', got '%s'", ErrEventAborted.Error())
-	}
-}
-
-func TestEvent_UniqueIDs(t *testing.T) {
-	ctx, cancel := NewContext(Context{Context: context.Background()})
-	defer cancel()
-
-	const numEvents = 1000
-	ids := make(map[string]bool)
-
-	for i := 0; i < numEvents; i++ {
-		event, err := NewEvent(ctx, "unique.test", nil)
-		if err != nil {
-			t.Fatalf("Failed to create event %d: %v", i, err)
-		}
-
-		idStr := event.ID().String()
-		if ids[idStr] {
-			t.Errorf("Duplicate event ID: %s", idStr)
-		}
-		ids[idStr] = true
-	}
-}
-
-func TestEvent_TimestampProgression(t *testing.T) {
-	ctx, cancel := NewContext(Context{Context: context.Background()})
-	defer cancel()
-
-	// Create events with small delays
-	events := make([]Event, 5)
-	for i := range events {
-		var err error
-		events[i], err = NewEvent(ctx, "time.test", nil)
-		if err != nil {
-			t.Fatalf("Failed to create event %d: %v", i, err)
-		}
-
-		if i < len(events)-1 {
-			time.Sleep(time.Millisecond)
-		}
-	}
-
-	// Verify timestamps are in ascending order
-	for i := 1; i < len(events); i++ {
-		if !events[i].Timestamp().After(events[i-1].Timestamp()) {
-			t.Errorf("Event %d timestamp (%v) should be after event %d timestamp (%v)",
-				i, events[i].Timestamp(), i-1, events[i-1].Timestamp())
-		}
-	}
-}
-
-func TestEvent_JSON_Serialization(t *testing.T) {
-	ctx, cancel := NewContext(Context{Context: context.Background()})
-	defer cancel()
-
-	eventData := map[string]any{
-		"string":  "value",
-		"number":  42,
-		"boolean": true,
-		"array":   []any{1, 2, 3},
-		"object":  map[string]any{"nested": "value"},
-	}
-
-	event, err := NewEvent(ctx, "json.test", eventData)
-	if err != nil {
-		t.Fatalf("Failed to create event: %v", err)
-	}
-
-	cloudEvent := event.CloudEvent()
-
-	// CloudEvent should be JSON serializable
-	cloudEventJSON, err := json.Marshal(cloudEvent)
-	if err != nil {
-		t.Fatalf("Failed to marshal CloudEvent: %v", err)
-	}
-
-	// Should be able to unmarshal back
-	var parsed CloudEvent
-	err = json.Unmarshal(cloudEventJSON, &parsed)
-	if err != nil {
-		t.Fatalf("Failed to unmarshal CloudEvent: %v", err)
-	}
-
-	// Verify key fields survived round-trip
-	if parsed.ID != cloudEvent.ID {
-		t.Errorf("ID mismatch after round-trip")
-	}
-	if parsed.Source != cloudEvent.Source {
-		t.Errorf("Source mismatch after round-trip")
-	}
-	if parsed.Type != cloudEvent.Type {
-		t.Errorf("Type mismatch after round-trip")
-	}
-}
-
-func TestEvent_EmptyData(t *testing.T) {
-	ctx, cancel := NewContext(Context{Context: context.Background()})
-	defer cancel()
-
-	// Test with empty map
-	event1, err := NewEvent(ctx, "empty.map", map[string]any{})
-	if err != nil {
-		t.Fatalf("Failed to create event with empty map: %v", err)
-	}
-
-	cloudEvent1 := event1.CloudEvent()
-	var parsed1 map[string]any
-	json.Unmarshal(cloudEvent1.Data, &parsed1)
-	if len(parsed1) != 0 {
-		t.Error("Expected empty data map")
-	}
-
-	// Test with nil data
-	event2, err := NewEvent(ctx, "nil.data", nil)
-	if err != nil {
-		t.Fatalf("Failed to create event with nil data: %v", err)
-	}
-
-	cloudEvent2 := event2.CloudEvent()
-	if cloudEvent2.Data == nil {
-		t.Error("CloudEvent data should not be nil even with nil input")
-	}
-}
-
-func TestEvent_Origin_WithModule(t *testing.T) {
-	mockMod := &mockEventModule{}
-	ctx, cancel := NewContext(Context{Context: context.Background()})
-	defer cancel()
-
-	// Set module in ancestry
-	ctx.ancestry = []Module{mockMod}
-
-	event, err := NewEvent(ctx, "module.test", nil)
-	if err != nil {
-		t.Fatalf("Failed to create event: %v", err)
-	}
-
-	if event.Origin() != mockMod {
-		t.Error("Expected event origin to be the mock module")
-	}
-
-	cloudEvent := event.CloudEvent()
-	expectedSource := string(mockMod.CaddyModule().ID)
-	if cloudEvent.Source != expectedSource {
-		t.Errorf("Expected source '%s', got '%s'", expectedSource, cloudEvent.Source)
-	}
-}
-
-func TestEvent_LargeData(t *testing.T) {
-	ctx, cancel := NewContext(Context{Context: context.Background()})
-	defer cancel()
-
-	// Create event with large data
-	largeData := make(map[string]any)
-	for i := 0; i < 1000; i++ {
-		largeData[fmt.Sprintf("key%d", i)] = fmt.Sprintf("value%d", i)
-	}
-
-	event, err := NewEvent(ctx, "large.data", largeData)
-	if err != nil {
-		t.Fatalf("Failed to create event with large data: %v", err)
-	}
-
-	// CloudEvent should handle large data
-	cloudEvent := event.CloudEvent()
-
-	var parsedData map[string]any
-	err = json.Unmarshal(cloudEvent.Data, &parsedData)
-	if err != nil {
-		t.Fatalf("Failed to parse large data in CloudEvent: %v", err)
-	}
-
-	if len(parsedData) != len(largeData) {
-		t.Errorf("Expected %d data items, got %d", len(largeData), len(parsedData))
-	}
-}
-
-func TestEvent_SpecialCharacters_InData(t *testing.T) {
-	ctx, cancel := NewContext(Context{Context: context.Background()})
-	defer cancel()
-
-	specialData := map[string]any{
-		"unicode":     "🚀✨",
-		"newlines":    "line1\nline2\r\nline3",
-		"quotes":      `"double" and 'single' quotes`,
-		"backslashes": "\\path\\to\\file",
-		"json_chars":  `{"key": "value"}`,
-		"empty":       "",
-		"null_value":  nil,
-	}
-
-	event, err := NewEvent(ctx, "special.chars", specialData)
-	if err != nil {
-		t.Fatalf("Failed to create event: %v", err)
-	}
-
-	cloudEvent := event.CloudEvent()
-
-	// Should produce valid JSON
-	var parsedData map[string]any
-	err = json.Unmarshal(cloudEvent.Data, &parsedData)
-	if err != nil {
-		t.Fatalf("Failed to parse data with special characters: %v", err)
-	}
-
-	// Verify some special cases survived JSON round-trip
-	if parsedData["unicode"] != "🚀✨" {
-		t.Error("Unicode characters should survive JSON encoding")
-	}
-
-	if parsedData["quotes"] != `"double" and 'single' quotes` {
-		t.Error("Quotes should be properly escaped in JSON")
-	}
-}
-
-func TestEvent_ConcurrentCreation(t *testing.T) {
-	ctx, cancel := NewContext(Context{Context: context.Background()})
-	defer cancel()
-
-	const numGoroutines = 100
-	var wg sync.WaitGroup
-	events := make([]Event, numGoroutines)
-	errors := make([]error, numGoroutines)
-
-	// Create events concurrently
-	for i := 0; i < numGoroutines; i++ {
-		wg.Add(1)
-		go func(index int) {
-			defer wg.Done()
-
-			eventData := map[string]any{
-				"goroutine": index,
-				"timestamp": time.Now().UnixNano(),
-			}
-
-			events[index], errors[index] = NewEvent(ctx, "concurrent.test", eventData)
-		}(i)
-	}
-
-	wg.Wait()
-
-	// Verify all events were created successfully
-	ids := make(map[string]bool)
-	for i, event := range events {
-		if errors[i] != nil {
-			t.Errorf("Goroutine %d: Failed to create event: %v", i, errors[i])
-			continue
-		}
-
-		// Verify unique IDs
-		idStr := event.ID().String()
-		if ids[idStr] {
-			t.Errorf("Duplicate event ID: %s", idStr)
-		}
-		ids[idStr] = true
-
-		// Verify data integrity
-		if goroutineID, exists := event.Data["goroutine"]; !exists || goroutineID != i {
-			t.Errorf("Event %d: Data corruption detected", i)
-		}
-	}
-}
-
-// Mock module for event testing
-type mockEventModule struct{}
-
-func (m *mockEventModule) CaddyModule() ModuleInfo {
-	return ModuleInfo{
-		ID:  "test.event.module",
-		New: func() Module { return new(mockEventModule) },
-	}
-}
-
-func TestEvent_TimeAccuracy(t *testing.T) {
-	before := time.Now()
-
-	ctx, cancel := NewContext(Context{Context: context.Background()})
-	defer cancel()
-
-	event, err := NewEvent(ctx, "time.accuracy", nil)
-	if err != nil {
-		t.Fatalf("Failed to create event: %v", err)
-	}
-
-	after := time.Now()
-	eventTime := event.Timestamp()
-
-	// Event timestamp should be between before and after
-	if eventTime.Before(before) || eventTime.After(after) {
-		t.Errorf("Event timestamp %v should be between %v and %v", eventTime, before, after)
-	}
-}
-
-func BenchmarkNewEvent(b *testing.B) {
-	ctx, cancel := NewContext(Context{Context: context.Background()})
-	defer cancel()
-
-	eventData := map[string]any{
-		"key1": "value1",
-		"key2": 42,
-		"key3": true,
-	}
-
-	b.ResetTimer()
-	for i := 0; i < b.N; i++ {
-		NewEvent(ctx, "benchmark.test", eventData)
-	}
-}
-
-func BenchmarkEvent_CloudEvent(b *testing.B) {
-	ctx, cancel := NewContext(Context{Context: context.Background()})
-	defer cancel()
-
-	event, _ := NewEvent(ctx, "benchmark.cloud", map[string]any{
-		"data": "test",
-		"num":  123,
-	})
-
-	b.ResetTimer()
-	for i := 0; i < b.N; i++ {
-		event.CloudEvent()
-	}
-}
-
-func BenchmarkEvent_CloudEvent_LargeData(b *testing.B) {
-	ctx, cancel := NewContext(Context{Context: context.Background()})
-	defer cancel()
-
-	// Create event with substantial data
-	largeData := make(map[string]any)
-	for i := 0; i < 100; i++ {
-		largeData[fmt.Sprintf("key%d", i)] = fmt.Sprintf("value%d", i)
-	}
-
-	event, _ := NewEvent(ctx, "benchmark.large", largeData)
-
-	b.ResetTimer()
-	for i := 0; i < b.N; i++ {
-		event.CloudEvent()
-	}
-}
@@ -1,221 +0,0 @@
-// Copyright 2015 Matthew Holt and The Caddy Authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-//go:build !windows
-
-package caddy
-
-import (
-	"path/filepath"
-	"strings"
-	"testing"
-)
-
-func TestFastAbs(t *testing.T) {
-	tests := []struct {
-		name      string
-		input     string
-		checkFunc func(result string, err error) error
-	}{
-		{
-			name:  "absolute path",
-			input: "/usr/local/bin",
-			checkFunc: func(result string, err error) error {
-				if err != nil {
-					t.Errorf("expected no error, got %v", err)
-				}
-				if result != "/usr/local/bin" {
-					t.Errorf("expected /usr/local/bin, got %s", result)
-				}
-				return nil
-			},
-		},
-		{
-			name:  "absolute path with dots",
-			input: "/usr/local/../bin",
-			checkFunc: func(result string, err error) error {
-				if err != nil {
-					t.Errorf("expected no error, got %v", err)
-				}
-				if result != "/usr/bin" {
-					t.Errorf("expected /usr/bin, got %s", result)
-				}
-				return nil
-			},
-		},
-		{
-			name:  "relative path",
-			input: "relative/path",
-			checkFunc: func(result string, err error) error {
-				if err != nil {
-					t.Errorf("expected no error, got %v", err)
-				}
-				if !filepath.IsAbs(result) {
-					t.Errorf("expected absolute path, got %s", result)
-				}
-				if !strings.HasSuffix(result, "relative/path") {
-					t.Errorf("expected path to end with 'relative/path', got %s", result)
-				}
-				return nil
-			},
-		},
-		{
-			name:  "dot",
-			input: ".",
-			checkFunc: func(result string, err error) error {
-				if err != nil {
-					t.Errorf("expected no error, got %v", err)
-				}
-				if !filepath.IsAbs(result) {
-					t.Errorf("expected absolute path, got %s", result)
-				}
-				return nil
-			},
-		},
-		{
-			name:  "dot dot",
-			input: "..",
-			checkFunc: func(result string, err error) error {
-				if err != nil {
-					t.Errorf("expected no error, got %v", err)
-				}
-				if !filepath.IsAbs(result) {
-					t.Errorf("expected absolute path, got %s", result)
-				}
-				return nil
-			},
-		},
-		{
-			name:  "empty string",
-			input: "",
-			checkFunc: func(result string, err error) error {
-				if err != nil {
-					t.Errorf("expected no error, got %v", err)
-				}
-				// Empty string should resolve to current directory
-				if !filepath.IsAbs(result) {
-					t.Errorf("expected absolute path, got %s", result)
-				}
-				return nil
-			},
-		},
-		{
-			name:  "complex relative path",
-			input: "./foo/../bar/./baz",
-			checkFunc: func(result string, err error) error {
-				if err != nil {
-					t.Errorf("expected no error, got %v", err)
-				}
-				if !filepath.IsAbs(result) {
-					t.Errorf("expected absolute path, got %s", result)
-				}
-				if !strings.HasSuffix(result, "bar/baz") {
-					t.Errorf("expected path to end with 'bar/baz', got %s", result)
-				}
-				return nil
-			},
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			result, err := FastAbs(tt.input)
-			tt.checkFunc(result, err)
-		})
-	}
-}
-
-// TestFastAbsVsFilepathAbs compares FastAbs with filepath.Abs to ensure consistent behavior
-func TestFastAbsVsFilepathAbs(t *testing.T) {
-	// Skip if working directory cannot be determined
-	if wderr != nil {
-		t.Skip("working directory error, skipping comparison test")
-	}
-
-	testPaths := []string{
-		".",
-		"..",
-		"foo",
-		"foo/bar",
-		"./foo",
-		"../foo",
-		"/absolute/path",
-		"/usr/local/bin",
-	}
-
-	for _, path := range testPaths {
-		t.Run(path, func(t *testing.T) {
-			fast, fastErr := FastAbs(path)
-			std, stdErr := filepath.Abs(path)
-
-			// Both should succeed or fail together
-			if (fastErr != nil) != (stdErr != nil) {
-				t.Errorf("error mismatch: FastAbs=%v, filepath.Abs=%v", fastErr, stdErr)
-			}
-
-			// If both succeed, results should be the same
-			if fastErr == nil && stdErr == nil && fast != std {
-				t.Errorf("result mismatch for %q: FastAbs=%s, filepath.Abs=%s", path, fast, std)
-			}
-		})
-	}
-}
-
-// TestFastAbsErrorHandling tests error handling when working directory is unavailable
-func TestFastAbsErrorHandling(t *testing.T) {
-	// This tests the cached wderr behavior
-	if wderr != nil {
-		// Test that FastAbs properly returns the cached error for relative paths
-		_, err := FastAbs("relative/path")
-		if err == nil {
-			t.Error("expected error for relative path when working directory is unavailable")
-		}
-		if err != wderr {
-			t.Errorf("expected cached wderr, got different error: %v", err)
-		}
-	}
-}
-
-// BenchmarkFastAbs benchmarks FastAbs
-func BenchmarkFastAbs(b *testing.B) {
-	paths := []string{
-		"relative/path",
-		"/absolute/path",
-		".",
-		"..",
-		"./foo/bar",
-	}
-
-	b.ResetTimer()
-	for i := 0; i < b.N; i++ {
-		FastAbs(paths[i%len(paths)])
-	}
-}
-
-// BenchmarkFastAbsVsStdLib compares performance of FastAbs vs filepath.Abs
-func BenchmarkFastAbsVsStdLib(b *testing.B) {
-	path := "relative/path/to/file"
-
-	b.Run("FastAbs", func(b *testing.B) {
-		for i := 0; i < b.N; i++ {
-			FastAbs(path)
-		}
-	})
-
-	b.Run("filepath.Abs", func(b *testing.B) {
-		for i := 0; i < b.N; i++ {
-			filepath.Abs(path)
-		}
-	})
-}
@@ -1,351 +0,0 @@
-// Copyright 2015 Matthew Holt and The Caddy Authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package caddy
-
-import (
-	"fmt"
-	"io/fs"
-	"sync"
-	"testing"
-	"time"
-)
-
-// Mock filesystem implementation for testing
-type mockFileSystem struct {
-	name  string
-	files map[string]string
-}
-
-func (m *mockFileSystem) Open(name string) (fs.File, error) {
-	if content, exists := m.files[name]; exists {
-		return &mockFile{name: name, content: content}, nil
-	}
-	return nil, fs.ErrNotExist
-}
-
-type mockFile struct {
-	name    string
-	content string
-	pos     int
-}
-
-func (m *mockFile) Stat() (fs.FileInfo, error) {
-	return &mockFileInfo{name: m.name, size: int64(len(m.content))}, nil
-}
-
-func (m *mockFile) Read(b []byte) (int, error) {
-	if m.pos >= len(m.content) {
-		return 0, fs.ErrClosed
-	}
-	n := copy(b, m.content[m.pos:])
-	m.pos += n
-	return n, nil
-}
-
-func (m *mockFile) Close() error {
-	return nil
-}
-
-type mockFileInfo struct {
-	name string
-	size int64
-}
-
-func (m *mockFileInfo) Name() string      { return m.name }
-func (m *mockFileInfo) Size() int64       { return m.size }
-func (m *mockFileInfo) Mode() fs.FileMode { return 0o644 }
-func (m *mockFileInfo) ModTime() time.Time {
-	return time.Time{}
-}
-func (m *mockFileInfo) IsDir() bool { return false }
-func (m *mockFileInfo) Sys() any    { return nil }
-
-// Mock FileSystems implementation for testing
-type mockFileSystems struct {
-	mu          sync.RWMutex
-	filesystems map[string]fs.FS
-	defaultFS   fs.FS
-}
-
-func newMockFileSystems() *mockFileSystems {
-	return &mockFileSystems{
-		filesystems: make(map[string]fs.FS),
-		defaultFS:   &mockFileSystem{name: "default", files: map[string]string{"default.txt": "default content"}},
-	}
-}
-
-func (m *mockFileSystems) Register(k string, v fs.FS) {
-	m.mu.Lock()
-	defer m.mu.Unlock()
-	m.filesystems[k] = v
-}
-
-func (m *mockFileSystems) Unregister(k string) {
-	m.mu.Lock()
-	defer m.mu.Unlock()
-	delete(m.filesystems, k)
-}
-
-func (m *mockFileSystems) Get(k string) (fs.FS, bool) {
-	m.mu.RLock()
-	defer m.mu.RUnlock()
-	v, ok := m.filesystems[k]
-	return v, ok
-}
-
-func (m *mockFileSystems) Default() fs.FS {
-	return m.defaultFS
-}
-
-func TestFileSystems_Register_Get(t *testing.T) {
-	fsys := newMockFileSystems()
-	mockFS := &mockFileSystem{
-		name:  "test",
-		files: map[string]string{"test.txt": "test content"},
-	}
-
-	// Register filesystem
-	fsys.Register("test", mockFS)
-
-	// Retrieve filesystem
-	retrieved, exists := fsys.Get("test")
-	if !exists {
-		t.Error("Expected filesystem to exist after registration")
-	}
-	if retrieved != mockFS {
-		t.Error("Retrieved filesystem is not the same as registered")
-	}
-}
-
-func TestFileSystems_Unregister(t *testing.T) {
-	fsys := newMockFileSystems()
-	mockFS := &mockFileSystem{name: "test"}
-
-	// Register then unregister
-	fsys.Register("test", mockFS)
-	fsys.Unregister("test")
-
-	// Should not exist after unregistration
-	_, exists := fsys.Get("test")
-	if exists {
-		t.Error("Filesystem should not exist after unregistration")
-	}
-}
-
-func TestFileSystems_Default(t *testing.T) {
-	fsys := newMockFileSystems()
-
-	defaultFS := fsys.Default()
-	if defaultFS == nil {
-		t.Error("Default filesystem should not be nil")
-	}
-
-	// Test that default filesystem works
-	file, err := defaultFS.Open("default.txt")
-	if err != nil {
-		t.Fatalf("Failed to open default file: %v", err)
-	}
-	defer file.Close()
-
-	data := make([]byte, 100)
-	n, err := file.Read(data)
-	if err != nil && err != fs.ErrClosed {
-		t.Fatalf("Failed to read default file: %v", err)
-	}
-
-	content := string(data[:n])
-	if content != "default content" {
-		t.Errorf("Expected 'default content', got '%s'", content)
-	}
-}
-
-func TestFileSystems_Concurrent_Access(t *testing.T) {
-	fsys := newMockFileSystems()
-
-	const numGoroutines = 50
-	const numOperations = 10
-
-	var wg sync.WaitGroup
-
-	// Concurrent register/unregister/get operations
-	for i := 0; i < numGoroutines; i++ {
-		wg.Add(1)
-		go func(id int) {
-			defer wg.Done()
-
-			key := fmt.Sprintf("fs-%d", id)
-			mockFS := &mockFileSystem{
-				name:  key,
-				files: map[string]string{key + ".txt": "content"},
-			}
-
-			for j := 0; j < numOperations; j++ {
-				// Register
-				fsys.Register(key, mockFS)
-
-				// Get
-				retrieved, exists := fsys.Get(key)
-				if !exists {
-					t.Errorf("Filesystem %s should exist", key)
-					continue
-				}
-				if retrieved != mockFS {
-					t.Errorf("Retrieved filesystem for %s is not correct", key)
-				}
-
-				// Test file access
-				file, err := retrieved.Open(key + ".txt")
-				if err != nil {
-					t.Errorf("Failed to open file in %s: %v", key, err)
-					continue
-				}
-				file.Close()
-
-				// Unregister
-				fsys.Unregister(key)
-
-				// Should not exist after unregister
-				_, stillExists := fsys.Get(key)
-				if stillExists {
-					t.Errorf("Filesystem %s should not exist after unregister", key)
-				}
-			}
-		}(i)
-	}
-
-	wg.Wait()
-}
-
-func TestFileSystems_Get_NonExistent(t *testing.T) {
-	fsys := newMockFileSystems()
-
-	_, exists := fsys.Get("non-existent")
-	if exists {
-		t.Error("Non-existent filesystem should not exist")
-	}
-}
-
-func TestFileSystems_Register_Overwrite(t *testing.T) {
-	fsys := newMockFileSystems()
-	key := "overwrite-test"
-
-	// Register first filesystem
-	fs1 := &mockFileSystem{name: "fs1"}
-	fsys.Register(key, fs1)
-
-	// Register second filesystem with same key (should overwrite)
-	fs2 := &mockFileSystem{name: "fs2"}
-	fsys.Register(key, fs2)
-
-	// Should get the second filesystem
-	retrieved, exists := fsys.Get(key)
-	if !exists {
-		t.Error("Filesystem should exist")
-	}
-	if retrieved != fs2 {
-		t.Error("Should get the overwritten filesystem")
-	}
-	if retrieved == fs1 {
-		t.Error("Should not get the original filesystem")
-	}
-}
-
-func TestFileSystems_Concurrent_RegisterUnregister_SameKey(t *testing.T) {
-	fsys := newMockFileSystems()
-	key := "concurrent-key"
-
-	const numGoroutines = 20
-	var wg sync.WaitGroup
-
-	// Half the goroutines register, half unregister
-	for i := 0; i < numGoroutines; i++ {
-		wg.Add(1)
-		if i%2 == 0 {
-			go func(id int) {
-				defer wg.Done()
-				mockFS := &mockFileSystem{name: fmt.Sprintf("fs-%d", id)}
-				fsys.Register(key, mockFS)
-			}(i)
-		} else {
-			go func() {
-				defer wg.Done()
-				fsys.Unregister(key)
-			}()
-		}
-	}
-
-	wg.Wait()
-
-	// The final state is unpredictable due to race conditions,
-	// but the operations should not panic or cause corruption
-	// Test passes if we reach here without issues
-}
-
-func TestFileSystems_StressTest(t *testing.T) {
-	if testing.Short() {
-		t.Skip("Skipping stress test in short mode")
-	}
-
-	fsys := newMockFileSystems()
-
-	const numGoroutines = 100
-	const duration = 100 * time.Millisecond
-
-	var wg sync.WaitGroup
-	stopChan := make(chan struct{})
-
-	// Start timer
-	go func() {
-		time.Sleep(duration)
-		close(stopChan)
-	}()
-
-	// Stress test with continuous operations
-	for i := 0; i < numGoroutines; i++ {
-		wg.Add(1)
-		go func(id int) {
-			defer wg.Done()
-
-			key := fmt.Sprintf("stress-fs-%d", id%10) // Use limited set of keys
-			mockFS := &mockFileSystem{
-				name:  key,
-				files: map[string]string{key + ".txt": "stress content"},
-			}
-
-			for {
-				select {
-				case <-stopChan:
-					return
-				default:
-					// Rapid register/get/unregister cycles
-					fsys.Register(key, mockFS)
-
-					if retrieved, exists := fsys.Get(key); exists {
-						// Try to use the filesystem
-						if file, err := retrieved.Open(key + ".txt"); err == nil {
-							file.Close()
-						}
-					}
-
-					fsys.Unregister(key)
-				}
-			}
-		}(i)
-	}
-
-	wg.Wait()
-
-	// Test passes if we reach here without panics or deadlocks
-}
@@ -7,16 +7,16 @@ require (
 	github.com/DeRuina/timberjack v1.4.2
 	github.com/KimMachineGun/automemlimit v0.7.5
 	github.com/Masterminds/sprig/v3 v3.3.0
-	github.com/alecthomas/chroma/v2 v2.23.1
+	github.com/alecthomas/chroma/v2 v2.24.1
 	github.com/aryann/difflib v0.0.0-20210328193216-ff5ff6dc229b
 	github.com/caddyserver/certmagic v0.25.3
 	github.com/caddyserver/zerossl v0.1.5
 	github.com/cloudflare/circl v1.6.3
 	github.com/dustin/go-humanize v1.0.1
 	github.com/go-chi/chi/v5 v5.2.5
-	github.com/google/cel-go v0.28.0
+	github.com/google/cel-go v0.28.1
 	github.com/google/uuid v1.6.0
-	github.com/klauspost/compress v1.18.5
+	github.com/klauspost/compress v1.18.6
 	github.com/klauspost/cpuid/v2 v2.3.0
 	github.com/mholt/acmez/v3 v3.1.6
 	github.com/prometheus/client_golang v1.23.2
@@ -31,19 +31,19 @@ require (
 	github.com/yuin/goldmark v1.8.2
 	github.com/yuin/goldmark-highlighting/v2 v2.0.0-20230729083705-37449abec8cc
 	go.opentelemetry.io/contrib/bridges/prometheus v0.68.0
-	go.opentelemetry.io/contrib/exporters/autoexport v0.65.0
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.67.0
-	go.opentelemetry.io/contrib/propagators/autoprop v0.65.0
+	go.opentelemetry.io/contrib/exporters/autoexport v0.68.0
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.68.0
+	go.opentelemetry.io/contrib/propagators/autoprop v0.68.0
 	go.opentelemetry.io/otel v1.43.0
 	go.opentelemetry.io/otel/sdk v1.43.0
 	go.opentelemetry.io/otel/sdk/metric v1.43.0
 	go.step.sm/crypto v0.81.0
 	go.uber.org/automaxprocs v1.6.0
-	go.uber.org/zap v1.27.1
+	go.uber.org/zap v1.28.0
 	go.uber.org/zap/exp v0.3.0
-	golang.org/x/crypto v0.51.0
+	golang.org/x/crypto v0.52.0
 	golang.org/x/crypto/x509roots/fallback v0.0.0-20260213171211-a408498e5541
-	golang.org/x/net v0.53.0
+	golang.org/x/net v0.55.0
 	golang.org/x/sync v0.20.0
 	golang.org/x/term v0.43.0
 	golang.org/x/time v0.15.0
@@ -110,7 +110,7 @@ require (
 	golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 // indirect
 	golang.org/x/oauth2 v0.36.0 // indirect
 	google.golang.org/api v0.277.0 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20260406210006-6f92a3bedf2d // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20260427160629-7cedc36a6bc4 // indirect
 	google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.5.1 // indirect
 )
@@ -129,7 +129,7 @@ require (
 	github.com/dgraph-io/badger/v2 v2.2007.4 // indirect
 	github.com/dgraph-io/ristretto v0.2.0 // indirect
 	github.com/dgryski/go-farm v0.0.0-20200201041132-a6ae2369ad13 // indirect
-	github.com/dlclark/regexp2 v1.11.5 // indirect
+	github.com/dlclark/regexp2 v1.12.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
@@ -149,7 +149,7 @@ require (
 	github.com/mitchellh/copystructure v1.2.0 // indirect
 	github.com/mitchellh/go-ps v1.0.0 // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
-	github.com/pires/go-proxyproto v0.11.0
+	github.com/pires/go-proxyproto v0.12.0
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/prometheus/client_model v0.6.2
 	github.com/prometheus/common v0.67.5 // indirect
@@ -169,7 +169,7 @@ require (
 	go.opentelemetry.io/proto/otlp v1.10.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	golang.org/x/mod v0.35.0 // indirect
-	golang.org/x/sys v0.44.0
+	golang.org/x/sys v0.45.0
 	golang.org/x/text v0.37.0 // indirect
 	golang.org/x/tools v0.44.0 // indirect
 	google.golang.org/grpc v1.81.0 // indirect
@@ -43,8 +43,8 @@ github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAE
 github.com/alecthomas/assert/v2 v2.11.0 h1:2Q9r3ki8+JYXvGsDyBXwH3LcJ+WK5D0gc5E8vS6K3D0=
 github.com/alecthomas/assert/v2 v2.11.0/go.mod h1:Bze95FyfUr7x34QZrjL+XP+0qgp/zg8yS+TtBj1WA3k=
 github.com/alecthomas/chroma/v2 v2.2.0/go.mod h1:vf4zrexSH54oEjJ7EdB65tGNHmH3pGZmVkgTP5RHvAs=
-github.com/alecthomas/chroma/v2 v2.23.1 h1:nv2AVZdTyClGbVQkIzlDm/rnhk1E9bU9nXwmZ/Vk/iY=
-github.com/alecthomas/chroma/v2 v2.23.1/go.mod h1:NqVhfBR0lte5Ouh3DcthuUCTUpDC9cxBOfyMbMQPs3o=
+github.com/alecthomas/chroma/v2 v2.24.1 h1:m5ffpfZbIb++k8AqFEKy9uVgY12xIQtBsQlc6DfZJQM=
+github.com/alecthomas/chroma/v2 v2.24.1/go.mod h1:l+ohZ9xRXIbGe7cIW+YZgOGbvuVLjMps/FYN/CwuabI=
 github.com/alecthomas/repr v0.0.0-20220113201626-b1b626ac65ae/go.mod h1:2kn6fqh/zIyPLmm3ugklbEi5hg5wS435eygvNfaDQL8=
 github.com/alecthomas/repr v0.5.2 h1:SU73FTI9D1P5UNtvseffFSGmdNci/O6RsqzeXJtP0Qs=
 github.com/alecthomas/repr v0.5.2/go.mod h1:Fr0507jx4eOXV7AlPV6AVZLYrLIuIeSOWtW57eE/O/4=
@@ -133,8 +133,8 @@ github.com/dgryski/go-farm v0.0.0-20200201041132-a6ae2369ad13 h1:fAjc9m62+UWV/WA
 github.com/dgryski/go-farm v0.0.0-20200201041132-a6ae2369ad13/go.mod h1:SqUrOPUnsFjfmXRMNPybcSiG0BgUW2AuFH8PAnS2iTw=
 github.com/dlclark/regexp2 v1.4.0/go.mod h1:2pZnwuY/m+8K6iRw6wQdMtk+rH5tNGR1i55kozfMjCc=
 github.com/dlclark/regexp2 v1.7.0/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8=
-github.com/dlclark/regexp2 v1.11.5 h1:Q/sSnsKerHeCkc/jSTNq1oCm7KiVgUMZRDUoRu0JQZQ=
-github.com/dlclark/regexp2 v1.11.5/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8=
+github.com/dlclark/regexp2 v1.12.0 h1:0j4c5qQmnC6XOWNjP3PIXURXN2gWx76rd3KvgdPkCz8=
+github.com/dlclark/regexp2 v1.12.0/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8=
 github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
 github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
 github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
@@ -168,8 +168,8 @@ github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM=
 github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/google/btree v1.1.2 h1:xf4v41cLI2Z6FxbKm+8Bu+m8ifhj15JuZ9sa0jZCMUU=
 github.com/google/btree v1.1.2/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
-github.com/google/cel-go v0.28.0 h1:KjSWstCpz/MN5t4a8gnGJNIYUsJRpdi/r97xWDphIQc=
-github.com/google/cel-go v0.28.0/go.mod h1:X0bD6iVNR8pkROSOoHVdgTkzmRcosof7WQqCD6wcMc8=
+github.com/google/cel-go v0.28.1 h1:YWIwi77J4xIsYUwAF/iIuS6haffzIHS8yWI8glSbLWM=
+github.com/google/cel-go v0.28.1/go.mod h1:X0bD6iVNR8pkROSOoHVdgTkzmRcosof7WQqCD6wcMc8=
 github.com/google/certificate-transparency-go v1.0.21/go.mod h1:QeJfpSbVSfYc7RgB3gJFj9cbuQMMchQxrWXz8Ruopmg=
 github.com/google/certificate-transparency-go v1.1.8-0.20240110162603-74a5dd331745 h1:heyoXNxkRT155x4jTAiSv5BVSVkueifPUm+Q8LUXMRo=
 github.com/google/certificate-transparency-go v1.1.8-0.20240110162603-74a5dd331745/go.mod h1:zN0wUQgV9LjwLZeFHnrAbQi8hzMVvEWePyk+MhPOk7k=
@@ -211,8 +211,8 @@ github.com/jackc/puddle/v2 v2.2.2 h1:PR8nw+E/1w0GLuRFSmiioY6UooMp6KJv0/61nB7icHo
 github.com/jackc/puddle/v2 v2.2.2/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4=
 github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
 github.com/klauspost/compress v1.12.3/go.mod h1:8dP1Hq4DHOhN9w426knH3Rhby4rFm6D8eO+e+Dq5Gzg=
-github.com/klauspost/compress v1.18.5 h1:/h1gH5Ce+VWNLSWqPzOVn6XBO+vJbCNGvjoaGBFW2IE=
-github.com/klauspost/compress v1.18.5/go.mod h1:cwPg85FWrGar70rWktvGQj8/hthj3wpl0PGDogxkrSQ=
+github.com/klauspost/compress v1.18.6 h1:2jupLlAwFm95+YDR+NwD2MEfFO9d4z4Prjl1XXDjuao=
+github.com/klauspost/compress v1.18.6/go.mod h1:cwPg85FWrGar70rWktvGQj8/hthj3wpl0PGDogxkrSQ=
 github.com/klauspost/cpuid/v2 v2.3.0 h1:S4CRMLnYUhGeDFDqkGriYKdfoFlDnMtqTiI/sFzhA9Y=
 github.com/klauspost/cpuid/v2 v2.3.0/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
@@ -259,8 +259,8 @@ github.com/pbnjay/memory v0.0.0-20210728143218-7b4eea64cf58/go.mod h1:DXv8WO4yhM
 github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
 github.com/peterbourgon/diskv/v3 v3.0.1 h1:x06SQA46+PKIUftmEujdwSEpIx8kR+M9eLYsUxeYveU=
 github.com/peterbourgon/diskv/v3 v3.0.1/go.mod h1:kJ5Ny7vLdARGU3WUuy6uzO6T0nb/2gWcT1JiBvRmb5o=
-github.com/pires/go-proxyproto v0.11.0 h1:gUQpS85X/VJMdUsYyEgyn59uLJvGqPhJV5YvG68wXH4=
-github.com/pires/go-proxyproto v0.11.0/go.mod h1:ZKAAyp3cgy5Y5Mo4n9AlScrkCZwUy0g3Jf+slqQVcuU=
+github.com/pires/go-proxyproto v0.12.0 h1:TTCxD66dU898tahivkqc3hoceZp7P44FnorWyo9d5vM=
+github.com/pires/go-proxyproto v0.12.0/go.mod h1:qUvfqUMEoX7T8g0q7TQLDnhMjdTrxnG0hvpMn+7ePNI=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
@@ -375,14 +375,14 @@ go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ
 go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
 go.opentelemetry.io/contrib/bridges/prometheus v0.68.0 h1:w3zlHYETbDwXyWHZlyyR58ZC39XGi8rAhkBgUgJ9d5w=
 go.opentelemetry.io/contrib/bridges/prometheus v0.68.0/go.mod h1:GR/mClR2nn7vE8RLwxKjoBNg+QtgdDhRzxVa93koy5o=
-go.opentelemetry.io/contrib/exporters/autoexport v0.65.0 h1:2gApdml7SznX9szEKFjKjM4qGcGSvAybYLBY319XG3g=
-go.opentelemetry.io/contrib/exporters/autoexport v0.65.0/go.mod h1:0QqAGlbHXhmPYACG3n5hNzO5DnEqqtg4VcK5pr22RI0=
+go.opentelemetry.io/contrib/exporters/autoexport v0.68.0 h1:0D3GFvELGIwQGfC6agLsbrEYSGWZTRTxIXxcQUqrOuk=
+go.opentelemetry.io/contrib/exporters/autoexport v0.68.0/go.mod h1:DM2NV7Zb8CcGeVPt6glouY0FAiwZQ/iqgcWExhgWeN8=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.67.0 h1:yI1/OhfEPy7J9eoa6Sj051C7n5dvpj0QX8g4sRchg04=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.67.0/go.mod h1:NoUCKYWK+3ecatC4HjkRktREheMeEtrXoQxrqYFeHSc=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.67.0 h1:OyrsyzuttWTSur2qN/Lm0m2a8yqyIjUVBZcxFPuXq2o=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.67.0/go.mod h1:C2NGBr+kAB4bk3xtMXfZ94gqFDtg/GkI7e9zqGh5Beg=
-go.opentelemetry.io/contrib/propagators/autoprop v0.65.0 h1:kTaCycF9Xkm8VBBvH0rJ4wFeRjtIV55Erk3uuVsIs5s=
-go.opentelemetry.io/contrib/propagators/autoprop v0.65.0/go.mod h1:rooPzAbXfxMX9fsPJjmOBg2SN4RhFEV8D7cfGK+N3tE=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.68.0 h1:CqXxU8VOmDefoh0+ztfGaymYbhdB/tT3zs79QaZTNGY=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.68.0/go.mod h1:BuhAPThV8PBHBvg8ZzZ/Ok3idOdhWIodywz2xEcRbJo=
+go.opentelemetry.io/contrib/propagators/autoprop v0.68.0 h1:wLGFvNBPqQhzBn0QRBZjrriH8lZ9gqtTz8ufHEjLg7k=
+go.opentelemetry.io/contrib/propagators/autoprop v0.68.0/go.mod h1:evWK9nCqCzH8nhclTlpkdUzmxrmJQ2mrWCdKIvyOYec=
 go.opentelemetry.io/contrib/propagators/aws v1.43.0 h1:EwnsB3cXRLAh7/Nr/9rMuGw73nfb3z6uAvVDjRrbeUg=
 go.opentelemetry.io/contrib/propagators/aws v1.43.0/go.mod h1:CJjTym6F87tEdm61Qvnz5xrV8vKlH4C92djiqcn62k8=
 go.opentelemetry.io/contrib/propagators/b3 v1.43.0 h1:CETqV3QLLPTy5yNrqyMr41VnAOOD4lsRved7n4QG00A=
@@ -441,8 +441,8 @@ go.uber.org/mock v0.6.0 h1:hyF9dfmbgIX5EfOdasqLsWD6xqpNZlXblLB/Dbnwv3Y=
 go.uber.org/mock v0.6.0/go.mod h1:KiVJ4BqZJaMj4svdfmHM0AUx4NJYO8ZNpPnZn1Z+BBU=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
-go.uber.org/zap v1.27.1 h1:08RqriUEv8+ArZRYSTXy1LeBScaMpVSTBhCeaZYfMYc=
-go.uber.org/zap v1.27.1/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
+go.uber.org/zap v1.28.0 h1:IZzaP1Fv73/T/pBMLk4VutPl36uNC+OSUh3JLG3FIjo=
+go.uber.org/zap v1.28.0/go.mod h1:rDLpOi171uODNm/mxFcuYWxDsqWSAVkFdX4XojSKg/Q=
 go.uber.org/zap/exp v0.3.0 h1:6JYzdifzYkGmTdRR59oYH+Ng7k49H9qVpWwNSsGJj3U=
 go.uber.org/zap/exp v0.3.0/go.mod h1:5I384qq7XGxYyByIhHm6jg5CHkGY0nsTfbDLgDDlgJQ=
 go.yaml.in/yaml/v2 v2.4.4 h1:tuyd0P+2Ont/d6e2rl3be67goVK4R6deVxCUX5vyPaQ=
@@ -456,8 +456,8 @@ golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliY
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
 golang.org/x/crypto v0.33.0/go.mod h1:bVdXmD7IV/4GdElGPozy6U7lWdRXA4qyRVGJV57uQ5M=
-golang.org/x/crypto v0.51.0 h1:IBPXwPfKxY7cWQZ38ZCIRPI50YLeevDLlLnyC5wRGTI=
-golang.org/x/crypto v0.51.0/go.mod h1:8AdwkbraGNABw2kOX6YFPs3WM22XqI4EXEd8g+x7Oc8=
+golang.org/x/crypto v0.52.0 h1:RMs7fP2rXdep0CftQlK8Uf+kibLm7qkCcradZWYz988=
+golang.org/x/crypto v0.52.0/go.mod h1:1QgfPxDqh0T2M/elOJtp9RvuR95kVjir0e6/BvEmGbc=
 golang.org/x/crypto/x509roots/fallback v0.0.0-20260213171211-a408498e5541 h1:FmKxj9ocLKn45jiR2jQMwCVhDvaK7fKQFzfuT9GvyK8=
 golang.org/x/crypto/x509roots/fallback v0.0.0-20260213171211-a408498e5541/go.mod h1:+UoQFNBq2p2wO+Q6ddVtYc25GZ6VNdOMyyrd4nrqrKs=
 golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 h1:mgKeJMpvi0yx/sU5GsxQ7p6s2wtOnGAHZWCHUM4KGzY=
@@ -477,8 +477,8 @@ golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
 golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
-golang.org/x/net v0.53.0 h1:d+qAbo5L0orcWAr0a9JweQpjXF19LMXJE8Ey7hwOdUA=
-golang.org/x/net v0.53.0/go.mod h1:JvMuJH7rrdiCfbeHoo3fCQU24Lf5JJwT9W3sJFulfgs=
+golang.org/x/net v0.55.0 h1:bcvxaJn3e1U6InsFWt1JUq1aSjnRxLzT2rtD2KfkDF8=
+golang.org/x/net v0.55.0/go.mod h1:L5U2KuzuOe1lY7Z+aWVIKK6qEeJXnXV9yzGA+WCHJww=
 golang.org/x/oauth2 v0.36.0 h1:peZ/1z27fi9hUOFCAZaHyrpWG5lwe0RJEEEeH0ThlIs=
 golang.org/x/oauth2 v0.36.0/go.mod h1:YDBUJMTkDnJS+A4BP4eZBjCqtokkg1hODuPjwiGPO7Q=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -506,8 +506,8 @@ golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.44.0 h1:ildZl3J4uzeKP07r2F++Op7E9B29JRUy+a27EibtBTQ=
-golang.org/x/sys v0.44.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/sys v0.45.0 h1:dO4czNzziLiiXplLQgBCEpCvXQ3dnkn0SdaZSYdQ+FY=
+golang.org/x/sys v0.45.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
 golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@@ -547,8 +547,8 @@ google.golang.org/api v0.277.0 h1:HJfyJUiNeBBUMai7ez8u14wkp/gH/I4wpGbbO9o+cSk=
 google.golang.org/api v0.277.0/go.mod h1:B9TqLBwJqVjp1mtt7WeoQwWRwvu/400y5lETOql+giQ=
 google.golang.org/genproto v0.0.0-20260319201613-d00831a3d3e7 h1:XzmzkmB14QhVhgnawEVsOn6OFsnpyxNPRY9QV01dNB0=
 google.golang.org/genproto v0.0.0-20260319201613-d00831a3d3e7/go.mod h1:L43LFes82YgSonw6iTXTxXUX1OlULt4AQtkik4ULL/I=
-google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9 h1:VPWxll4HlMw1Vs/qXtN7BvhZqsS9cdAittCNvVENElA=
-google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9/go.mod h1:7QBABkRtR8z+TEnmXTqIqwJLlzrZKVfAUm7tY3yGv0M=
+google.golang.org/genproto/googleapis/api v0.0.0-20260406210006-6f92a3bedf2d h1:/aDRtSZJjyLQzm75d+a1wOJaqyKBMvIAfeQmoa3ORiI=
+google.golang.org/genproto/googleapis/api v0.0.0-20260406210006-6f92a3bedf2d/go.mod h1:etfGUgejTiadZAUaEP14NP97xi1RGeawqkjDARA/UOs=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20260427160629-7cedc36a6bc4 h1:tEkOQcXgF6dH1G+MVKZrfpYvozGrzb91k6ha7jireSM=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20260427160629-7cedc36a6bc4/go.mod h1:4Hqkh8ycfw05ld/3BWL7rJOSfebL2Q+DVDeRgYgxUU8=
 google.golang.org/grpc v1.81.0 h1:W3G9N3KQf3BU+YuCtGKJk0CmxQNbAISICD/9AORxLIw=
@@ -1,173 +0,0 @@
-package filesystems
-
-import (
-	"io/fs"
-	"testing"
-	"testing/fstest"
-)
-
-func TestFileSystemMapDefaultKey(t *testing.T) {
-	m := &FileSystemMap{}
-
-	// Empty key should map to default
-	if m.key("") != DefaultFileSystemKey {
-		t.Errorf("empty key should map to %q, got %q", DefaultFileSystemKey, m.key(""))
-	}
-
-	// Non-empty key should be returned as-is
-	if m.key("custom") != "custom" {
-		t.Errorf("non-empty key should be returned as-is, got %q", m.key("custom"))
-	}
-}
-
-func TestFileSystemMapRegisterAndGet(t *testing.T) {
-	m := &FileSystemMap{}
-	testFS := fstest.MapFS{
-		"hello.txt": &fstest.MapFile{Data: []byte("hello")},
-	}
-
-	m.Register("test", testFS)
-
-	got, ok := m.Get("test")
-	if !ok {
-		t.Fatal("expected to find registered filesystem")
-	}
-	if got == nil {
-		t.Fatal("expected non-nil filesystem")
-	}
-
-	// Verify the filesystem works
-	f, err := got.Open("hello.txt")
-	if err != nil {
-		t.Fatalf("Open() error = %v", err)
-	}
-	f.Close()
-}
-
-func TestFileSystemMapGetNonExistent(t *testing.T) {
-	m := &FileSystemMap{}
-
-	_, ok := m.Get("nonexistent")
-	if ok {
-		t.Error("expected Get to return false for nonexistent key")
-	}
-}
-
-func TestFileSystemMapDefault(t *testing.T) {
-	m := &FileSystemMap{}
-
-	d := m.Default()
-	if d == nil {
-		t.Fatal("Default() should never return nil")
-	}
-}
-
-func TestFileSystemMapGetDefaultLazyInit(t *testing.T) {
-	m := &FileSystemMap{}
-
-	// Getting the default key before any registration should
-	// auto-initialize to DefaultFileSystem
-	got, ok := m.Get(DefaultFileSystemKey)
-	if !ok {
-		t.Fatal("expected default filesystem to be auto-initialized")
-	}
-	if got == nil {
-		t.Fatal("expected non-nil default filesystem")
-	}
-}
-
-func TestFileSystemMapUnregister(t *testing.T) {
-	m := &FileSystemMap{}
-	testFS := fstest.MapFS{}
-
-	m.Register("test", testFS)
-	m.Unregister("test")
-
-	_, ok := m.Get("test")
-	if ok {
-		t.Error("expected filesystem to be unregistered")
-	}
-}
-
-func TestFileSystemMapUnregisterDefault(t *testing.T) {
-	m := &FileSystemMap{}
-	customFS := fstest.MapFS{}
-
-	// Override default
-	m.Register("", customFS)
-	// Unregister default should reset to OsFS, not delete
-	m.Unregister("")
-
-	d := m.Default()
-	if d == nil {
-		t.Fatal("unregistering default should reset it, not delete it")
-	}
-}
-
-func TestFileSystemMapRegisterNil(t *testing.T) {
-	m := &FileSystemMap{}
-	testFS := fstest.MapFS{}
-
-	// Register then register nil (should unregister)
-	m.Register("test", testFS)
-	m.Register("test", nil)
-
-	_, ok := m.Get("test")
-	if ok {
-		t.Error("registering nil should unregister the filesystem")
-	}
-}
-
-func TestFileSystemMapEmptyKeyIsDefault(t *testing.T) {
-	m := &FileSystemMap{}
-	testFS := fstest.MapFS{
-		"test.txt": &fstest.MapFile{Data: []byte("test")},
-	}
-
-	// Register with empty key should register as default
-	m.Register("", testFS)
-
-	got, ok := m.Get("")
-	if !ok {
-		t.Fatal("expected to find filesystem registered with empty key")
-	}
-
-	// Should also be accessible via default key
-	got2, ok := m.Get(DefaultFileSystemKey)
-	if !ok {
-		t.Fatal("expected to find filesystem via default key")
-	}
-
-	// Both should work
-	if got == nil || got2 == nil {
-		t.Fatal("expected non-nil filesystems")
-	}
-}
-
-func TestFileSystemMapGetTrimsWhitespace(t *testing.T) {
-	m := &FileSystemMap{}
-	testFS := fstest.MapFS{}
-
-	m.Register("test", testFS)
-
-	// Get with whitespace-padded key should match
-	got, ok := m.Get("test ")
-	if !ok {
-		t.Fatal("expected Get to trim whitespace from key")
-	}
-	if got == nil {
-		t.Fatal("expected non-nil filesystem")
-	}
-}
-
-func TestOsFSInterfaces(t *testing.T) {
-	var osFS OsFS
-
-	// Verify interface compliance at compile time (already done with var _ checks)
-	// but test that the methods exist and are callable
-	var _ fs.FS = osFS
-	var _ fs.StatFS = osFS
-	var _ fs.GlobFS = osFS
-	var _ fs.ReadDirFS = osFS
-	var _ fs.ReadFileFS = osFS
-}
@@ -1,147 +0,0 @@
-package internal
-
-import (
-	"testing"
-
-	"go.uber.org/zap"
-	"go.uber.org/zap/zapcore"
-	"go.uber.org/zap/zaptest/observer"
-)
-
-func TestLogBufferCoreEnabled(t *testing.T) {
-	core := NewLogBufferCore(zapcore.InfoLevel)
-
-	if !core.Enabled(zapcore.InfoLevel) {
-		t.Error("expected InfoLevel to be enabled")
-	}
-	if !core.Enabled(zapcore.ErrorLevel) {
-		t.Error("expected ErrorLevel to be enabled")
-	}
-	if core.Enabled(zapcore.DebugLevel) {
-		t.Error("expected DebugLevel to be disabled")
-	}
-}
-
-func TestLogBufferCoreWriteAndFlush(t *testing.T) {
-	core := NewLogBufferCore(zapcore.InfoLevel)
-
-	// Write entries
-	entry1 := zapcore.Entry{Level: zapcore.InfoLevel, Message: "message1"}
-	entry2 := zapcore.Entry{Level: zapcore.WarnLevel, Message: "message2"}
-
-	if err := core.Write(entry1, []zapcore.Field{zap.String("key1", "val1")}); err != nil {
-		t.Fatalf("Write() error = %v", err)
-	}
-	if err := core.Write(entry2, []zapcore.Field{zap.String("key2", "val2")}); err != nil {
-		t.Fatalf("Write() error = %v", err)
-	}
-
-	// Verify entries are buffered
-	if len(core.entries) != 2 {
-		t.Errorf("expected 2 entries, got %d", len(core.entries))
-	}
-	if len(core.fields) != 2 {
-		t.Errorf("expected 2 field sets, got %d", len(core.fields))
-	}
-
-	// Set up an observed logger to capture flushed entries
-	observedCore, logs := observer.New(zapcore.InfoLevel)
-	logger := zap.New(observedCore)
-
-	core.FlushTo(logger)
-
-	// Verify entries were flushed
-	if logs.Len() != 2 {
-		t.Errorf("expected 2 flushed log entries, got %d", logs.Len())
-	}
-
-	// Verify buffer is cleared after flush
-	if len(core.entries) != 0 {
-		t.Errorf("expected entries to be cleared after flush, got %d", len(core.entries))
-	}
-	if len(core.fields) != 0 {
-		t.Errorf("expected fields to be cleared after flush, got %d", len(core.fields))
-	}
-}
-
-func TestLogBufferCoreSync(t *testing.T) {
-	core := NewLogBufferCore(zapcore.InfoLevel)
-	if err := core.Sync(); err != nil {
-		t.Errorf("Sync() error = %v", err)
-	}
-}
-
-func TestLogBufferCoreWith(t *testing.T) {
-	core := NewLogBufferCore(zapcore.InfoLevel)
-
-	// With() currently returns the same core (known limitation)
-	result := core.With([]zapcore.Field{zap.String("test", "val")})
-	if result != core {
-		t.Error("With() should return the same core instance")
-	}
-}
-
-func TestLogBufferCoreCheck(t *testing.T) {
-	core := NewLogBufferCore(zapcore.InfoLevel)
-
-	// Check for enabled level should add core
-	entry := zapcore.Entry{Level: zapcore.InfoLevel, Message: "test"}
-	ce := &zapcore.CheckedEntry{}
-	result := core.Check(entry, ce)
-	if result == nil {
-		t.Error("Check() should return non-nil for enabled level")
-	}
-
-	// Check for disabled level should not add core
-	debugEntry := zapcore.Entry{Level: zapcore.DebugLevel, Message: "test"}
-	ce2 := &zapcore.CheckedEntry{}
-	result2 := core.Check(debugEntry, ce2)
-	// The ce2 should be returned unchanged (no core added)
-	if result2 != ce2 {
-		t.Error("Check() should return unchanged CheckedEntry for disabled level")
-	}
-}
-
-func TestLogBufferCoreEmptyFlush(t *testing.T) {
-	core := NewLogBufferCore(zapcore.InfoLevel)
-
-	// Flushing with no entries should not panic
-	observedCore, logs := observer.New(zapcore.InfoLevel)
-	logger := zap.New(observedCore)
-
-	core.FlushTo(logger)
-
-	if logs.Len() != 0 {
-		t.Errorf("expected 0 flushed entries for empty buffer, got %d", logs.Len())
-	}
-}
-
-func TestLogBufferCoreConcurrentWrites(t *testing.T) {
-	core := NewLogBufferCore(zapcore.InfoLevel)
-
-	done := make(chan struct{})
-	const numWriters = 10
-	const numWrites = 100
-
-	for i := 0; i < numWriters; i++ {
-		go func() {
-			defer func() { done <- struct{}{} }()
-			for j := 0; j < numWrites; j++ {
-				entry := zapcore.Entry{Level: zapcore.InfoLevel, Message: "concurrent"}
-				_ = core.Write(entry, nil)
-			}
-		}()
-	}
-
-	for i := 0; i < numWriters; i++ {
-		<-done
-	}
-
-	core.mu.Lock()
-	count := len(core.entries)
-	core.mu.Unlock()
-
-	if count != numWriters*numWrites {
-		t.Errorf("expected %d entries, got %d", numWriters*numWrites, count)
-	}
-}
@@ -17,37 +17,6 @@ func TestSanitizeMethod(t *testing.T) {
 		{method: "trace", expected: "TRACE"},
 		{method: "UNKNOWN", expected: "OTHER"},
 		{method: strings.Repeat("ohno", 9999), expected: "OTHER"},
-
-		// Test all standard HTTP methods in uppercase
-		{method: "GET", expected: "GET"},
-		{method: "HEAD", expected: "HEAD"},
-		{method: "POST", expected: "POST"},
-		{method: "PUT", expected: "PUT"},
-		{method: "DELETE", expected: "DELETE"},
-		{method: "CONNECT", expected: "CONNECT"},
-		{method: "OPTIONS", expected: "OPTIONS"},
-		{method: "TRACE", expected: "TRACE"},
-		{method: "PATCH", expected: "PATCH"},
-
-		// Test all standard HTTP methods in lowercase
-		{method: "get", expected: "GET"},
-		{method: "head", expected: "HEAD"},
-		{method: "post", expected: "POST"},
-		{method: "put", expected: "PUT"},
-		{method: "delete", expected: "DELETE"},
-		{method: "connect", expected: "CONNECT"},
-		{method: "options", expected: "OPTIONS"},
-		{method: "trace", expected: "TRACE"},
-		{method: "patch", expected: "PATCH"},
-
-		// Test mixed case and non-standard methods
-		{method: "Get", expected: "OTHER"},
-		{method: "gEt", expected: "OTHER"},
-		{method: "UNKNOWN", expected: "OTHER"},
-		{method: "PROPFIND", expected: "OTHER"},
-		{method: "MKCOL", expected: "OTHER"},
-		{method: "", expected: "OTHER"},
-		{method: " ", expected: "OTHER"},
 	}

 	for _, d := range tests {
@@ -57,79 +26,3 @@ func TestSanitizeMethod(t *testing.T) {
 		}
 	}
 }
-
-func TestSanitizeCode(t *testing.T) {
-	tests := []struct {
-		name     string
-		code     int
-		expected string
-	}{
-		{
-			name:     "zero returns 200",
-			code:     0,
-			expected: "200",
-		},
-		{
-			name:     "200 returns 200",
-			code:     200,
-			expected: "200",
-		},
-		{
-			name:     "404 returns 404",
-			code:     404,
-			expected: "404",
-		},
-		{
-			name:     "500 returns 500",
-			code:     500,
-			expected: "500",
-		},
-		{
-			name:     "301 returns 301",
-			code:     301,
-			expected: "301",
-		},
-		{
-			name:     "418 teapot returns 418",
-			code:     418,
-			expected: "418",
-		},
-		{
-			name:     "999 custom code",
-			code:     999,
-			expected: "999",
-		},
-		{
-			name:     "negative code",
-			code:     -1,
-			expected: "-1",
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			result := SanitizeCode(tt.code)
-			if result != tt.expected {
-				t.Errorf("SanitizeCode(%d) = %s; want %s", tt.code, result, tt.expected)
-			}
-		})
-	}
-}
-
-// BenchmarkSanitizeCode benchmarks the SanitizeCode function
-func BenchmarkSanitizeCode(b *testing.B) {
-	codes := []int{0, 200, 404, 500, 301, 418}
-	b.ResetTimer()
-	for i := 0; i < b.N; i++ {
-		SanitizeCode(codes[i%len(codes)])
-	}
-}
-
-// BenchmarkSanitizeMethod benchmarks the SanitizeMethod function
-func BenchmarkSanitizeMethod(b *testing.B) {
-	methods := []string{"GET", "POST", "PUT", "DELETE", "UNKNOWN"}
-	b.ResetTimer()
-	for i := 0; i < b.N; i++ {
-		SanitizeMethod(methods[i%len(methods)])
-	}
-}
@@ -1,125 +0,0 @@
-package internal
-
-import (
-	"testing"
-)
-
-func TestPrivateRangesCIDR(t *testing.T) {
-	ranges := PrivateRangesCIDR()
-
-	// Should include standard private IP ranges
-	expected := map[string]bool{
-		"192.168.0.0/16": false,
-		"172.16.0.0/12":  false,
-		"10.0.0.0/8":     false,
-		"127.0.0.1/8":    false,
-		"fd00::/8":       false,
-		"::1":            false,
-	}
-
-	for _, r := range ranges {
-		if _, ok := expected[r]; ok {
-			expected[r] = true
-		}
-	}
-
-	for cidr, found := range expected {
-		if !found {
-			t.Errorf("expected private range %q not found in PrivateRangesCIDR()", cidr)
-		}
-	}
-
-	if len(ranges) < 6 {
-		t.Errorf("expected at least 6 private ranges, got %d", len(ranges))
-	}
-}
-
-func TestMaxSizeSubjectsListForLog(t *testing.T) {
-	tests := []struct {
-		name         string
-		subjects     map[string]struct{}
-		maxToDisplay int
-		wantLen      int
-		wantSuffix   bool // whether "(and N more...)" is expected
-	}{
-		{
-			name:         "empty map",
-			subjects:     map[string]struct{}{},
-			maxToDisplay: 5,
-			wantLen:      0,
-			wantSuffix:   false,
-		},
-		{
-			name: "fewer than max",
-			subjects: map[string]struct{}{
-				"example.com": {},
-				"example.org": {},
-			},
-			maxToDisplay: 5,
-			wantLen:      2,
-			wantSuffix:   false,
-		},
-		{
-			name: "equal to max",
-			subjects: map[string]struct{}{
-				"a.com": {},
-				"b.com": {},
-				"c.com": {},
-			},
-			maxToDisplay: 3,
-			wantLen:      3,
-			wantSuffix:   false,
-		},
-		{
-			name: "more than max",
-			subjects: map[string]struct{}{
-				"a.com": {},
-				"b.com": {},
-				"c.com": {},
-				"d.com": {},
-				"e.com": {},
-			},
-			maxToDisplay: 2,
-			wantLen:      3, // 2 domains + suffix
-			wantSuffix:   true,
-		},
-		{
-			name: "max is zero",
-			subjects: map[string]struct{}{
-				"a.com": {},
-				"b.com": {},
-			},
-			maxToDisplay: 0,
-			// BUG: When maxToDisplay is 0, code still appends one domain
-			// because append happens before the break check in the loop.
-			// Expected behavior: 1 item (just suffix). Actual: 2 items
-			// (1 leaked domain + suffix).
-			wantLen:    2,
-			wantSuffix: true,
-		},
-		{
-			name: "single subject with max 1",
-			subjects: map[string]struct{}{
-				"example.com": {},
-			},
-			maxToDisplay: 1,
-			wantLen:      1,
-			wantSuffix:   false,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			result := MaxSizeSubjectsListForLog(tt.subjects, tt.maxToDisplay)
-			if len(result) != tt.wantLen {
-				t.Errorf("MaxSizeSubjectsListForLog() returned %d items, want %d; got: %v", len(result), tt.wantLen, result)
-			}
-			if tt.wantSuffix {
-				last := result[len(result)-1]
-				if len(last) < 4 || last[:4] != "(and" {
-					t.Errorf("expected suffix '(and N more...)' but got %q", last)
-				}
-			}
-		})
-	}
-}
@@ -1,146 +0,0 @@
-package internal
-
-import (
-	"io/fs"
-	"testing"
-)
-
-func TestSplitUnixSocketPermissionsBits(t *testing.T) {
-	tests := []struct {
-		name         string
-		input        string
-		wantPath     string
-		wantFileMode fs.FileMode
-		wantErr      bool
-	}{
-		{
-			name:         "no permission bits defaults to 0200",
-			input:        "/run/caddy.sock",
-			wantPath:     "/run/caddy.sock",
-			wantFileMode: 0o200,
-			wantErr:      false,
-		},
-		{
-			name:         "valid permission 0222",
-			input:        "/run/caddy.sock|0222",
-			wantPath:     "/run/caddy.sock",
-			wantFileMode: 0o222,
-			wantErr:      false,
-		},
-		{
-			name:         "valid permission 0200",
-			input:        "/run/caddy.sock|0200",
-			wantPath:     "/run/caddy.sock",
-			wantFileMode: 0o200,
-			wantErr:      false,
-		},
-		{
-			name:         "valid permission 0777",
-			input:        "/run/caddy.sock|0777",
-			wantPath:     "/run/caddy.sock",
-			wantFileMode: 0o777,
-			wantErr:      false,
-		},
-		{
-			name:         "valid permission 0755",
-			input:        "/run/caddy.sock|0755",
-			wantPath:     "/run/caddy.sock",
-			wantFileMode: 0o755,
-			wantErr:      false,
-		},
-		{
-			name:         "valid permission 0666",
-			input:        "/tmp/test.sock|0666",
-			wantPath:     "/tmp/test.sock",
-			wantFileMode: 0o666,
-			wantErr:      false,
-		},
-		{
-			name:    "missing owner write permission 0444",
-			input:   "/run/caddy.sock|0444",
-			wantErr: true,
-		},
-		{
-			name:    "missing owner write permission 0044",
-			input:   "/run/caddy.sock|0044",
-			wantErr: true,
-		},
-		{
-			name:    "missing owner write permission 0100",
-			input:   "/run/caddy.sock|0100",
-			wantErr: true,
-		},
-		{
-			name:    "missing owner write permission 0500",
-			input:   "/run/caddy.sock|0500",
-			wantErr: true,
-		},
-		{
-			name:    "invalid octal digits",
-			input:   "/run/caddy.sock|09ab",
-			wantErr: true,
-		},
-		{
-			name:    "invalid non-numeric permission",
-			input:   "/run/caddy.sock|rwxrwxrwx",
-			wantErr: true,
-		},
-		{
-			name:    "empty permission string",
-			input:   "/run/caddy.sock|",
-			wantErr: true,
-		},
-		{
-			name:         "multiple pipes only splits on first",
-			input:        "/run/caddy|sock|0222",
-			wantPath:     "/run/caddy",
-			wantFileMode: 0, // "sock|0222" is not valid octal
-			wantErr:      true,
-		},
-		{
-			name:         "empty path with valid permission",
-			input:        "|0222",
-			wantPath:     "",
-			wantFileMode: 0o222,
-			wantErr:      false,
-		},
-		{
-			name:         "path only with no pipe",
-			input:        "/var/run/my-app.sock",
-			wantPath:     "/var/run/my-app.sock",
-			wantFileMode: 0o200,
-			wantErr:      false,
-		},
-		{
-			name:         "permission 0300 has write bit",
-			input:        "/run/caddy.sock|0300",
-			wantPath:     "/run/caddy.sock",
-			wantFileMode: 0o300,
-			wantErr:      false,
-		},
-		{
-			name:    "permission 0422 missing owner write",
-			input:   "/run/caddy.sock|0422",
-			wantErr: true,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			gotPath, gotMode, err := SplitUnixSocketPermissionsBits(tt.input)
-			if (err != nil) != tt.wantErr {
-				t.Errorf("SplitUnixSocketPermissionsBits(%q) error = %v, wantErr %v", tt.input, err, tt.wantErr)
-				return
-			}
-			if err != nil {
-				return
-			}
-			if gotPath != tt.wantPath {
-				t.Errorf("SplitUnixSocketPermissionsBits(%q) path = %q, want %q", tt.input, gotPath, tt.wantPath)
-			}
-			if gotMode != tt.wantFileMode {
-				t.Errorf("SplitUnixSocketPermissionsBits(%q) mode = %04o, want %04o", tt.input, gotMode, tt.wantFileMode)
-			}
-		})
-	}
-}
@@ -361,7 +361,7 @@ func ParseNetworkAddressWithDefaults(addr, defaultNetwork string, defaultPort ui
 		if end < start {
 			return NetworkAddress{}, fmt.Errorf("end port must not be less than start port")
 		}
-		if (end-start)+1 > maxPortSpan {
+		if (end - start) > maxPortSpan {
 			return NetworkAddress{}, fmt.Errorf("port range exceeds %d ports", maxPortSpan)
 		}
 	}
@@ -1,394 +0,0 @@
-// Copyright 2015 Matthew Holt and The Caddy Authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package caddy
-
-import (
-	"fmt"
-	"net/http"
-	"net/http/httptest"
-	"sync"
-	"testing"
-	"time"
-
-	"github.com/prometheus/client_golang/prometheus"
-	dto "github.com/prometheus/client_model/go"
-)
-
-func TestGlobalMetrics_ConfigSuccess(t *testing.T) {
-	// Test setting config success metric
-	originalValue := getMetricValue(globalMetrics.configSuccess)
-
-	// Set to success
-	globalMetrics.configSuccess.Set(1)
-	newValue := getMetricValue(globalMetrics.configSuccess)
-
-	if newValue != 1 {
-		t.Errorf("Expected config success metric to be 1, got %f", newValue)
-	}
-
-	// Set to failure
-	globalMetrics.configSuccess.Set(0)
-	failureValue := getMetricValue(globalMetrics.configSuccess)
-
-	if failureValue != 0 {
-		t.Errorf("Expected config success metric to be 0, got %f", failureValue)
-	}
-
-	// Restore original value if it existed
-	if originalValue != 0 {
-		globalMetrics.configSuccess.Set(originalValue)
-	}
-}
-
-func TestGlobalMetrics_ConfigSuccessTime(t *testing.T) {
-	// Set success time
-	globalMetrics.configSuccessTime.SetToCurrentTime()
-
-	// Get the metric value
-	metricValue := getMetricValue(globalMetrics.configSuccessTime)
-
-	// Should be a reasonable Unix timestamp (not zero)
-	if metricValue == 0 {
-		t.Error("Config success time should not be zero")
-	}
-
-	// Should be recent (within last minute)
-	now := time.Now().Unix()
-	if int64(metricValue) < now-60 || int64(metricValue) > now {
-		t.Errorf("Config success time %f should be recent (now: %d)", metricValue, now)
-	}
-}
-
-func TestAdminMetrics_RequestCount(t *testing.T) {
-	// Initialize admin metrics for testing
-	initAdminMetrics()
-
-	labels := prometheus.Labels{
-		"handler": "test",
-		"path":    "/config",
-		"method":  "GET",
-		"code":    "200",
-	}
-
-	// Get initial value
-	initialValue := getCounterValue(adminMetrics.requestCount, labels)
-
-	// Increment counter
-	adminMetrics.requestCount.With(labels).Inc()
-
-	// Verify increment
-	newValue := getCounterValue(adminMetrics.requestCount, labels)
-	if newValue != initialValue+1 {
-		t.Errorf("Expected counter to increment by 1, got %f -> %f", initialValue, newValue)
-	}
-}
-
-func TestAdminMetrics_RequestErrors(t *testing.T) {
-	// Initialize admin metrics for testing
-	initAdminMetrics()
-
-	labels := prometheus.Labels{
-		"handler": "test",
-		"path":    "/test",
-		"method":  "POST",
-	}
-
-	// Get initial value
-	initialValue := getCounterValue(adminMetrics.requestErrors, labels)
-
-	// Increment error counter
-	adminMetrics.requestErrors.With(labels).Inc()
-
-	// Verify increment
-	newValue := getCounterValue(adminMetrics.requestErrors, labels)
-	if newValue != initialValue+1 {
-		t.Errorf("Expected error counter to increment by 1, got %f -> %f", initialValue, newValue)
-	}
-}
-
-func TestMetrics_ConcurrentAccess(t *testing.T) {
-	// Initialize admin metrics
-	initAdminMetrics()
-
-	const numGoroutines = 100
-	const incrementsPerGoroutine = 10
-
-	var wg sync.WaitGroup
-
-	labels := prometheus.Labels{
-		"handler": "concurrent",
-		"path":    "/concurrent",
-		"method":  "GET",
-		"code":    "200",
-	}
-
-	initialCount := getCounterValue(adminMetrics.requestCount, labels)
-
-	// Concurrent increments
-	for i := 0; i < numGoroutines; i++ {
-		wg.Add(1)
-		go func() {
-			defer wg.Done()
-			for j := 0; j < incrementsPerGoroutine; j++ {
-				adminMetrics.requestCount.With(labels).Inc()
-			}
-		}()
-	}
-
-	wg.Wait()
-
-	// Verify final count
-	finalCount := getCounterValue(adminMetrics.requestCount, labels)
-	expectedIncrement := float64(numGoroutines * incrementsPerGoroutine)
-
-	if finalCount-initialCount != expectedIncrement {
-		t.Errorf("Expected counter to increase by %f, got %f",
-			expectedIncrement, finalCount-initialCount)
-	}
-}
-
-func TestMetrics_LabelValidation(t *testing.T) {
-	// Test various label combinations
-	tests := []struct {
-		name   string
-		labels prometheus.Labels
-		metric string
-	}{
-		{
-			name: "valid request count labels",
-			labels: prometheus.Labels{
-				"handler": "test",
-				"path":    "/api/test",
-				"method":  "GET",
-				"code":    "200",
-			},
-			metric: "requestCount",
-		},
-		{
-			name: "valid error labels",
-			labels: prometheus.Labels{
-				"handler": "test",
-				"path":    "/api/error",
-				"method":  "POST",
-			},
-			metric: "requestErrors",
-		},
-		{
-			name: "empty path",
-			labels: prometheus.Labels{
-				"handler": "test",
-				"path":    "",
-				"method":  "GET",
-				"code":    "404",
-			},
-			metric: "requestCount",
-		},
-		{
-			name: "special characters in path",
-			labels: prometheus.Labels{
-				"handler": "test",
-				"path":    "/api/test%20with%20spaces",
-				"method":  "PUT",
-				"code":    "201",
-			},
-			metric: "requestCount",
-		},
-	}
-
-	initAdminMetrics()
-
-	for _, test := range tests {
-		t.Run(test.name, func(t *testing.T) {
-			// This should not panic or error
-			switch test.metric {
-			case "requestCount":
-				adminMetrics.requestCount.With(test.labels).Inc()
-			case "requestErrors":
-				adminMetrics.requestErrors.With(test.labels).Inc()
-			}
-		})
-	}
-}
-
-func TestMetrics_Initialization_Idempotent(t *testing.T) {
-	// Test that initializing admin metrics multiple times is safe
-	for i := 0; i < 5; i++ {
-		func() {
-			defer func() {
-				if r := recover(); r != nil {
-					t.Errorf("Iteration %d: initAdminMetrics panicked: %v", i, r)
-				}
-			}()
-			initAdminMetrics()
-		}()
-	}
-}
-
-func TestInstrumentHandlerCounter(t *testing.T) {
-	// Create a test counter with the expected labels
-	counter := prometheus.NewCounterVec(
-		prometheus.CounterOpts{
-			Name: "test_counter",
-			Help: "Test counter for instrumentation",
-		},
-		[]string{"code", "method"},
-	)
-
-	// Create instrumented handler
-	testHandler := instrumentHandlerCounter(
-		counter,
-		&mockHTTPHandler{statusCode: 200},
-	)
-
-	// Create test request
-	req := httptest.NewRequest("GET", "/test", nil)
-	rr := httptest.NewRecorder()
-
-	// Get initial counter value
-	initialValue := getCounterValue(counter, prometheus.Labels{"code": "200", "method": "GET"})
-
-	// Serve request
-	testHandler.ServeHTTP(rr, req)
-
-	// Verify counter was incremented
-	finalValue := getCounterValue(counter, prometheus.Labels{"code": "200", "method": "GET"})
-	if finalValue != initialValue+1 {
-		t.Errorf("Expected counter to increment by 1, got %f -> %f", initialValue, finalValue)
-	}
-}
-
-func TestInstrumentHandlerCounter_ErrorStatus(t *testing.T) {
-	counter := prometheus.NewCounterVec(
-		prometheus.CounterOpts{
-			Name: "test_error_counter",
-			Help: "Test counter for error status",
-		},
-		[]string{"code", "method"},
-	)
-
-	// Test different status codes
-	statusCodes := []int{200, 404, 500, 301, 401}
-
-	for _, status := range statusCodes {
-		t.Run(fmt.Sprintf("status_%d", status), func(t *testing.T) {
-			handler := instrumentHandlerCounter(
-				counter,
-				&mockHTTPHandler{statusCode: status},
-			)
-
-			req := httptest.NewRequest("GET", "/test", nil)
-			rr := httptest.NewRecorder()
-
-			statusLabels := prometheus.Labels{"code": fmt.Sprintf("%d", status), "method": "GET"}
-			initialValue := getCounterValue(counter, statusLabels)
-
-			handler.ServeHTTP(rr, req)
-
-			finalValue := getCounterValue(counter, statusLabels)
-			if finalValue != initialValue+1 {
-				t.Errorf("Status %d: Expected counter increment", status)
-			}
-		})
-	}
-}
-
-// Helper functions
-func getMetricValue(gauge prometheus.Gauge) float64 {
-	metric := &dto.Metric{}
-	gauge.Write(metric)
-	return metric.GetGauge().GetValue()
-}
-
-func getCounterValue(counter *prometheus.CounterVec, labels prometheus.Labels) float64 {
-	metric, err := counter.GetMetricWith(labels)
-	if err != nil {
-		return 0
-	}
-
-	pb := &dto.Metric{}
-	metric.Write(pb)
-	return pb.GetCounter().GetValue()
-}
-
-type mockHTTPHandler struct {
-	statusCode int
-}
-
-func (m *mockHTTPHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	w.WriteHeader(m.statusCode)
-}
-
-func TestMetrics_Memory_Usage(t *testing.T) {
-	if testing.Short() {
-		t.Skip("Skipping memory test in short mode")
-	}
-
-	// Initialize metrics
-	initAdminMetrics()
-
-	// Create many different label combinations
-	const numLabels = 1000
-
-	for i := 0; i < numLabels; i++ {
-		labels := prometheus.Labels{
-			"handler": fmt.Sprintf("handler_%d", i%10),
-			"path":    fmt.Sprintf("/path_%d", i),
-			"method":  []string{"GET", "POST", "PUT", "DELETE"}[i%4],
-			"code":    []string{"200", "404", "500"}[i%3],
-		}
-
-		adminMetrics.requestCount.With(labels).Inc()
-
-		// Also increment error counter occasionally
-		if i%10 == 0 {
-			errorLabels := prometheus.Labels{
-				"handler": labels["handler"],
-				"path":    labels["path"],
-				"method":  labels["method"],
-			}
-			adminMetrics.requestErrors.With(errorLabels).Inc()
-		}
-	}
-
-	// Test passes if we don't run out of memory or panic
-}
-
-func BenchmarkGlobalMetrics_ConfigSuccess(b *testing.B) {
-	for i := 0; i < b.N; i++ {
-		globalMetrics.configSuccess.Set(float64(i % 2))
-	}
-}
-
-func BenchmarkGlobalMetrics_ConfigSuccessTime(b *testing.B) {
-	for i := 0; i < b.N; i++ {
-		globalMetrics.configSuccessTime.SetToCurrentTime()
-	}
-}
-
-func BenchmarkAdminMetrics_RequestCount_WithLabels(b *testing.B) {
-	initAdminMetrics()
-
-	labels := prometheus.Labels{
-		"handler": "benchmark",
-		"path":    "/benchmark",
-		"method":  "GET",
-		"code":    "200",
-	}
-
-	b.ResetTimer()
-	for i := 0; i < b.N; i++ {
-		adminMetrics.requestCount.With(labels).Inc()
-	}
-}
@@ -37,6 +37,12 @@ func init() {
 // `{http.auth.user.*}` placeholders may be set for any authentication
 // modules that provide user metadata.
 //
+// If authentication is rejected but a provider returns user information,
+// the placeholder `{http.auth.candidate.id}` will be set to the candidate
+// username, and also `{http.auth.candidate.*}` placeholders may be set
+// for candidate user metadata. Candidate placeholders do not represent a
+// successfully authenticated principal.
+//
 // In case of an error, the placeholder `{http.auth.<provider>.error}`
 // will be set to the error message returned by the authentication
 // provider.
@@ -78,6 +84,8 @@ func (a *Authentication) Provision(ctx caddy.Context) error {
 func (a Authentication) ServeHTTP(w http.ResponseWriter, r *http.Request, next caddyhttp.Handler) error {
 	repl := r.Context().Value(caddy.ReplacerCtxKey).(*caddy.Replacer)
 	var user User
+	var candidate User
+	var hasCandidate bool
 	var authed bool
 	var err error
 	for provName, prov := range a.Providers {
@@ -94,19 +102,34 @@ func (a Authentication) ServeHTTP(w http.ResponseWriter, r *http.Request, next c
 		if authed {
 			break
 		}
+		if userHasInfo(user) {
+			candidate = user
+			hasCandidate = true
+		}
 	}
 	if !authed {
+		if hasCandidate {
+			setAuthUserPlaceholders(repl, "http.auth.candidate", candidate)
+		}
 		return caddyhttp.Error(http.StatusUnauthorized, fmt.Errorf("not authenticated"))
 	}

-	repl.Set("http.auth.user.id", user.ID)
-	for k, v := range user.Metadata {
-		repl.Set("http.auth.user."+k, v)
-	}
+	setAuthUserPlaceholders(repl, "http.auth.user", user)

 	return next.ServeHTTP(w, r)
 }

+func userHasInfo(user User) bool {
+	return user.ID != "" || len(user.Metadata) > 0
+}
+
+func setAuthUserPlaceholders(repl *caddy.Replacer, namespace string, user User) {
+	repl.Set(namespace+".id", user.ID)
+	for k, v := range user.Metadata {
+		repl.Set(namespace+"."+k, v)
+	}
+}
+
 // Authenticator is a type which can authenticate a request.
 // If a request was not authenticated, it returns false. An
 // error is only returned if authenticating the request fails
@@ -0,0 +1,197 @@
+// Copyright 2015 Matthew Holt and The Caddy Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package caddyauth
+
+import (
+	"context"
+	"errors"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"go.uber.org/zap"
+
+	"github.com/caddyserver/caddy/v2"
+	"github.com/caddyserver/caddy/v2/modules/caddyhttp"
+)
+
+func TestAuthenticationRejectedUserSetsCandidatePlaceholders(t *testing.T) {
+	auth := Authentication{
+		Providers: map[string]Authenticator{
+			"test": staticAuthenticator{
+				user: User{
+					ID: "alice",
+					Metadata: map[string]string{
+						"role": "admin",
+					},
+				},
+			},
+		},
+		logger: zap.NewNop(),
+	}
+	req, repl := newRequestWithReplacer()
+	nextCalled := false
+
+	err := auth.ServeHTTP(httptest.NewRecorder(), req, caddyhttp.HandlerFunc(func(http.ResponseWriter, *http.Request) error {
+		nextCalled = true
+		return nil
+	}))
+	if err == nil {
+		t.Fatal("expected authentication error")
+	}
+	var handlerErr caddyhttp.HandlerError
+	if !errors.As(err, &handlerErr) {
+		t.Fatalf("expected HandlerError, got %T", err)
+	}
+	if handlerErr.StatusCode != http.StatusUnauthorized {
+		t.Fatalf("expected status %d, got %d", http.StatusUnauthorized, handlerErr.StatusCode)
+	}
+	if nextCalled {
+		t.Fatal("next handler was called for rejected authentication")
+	}
+
+	assertPlaceholder(t, repl, "http.auth.candidate.id", "alice")
+	assertPlaceholder(t, repl, "http.auth.candidate.role", "admin")
+	assertPlaceholderAbsent(t, repl, "http.auth.user.id")
+	assertPlaceholderAbsent(t, repl, "http.auth.user.role")
+}
+
+func TestAuthenticationSuccessfulUserSetsUserPlaceholdersOnly(t *testing.T) {
+	auth := Authentication{
+		Providers: map[string]Authenticator{
+			"test": staticAuthenticator{
+				user: User{
+					ID: "alice",
+					Metadata: map[string]string{
+						"role": "admin",
+					},
+				},
+				authed: true,
+			},
+		},
+		logger: zap.NewNop(),
+	}
+	req, repl := newRequestWithReplacer()
+	nextCalled := false
+
+	err := auth.ServeHTTP(httptest.NewRecorder(), req, caddyhttp.HandlerFunc(func(http.ResponseWriter, *http.Request) error {
+		nextCalled = true
+		return nil
+	}))
+	if err != nil {
+		t.Fatalf("expected no authentication error, got %v", err)
+	}
+	if !nextCalled {
+		t.Fatal("next handler was not called for successful authentication")
+	}
+
+	assertPlaceholder(t, repl, "http.auth.user.id", "alice")
+	assertPlaceholder(t, repl, "http.auth.user.role", "admin")
+	assertPlaceholderAbsent(t, repl, "http.auth.candidate.id")
+	assertPlaceholderAbsent(t, repl, "http.auth.candidate.role")
+}
+
+func TestAuthenticationSuccessfulProviderDoesNotExposeEarlierCandidate(t *testing.T) {
+	auth := Authentication{
+		Providers: map[string]Authenticator{
+			"first": staticAuthenticator{
+				user: User{
+					ID: "rejected",
+					Metadata: map[string]string{
+						"role": "guest",
+					},
+				},
+			},
+			"second": staticAuthenticator{
+				user: User{
+					ID: "accepted",
+					Metadata: map[string]string{
+						"role": "admin",
+					},
+				},
+				authed: true,
+			},
+		},
+		logger: zap.NewNop(),
+	}
+	req, repl := newRequestWithReplacer()
+
+	err := auth.ServeHTTP(httptest.NewRecorder(), req, caddyhttp.HandlerFunc(func(http.ResponseWriter, *http.Request) error {
+		return nil
+	}))
+	if err != nil {
+		t.Fatalf("expected no authentication error, got %v", err)
+	}
+
+	assertPlaceholder(t, repl, "http.auth.user.id", "accepted")
+	assertPlaceholder(t, repl, "http.auth.user.role", "admin")
+	assertPlaceholderAbsent(t, repl, "http.auth.candidate.id")
+	assertPlaceholderAbsent(t, repl, "http.auth.candidate.role")
+}
+
+func TestAuthenticationRejectedEmptyUserDoesNotSetCandidatePlaceholders(t *testing.T) {
+	auth := Authentication{
+		Providers: map[string]Authenticator{
+			"test": staticAuthenticator{},
+		},
+		logger: zap.NewNop(),
+	}
+	req, repl := newRequestWithReplacer()
+
+	err := auth.ServeHTTP(httptest.NewRecorder(), req, caddyhttp.HandlerFunc(func(http.ResponseWriter, *http.Request) error {
+		t.Fatal("next handler was called for rejected authentication")
+		return nil
+	}))
+	if err == nil {
+		t.Fatal("expected authentication error")
+	}
+
+	assertPlaceholderAbsent(t, repl, "http.auth.candidate.id")
+}
+
+func newRequestWithReplacer() (*http.Request, *caddy.Replacer) {
+	req := httptest.NewRequest(http.MethodGet, "/", nil)
+	repl := caddy.NewReplacer()
+	ctx := context.WithValue(req.Context(), caddy.ReplacerCtxKey, repl)
+	return req.WithContext(ctx), repl
+}
+
+func assertPlaceholder(t *testing.T, repl *caddy.Replacer, key, expected string) {
+	t.Helper()
+	actual, ok := repl.GetString(key)
+	if !ok {
+		t.Fatalf("expected placeholder %q to be set", key)
+	}
+	if actual != expected {
+		t.Fatalf("expected placeholder %q to be %q, got %q", key, expected, actual)
+	}
+}
+
+func assertPlaceholderAbsent(t *testing.T, repl *caddy.Replacer, key string) {
+	t.Helper()
+	if actual, ok := repl.GetString(key); ok {
+		t.Fatalf("expected placeholder %q to be absent, got %q", key, actual)
+	}
+}
+
+type staticAuthenticator struct {
+	user   User
+	authed bool
+	err    error
+}
+
+func (a staticAuthenticator) Authenticate(http.ResponseWriter, *http.Request) (User, bool, error) {
+	return a.user, a.authed, a.err
+}
@@ -108,7 +108,7 @@ func (m *MatchExpression) UnmarshalJSON(data []byte) error {
 		return json.Unmarshal(data, &m.Expr)
 	}
 	// otherwise, it's a full object, so unmarshal it,
-	// using an temp map to avoid infinite recursion
+	// using a temp map to avoid infinite recursion
 	var tmpJson map[string]any
 	err := json.Unmarshal(data, &tmpJson)
 	*m = MatchExpression{
@@ -118,7 +118,7 @@ func (m *MatchExpression) UnmarshalJSON(data []byte) error {
 	return err
 }

-// Provision sets ups m.
+// Provision sets up m.
 func (m *MatchExpression) Provision(ctx caddy.Context) error {
 	m.log = ctx.Logger()

@@ -319,7 +319,7 @@ func (cr celHTTPRequest) Value() any  { return cr }

 var pkixNameCELType = cel.ObjectType("pkix.Name", traits.ReceiverType)

-// celPkixName wraps an pkix.Name with
+// celPkixName wraps a pkix.Name with
 // methods to satisfy the ref.Val interface.
 type celPkixName struct{ *pkix.Name }

@@ -79,7 +79,7 @@ eqp31wM9il1n+guTNyxJd+FzVAH+hCZE5K+tCgVDdVFUlDEHHbS/wqb2PSIoouLV
 			wantResult: true,
 		},
 		{
-			name: "header matches an placeholder replaced during the header matcher (MatchHeader)",
+			name: "header matches a placeholder replaced during the header matcher (MatchHeader)",
 			expression: &MatchExpression{
 				Expr: `header({'Field': '\{http.request.uri.path}'})`,
 			},
@@ -162,7 +162,7 @@ func (enc *Encode) ServeHTTP(w http.ResponseWriter, r *http.Request, next caddyh

 			// to comply with RFC 9110 section 8.8.3(.3), we modify the Etag when encoding
 			// by appending a hyphen and the encoder name; the problem is, the client will
-			// send back that Etag in a If-None-Match header, but upstream handlers that set
+			// send back that Etag in an If-None-Match header, but upstream handlers that set
 			// the Etag in the first place don't know that we appended to their Etag! so here
 			// we have to strip our addition so the upstream handlers can still honor client
 			// caches without knowing about our changes...
@@ -369,7 +369,7 @@ const sniffLen = 512

 // ReadFrom will try to use sendfile to copy from the reader to the response writer.
 // It's only used if the response writer implements io.ReaderFrom and the data can't be compressed.
-// It's based on stdlin http1.1 response writer implementation.
+// It's based on the standard library HTTP/1.1 response writer implementation.
 // https://github.com/golang/go/blob/f4e3ec3dbe3b8e04a058d266adf8e048bab563f2/src/net/http/server.go#L586
 func (rw *responseWriter) ReadFrom(r io.Reader) (int64, error) {
 	rf, ok := rw.ResponseWriter.(io.ReaderFrom)
@@ -85,11 +85,8 @@ func (e HandlerError) Unwrap() error { return e.Err }
 // randString returns a string of n random characters.
 // It is not even remotely secure OR a proper distribution.
 // But it's good enough for some things. It excludes certain
-// confusing characters like I, l, 1, 0, O. If sameCase
-// is true, then uppercase letters are excluded as well as
-// the characters l and o. If sameCase is false, both uppercase
-// and lowercase letters are used, and the characters I, l, 1, 0, O
-// are excluded.
+// confusing characters like I, l, 1, 0, O, etc. If sameCase
+// is true, then uppercase letters are excluded.
 func randString(n int, sameCase bool) string {
 	if n <= 0 {
 		return ""
@@ -1,168 +0,0 @@
-package caddyhttp
-
-import (
-	"errors"
-	"fmt"
-	"strings"
-	"testing"
-)
-
-func TestHandlerErrorError(t *testing.T) {
-	tests := []struct {
-		name     string
-		err      HandlerError
-		contains []string
-	}{
-		{
-			name: "full error",
-			err: HandlerError{
-				ID:         "abc123",
-				StatusCode: 404,
-				Err:        fmt.Errorf("not found"),
-				Trace:      "pkg.Func (file.go:10)",
-			},
-			contains: []string{"abc123", "404", "not found", "pkg.Func"},
-		},
-		{
-			name:     "empty error",
-			err:      HandlerError{},
-			contains: []string{},
-		},
-		{
-			name: "error with only status code",
-			err: HandlerError{
-				StatusCode: 500,
-			},
-			contains: []string{"500"},
-		},
-		{
-			name: "error with only message",
-			err: HandlerError{
-				Err: fmt.Errorf("something broke"),
-			},
-			contains: []string{"something broke"},
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			result := tt.err.Error()
-			for _, needle := range tt.contains {
-				if !strings.Contains(result, needle) {
-					t.Errorf("Error() = %q, should contain %q", result, needle)
-				}
-			}
-		})
-	}
-}
-
-func TestHandlerErrorUnwrap(t *testing.T) {
-	originalErr := fmt.Errorf("original error")
-	he := HandlerError{Err: originalErr}
-
-	unwrapped := he.Unwrap()
-	if unwrapped != originalErr {
-		t.Errorf("Unwrap() = %v, want %v", unwrapped, originalErr)
-	}
-}
-
-func TestError(t *testing.T) {
-	t.Run("creates error with ID and trace", func(t *testing.T) {
-		err := fmt.Errorf("test error")
-		he := Error(500, err)
-
-		if he.StatusCode != 500 {
-			t.Errorf("StatusCode = %d, want 500", he.StatusCode)
-		}
-		if he.ID == "" {
-			t.Error("ID should not be empty")
-		}
-		if len(he.ID) != 9 {
-			t.Errorf("ID length = %d, want 9", len(he.ID))
-		}
-		if he.Trace == "" {
-			t.Error("Trace should not be empty")
-		}
-		if he.Err != err {
-			t.Error("Err should be the original error")
-		}
-	})
-
-	t.Run("unwraps existing HandlerError", func(t *testing.T) {
-		inner := HandlerError{
-			ID:         "existing_id",
-			StatusCode: 404,
-			Err:        fmt.Errorf("not found"),
-			Trace:      "existing trace",
-		}
-
-		he := Error(500, inner)
-
-		// Should keep existing ID
-		if he.ID != "existing_id" {
-			t.Errorf("ID = %q, want 'existing_id'", he.ID)
-		}
-		// Should keep existing StatusCode
-		if he.StatusCode != 404 {
-			t.Errorf("StatusCode = %d, want 404 (existing)", he.StatusCode)
-		}
-		// Should keep existing Trace
-		if he.Trace != "existing trace" {
-			t.Errorf("Trace = %q, want 'existing trace'", he.Trace)
-		}
-	})
-
-	t.Run("fills missing fields in existing HandlerError", func(t *testing.T) {
-		inner := HandlerError{
-			Err: fmt.Errorf("inner error"),
-			// ID, StatusCode, and Trace are all empty
-		}
-
-		he := Error(503, inner)
-
-		if he.ID == "" {
-			t.Error("should fill missing ID")
-		}
-		if he.StatusCode != 503 {
-			t.Errorf("should fill missing StatusCode with %d, got %d", 503, he.StatusCode)
-		}
-		if he.Trace == "" {
-			t.Error("should fill missing Trace")
-		}
-	})
-
-	t.Run("generates unique IDs", func(t *testing.T) {
-		ids := make(map[string]struct{})
-		for i := 0; i < 100; i++ {
-			he := Error(500, fmt.Errorf("error %d", i))
-			if _, exists := ids[he.ID]; exists {
-				t.Errorf("duplicate ID generated: %s", he.ID)
-			}
-			ids[he.ID] = struct{}{}
-		}
-	})
-}
-
-func TestErrorAsHandlerError(t *testing.T) {
-	he := Error(404, fmt.Errorf("not found"))
-	var target HandlerError
-	if !errors.As(he, &target) {
-		t.Error("Error() result should be assertable as HandlerError via errors.As")
-	}
-}
-
-func TestHandlerErrorWithWrappedError(t *testing.T) {
-	// Test that errors.As can unwrap a wrapped HandlerError
-	inner := HandlerError{
-		ID:         "inner",
-		StatusCode: 404,
-		Err:        fmt.Errorf("inner error"),
-	}
-	wrapped := fmt.Errorf("wrapped: %w", inner)
-
-	he := Error(500, wrapped)
-	// Since wrapped contains a HandlerError, it should be unwrapped
-	if he.ID != "inner" {
-		t.Errorf("should unwrap to inner ID 'inner', got %q", he.ID)
-	}
-}
@@ -1,279 +0,0 @@
-// Copyright 2015 Matthew Holt and The Caddy Authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package caddyhttp
-
-import (
-	"strings"
-	"testing"
-	"unicode"
-)
-
-func TestRandString(t *testing.T) {
-	tests := []struct {
-		name      string
-		length    int
-		sameCase  bool
-		wantLen   int
-		checkCase func(string) bool
-	}{
-		{
-			name:     "zero length",
-			length:   0,
-			sameCase: false,
-			wantLen:  0,
-			checkCase: func(s string) bool {
-				return s == ""
-			},
-		},
-		{
-			name:     "negative length",
-			length:   -5,
-			sameCase: false,
-			wantLen:  0,
-			checkCase: func(s string) bool {
-				return s == ""
-			},
-		},
-		{
-			name:     "single character mixed case",
-			length:   1,
-			sameCase: false,
-			wantLen:  1,
-			checkCase: func(s string) bool {
-				// Should be alphanumeric
-				return len(s) == 1 && (unicode.IsLetter(rune(s[0])) || unicode.IsDigit(rune(s[0])))
-			},
-		},
-		{
-			name:     "single character same case",
-			length:   1,
-			sameCase: true,
-			wantLen:  1,
-			checkCase: func(s string) bool {
-				// Should be lowercase or digit
-				return len(s) == 1 && (unicode.IsLower(rune(s[0])) || unicode.IsDigit(rune(s[0])))
-			},
-		},
-		{
-			name:     "short string mixed case",
-			length:   5,
-			sameCase: false,
-			wantLen:  5,
-			checkCase: func(s string) bool {
-				// All characters should be alphanumeric
-				for _, c := range s {
-					if !unicode.IsLetter(c) && !unicode.IsDigit(c) {
-						return false
-					}
-				}
-				return true
-			},
-		},
-		{
-			name:     "short string same case",
-			length:   5,
-			sameCase: true,
-			wantLen:  5,
-			checkCase: func(s string) bool {
-				// All characters should be lowercase or digits
-				for _, c := range s {
-					if unicode.IsUpper(c) {
-						return false
-					}
-					if !unicode.IsLetter(c) && !unicode.IsDigit(c) {
-						return false
-					}
-				}
-				return true
-			},
-		},
-		{
-			name:     "medium string mixed case",
-			length:   20,
-			sameCase: false,
-			wantLen:  20,
-			checkCase: func(s string) bool {
-				for _, c := range s {
-					if !unicode.IsLetter(c) && !unicode.IsDigit(c) {
-						return false
-					}
-				}
-				return true
-			},
-		},
-		{
-			name:     "long string same case",
-			length:   100,
-			sameCase: true,
-			wantLen:  100,
-			checkCase: func(s string) bool {
-				for _, c := range s {
-					if unicode.IsUpper(c) {
-						return false
-					}
-				}
-				return true
-			},
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			result := randString(tt.length, tt.sameCase)
-
-			// Check length
-			if len(result) != tt.wantLen {
-				t.Errorf("randString(%d, %v) length = %d, want %d",
-					tt.length, tt.sameCase, len(result), tt.wantLen)
-			}
-
-			// Check case requirements
-			if !tt.checkCase(result) {
-				t.Errorf("randString(%d, %v) = %q failed case check",
-					tt.length, tt.sameCase, result)
-			}
-		})
-	}
-}
-
-// TestRandString_NoConfusingChars ensures that confusing characters
-// like I, l, 1, 0, O are excluded from the generated strings
-func TestRandString_NoConfusingChars(t *testing.T) {
-	tests := []struct {
-		name     string
-		sameCase bool
-		excluded []rune
-	}{
-		{
-			name:     "mixed case excludes I,l,1,0,O",
-			sameCase: false,
-			excluded: []rune{'I', 'l', '1', '0', 'O'},
-		},
-		{
-			name:     "same case excludes l,0",
-			sameCase: true,
-			excluded: []rune{'l', 'o'},
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			// Generate multiple strings to increase confidence
-			for i := 0; i < 100; i++ {
-				result := randString(50, tt.sameCase)
-
-				for _, char := range tt.excluded {
-					if strings.ContainsRune(result, char) {
-						t.Errorf("randString(50, %v) contains excluded character %q in %q",
-							tt.sameCase, char, result)
-					}
-				}
-			}
-		})
-	}
-}
-
-// TestRandString_Uniqueness verifies that consecutive calls produce
-// different strings (with high probability)
-func TestRandString_Uniqueness(t *testing.T) {
-	const iterations = 100
-	const length = 16
-
-	tests := []struct {
-		name     string
-		sameCase bool
-	}{
-		{"mixed case", false},
-		{"same case", true},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			seen := make(map[string]bool)
-			duplicates := 0
-
-			for i := 0; i < iterations; i++ {
-				result := randString(length, tt.sameCase)
-				if seen[result] {
-					duplicates++
-				}
-				seen[result] = true
-			}
-
-			// With a 16-character string from a large alphabet, duplicates should be extremely rare
-			// Allow at most 1 duplicate in 100 iterations
-			if duplicates > 1 {
-				t.Errorf("randString(%d, %v) produced %d duplicates in %d iterations (expected ≤1)",
-					length, tt.sameCase, duplicates, iterations)
-			}
-		})
-	}
-}
-
-// TestRandString_CharacterDistribution checks that the generated strings
-// contain a reasonable mix of characters (not just one character)
-func TestRandString_CharacterDistribution(t *testing.T) {
-	const length = 1000
-	const minUniqueChars = 15 // Should have at least 15 different characters in 1000 chars
-
-	tests := []struct {
-		name     string
-		sameCase bool
-	}{
-		{"mixed case", false},
-		{"same case", true},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			result := randString(length, tt.sameCase)
-
-			uniqueChars := make(map[rune]bool)
-			for _, c := range result {
-				uniqueChars[c] = true
-			}
-
-			if len(uniqueChars) < minUniqueChars {
-				t.Errorf("randString(%d, %v) produced only %d unique characters (expected ≥%d)",
-					length, tt.sameCase, len(uniqueChars), minUniqueChars)
-			}
-		})
-	}
-}
-
-// BenchmarkRandString measures the performance of random string generation
-func BenchmarkRandString(b *testing.B) {
-	benchmarks := []struct {
-		name     string
-		length   int
-		sameCase bool
-	}{
-		{"short_mixed", 8, false},
-		{"short_same", 8, true},
-		{"medium_mixed", 32, false},
-		{"medium_same", 32, true},
-		{"long_mixed", 128, false},
-		{"long_same", 128, true},
-	}
-
-	for _, bm := range benchmarks {
-		b.Run(bm.name, func(b *testing.B) {
-			b.ReportAllocs()
-			for i := 0; i < b.N; i++ {
-				_ = randString(bm.length, bm.sameCase)
-			}
-		})
-	}
-}
@@ -29,6 +29,7 @@ import (
 	"runtime"
 	"strconv"
 	"strings"
+	"time"

 	"go.uber.org/zap"
 	"go.uber.org/zap/zapcore"
@@ -123,7 +124,7 @@ type FileServer struct {
 	// put "hidden" in the list. To hide only ./hidden, put "./hidden" in the list.
 	//
 	// When possible, all paths are resolved to their absolute form before
-	// comparisons are made. For maximum clarity and explictness, use complete,
+	// comparisons are made. For maximum clarity and explicitness, use complete,
 	// absolute paths; or, for greater portability, use relative paths instead.
 	//
 	// Note that hide comparisons are case-sensitive. On case-insensitive
@@ -579,7 +580,17 @@ func (fsrv *FileServer) ServeHTTP(w http.ResponseWriter, r *http.Request, next c
 	// that errors generated by ServeContent are written immediately
 	// to the response, so we cannot handle them (but errors there
 	// are rare)
-	http.ServeContent(w, r, info.Name(), info.ModTime(), file.(io.ReadSeeker))
+	//
+	// There are a few file modification times that aren't useful
+	// to send in Last-Modified headers, but the golang http library only
+	// omits Last-Modified headers for the Unix epoch time. So, force
+	// the modification time to the epoch time if it's not useful.
+	zeroTime := time.Time{}
+	modTime := info.ModTime()
+	if !usefulModTime(modTime) {
+		modTime = zeroTime
+	}
+	http.ServeContent(w, r, info.Name(), modTime, file.(io.ReadSeeker))

 	return nil
 }
@@ -726,6 +737,14 @@ func (fsrv *FileServer) notFound(w http.ResponseWriter, r *http.Request, next ca
 	return caddyhttp.Error(http.StatusNotFound, nil)
 }

+// Indicates whether a file's modification time is useful for validator
+// generation purposes (i.e. inclusion in ETag and Last-Modified headers).
+// See issues #5548 and #7730.
+func usefulModTime(modTime time.Time) bool {
+	mtimeunix := modTime.Unix()
+	return mtimeunix != 0 && mtimeunix != 1
+}
+
 // calculateEtag computes an entity tag using a strong validator
 // without consuming the contents of the file. It requires the
 // file info contain the correct size and modification time.
@@ -743,8 +762,8 @@ func (fsrv *FileServer) notFound(w http.ResponseWriter, r *http.Request, next ca
 // which we consider precise enough to qualify as a strong validator.
 func calculateEtag(d os.FileInfo) string {
 	mtime := d.ModTime()
-	if mtimeUnix := mtime.Unix(); mtimeUnix == 0 || mtimeUnix == 1 {
-		return "" // not useful anyway; see issue #5548
+	if !usefulModTime(mtime) {
+		return ""
 	}
 	var sb strings.Builder
 	sb.WriteRune('"')
@@ -15,10 +15,17 @@
 package fileserver

 import (
+	"context"
+	"net/http"
+	"net/http/httptest"
+	"os"
 	"path/filepath"
 	"runtime"
 	"strings"
 	"testing"
+	"time"
+
+	"github.com/caddyserver/caddy/v2"
 )

 func TestFileHidden(t *testing.T) {
@@ -128,3 +135,52 @@ func TestFileHidden(t *testing.T) {
 		}
 	}
 }
+
+// Check to make sure that we don't serve ETag and Last-Modified headers
+// for files with invalid modification times
+func TestModTimeHeaders(t *testing.T) {
+	check_validator_headers(time.Now(), true, t)
+	check_validator_headers(time.Unix(0, 0), false, t)
+	check_validator_headers(time.Unix(1, 0), false, t)
+	check_validator_headers(time.Unix(2, 0), true, t)
+}
+
+func check_validator_headers(modTime time.Time, expect_headers bool, t *testing.T) {
+	f := false
+	fsrv := FileServer{
+		Root:          "./testdata",
+		CanonicalURIs: &f,
+	}
+	w := httptest.NewRecorder()
+	r, err := http.NewRequest("GET", "/modtime.txt", nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+	repl := caddy.NewReplacer()
+	ctx := context.WithValue(r.Context(), caddy.ReplacerCtxKey, repl)
+	r = r.WithContext(ctx)
+
+	ctx2, _ := caddy.NewContext(caddy.Context{Context: context.Background()}) // module will be nil by default
+	fsrv.Provision(ctx2)
+
+	path := "testdata/modtime.txt"
+	os.Chtimes(path, modTime, modTime)
+
+	fsrv.ServeHTTP(w, r, nil)
+
+	if expect_headers {
+		if w.Header().Get("ETag") == "" {
+			t.Errorf("Didn't get ETag header for file with valid mod time %s", modTime)
+		}
+		if w.Header().Get("Last-Modified") == "" {
+			t.Errorf("Didn't get Last-Modified header for file with valid mod time %s", modTime)
+		}
+	} else {
+		if w.Header().Get("ETag") != "" {
+			t.Errorf("Got ETag header for file with invalid mod time %s", modTime)
+		}
+		if w.Header().Get("Last-Modified") != "" {
+			t.Errorf("Got Last-Modified header for file with invalid mod time %s", modTime)
+		}
+	}
+}
@@ -15,7 +15,7 @@ type connectionStater interface {

 // http2Listener wraps the listener to solve the following problems:
 // 1. prevent genuine h2c connections from succeeding if h2c is not enabled
-// and the connection doesn't implment connectionStater or the resulting NegotiatedProtocol
+// and the connection doesn't implement connectionStater or the resulting NegotiatedProtocol
 // isn't http2.
 // This does allow a connection to pass as tls enabled even if it's not, listener wrappers
 // can do this.
@@ -101,7 +101,7 @@ type httpRedirectConn struct {

 // Read tries to peek at the first few bytes of the request, and if we get
 // an error reading the headers, and that error was due to the bytes looking
-// like an HTTP request, then we perform a HTTP->HTTPS redirect on the same
+// like an HTTP request, then we perform an HTTP->HTTPS redirect on the same
 // port as the original connection.
 func (c *httpRedirectConn) Read(p []byte) (int, error) {
 	if c.once {
@@ -1,201 +0,0 @@
-package caddyhttp
-
-import (
-	"net/netip"
-	"testing"
-)
-
-func TestCIDRExpressionToPrefix(t *testing.T) {
-	tests := []struct {
-		name    string
-		expr    string
-		want    netip.Prefix
-		wantErr bool
-	}{
-		{
-			name: "valid CIDR IPv4",
-			expr: "192.168.0.0/16",
-			want: netip.MustParsePrefix("192.168.0.0/16"),
-		},
-		{
-			name: "valid CIDR IPv6",
-			expr: "fd00::/8",
-			want: netip.MustParsePrefix("fd00::/8"),
-		},
-		{
-			name: "single IPv4 becomes /32",
-			expr: "192.168.1.1",
-			want: netip.MustParsePrefix("192.168.1.1/32"),
-		},
-		{
-			name: "single IPv6 becomes /128",
-			expr: "::1",
-			want: netip.MustParsePrefix("::1/128"),
-		},
-		{
-			name: "loopback IPv4",
-			expr: "127.0.0.1",
-			want: netip.MustParsePrefix("127.0.0.1/32"),
-		},
-		{
-			name: "full IPv6 address",
-			expr: "2001:db8::1",
-			want: netip.MustParsePrefix("2001:db8::1/128"),
-		},
-		{
-			name:    "invalid CIDR",
-			expr:    "192.168.0.0/33",
-			wantErr: true,
-		},
-		{
-			name:    "invalid IP",
-			expr:    "not-an-ip",
-			wantErr: true,
-		},
-		{
-			name:    "empty string",
-			expr:    "",
-			wantErr: true,
-		},
-		{
-			name:    "CIDR with invalid IP",
-			expr:    "999.999.999.999/24",
-			wantErr: true,
-		},
-		{
-			name: "CIDR /0 matches everything",
-			expr: "0.0.0.0/0",
-			want: netip.MustParsePrefix("0.0.0.0/0"),
-		},
-		{
-			name: "CIDR /32 single host",
-			expr: "10.0.0.1/32",
-			want: netip.MustParsePrefix("10.0.0.1/32"),
-		},
-		{
-			name:    "malformed CIDR with extra slash",
-			expr:    "10.0.0.0/8/16",
-			wantErr: true,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			got, err := CIDRExpressionToPrefix(tt.expr)
-			if (err != nil) != tt.wantErr {
-				t.Errorf("CIDRExpressionToPrefix(%q) error = %v, wantErr %v", tt.expr, err, tt.wantErr)
-				return
-			}
-			if !tt.wantErr && got != tt.want {
-				t.Errorf("CIDRExpressionToPrefix(%q) = %v, want %v", tt.expr, got, tt.want)
-			}
-		})
-	}
-}
-
-func TestStaticIPRangeProvision(t *testing.T) {
-	tests := []struct {
-		name    string
-		ranges  []string
-		wantLen int
-		wantErr bool
-	}{
-		{
-			name:    "valid CIDR ranges",
-			ranges:  []string{"192.168.0.0/16", "10.0.0.0/8"},
-			wantLen: 2,
-		},
-		{
-			name:    "single IPs",
-			ranges:  []string{"192.168.1.1", "10.0.0.1"},
-			wantLen: 2,
-		},
-		{
-			name:    "mixed CIDR and single IP",
-			ranges:  []string{"192.168.0.0/16", "10.0.0.1"},
-			wantLen: 2,
-		},
-		{
-			name:    "invalid range",
-			ranges:  []string{"not-valid"},
-			wantErr: true,
-		},
-		{
-			name:    "empty ranges",
-			ranges:  []string{},
-			wantLen: 0,
-		},
-		{
-			name:    "nil ranges",
-			ranges:  nil,
-			wantLen: 0,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			s := &StaticIPRange{Ranges: tt.ranges}
-			// We can't easily create a caddy.Context here without full module setup,
-			// but Provision only uses the ranges field, so we test the logic directly.
-			// The Provision method calls CIDRExpressionToPrefix which we test separately.
-			var parsedCount int
-			var gotErr bool
-			for _, r := range s.Ranges {
-				_, err := CIDRExpressionToPrefix(r)
-				if err != nil {
-					gotErr = true
-					break
-				}
-				parsedCount++
-			}
-
-			if gotErr != tt.wantErr {
-				t.Errorf("provision error = %v, wantErr %v", gotErr, tt.wantErr)
-			}
-			if !tt.wantErr && parsedCount != tt.wantLen {
-				t.Errorf("parsed %d ranges, want %d", parsedCount, tt.wantLen)
-			}
-		})
-	}
-}
-
-func TestStaticIPRangeGetIPRanges(t *testing.T) {
-	s := &StaticIPRange{
-		ranges: []netip.Prefix{
-			netip.MustParsePrefix("192.168.0.0/16"),
-			netip.MustParsePrefix("10.0.0.0/8"),
-		},
-	}
-
-	result := s.GetIPRanges(nil) // request is unused
-	if len(result) != 2 {
-		t.Errorf("GetIPRanges() returned %d prefixes, want 2", len(result))
-	}
-}
-
-func TestStaticIPRangeCaddyModule(t *testing.T) {
-	s := StaticIPRange{}
-	info := s.CaddyModule()
-	if info.ID != "http.ip_sources.static" {
-		t.Errorf("CaddyModule().ID = %v, want 'http.ip_sources.static'", info.ID)
-	}
-	mod := info.New()
-	if mod == nil {
-		t.Error("New() should not return nil")
-	}
-}
-
-func TestPrivateRangesCIDRWrapper(t *testing.T) {
-	ranges := PrivateRangesCIDR()
-	if len(ranges) == 0 {
-		t.Error("PrivateRangesCIDR() should return non-empty list")
-	}
-
-	// Verify all ranges are valid CIDR or IP expressions
-	for _, r := range ranges {
-		_, err := CIDRExpressionToPrefix(r)
-		if err != nil {
-			t.Errorf("PrivateRangesCIDR() returned invalid range %q: %v", r, err)
-		}
-	}
-}
@@ -1,316 +0,0 @@
-package caddyhttp
-
-import (
-	"context"
-	"crypto/tls"
-	"net/http"
-	"strings"
-	"testing"
-	"time"
-
-	"go.uber.org/zap/zapcore"
-)
-
-func TestLoggableHTTPRequestMarshal(t *testing.T) {
-	req, _ := http.NewRequest("GET", "https://example.com/path?q=1", nil)
-	req.RemoteAddr = "192.168.1.1:12345"
-	req.Header.Set("User-Agent", "test-agent")
-	req.Header.Set("Accept", "text/html")
-
-	ctx := context.WithValue(req.Context(), VarsCtxKey, map[string]any{
-		ClientIPVarKey: "192.168.1.1",
-	})
-	req = req.WithContext(ctx)
-
-	lr := LoggableHTTPRequest{Request: req}
-
-	enc := zapcore.NewMapObjectEncoder()
-	err := lr.MarshalLogObject(enc)
-	if err != nil {
-		t.Fatalf("MarshalLogObject() error = %v", err)
-	}
-
-	if enc.Fields["remote_ip"] != "192.168.1.1" {
-		t.Errorf("remote_ip = %v, want '192.168.1.1'", enc.Fields["remote_ip"])
-	}
-	if enc.Fields["remote_port"] != "12345" {
-		t.Errorf("remote_port = %v, want '12345'", enc.Fields["remote_port"])
-	}
-	if enc.Fields["client_ip"] != "192.168.1.1" {
-		t.Errorf("client_ip = %v, want '192.168.1.1'", enc.Fields["client_ip"])
-	}
-	if enc.Fields["method"] != "GET" {
-		t.Errorf("method = %v, want 'GET'", enc.Fields["method"])
-	}
-	if enc.Fields["host"] != "example.com" {
-		t.Errorf("host = %v, want 'example.com'", enc.Fields["host"])
-	}
-}
-
-func TestLoggableHTTPRequestNoPort(t *testing.T) {
-	req, _ := http.NewRequest("GET", "http://example.com/", nil)
-	req.RemoteAddr = "192.168.1.1" // no port
-
-	ctx := context.WithValue(req.Context(), VarsCtxKey, map[string]any{})
-	req = req.WithContext(ctx)
-
-	lr := LoggableHTTPRequest{Request: req}
-
-	enc := zapcore.NewMapObjectEncoder()
-	err := lr.MarshalLogObject(enc)
-	if err != nil {
-		t.Fatalf("MarshalLogObject() error = %v", err)
-	}
-
-	if enc.Fields["remote_ip"] != "192.168.1.1" {
-		t.Errorf("remote_ip = %v, want '192.168.1.1'", enc.Fields["remote_ip"])
-	}
-	if enc.Fields["remote_port"] != "" {
-		t.Errorf("remote_port = %v, want empty string", enc.Fields["remote_port"])
-	}
-}
-
-func TestLoggableHTTPHeaderRedaction(t *testing.T) {
-	tests := []struct {
-		name                 string
-		header               http.Header
-		shouldLogCredentials bool
-		expectRedacted       []string
-	}{
-		{
-			name: "redacts sensitive headers",
-			header: http.Header{
-				"Cookie":              {"session=abc123"},
-				"Set-Cookie":          {"session=xyz"},
-				"Authorization":       {"Bearer token123"},
-				"Proxy-Authorization": {"Basic credentials"},
-				"User-Agent":          {"test-agent"},
-			},
-			shouldLogCredentials: false,
-			expectRedacted:       []string{"Cookie", "Set-Cookie", "Authorization", "Proxy-Authorization"},
-		},
-		{
-			name: "logs credentials when enabled",
-			header: http.Header{
-				"Cookie":        {"session=abc123"},
-				"Authorization": {"Bearer token123"},
-			},
-			shouldLogCredentials: true,
-			expectRedacted:       nil, // nothing should be redacted
-		},
-		{
-			name:                 "nil header",
-			header:               nil,
-			shouldLogCredentials: false,
-			expectRedacted:       nil,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			h := LoggableHTTPHeader{Header: tt.header, ShouldLogCredentials: tt.shouldLogCredentials}
-			enc := zapcore.NewMapObjectEncoder()
-			err := h.MarshalLogObject(enc)
-			if err != nil {
-				t.Fatalf("MarshalLogObject() error = %v", err)
-			}
-
-			if tt.header == nil {
-				return
-			}
-
-			for _, key := range tt.expectRedacted {
-				// The encoded value should be an array with ["REDACTED"]
-				if arr, ok := enc.Fields[key]; ok {
-					arrEnc, ok := arr.(zapcore.ArrayMarshaler)
-					if !ok {
-						continue
-					}
-					// Marshal the array to check its contents
-					testEnc := &testArrayEncoder{}
-					_ = arrEnc.MarshalLogArray(testEnc)
-					if len(testEnc.items) != 1 || testEnc.items[0] != "REDACTED" {
-						t.Errorf("header %q should be REDACTED, got %v", key, testEnc.items)
-					}
-				}
-			}
-
-			if tt.shouldLogCredentials && tt.header != nil {
-				for key, vals := range tt.header {
-					if arr, ok := enc.Fields[key]; ok {
-						arrEnc, ok := arr.(zapcore.ArrayMarshaler)
-						if !ok {
-							continue
-						}
-						testEnc := &testArrayEncoder{}
-						_ = arrEnc.MarshalLogArray(testEnc)
-						if len(testEnc.items) > 0 && testEnc.items[0] == "REDACTED" {
-							t.Errorf("header %q should NOT be redacted when credentials logging is enabled, original: %v", key, vals)
-						}
-					}
-				}
-			}
-		})
-	}
-}
-
-// testArrayEncoder is a simple array encoder for testing
-type testArrayEncoder struct {
-	items []string
-}
-
-func (e *testArrayEncoder) AppendString(s string)                      { e.items = append(e.items, s) }
-func (e *testArrayEncoder) AppendBool(bool)                            {}
-func (e *testArrayEncoder) AppendByteString([]byte)                    {}
-func (e *testArrayEncoder) AppendComplex128(complex128)                {}
-func (e *testArrayEncoder) AppendComplex64(complex64)                  {}
-func (e *testArrayEncoder) AppendFloat64(float64)                      {}
-func (e *testArrayEncoder) AppendFloat32(float32)                      {}
-func (e *testArrayEncoder) AppendInt(int)                              {}
-func (e *testArrayEncoder) AppendInt64(int64)                          {}
-func (e *testArrayEncoder) AppendInt32(int32)                          {}
-func (e *testArrayEncoder) AppendInt16(int16)                          {}
-func (e *testArrayEncoder) AppendInt8(int8)                            {}
-func (e *testArrayEncoder) AppendUint(uint)                            {}
-func (e *testArrayEncoder) AppendUint64(uint64)                        {}
-func (e *testArrayEncoder) AppendUint32(uint32)                        {}
-func (e *testArrayEncoder) AppendUint16(uint16)                        {}
-func (e *testArrayEncoder) AppendUint8(uint8)                          {}
-func (e *testArrayEncoder) AppendUintptr(uintptr)                      {}
-func (e *testArrayEncoder) AppendDuration(time.Duration)               {}
-func (e *testArrayEncoder) AppendTime(time.Time)                       {}
-func (e *testArrayEncoder) AppendArray(zapcore.ArrayMarshaler) error   { return nil }
-func (e *testArrayEncoder) AppendObject(zapcore.ObjectMarshaler) error { return nil }
-func (e *testArrayEncoder) AppendReflected(any) error                  { return nil }
-
-func TestLoggableStringArray(t *testing.T) {
-	tests := []struct {
-		name  string
-		input LoggableStringArray
-	}{
-		{
-			name:  "nil array",
-			input: nil,
-		},
-		{
-			name:  "empty array",
-			input: LoggableStringArray{},
-		},
-		{
-			name:  "single element",
-			input: LoggableStringArray{"hello"},
-		},
-		{
-			name:  "multiple elements",
-			input: LoggableStringArray{"a", "b", "c"},
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			enc := &testArrayEncoder{}
-			err := tt.input.MarshalLogArray(enc)
-			if err != nil {
-				t.Fatalf("MarshalLogArray() error = %v", err)
-			}
-			if tt.input != nil && len(enc.items) != len(tt.input) {
-				t.Errorf("expected %d items, got %d", len(tt.input), len(enc.items))
-			}
-		})
-	}
-}
-
-func TestLoggableTLSConnState(t *testing.T) {
-	t.Run("basic TLS state", func(t *testing.T) {
-		state := LoggableTLSConnState(tls.ConnectionState{
-			Version:            tls.VersionTLS13,
-			CipherSuite:        tls.TLS_AES_128_GCM_SHA256,
-			NegotiatedProtocol: "h2",
-			ServerName:         "example.com",
-		})
-
-		enc := zapcore.NewMapObjectEncoder()
-		err := state.MarshalLogObject(enc)
-		if err != nil {
-			t.Fatalf("MarshalLogObject() error = %v", err)
-		}
-
-		if enc.Fields["proto"] != "h2" {
-			t.Errorf("proto = %v, want 'h2'", enc.Fields["proto"])
-		}
-		if enc.Fields["server_name"] != "example.com" {
-			t.Errorf("server_name = %v, want 'example.com'", enc.Fields["server_name"])
-		}
-	})
-
-	t.Run("TLS state with peer certificates", func(t *testing.T) {
-		// Skipping detailed cert subject test since x509.Certificate creation
-		// for testing requires complex setup; covered by the no-peer-certs test
-		state := LoggableTLSConnState(tls.ConnectionState{
-			Version:     tls.VersionTLS12,
-			CipherSuite: tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-		})
-
-		enc := zapcore.NewMapObjectEncoder()
-		err := state.MarshalLogObject(enc)
-		if err != nil {
-			t.Fatalf("MarshalLogObject() error = %v", err)
-		}
-
-		if enc.Fields["version"] != uint16(tls.VersionTLS12) {
-			t.Errorf("version = %v, want TLS 1.2", enc.Fields["version"])
-		}
-	})
-
-	t.Run("TLS state without peer certificates", func(t *testing.T) {
-		state := LoggableTLSConnState(tls.ConnectionState{
-			Version: tls.VersionTLS12,
-		})
-
-		enc := zapcore.NewMapObjectEncoder()
-		err := state.MarshalLogObject(enc)
-		if err != nil {
-			t.Fatalf("MarshalLogObject() error = %v", err)
-		}
-
-		// Should not contain client cert fields when no peer certs
-		if _, ok := enc.Fields["client_common_name"]; ok {
-			t.Error("should not have client_common_name without peer certificates")
-		}
-	})
-}
-
-func TestLoggableHTTPHeaderCaseInsensitivity(t *testing.T) {
-	// HTTP headers should be case-insensitive for redaction
-	h := LoggableHTTPHeader{
-		Header: http.Header{
-			"AUTHORIZATION":       {"Bearer secret"},
-			"cookie":              {"session=abc"},
-			"Proxy-Authorization": {"Basic creds"},
-		},
-		ShouldLogCredentials: false,
-	}
-
-	enc := zapcore.NewMapObjectEncoder()
-	err := h.MarshalLogObject(enc)
-	if err != nil {
-		t.Fatalf("MarshalLogObject() error = %v", err)
-	}
-
-	// All sensitive headers should be redacted regardless of casing
-	// Note: http.Header canonicalizes keys, so "cookie" becomes "Cookie"
-	for key := range enc.Fields {
-		lk := strings.ToLower(key)
-		if lk == "cookie" || lk == "authorization" || lk == "proxy-authorization" {
-			arr, ok := enc.Fields[key].(zapcore.ArrayMarshaler)
-			if !ok {
-				continue
-			}
-			testEnc := &testArrayEncoder{}
-			_ = arr.MarshalLogArray(testEnc)
-			if len(testEnc.items) != 1 || testEnc.items[0] != "REDACTED" {
-				t.Errorf("header %q should be REDACTED, got %v", key, testEnc.items)
-			}
-		}
-	}
-}
@@ -435,12 +435,12 @@ func (m MatchPath) MatchWithError(r *http.Request) (bool, error) {
 	// can be used instead.
 	reqPath := strings.ToLower(r.URL.Path)

-	// See #2917; Windows ignores trailing dots and spaces
-	// when accessing files (sigh), potentially causing a
-	// security risk (cry) if PHP files end up being served
-	// as static files, exposing the source code, instead of
-	// being matched by *.php to be treated as PHP scripts.
 	if runtime.GOOS == "windows" { // issue #5613
+		// Windows treats backslashes as path separators and
+		// ignores trailing dots and spaces when accessing files
+		// (sigh), potentially causing a security risk (cry) if
+		// protected files are not matched as intended.
+		reqPath = strings.ReplaceAll(reqPath, `\`, "/")
 		reqPath = strings.TrimRight(reqPath, ". ")
 	}

@@ -478,7 +478,12 @@ func (m MatchPath) MatchWithError(r *http.Request) (bool, error) {
 		// the intent is to compare that part of the path in raw/escaped
 		// space; i.e. "%40"=="%40", not "@", and "%2F"=="%2F", not "/"
 		if strings.Contains(matchPattern, "%") {
-			reqPathForPattern := CleanPath(r.URL.EscapedPath(), mergeSlashes)
+			escapedPath := r.URL.EscapedPath()
+			if runtime.GOOS == "windows" {
+				escapedPath = windowsEscapedPathSeparatorRepl.Replace(escapedPath)
+				matchPattern = windowsEscapedPathSeparatorRepl.Replace(matchPattern)
+			}
+			reqPathForPattern := CleanPath(escapedPath, mergeSlashes)
 			if m.matchPatternWithEscapeSequence(reqPathForPattern, matchPattern) {
 				return true, nil
 			}
@@ -643,6 +648,14 @@ func (MatchPath) matchPatternWithEscapeSequence(escapedPath, matchPath string) b
 	return matches
 }

+// windowsEscapedPathSeparatorRepl normalizes Windows backslash separators
+// while preserving escaped-path matching semantics.
+var windowsEscapedPathSeparatorRepl = strings.NewReplacer(
+	`\`, "%2f",
+	"%5c", "%2f",
+	"%5C", "%2f",
+)
+
 // CELLibrary produces options that expose this matcher for use in CEL
 // expression matchers.
 //
@@ -461,18 +461,61 @@ func TestPathMatcherWindows(t *testing.T) {
 		return
 	}

-	req := &http.Request{URL: &url.URL{Path: "/index.php . . .."}}
 	repl := caddy.NewReplacer()
-	ctx := context.WithValue(req.Context(), caddy.ReplacerCtxKey, repl)
-	req = req.WithContext(ctx)

-	match := MatchPath{"*.php"}
-	matched, err := match.MatchWithError(req)
-	if err != nil {
-		t.Errorf("Expected no error, but got: %v", err)
-	}
-	if !matched {
-		t.Errorf("Expected to match; should ignore trailing dots and spaces")
+	for _, tc := range []struct {
+		name          string
+		path          string
+		requestTarget string
+		match         MatchPath
+	}{
+		{
+			name:  "trailing dots and spaces",
+			path:  "/index.php . . ..",
+			match: MatchPath{"*.php"},
+		},
+		{
+			name:          "encoded backslash path separator",
+			requestTarget: `/private%5csecret.txt`,
+			match:         MatchPath{"/private/*"},
+		},
+		{
+			name:          "encoded backslash path separator with escaped wildcard",
+			requestTarget: `/private%5csecret.txt`,
+			match:         MatchPath{"/private/%*"},
+		},
+		{
+			name:          "uppercase encoded backslash path separator with escaped wildcard",
+			requestTarget: `/private%5Csecret.txt`,
+			match:         MatchPath{"/private/%*"},
+		},
+		{
+			name:          "encoded backslash in escaped pattern",
+			requestTarget: `/private%5csecret.txt`,
+			match:         MatchPath{"/private%5c%*"},
+		},
+	} {
+		t.Run(tc.name, func(t *testing.T) {
+			u := &url.URL{Path: tc.path}
+			if tc.requestTarget != "" {
+				var err error
+				u, err = url.ParseRequestURI(tc.requestTarget)
+				if err != nil {
+					t.Fatalf("Parsing request target: %v", err)
+				}
+			}
+			req := &http.Request{URL: u}
+			ctx := context.WithValue(req.Context(), caddy.ReplacerCtxKey, repl)
+			req = req.WithContext(ctx)
+
+			matched, err := tc.match.MatchWithError(req)
+			if err != nil {
+				t.Errorf("Expected no error, but got: %v", err)
+			}
+			if !matched {
+				t.Errorf("Expected %q to match %v", req.URL.Path, tc.match)
+			}
+		})
 	}
 }

@@ -135,8 +135,8 @@ type client struct {
 	logger *zap.Logger
 }

-// Do made the request and returns a io.Reader that translates the data read
-// from fcgi responder out of fcgi packet before returning it.
+// Do makes the request and returns an io.Reader that translates the data read
+// from the FastCGI responder out of FastCGI packets before returning it.
 func (c *client) Do(p map[string]string, req io.Reader) (r io.Reader, err error) {
 	// check for CONTENT_LENGTH, since the lack of it or wrong value will cause the backend to hang
 	if clStr, ok := p["CONTENT_LENGTH"]; !ok {
@@ -179,7 +179,7 @@ func (c *client) Do(p map[string]string, req io.Reader) (r io.Reader, err error)
 	return r, err
 }

-// clientCloser is a io.ReadCloser. It wraps a io.Reader with a Closer
+// clientCloser is an io.ReadCloser. It wraps an io.Reader with a Closer
 // that closes the client connection.
 type clientCloser struct {
 	rwc net.Conn
@@ -208,8 +208,8 @@ func (f clientCloser) Close() error {
 	return f.rwc.Close()
 }

-// Request returns a HTTP Response with Header and Body
-// from fcgi responder
+// Request returns an HTTP response with header and body
+// from the FastCGI responder.
 func (c *client) Request(p map[string]string, req io.Reader) (resp *http.Response, err error) {
 	r, err := c.Do(p, req)
 	if err != nil {
@@ -522,7 +522,7 @@ func (h *Handler) doActiveHealthCheck(dialInfo DialInfo, hostAddr string, networ
 		body = io.LimitReader(body, h.HealthChecks.Active.MaxSize)
 	}
 	defer func() {
-		// drain any remaining body so connection could be re-used
+		// drain any remaining body so connection could be reused
 		_, _ = io.Copy(io.Discard, body)
 		resp.Body.Close()
 	}()
@@ -32,6 +32,7 @@ import (
 	"time"

 	"github.com/pires/go-proxyproto"
+	"github.com/quic-go/quic-go"
 	"github.com/quic-go/quic-go/http3"
 	"go.uber.org/zap"
 	"go.uber.org/zap/zapcore"
@@ -161,7 +162,8 @@ type HTTPTransport struct {
 	// `HTTPS_PROXY`, and `NO_PROXY` environment variables.
 	NetworkProxyRaw json.RawMessage `json:"network_proxy,omitempty" caddy:"namespace=caddy.network_proxy inline_key=from"`

-	h3Transport *http3.Transport // TODO: EXPERIMENTAL (May 2024)
+	h3Transport   *http3.Transport // TODO: EXPERIMENTAL (May 2024)
+	quicTransport *quic.Transport  // used by h3Transport if sni placeholder is used, otherwise nil
 }

 // CaddyModule returns the Caddy module information.
@@ -499,6 +501,25 @@ func (h *HTTPTransport) NewTransport(caddyCtx caddy.Context) (*http.Transport, e
 			if err != nil {
 				return nil, fmt.Errorf("making TLS client config for HTTP/3 transport: %v", err)
 			}
+
+			if strings.Contains(h.TLS.ServerName, "{") {
+				// copied from quic-go
+				udpConn, err := net.ListenUDP("udp", nil)
+				if err != nil {
+					return nil, fmt.Errorf("making udp socket for HTTP/3 transport: %v", err)
+				}
+				h.quicTransport = &quic.Transport{Conn: udpConn}
+				h.h3Transport.Dial = func(ctx context.Context, addr string, tlsCfg *tls.Config, cfg *quic.Config) (*quic.Conn, error) {
+					// tlsCfg is already cloned from h3Transport.TLSClientConfig
+					repl := ctx.Value(caddy.ReplacerCtxKey).(*caddy.Replacer)
+					tlsCfg.ServerName = repl.ReplaceAll(tlsCfg.ServerName, "")
+					udpAddr, err := resolveUDPAddr(ctx, "udp", addr)
+					if err != nil {
+						return nil, err
+					}
+					return h.quicTransport.DialEarly(ctx, udpAddr, tlsCfg, cfg)
+				}
+			}
 		}
 	} else if len(h.Versions) > 1 && slices.Contains(h.Versions, "3") {
 		return nil, fmt.Errorf("if HTTP/3 is enabled to the upstream, no other HTTP versions are supported")
@@ -525,6 +546,71 @@ func (h *HTTPTransport) NewTransport(caddyCtx caddy.Context) (*http.Transport, e
 	return rt, nil
 }

+// TODO: EXPERIMENTAL (May 2025)
+// copied from quic-go
+func resolveUDPAddr(ctx context.Context, network, addr string) (*net.UDPAddr, error) {
+	host, portStr, err := net.SplitHostPort(addr)
+	if err != nil {
+		return nil, err
+	}
+	port, err := net.LookupPort(network, portStr)
+	if err != nil {
+		return nil, err
+	}
+	resolver := net.DefaultResolver
+	ipAddrs, err := resolver.LookupIPAddr(ctx, host)
+	if err != nil {
+		return nil, err
+	}
+	addrs := addrList(ipAddrs)
+	ip := addrs.forResolve(network, addr)
+	return &net.UDPAddr{IP: ip.IP, Port: port, Zone: ip.Zone}, nil
+}
+
+// TODO: EXPERIMENTAL (May 2025)
+// copied from quic-go
+// An addrList represents a list of network endpoint addresses.
+// Copy from [net.addrList] and change type from [net.Addr] to [net.IPAddr]
+type addrList []net.IPAddr
+
+// isIPv4 reports whether addr contains an IPv4 address.
+func isIPv4(addr net.IPAddr) bool {
+	return addr.IP.To4() != nil
+}
+
+// isNotIPv4 reports whether addr does not contain an IPv4 address.
+func isNotIPv4(addr net.IPAddr) bool { return !isIPv4(addr) }
+
+// forResolve returns the most appropriate address in address for
+// a call to ResolveTCPAddr, ResolveUDPAddr, or ResolveIPAddr.
+// IPv4 is preferred, unless addr contains an IPv6 literal.
+func (addrs addrList) forResolve(network, addr string) net.IPAddr {
+	var want6 bool
+	switch network {
+	case "ip":
+		// IPv6 literal (addr does NOT contain a port)
+		want6 = strings.ContainsRune(addr, ':')
+	case "tcp", "udp":
+		// IPv6 literal. (addr contains a port, so look for '[')
+		want6 = strings.ContainsRune(addr, '[')
+	}
+	if want6 {
+		return addrs.first(isNotIPv4)
+	}
+	return addrs.first(isIPv4)
+}
+
+// first returns the first address which satisfies strategy, or if
+// none do, then the first address of any kind.
+func (addrs addrList) first(strategy func(net.IPAddr) bool) net.IPAddr {
+	for _, addr := range addrs {
+		if strategy(addr) {
+			return addr
+		}
+	}
+	return addrs[0]
+}
+
 // RequestHeaderOps implements TransportHeaderOpsProvider. It returns header
 // operations for requests when the transport's configuration indicates they
 // should be applied. In particular, when TLS is enabled for this transport,
@@ -623,6 +709,16 @@ func (h HTTPTransport) Cleanup() error {
 		return nil
 	}
 	h.Transport.CloseIdleConnections()
+	// h3 related cleanup, errors are ignored as nothing can be done.
+	// TODO: log these errors if any
+	if h.h3Transport != nil {
+		h.h3Transport.CloseIdleConnections()
+		_ = h.h3Transport.Close()
+		if h.quicTransport != nil {
+			_ = h.quicTransport.Close()
+			_ = h.quicTransport.Conn.Close()
+		}
+	}
 	return nil
 }

@@ -4,11 +4,14 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"net"
+	"net/url"
 	"reflect"
 	"testing"

 	"github.com/caddyserver/caddy/v2"
 	"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
+	"github.com/caddyserver/caddy/v2/modules/caddyhttp"
 )

 func TestHTTPTransportUnmarshalCaddyFileWithCaPools(t *testing.T) {
@@ -194,3 +197,85 @@ func TestHTTPTransport_DialTLSContext_ProxyProtocol(t *testing.T) {
 		})
 	}
 }
+
+// TestHTTPTransport_DialContext_DialInfoOverride is a regression test for
+// issue #6447: a `tcp4/`-prefixed upstream silently fell back to plain `tcp`
+// because dialContext only honored DialInfo for unix networks. PR #7300 widened
+// the condition so DialInfo is honored when no upstream HTTP proxy is in use,
+// and skipped (for non-unix networks) when one is. Both halves are pinned here.
+func TestHTTPTransport_DialContext_DialInfoOverride(t *testing.T) {
+	ctx, cancel := caddy.NewContext(caddy.Context{Context: context.Background()})
+	defer cancel()
+
+	ln, err := net.Listen("tcp4", "127.0.0.1:0")
+	if err != nil {
+		t.Fatalf("listen: %v", err)
+	}
+	t.Cleanup(func() { ln.Close() })
+	go func() {
+		for {
+			c, err := ln.Accept()
+			if err != nil {
+				return
+			}
+			c.Close()
+		}
+	}()
+
+	ht := &HTTPTransport{}
+	rt, err := ht.NewTransport(ctx)
+	if err != nil {
+		t.Fatalf("NewTransport: %v", err)
+	}
+
+	proxyURL, err := url.Parse("http://proxy.example:8080")
+	if err != nil {
+		t.Fatalf("parse proxy URL: %v", err)
+	}
+
+	tests := []struct {
+		name        string
+		proxy       bool
+		dialInfo    string
+		defaultAddr string
+	}{
+		{
+			// no proxy: DialInfo should be applied, so the dial lands on
+			// the live listener despite the bogus default address.
+			name:        "honors DialInfo when no proxy",
+			proxy:       false,
+			dialInfo:    ln.Addr().String(),
+			defaultAddr: "127.0.0.1:1",
+		},
+		{
+			// proxy active: DialInfo must NOT be applied for non-unix
+			// networks; the default address (the live listener) is used.
+			name:        "skips DialInfo when proxy active",
+			proxy:       true,
+			dialInfo:    "127.0.0.1:1",
+			defaultAddr: ln.Addr().String(),
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			dialCtx := context.WithValue(context.Background(), caddyhttp.VarsCtxKey, make(map[string]any))
+			caddyhttp.SetVar(dialCtx, dialInfoVarKey, DialInfo{
+				Network: "tcp4",
+				Address: tt.dialInfo,
+			})
+			if tt.proxy {
+				caddyhttp.SetVar(dialCtx, proxyVarKey, proxyURL)
+			}
+
+			conn, err := rt.DialContext(dialCtx, "tcp", tt.defaultAddr)
+			if err != nil {
+				t.Fatalf("DialContext: %v", err)
+			}
+			t.Cleanup(func() { conn.Close() })
+			if got := conn.RemoteAddr().String(); got != ln.Addr().String() {
+				t.Fatalf("conn.RemoteAddr() = %s, want %s", got, ln.Addr().String())
+			}
+		})
+	}
+}
@@ -449,6 +449,39 @@ func (h *Handler) Cleanup() error {
 	return err
 }

+// bodyNopCloserIfNotRead wraps a request body to prevent closing if not read, i.e., when
+// dialing to upstream fails.
+// It will close the body as normal if the body is read.
+type bodyNopCloserIfNotRead struct {
+	io.ReadCloser
+	read int // tracks the number of bytes read, -1 when first Read returns 0, io.EOF
+}
+
+func (b *bodyNopCloserIfNotRead) Read(p []byte) (int, error) {
+	if b.read == -1 {
+		return 0, io.EOF
+	}
+	n, err := b.ReadCloser.Read(p)
+	// first Read returns 0, io.EOF
+	if b.read == 0 && n == 0 && err == io.EOF {
+		b.read = -1
+	} else {
+		b.read += n
+	}
+	return n, err
+}
+
+func (b *bodyNopCloserIfNotRead) Close() error {
+	// don't close the body
+	if b.read == 0 {
+		return nil
+	}
+	// close as usual, when -1, any read will return EOF as the original read will do
+	// in other cases, the read will fail as body is closed because we do not want partial bodies to be sent to the upstream
+	// users can buffer the entire request body to allow the request to be resent
+	return b.ReadCloser.Close()
+}
+
 func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request, next caddyhttp.Handler) error {
 	repl := r.Context().Value(caddy.ReplacerCtxKey).(*caddy.Replacer)

@@ -510,7 +543,7 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request, next caddyht
 				bufPool.Put(bufferedReqBody)
 			}()
 		} else {
-			clonedReq.Body = io.NopCloser(clonedReq.Body)
+			clonedReq.Body = &bodyNopCloserIfNotRead{ReadCloser: clonedReq.Body}
 		}
 	}

@@ -568,7 +568,7 @@ func TestQueryHashPolicy(t *testing.T) {
 	pool[1].setHealthy(false)
 	h = queryPolicy.Select(pool, request, nil)
 	if h != nil {
-		t.Error("Expected query policy policy host to be nil.")
+		t.Error("Expected query policy host to be nil.")
 	}

 	request = httptest.NewRequest(http.MethodGet, "/?foo=aa11&foo=bb22", nil)
@@ -630,7 +630,7 @@ func TestURIHashPolicy(t *testing.T) {
 	pool[1].setHealthy(false)
 	h = uriPolicy.Select(pool, request, nil)
 	if h != nil {
-		t.Error("Expected uri policy policy host to be nil.")
+		t.Error("Expected uri policy host to be nil.")
 	}
 }

@@ -1,194 +0,0 @@
-// Copyright 2015 Matthew Holt and The Caddy Authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package rewrite
-
-import (
-	"testing"
-)
-
-func TestReverse(t *testing.T) {
-	tests := []struct {
-		name     string
-		input    string
-		expected string
-	}{
-		{
-			name:     "simple string",
-			input:    "hello",
-			expected: "olleh",
-		},
-		{
-			name:     "empty string",
-			input:    "",
-			expected: "",
-		},
-		{
-			name:     "single character",
-			input:    "a",
-			expected: "a",
-		},
-		{
-			name:     "two characters",
-			input:    "ab",
-			expected: "ba",
-		},
-		{
-			name:     "palindrome",
-			input:    "racecar",
-			expected: "racecar",
-		},
-		{
-			name:     "with spaces",
-			input:    "hello world",
-			expected: "dlrow olleh",
-		},
-		{
-			name:     "with numbers",
-			input:    "abc123",
-			expected: "321cba",
-		},
-		{
-			name:     "unicode characters",
-			input:    "hello世界",
-			expected: "界世olleh",
-		},
-		{
-			name:     "emoji",
-			input:    "🎉🎊🎈",
-			expected: "🎈🎊🎉",
-		},
-		{
-			name:     "mixed unicode and ascii",
-			input:    "café☕",
-			expected: "☕éfac",
-		},
-		{
-			name:     "special characters",
-			input:    "a!b@c#d$",
-			expected: "$d#c@b!a",
-		},
-		{
-			name:     "path-like string",
-			input:    "/path/to/file",
-			expected: "elif/ot/htap/",
-		},
-		{
-			name:     "url-like string",
-			input:    "https://example.com",
-			expected: "moc.elpmaxe//:sptth",
-		},
-		{
-			name:     "long string",
-			input:    "The quick brown fox jumps over the lazy dog",
-			expected: "god yzal eht revo spmuj xof nworb kciuq ehT",
-		},
-		{
-			name:     "newlines",
-			input:    "line1\nline2\nline3",
-			expected: "3enil\n2enil\n1enil",
-		},
-		{
-			name:     "tabs",
-			input:    "a\tb\tc",
-			expected: "c\tb\ta",
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			result := reverse(tt.input)
-			if result != tt.expected {
-				t.Errorf("reverse(%q) = %q; want %q", tt.input, result, tt.expected)
-			}
-
-			// Test that reversing twice gives the original string
-			if tt.input != "" {
-				doubleReverse := reverse(reverse(tt.input))
-				if doubleReverse != tt.input {
-					t.Errorf("reverse(reverse(%q)) = %q; want %q", tt.input, doubleReverse, tt.input)
-				}
-			}
-		})
-	}
-}
-
-func TestReverse_LengthPreservation(t *testing.T) {
-	// Test that reverse preserves string length
-	testStrings := []string{
-		"",
-		"a",
-		"ab",
-		"abc",
-		"hello world",
-		"🎉🎊🎈",
-		"café☕",
-		"The quick brown fox jumps over the lazy dog",
-	}
-
-	for _, s := range testStrings {
-		reversed := reverse(s)
-		if len([]rune(s)) != len([]rune(reversed)) {
-			t.Errorf("reverse(%q) changed length: original %d, reversed %d", s, len([]rune(s)), len([]rune(reversed)))
-		}
-	}
-}
-
-// BenchmarkReverse benchmarks the reverse function
-func BenchmarkReverse(b *testing.B) {
-	testCases := []struct {
-		name  string
-		input string
-	}{
-		{"empty", ""},
-		{"short", "hello"},
-		{"medium", "The quick brown fox jumps over the lazy dog"},
-		{"long", "Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua."},
-		{"unicode", "hello世界🎉"},
-	}
-
-	for _, tc := range testCases {
-		b.Run(tc.name, func(b *testing.B) {
-			for i := 0; i < b.N; i++ {
-				reverse(tc.input)
-			}
-		})
-	}
-}
-
-func TestReverse_EdgeCases(t *testing.T) {
-	tests := []struct {
-		name  string
-		input string
-	}{
-		{"null byte", "\x00"},
-		{"multiple null bytes", "\x00\x00\x00"},
-		{"control characters", "\t\n\r"},
-		{"high unicode", "𝕳𝖊𝖑𝖑𝖔"},
-		{"zero-width characters", "a\u200Bb\u200Cc"},
-		{"combining characters", "é"}, // e + combining acute
-		{"rtl text", "مرحبا"},
-		{"mixed rtl/ltr", "Hello مرحبا World"},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			result := reverse(tt.input)
-			// Just ensure it doesn't panic and returns something
-			if result == "" && tt.input != "" {
-				t.Errorf("reverse(%q) returned empty string", tt.input)
-			}
-		})
-	}
-}
@@ -1,197 +0,0 @@
-package caddyhttp
-
-import (
-	"context"
-	"errors"
-	"net/http"
-	"net/http/httptest"
-	"testing"
-
-	"github.com/caddyserver/caddy/v2"
-	"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
-)
-
-func TestStaticErrorCaddyModule(t *testing.T) {
-	se := StaticError{}
-	info := se.CaddyModule()
-	if info.ID != "http.handlers.error" {
-		t.Errorf("CaddyModule().ID = %q, want 'http.handlers.error'", info.ID)
-	}
-}
-
-func TestStaticErrorServeHTTP(t *testing.T) {
-	tests := []struct {
-		name           string
-		staticErr      StaticError
-		wantStatusCode int
-		wantMessage    string
-	}{
-		{
-			name:           "default status code 500",
-			staticErr:      StaticError{},
-			wantStatusCode: 500,
-		},
-		{
-			name:           "custom status code",
-			staticErr:      StaticError{StatusCode: "404"},
-			wantStatusCode: 404,
-		},
-		{
-			name:           "custom error message",
-			staticErr:      StaticError{Error: "custom error", StatusCode: "503"},
-			wantStatusCode: 503,
-			wantMessage:    "custom error",
-		},
-		{
-			name:           "status code only",
-			staticErr:      StaticError{StatusCode: "403"},
-			wantStatusCode: 403,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			repl := caddy.NewReplacer()
-			ctx := context.WithValue(context.Background(), caddy.ReplacerCtxKey, repl)
-
-			req, _ := http.NewRequest("GET", "http://example.com/", nil)
-			req = req.WithContext(ctx)
-			w := httptest.NewRecorder()
-
-			err := tt.staticErr.ServeHTTP(w, req, nil)
-			if err == nil {
-				t.Fatal("ServeHTTP() should return an error")
-			}
-
-			var he HandlerError
-			if !errors.As(err, &he) {
-				t.Fatal("ServeHTTP() error should be HandlerError")
-			}
-
-			if he.StatusCode != tt.wantStatusCode {
-				t.Errorf("StatusCode = %d, want %d", he.StatusCode, tt.wantStatusCode)
-			}
-
-			if tt.wantMessage != "" && he.Err != nil {
-				if he.Err.Error() != tt.wantMessage {
-					t.Errorf("Err.Error() = %q, want %q", he.Err.Error(), tt.wantMessage)
-				}
-			}
-		})
-	}
-}
-
-func TestStaticErrorServeHTTPInvalidStatusCode(t *testing.T) {
-	repl := caddy.NewReplacer()
-	ctx := context.WithValue(context.Background(), caddy.ReplacerCtxKey, repl)
-
-	req, _ := http.NewRequest("GET", "http://example.com/", nil)
-	req = req.WithContext(ctx)
-	w := httptest.NewRecorder()
-
-	se := StaticError{StatusCode: "not_a_number"}
-	err := se.ServeHTTP(w, req, nil)
-	if err == nil {
-		t.Fatal("ServeHTTP() should return error for invalid status code")
-	}
-
-	var he HandlerError
-	if !errors.As(err, &he) {
-		t.Fatal("error should be HandlerError")
-	}
-	// Invalid status code should return 500
-	if he.StatusCode != 500 {
-		t.Errorf("StatusCode = %d, want 500 for invalid status code", he.StatusCode)
-	}
-}
-
-func TestStaticErrorUnmarshalCaddyfile(t *testing.T) {
-	tests := []struct {
-		name       string
-		input      string
-		wantErr    bool
-		wantStatus string
-		wantMsg    string
-	}{
-		{
-			name:       "status code only",
-			input:      `error 404`,
-			wantStatus: "404",
-		},
-		{
-			name:    "message only (non-3-digit)",
-			input:   `error "Page not found"`,
-			wantMsg: "Page not found",
-		},
-		{
-			name:       "message and status code",
-			input:      `error "Page not found" 404`,
-			wantStatus: "404",
-			wantMsg:    "Page not found",
-		},
-		{
-			name:    "no args",
-			input:   `error`,
-			wantErr: true,
-		},
-		{
-			name:    "too many args",
-			input:   `error "msg" 404 extra`,
-			wantErr: true,
-		},
-		{
-			name:       "status in block",
-			input:      "error 500 {\n    message \"server error\"\n}",
-			wantStatus: "500",
-			wantMsg:    "server error",
-		},
-		{
-			name:    "two-digit number is treated as message",
-			input:   `error 42`,
-			wantMsg: "42",
-		},
-		{
-			name:    "four-digit number is treated as message",
-			input:   `error 1234`,
-			wantMsg: "1234",
-		},
-		{
-			name:       "three-digit is status code",
-			input:      `error 503`,
-			wantStatus: "503",
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			d := caddyfile.NewTestDispenser(tt.input)
-			se := &StaticError{}
-			err := se.UnmarshalCaddyfile(d)
-
-			if (err != nil) != tt.wantErr {
-				t.Errorf("UnmarshalCaddyfile() error = %v, wantErr %v", err, tt.wantErr)
-				return
-			}
-			if err != nil {
-				return
-			}
-
-			if tt.wantStatus != "" && string(se.StatusCode) != tt.wantStatus {
-				t.Errorf("StatusCode = %q, want %q", se.StatusCode, tt.wantStatus)
-			}
-			if tt.wantMsg != "" && se.Error != tt.wantMsg {
-				t.Errorf("Error = %q, want %q", se.Error, tt.wantMsg)
-			}
-		})
-	}
-}
-
-func TestStaticErrorUnmarshalCaddyfileDuplicateMessage(t *testing.T) {
-	input := "error \"first message\" 500 {\n    message \"second message\"\n}"
-	d := caddyfile.NewTestDispenser(input)
-	se := &StaticError{}
-	err := se.UnmarshalCaddyfile(d)
-	if err == nil {
-		t.Error("expected error when message is specified both inline and in block")
-	}
-}
@@ -23,158 +23,6 @@ import (
 	"github.com/caddyserver/caddy/v2"
 )

-func TestGetVarAndSetVar(t *testing.T) {
-	vars := map[string]any{
-		"existing_key": "existing_value",
-	}
-
-	ctx := context.WithValue(context.Background(), VarsCtxKey, vars)
-
-	if v := GetVar(ctx, "existing_key"); v != "existing_value" {
-		t.Errorf("GetVar() = %v, want 'existing_value'", v)
-	}
-
-	if v := GetVar(ctx, "nonexistent_key"); v != nil {
-		t.Errorf("GetVar() for missing key = %v, want nil", v)
-	}
-
-	emptyCtx := context.Background()
-	if v := GetVar(emptyCtx, "any"); v != nil {
-		t.Errorf("GetVar() on context without vars = %v, want nil", v)
-	}
-}
-
-func TestSetVar(t *testing.T) {
-	vars := map[string]any{}
-	ctx := context.WithValue(context.Background(), VarsCtxKey, vars)
-
-	SetVar(ctx, "key1", "value1")
-	if vars["key1"] != "value1" {
-		t.Errorf("SetVar() didn't set value, got %v", vars["key1"])
-	}
-
-	SetVar(ctx, "key1", "value2")
-	if vars["key1"] != "value2" {
-		t.Errorf("SetVar() didn't overwrite value, got %v", vars["key1"])
-	}
-
-	SetVar(ctx, "key1", nil)
-	if _, ok := vars["key1"]; ok {
-		t.Error("SetVar(nil) should delete the key")
-	}
-
-	// BUG: SetVar with nil for non-existent key should be a no-op per its documentation,
-	// but it actually inserts a nil value into the map. The nil check only deletes
-	// existing keys; if the key doesn't exist, execution falls through to the
-	// final `varMap[key] = value` line, storing nil.
-	SetVar(ctx, "nonexistent", nil)
-	if _, ok := vars["nonexistent"]; !ok {
-		t.Error("BUG: SetVar(nil) for non-existent key unexpectedly did NOT set the key. If this passes, the bug described in code comments may have been fixed.")
-	}
-}
-
-func TestSetVarWithoutContext(t *testing.T) {
-	ctx := context.Background()
-	SetVar(ctx, "key", "value")
-}
-
-func TestVarsMiddlewareCaddyModule(t *testing.T) {
-	m := VarsMiddleware{}
-	info := m.CaddyModule()
-	if info.ID != "http.handlers.vars" {
-		t.Errorf("CaddyModule().ID = %v, want 'http.handlers.vars'", info.ID)
-	}
-}
-
-func TestVarsMatcherEmptyMatch(t *testing.T) {
-	m := VarsMatcher{}
-
-	vars := map[string]any{}
-	repl := caddy.NewReplacer()
-	ctx := context.WithValue(context.Background(), VarsCtxKey, vars)
-	ctx = context.WithValue(ctx, caddy.ReplacerCtxKey, repl)
-
-	req, _ := http.NewRequest(http.MethodGet, "http://example.com/", nil)
-	req = req.WithContext(ctx)
-
-	match, err := m.MatchWithError(req)
-	if err != nil {
-		t.Fatalf("MatchWithError() error = %v", err)
-	}
-	if !match {
-		t.Error("empty VarsMatcher should match everything")
-	}
-}
-
-func TestVarsMatcherMatch(t *testing.T) {
-	vars := map[string]any{
-		"my_var": "hello",
-	}
-	repl := caddy.NewReplacer()
-	ctx := context.WithValue(context.Background(), VarsCtxKey, vars)
-	ctx = context.WithValue(ctx, caddy.ReplacerCtxKey, repl)
-
-	req, _ := http.NewRequest(http.MethodGet, "http://example.com/", nil)
-	req = req.WithContext(ctx)
-
-	tests := []struct {
-		name      string
-		matcher   VarsMatcher
-		wantMatch bool
-	}{
-		{
-			name:      "matching variable",
-			matcher:   VarsMatcher{"my_var": {"hello"}},
-			wantMatch: true,
-		},
-		{
-			name:      "non-matching variable",
-			matcher:   VarsMatcher{"my_var": {"world"}},
-			wantMatch: false,
-		},
-		{
-			name:      "nonexistent variable",
-			matcher:   VarsMatcher{"nonexistent": {"anything"}},
-			wantMatch: false,
-		},
-		{
-			name:      "multiple values OR",
-			matcher:   VarsMatcher{"my_var": {"world", "hello", "foo"}},
-			wantMatch: true,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			match := tt.matcher.Match(req)
-			if match != tt.wantMatch {
-				t.Errorf("Match() = %v, want %v", match, tt.wantMatch)
-			}
-		})
-	}
-}
-
-func TestVarsMatcherWithNilVarValue(t *testing.T) {
-	vars := map[string]any{
-		"nil_var": nil,
-	}
-	repl := caddy.NewReplacer()
-	ctx := context.WithValue(context.Background(), VarsCtxKey, vars)
-	ctx = context.WithValue(ctx, caddy.ReplacerCtxKey, repl)
-
-	req, _ := http.NewRequest(http.MethodGet, "http://example.com/", nil)
-	req = req.WithContext(ctx)
-
-	m := VarsMatcher{"nil_var": {""}}
-	match, err := m.MatchWithError(req)
-	if err != nil {
-		t.Fatalf("MatchWithError() error = %v", err)
-	}
-	if !match {
-		t.Error("nil variable value should match empty string")
-	}
-}
-
 func newVarsTestRequest(t *testing.T, target string, headers http.Header, vars map[string]any) (*http.Request, *caddy.Replacer) {
 	t.Helper()

@@ -190,6 +38,8 @@ func newVarsTestRequest(t *testing.T, target string, headers http.Header, vars m
 	if vars == nil {
 		vars = make(map[string]any)
 	}
+	// Inject vars directly so these tests exercise matcher-side handling of
+	// already-resolved values, not VarsMiddleware placeholder expansion.
 	ctx = context.WithValue(ctx, VarsCtxKey, vars)
 	req = req.WithContext(ctx)

@@ -158,7 +158,7 @@ type AutomationPolicy struct {
 	DisableOCSPStapling bool `json:"disable_ocsp_stapling,omitempty"`

 	// Overrides the URLs of OCSP responders embedded in certificates.
-	// Each key is a OCSP server URL to override, and its value is the
+	// Each key is an OCSP server URL to override, and its value is the
 	// replacement. An empty value will disable querying of that server.
 	// EXPERIMENTAL. Subject to change.
 	OCSPOverrides map[string]string `json:"ocsp_overrides,omitempty"`
@@ -107,7 +107,8 @@ func (cp ConnectionPolicies) TLSConfig(ctx caddy.Context) *tls.Config {
 				if sni, ok := m.(MatchServerName); ok {
 					for _, sniName := range sni {
 						// index for fast lookups during handshakes
-						indexedBySNI[sniName] = append(indexedBySNI[sniName], p)
+						indexName := asciiServerNameForMatch(sniName)
+						indexedBySNI[indexName] = append(indexedBySNI[indexName], p)
 					}
 				}
 			}
@@ -118,7 +119,7 @@ func (cp ConnectionPolicies) TLSConfig(ctx caddy.Context) *tls.Config {
 		// filter policies by SNI first, if possible, to speed things up
 		// when there may be lots of policies
 		possiblePolicies := cp
-		if indexedPolicies, ok := indexedBySNI[hello.ServerName]; ok {
+		if indexedPolicies, ok := indexedBySNI[asciiServerNameForMatch(hello.ServerName)]; ok {
 			possiblePolicies = indexedPolicies
 		}

@@ -15,6 +15,8 @@
 package caddytls

 import (
+	"context"
+	"crypto/tls"
 	"encoding/json"
 	"fmt"
 	"reflect"
@@ -24,6 +26,40 @@ import (
 	"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
 )

+func TestConnectionPolicyIDNSNIMatcherFastPath(t *testing.T) {
+	ctx, cancel := caddy.NewContext(caddy.Context{Context: context.Background()})
+	defer cancel()
+
+	targetTLSConfig := &tls.Config{ClientAuth: tls.RequireAnyClientCert}
+	policies := ConnectionPolicies{
+		{
+			matchers:  []ConnectionMatcher{MatchServerName{"つ.Localhost"}},
+			TLSConfig: targetTLSConfig,
+		},
+	}
+
+	const sniFastPathThreshold = 30
+	for i := len(policies); i < sniFastPathThreshold; i++ {
+		policies = append(policies, &ConnectionPolicy{
+			matchers:  []ConnectionMatcher{MatchServerName{fmt.Sprintf("example-%d.localhost", i)}},
+			TLSConfig: &tls.Config{},
+		})
+	}
+	policies = append(policies, &ConnectionPolicy{
+		matchers:  []ConnectionMatcher{MatchServerName{"xn--k9j.localhost"}},
+		TLSConfig: &tls.Config{ClientAuth: tls.NoClientCert},
+	})
+
+	tlsConfig := policies.TLSConfig(ctx)
+	got, err := tlsConfig.GetConfigForClient(&tls.ClientHelloInfo{ServerName: "XN--K9J.LOCALHOST"})
+	if err != nil {
+		t.Fatalf("GetConfigForClient() error = %v", err)
+	}
+	if got != targetTLSConfig {
+		t.Fatalf("expected Unicode IDN policy to match before later punycode policy")
+	}
+}
+
 func TestClientAuthenticationUnmarshalCaddyfileWithDirectiveName(t *testing.T) {
 	const test_der_1 = `MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ==`
 	const test_cert_file_1 = "../../caddytest/caddy.ca.cer"
@@ -28,6 +28,7 @@ import (
 	"github.com/caddyserver/certmagic"
 	"go.uber.org/zap"
 	"go.uber.org/zap/zapcore"
+	"golang.org/x/net/idna"

 	"github.com/caddyserver/caddy/v2"
 	"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
@@ -69,15 +70,45 @@ func (m MatchServerName) Match(hello *tls.ClientHelloInfo) bool {
 		repl = caddy.NewReplacer()
 	}

+	serverName := asciiServerNameForMatch(hello.ServerName)
 	for _, name := range m {
-		rs := repl.ReplaceAll(name, "")
-		if certmagic.MatchWildcard(hello.ServerName, rs) {
+		rs := asciiServerNameForMatch(repl.ReplaceAll(name, ""))
+		if certmagic.MatchWildcard(serverName, rs) {
 			return true
 		}
 	}
 	return false
 }

+func asciiServerNameForMatch(name string) string {
+	if name == "" {
+		return name
+	}
+
+	// SNI is ASCII on the wire, but config can use Unicode IDNs.
+	ascii, err := idna.ToASCII(name)
+	if err == nil {
+		return strings.ToLower(ascii)
+	}
+
+	if !strings.Contains(name, "*") {
+		return strings.ToLower(name)
+	}
+
+	labels := strings.Split(name, ".")
+	for i, label := range labels {
+		if label == "" || label == "*" {
+			continue
+		}
+		ascii, err := idna.ToASCII(label)
+		if err != nil {
+			return strings.ToLower(name)
+		}
+		labels[i] = strings.ToLower(ascii)
+	}
+	return strings.Join(labels, ".")
+}
+
 // UnmarshalCaddyfile sets up the MatchServerName from Caddyfile tokens. Syntax:
 //
 //	sni <domains...>
@@ -79,6 +79,26 @@ func TestServerNameMatcher(t *testing.T) {
 			input:  "sub2.sub.example.com",
 			expect: true,
 		},
+		{
+			names:  []string{"つ.localhost"},
+			input:  "xn--k9j.localhost",
+			expect: true,
+		},
+		{
+			names:  []string{"つ.Localhost"},
+			input:  "XN--K9J.LOCALHOST",
+			expect: true,
+		},
+		{
+			names:  []string{"*.つ.localhost"},
+			input:  "sub.xn--k9j.localhost",
+			expect: true,
+		},
+		{
+			names:  []string{"*.つ.Localhost"},
+			input:  "Sub.XN--K9J.LOCALHOST",
+			expect: true,
+		},
 	} {
 		chi := &tls.ClientHelloInfo{ServerName: tc.input}
 		actual := MatchServerName(tc.names).Match(chi)
@@ -137,11 +137,10 @@ func (s *SessionTicketService) stayUpdated() {
 		case newKeys := <-keysChan:
 			s.mu.Lock()
 			s.currentKeys = newKeys
-			configs := s.configs
-			s.mu.Unlock()
-			for cfg := range configs {
+			for cfg := range s.configs {
 				cfg.SetSessionTicketKeys(newKeys)
 			}
+			s.mu.Unlock()
 		case <-s.stopChan:
 			return
 		}
@@ -440,7 +440,7 @@ func (t *TLS) Start() error {
 					t.EncryptedClientHello.configsMu.Unlock()
 					if err != nil {
 						echLogger.Error("rotating ECH configs failed", zap.Error(err))
-						return
+						continue
 					}
 					err := t.publishECHConfigs(echLogger)
 					if err != nil {
@@ -879,6 +879,8 @@ func (t *TLS) getAutomationPolicyForName(name string) *AutomationPolicy {
 // AllMatchingCertificates returns the list of all certificates in
 // the cache which could be used to satisfy the given SAN.
 func AllMatchingCertificates(san string) []certmagic.Certificate {
+	certCacheMu.RLock()
+	defer certCacheMu.RUnlock()
 	return certCache.AllMatchingCertificates(san)
 }

@@ -1,102 +0,0 @@
-package filestorage
-
-import (
-	"testing"
-
-	"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
-)
-
-func TestFileStorageCaddyModule(t *testing.T) {
-	fs := FileStorage{}
-	info := fs.CaddyModule()
-	if info.ID != "caddy.storage.file_system" {
-		t.Errorf("CaddyModule().ID = %q, want 'caddy.storage.file_system'", info.ID)
-	}
-	mod := info.New()
-	if mod == nil {
-		t.Error("New() should not return nil")
-	}
-}
-
-func TestFileStorageCertMagicStorage(t *testing.T) {
-	fs := FileStorage{Root: "/var/lib/caddy/certs"}
-	storage, err := fs.CertMagicStorage()
-	if err != nil {
-		t.Fatalf("CertMagicStorage() error = %v", err)
-	}
-	if storage == nil {
-		t.Fatal("CertMagicStorage() returned nil")
-	}
-}
-
-func TestFileStorageCertMagicStorageEmptyRoot(t *testing.T) {
-	fs := FileStorage{Root: ""}
-	storage, err := fs.CertMagicStorage()
-	if err != nil {
-		t.Fatalf("CertMagicStorage() error = %v", err)
-	}
-	if storage == nil {
-		t.Fatal("CertMagicStorage() returned nil even with empty root")
-	}
-}
-
-func TestFileStorageUnmarshalCaddyfile(t *testing.T) {
-	tests := []struct {
-		name    string
-		input   string
-		wantErr bool
-		wantVal string
-	}{
-		{
-			name:    "root as inline arg",
-			input:   `file_system /var/lib/caddy`,
-			wantVal: "/var/lib/caddy",
-		},
-		{
-			name:    "root in block",
-			input:   "file_system {\n\troot /var/lib/caddy\n}",
-			wantVal: "/var/lib/caddy",
-		},
-		{
-			name:    "missing root",
-			input:   `file_system`,
-			wantErr: true,
-		},
-		{
-			name:    "too many inline args",
-			input:   `file_system /path1 /path2`,
-			wantErr: true,
-		},
-		{
-			name:    "root already set inline then block",
-			input:   "file_system /path1 {\n\troot /path2\n}",
-			wantErr: true,
-		},
-		{
-			name:    "unknown subdirective",
-			input:   "file_system {\n\tunknown_option value\n}",
-			wantErr: true,
-		},
-		{
-			name:    "root in block without value",
-			input:   "file_system {\n\troot\n}",
-			wantErr: true,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			d := caddyfile.NewTestDispenser(tt.input)
-			fs := &FileStorage{}
-			err := fs.UnmarshalCaddyfile(d)
-
-			if (err != nil) != tt.wantErr {
-				t.Errorf("UnmarshalCaddyfile() error = %v, wantErr %v", err, tt.wantErr)
-				return
-			}
-			if !tt.wantErr && fs.Root != tt.wantVal {
-				t.Errorf("Root = %q, want %q", fs.Root, tt.wantVal)
-			}
-		})
-	}
-}
@@ -149,10 +149,10 @@ func (f *ReplaceFilter) Filter(in zapcore.Field) zapcore.Field {
 // list of IP addresses, where all of the values
 // will be masked.
 type IPMaskFilter struct {
-	// The IPv4 mask, as an subnet size CIDR.
+	// The IPv4 mask, as a subnet size CIDR.
 	IPv4MaskRaw int `json:"ipv4_cidr,omitempty"`

-	// The IPv6 mask, as an subnet size CIDR.
+	// The IPv6 mask, as a subnet size CIDR.
 	IPv6MaskRaw int `json:"ipv6_cidr,omitempty"`

 	v4Mask net.IPMask
@@ -1,963 +0,0 @@
-// Copyright 2015 Matthew Holt and The Caddy Authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package caddy
-
-import (
-	"context"
-	"fmt"
-	"net"
-	"strings"
-	"sync"
-	"testing"
-	"time"
-)
-
-func TestNetworkAddress_String_Consistency(t *testing.T) {
-	tests := []struct {
-		name string
-		addr NetworkAddress
-	}{
-		{
-			name: "basic tcp",
-			addr: NetworkAddress{Network: "tcp", Host: "localhost", StartPort: 8080, EndPort: 8080},
-		},
-		{
-			name: "tcp with port range",
-			addr: NetworkAddress{Network: "tcp", Host: "localhost", StartPort: 8080, EndPort: 8090},
-		},
-		{
-			name: "unix socket",
-			addr: NetworkAddress{Network: "unix", Host: "/tmp/socket"},
-		},
-		{
-			name: "udp",
-			addr: NetworkAddress{Network: "udp", Host: "0.0.0.0", StartPort: 53, EndPort: 53},
-		},
-		{
-			name: "ipv6",
-			addr: NetworkAddress{Network: "tcp", Host: "::1", StartPort: 80, EndPort: 80},
-		},
-	}
-
-	for _, test := range tests {
-		t.Run(test.name, func(t *testing.T) {
-			str := test.addr.String()
-
-			// Parse the string back
-			parsed, err := ParseNetworkAddress(str)
-			if err != nil {
-				t.Fatalf("Failed to parse string representation: %v", err)
-			}
-
-			// Should be equivalent to original
-			if parsed.Network != test.addr.Network {
-				t.Errorf("Network mismatch: expected %s, got %s", test.addr.Network, parsed.Network)
-			}
-			if parsed.Host != test.addr.Host {
-				t.Errorf("Host mismatch: expected %s, got %s", test.addr.Host, parsed.Host)
-			}
-			if parsed.StartPort != test.addr.StartPort {
-				t.Errorf("StartPort mismatch: expected %d, got %d", test.addr.StartPort, parsed.StartPort)
-			}
-			if parsed.EndPort != test.addr.EndPort {
-				t.Errorf("EndPort mismatch: expected %d, got %d", test.addr.EndPort, parsed.EndPort)
-			}
-		})
-	}
-}
-
-func TestNetworkAddress_PortRangeSize_EdgeCases(t *testing.T) {
-	tests := []struct {
-		name     string
-		addr     NetworkAddress
-		expected uint
-	}{
-		{
-			name:     "single port",
-			addr:     NetworkAddress{StartPort: 80, EndPort: 80},
-			expected: 1,
-		},
-		{
-			name:     "invalid range (end < start)",
-			addr:     NetworkAddress{StartPort: 8080, EndPort: 8070},
-			expected: 0,
-		},
-		{
-			name:     "zero ports",
-			addr:     NetworkAddress{StartPort: 0, EndPort: 0},
-			expected: 1,
-		},
-		{
-			name:     "maximum range",
-			addr:     NetworkAddress{StartPort: 1, EndPort: 65535},
-			expected: 65535,
-		},
-		{
-			name:     "large range",
-			addr:     NetworkAddress{StartPort: 8000, EndPort: 9000},
-			expected: 1001,
-		},
-	}
-
-	for _, test := range tests {
-		t.Run(test.name, func(t *testing.T) {
-			size := test.addr.PortRangeSize()
-			if size != test.expected {
-				t.Errorf("Expected %d, got %d", test.expected, size)
-			}
-		})
-	}
-}
-
-func TestNetworkAddress_At_Validation(t *testing.T) {
-	addr := NetworkAddress{
-		Network:   "tcp",
-		Host:      "localhost",
-		StartPort: 8080,
-		EndPort:   8090,
-	}
-
-	// Test valid offsets
-	for offset := uint(0); offset <= 10; offset++ {
-		result := addr.At(offset)
-		expectedPort := 8080 + offset
-
-		if result.StartPort != expectedPort || result.EndPort != expectedPort {
-			t.Errorf("Offset %d: expected port %d, got %d-%d",
-				offset, expectedPort, result.StartPort, result.EndPort)
-		}
-
-		if result.Network != addr.Network || result.Host != addr.Host {
-			t.Errorf("Offset %d: network/host should be preserved", offset)
-		}
-	}
-}
-
-func TestNetworkAddress_Expand_LargeRange(t *testing.T) {
-	addr := NetworkAddress{
-		Network:   "tcp",
-		Host:      "localhost",
-		StartPort: 8000,
-		EndPort:   8010,
-	}
-
-	expanded := addr.Expand()
-	expectedSize := 11 // 8000 to 8010 inclusive
-
-	if len(expanded) != expectedSize {
-		t.Errorf("Expected %d addresses, got %d", expectedSize, len(expanded))
-	}
-
-	// Verify each address
-	for i, expandedAddr := range expanded {
-		expectedPort := uint(8000 + i)
-		if expandedAddr.StartPort != expectedPort || expandedAddr.EndPort != expectedPort {
-			t.Errorf("Address %d: expected port %d, got %d-%d",
-				i, expectedPort, expandedAddr.StartPort, expandedAddr.EndPort)
-		}
-	}
-}
-
-func TestNetworkAddress_IsLoopback_EdgeCases(t *testing.T) {
-	tests := []struct {
-		name     string
-		addr     NetworkAddress
-		expected bool
-	}{
-		{
-			name:     "unix socket",
-			addr:     NetworkAddress{Network: "unix", Host: "/tmp/socket"},
-			expected: true, // Unix sockets are always considered loopback
-		},
-		{
-			name:     "fd network",
-			addr:     NetworkAddress{Network: "fd", Host: "3"},
-			expected: true, // fd networks are always considered loopback
-		},
-		{
-			name:     "localhost",
-			addr:     NetworkAddress{Network: "tcp", Host: "localhost"},
-			expected: true,
-		},
-		{
-			name:     "127.0.0.1",
-			addr:     NetworkAddress{Network: "tcp", Host: "127.0.0.1"},
-			expected: true,
-		},
-		{
-			name:     "::1",
-			addr:     NetworkAddress{Network: "tcp", Host: "::1"},
-			expected: true,
-		},
-		{
-			name:     "127.0.0.2",
-			addr:     NetworkAddress{Network: "tcp", Host: "127.0.0.2"},
-			expected: true, // Part of 127.0.0.0/8 loopback range
-		},
-		{
-			name:     "192.168.1.1",
-			addr:     NetworkAddress{Network: "tcp", Host: "192.168.1.1"},
-			expected: false, // Private but not loopback
-		},
-		{
-			name:     "invalid ip",
-			addr:     NetworkAddress{Network: "tcp", Host: "invalid-ip"},
-			expected: false,
-		},
-		{
-			name:     "empty host",
-			addr:     NetworkAddress{Network: "tcp", Host: ""},
-			expected: false,
-		},
-	}
-
-	for _, test := range tests {
-		t.Run(test.name, func(t *testing.T) {
-			result := test.addr.isLoopback()
-			if result != test.expected {
-				t.Errorf("Expected %v, got %v", test.expected, result)
-			}
-		})
-	}
-}
-
-func TestNetworkAddress_IsWildcard_EdgeCases(t *testing.T) {
-	tests := []struct {
-		name     string
-		addr     NetworkAddress
-		expected bool
-	}{
-		{
-			name:     "empty host",
-			addr:     NetworkAddress{Network: "tcp", Host: ""},
-			expected: true,
-		},
-		{
-			name:     "ipv4 any",
-			addr:     NetworkAddress{Network: "tcp", Host: "0.0.0.0"},
-			expected: true,
-		},
-		{
-			name:     "ipv6 any",
-			addr:     NetworkAddress{Network: "tcp", Host: "::"},
-			expected: true,
-		},
-		{
-			name:     "localhost",
-			addr:     NetworkAddress{Network: "tcp", Host: "localhost"},
-			expected: false,
-		},
-		{
-			name:     "specific ip",
-			addr:     NetworkAddress{Network: "tcp", Host: "192.168.1.1"},
-			expected: false,
-		},
-		{
-			name:     "invalid ip",
-			addr:     NetworkAddress{Network: "tcp", Host: "invalid"},
-			expected: false,
-		},
-	}
-
-	for _, test := range tests {
-		t.Run(test.name, func(t *testing.T) {
-			result := test.addr.isWildcardInterface()
-			if result != test.expected {
-				t.Errorf("Expected %v, got %v", test.expected, result)
-			}
-		})
-	}
-}
-
-func TestSplitNetworkAddress_IPv6_EdgeCases(t *testing.T) {
-	tests := []struct {
-		name          string
-		input         string
-		expectNetwork string
-		expectHost    string
-		expectPort    string
-		expectErr     bool
-	}{
-		{
-			name:       "ipv6 with port",
-			input:      "[::1]:8080",
-			expectHost: "::1",
-			expectPort: "8080",
-		},
-		{
-			name:       "ipv6 without port",
-			input:      "[::1]",
-			expectHost: "::1",
-		},
-		{
-			name:       "ipv6 without brackets or port",
-			input:      "::1",
-			expectHost: "::1",
-		},
-		{
-			name:       "ipv6 loopback",
-			input:      "[::1]:443",
-			expectHost: "::1",
-			expectPort: "443",
-		},
-		{
-			name:       "ipv6 any address",
-			input:      "[::]:80",
-			expectHost: "::",
-			expectPort: "80",
-		},
-		{
-			name:          "ipv6 with network prefix",
-			input:         "tcp6/[::1]:8080",
-			expectNetwork: "tcp6",
-			expectHost:    "::1",
-			expectPort:    "8080",
-		},
-		{
-			name:       "malformed ipv6",
-			input:      "[::1:8080", // Missing closing bracket
-			expectHost: "::1:8080",
-		},
-		{
-			name:       "ipv6 with zone",
-			input:      "[fe80::1%eth0]:8080",
-			expectHost: "fe80::1%eth0",
-			expectPort: "8080",
-		},
-	}
-
-	for _, test := range tests {
-		t.Run(test.name, func(t *testing.T) {
-			network, host, port, err := SplitNetworkAddress(test.input)
-
-			if test.expectErr && err == nil {
-				t.Error("Expected error but got none")
-			}
-			if !test.expectErr && err != nil {
-				t.Errorf("Unexpected error: %v", err)
-			}
-
-			if network != test.expectNetwork {
-				t.Errorf("Network: expected '%s', got '%s'", test.expectNetwork, network)
-			}
-			if host != test.expectHost {
-				t.Errorf("Host: expected '%s', got '%s'", test.expectHost, host)
-			}
-			if port != test.expectPort {
-				t.Errorf("Port: expected '%s', got '%s'", test.expectPort, port)
-			}
-		})
-	}
-}
-
-func TestParseNetworkAddress_PortRange_Validation(t *testing.T) {
-	tests := []struct {
-		name      string
-		input     string
-		expectErr bool
-		errMsg    string
-	}{
-		{
-			name:      "valid range",
-			input:     "localhost:8080-8090",
-			expectErr: false,
-		},
-		{
-			name:      "inverted range",
-			input:     "localhost:8090-8080",
-			expectErr: true,
-			errMsg:    "end port must not be less than start port",
-		},
-		{
-			name:      "too large range",
-			input:     "localhost:0-65535",
-			expectErr: true,
-			errMsg:    "port range exceeds 65535 ports",
-		},
-		{
-			name:      "invalid start port",
-			input:     "localhost:abc-8080",
-			expectErr: true,
-		},
-		{
-			name:      "invalid end port",
-			input:     "localhost:8080-xyz",
-			expectErr: true,
-		},
-		{
-			name:      "port too large",
-			input:     "localhost:99999",
-			expectErr: true,
-		},
-		{
-			name:      "negative port",
-			input:     "localhost:-80",
-			expectErr: true,
-		},
-	}
-
-	for _, test := range tests {
-		t.Run(test.name, func(t *testing.T) {
-			_, err := ParseNetworkAddress(test.input)
-
-			if test.expectErr && err == nil {
-				t.Error("Expected error but got none")
-			}
-			if !test.expectErr && err != nil {
-				t.Errorf("Unexpected error: %v", err)
-			}
-
-			if test.expectErr && test.errMsg != "" && err != nil {
-				if !containsString(err.Error(), test.errMsg) {
-					t.Errorf("Expected error containing '%s', got '%s'", test.errMsg, err.Error())
-				}
-			}
-		})
-	}
-}
-
-func TestNetworkAddress_Listen_ContextCancellation(t *testing.T) {
-	addr := NetworkAddress{
-		Network:   "tcp",
-		Host:      "localhost",
-		StartPort: 0, // Let OS assign port
-		EndPort:   0,
-	}
-
-	// Create context that will be cancelled
-	ctx, cancel := context.WithCancel(context.Background())
-
-	// Start listening in a goroutine
-	listenDone := make(chan error, 1)
-	go func() {
-		_, err := addr.Listen(ctx, 0, net.ListenConfig{})
-		listenDone <- err
-	}()
-
-	// Cancel context immediately
-	cancel()
-
-	// Should get context cancellation error quickly
-	select {
-	case err := <-listenDone:
-		if err == nil {
-			t.Error("Expected error due to context cancellation")
-		}
-		// Accept any error related to context cancellation
-		// (could be context.Canceled or DNS lookup error due to cancellation)
-	case <-time.After(time.Second):
-		t.Error("Listen operation did not respect context cancellation")
-	}
-}
-
-func TestNetworkAddress_ListenAll_PartialFailure(t *testing.T) {
-	// Create an address range where some ports might fail to bind
-	addr := NetworkAddress{
-		Network:   "tcp",
-		Host:      "localhost",
-		StartPort: 0, // OS-assigned port
-		EndPort:   2, // Try to bind 3 ports starting from OS-assigned
-	}
-
-	// This test might be flaky depending on available ports,
-	// but tests the error handling logic
-	ctx := context.Background()
-
-	listeners, err := addr.ListenAll(ctx, net.ListenConfig{})
-
-	// Either all succeed or all fail (due to cleanup on partial failure)
-	if err != nil {
-		// If there's an error, no listeners should be returned
-		if len(listeners) != 0 {
-			t.Errorf("Expected no listeners on error, got %d", len(listeners))
-		}
-	} else {
-		// If successful, should have listeners for all ports in range
-		expectedCount := int(addr.PortRangeSize())
-		if len(listeners) != expectedCount {
-			t.Errorf("Expected %d listeners, got %d", expectedCount, len(listeners))
-		}
-
-		// Clean up listeners
-		for _, ln := range listeners {
-			if closer, ok := ln.(interface{ Close() error }); ok {
-				closer.Close()
-			}
-		}
-	}
-}
-
-func TestJoinNetworkAddress_SpecialCases(t *testing.T) {
-	tests := []struct {
-		name     string
-		network  string
-		host     string
-		port     string
-		expected string
-	}{
-		{
-			name:     "empty everything",
-			network:  "",
-			host:     "",
-			port:     "",
-			expected: "",
-		},
-		{
-			name:     "network only",
-			network:  "tcp",
-			host:     "",
-			port:     "",
-			expected: "tcp/",
-		},
-		{
-			name:     "host only",
-			network:  "",
-			host:     "localhost",
-			port:     "",
-			expected: "localhost",
-		},
-		{
-			name:     "port only",
-			network:  "",
-			host:     "",
-			port:     "8080",
-			expected: ":8080",
-		},
-		{
-			name:     "unix socket with port (port ignored)",
-			network:  "unix",
-			host:     "/tmp/socket",
-			port:     "8080",
-			expected: "unix//tmp/socket",
-		},
-		{
-			name:     "fd network with port (port ignored)",
-			network:  "fd",
-			host:     "3",
-			port:     "8080",
-			expected: "fd/3",
-		},
-		{
-			name:     "ipv6 host with port",
-			network:  "tcp",
-			host:     "::1",
-			port:     "8080",
-			expected: "tcp/[::1]:8080",
-		},
-	}
-
-	for _, test := range tests {
-		t.Run(test.name, func(t *testing.T) {
-			result := JoinNetworkAddress(test.network, test.host, test.port)
-			if result != test.expected {
-				t.Errorf("Expected '%s', got '%s'", test.expected, result)
-			}
-		})
-	}
-}
-
-func TestIsUnixNetwork_IsFdNetwork(t *testing.T) {
-	tests := []struct {
-		network string
-		isUnix  bool
-		isFd    bool
-	}{
-		{"unix", true, false},
-		{"unixgram", true, false},
-		{"unixpacket", true, false},
-		{"fd", false, true},
-		{"fdgram", false, true},
-		{"tcp", false, false},
-		{"udp", false, false},
-		{"", false, false},
-		{"unix-like", true, false},
-		{"fd-like", false, true},
-	}
-
-	for _, test := range tests {
-		t.Run(test.network, func(t *testing.T) {
-			if IsUnixNetwork(test.network) != test.isUnix {
-				t.Errorf("IsUnixNetwork('%s'): expected %v, got %v",
-					test.network, test.isUnix, IsUnixNetwork(test.network))
-			}
-			if IsFdNetwork(test.network) != test.isFd {
-				t.Errorf("IsFdNetwork('%s'): expected %v, got %v",
-					test.network, test.isFd, IsFdNetwork(test.network))
-			}
-
-			// Test NetworkAddress methods too
-			addr := NetworkAddress{Network: test.network}
-			if addr.IsUnixNetwork() != test.isUnix {
-				t.Errorf("NetworkAddress.IsUnixNetwork(): expected %v, got %v",
-					test.isUnix, addr.IsUnixNetwork())
-			}
-			if addr.IsFdNetwork() != test.isFd {
-				t.Errorf("NetworkAddress.IsFdNetwork(): expected %v, got %v",
-					test.isFd, addr.IsFdNetwork())
-			}
-		})
-	}
-}
-
-func TestRegisterNetwork_Validation(t *testing.T) {
-	// Save original state
-	originalNetworkTypes := make(map[string]ListenerFunc)
-	for k, v := range networkTypes {
-		originalNetworkTypes[k] = v
-	}
-	defer func() {
-		// Restore original state
-		networkTypes = originalNetworkTypes
-	}()
-
-	mockListener := func(ctx context.Context, network, host, portRange string, portOffset uint, cfg net.ListenConfig) (any, error) {
-		return nil, nil
-	}
-
-	// Test reserved network types that should panic
-	reservedTypes := []string{
-		"tcp", "tcp4", "tcp6",
-		"udp", "udp4", "udp6",
-		"unix", "unixpacket", "unixgram",
-		"ip:1", "ip4:1", "ip6:1",
-		"fd", "fdgram",
-	}
-
-	for _, networkType := range reservedTypes {
-		t.Run("reserved_"+networkType, func(t *testing.T) {
-			defer func() {
-				if r := recover(); r == nil {
-					t.Errorf("Expected panic for reserved network type: %s", networkType)
-				}
-			}()
-			RegisterNetwork(networkType, mockListener)
-		})
-	}
-
-	// Test valid registration
-	t.Run("valid_registration", func(t *testing.T) {
-		customNetwork := "custom-network"
-		RegisterNetwork(customNetwork, mockListener)
-
-		if _, exists := networkTypes[customNetwork]; !exists {
-			t.Error("Custom network should be registered")
-		}
-	})
-
-	// Test duplicate registration should panic
-	t.Run("duplicate_registration", func(t *testing.T) {
-		customNetwork := "another-custom"
-		RegisterNetwork(customNetwork, mockListener)
-
-		defer func() {
-			if r := recover(); r == nil {
-				t.Error("Expected panic for duplicate registration")
-			}
-		}()
-		RegisterNetwork(customNetwork, mockListener)
-	})
-}
-
-func TestListenerUsage_EdgeCases(t *testing.T) {
-	// Test ListenerUsage function with various inputs
-	tests := []struct {
-		name     string
-		network  string
-		addr     string
-		expected int
-	}{
-		{
-			name:     "non-existent listener",
-			network:  "tcp",
-			addr:     "localhost:9999",
-			expected: 0,
-		},
-		{
-			name:     "empty network and address",
-			network:  "",
-			addr:     "",
-			expected: 0,
-		},
-		{
-			name:     "unix socket",
-			network:  "unix",
-			addr:     "/tmp/non-existent.sock",
-			expected: 0,
-		},
-	}
-
-	for _, test := range tests {
-		t.Run(test.name, func(t *testing.T) {
-			usage := ListenerUsage(test.network, test.addr)
-			if usage != test.expected {
-				t.Errorf("Expected usage %d, got %d", test.expected, usage)
-			}
-		})
-	}
-}
-
-func TestNetworkAddress_Port_Formatting(t *testing.T) {
-	tests := []struct {
-		name     string
-		addr     NetworkAddress
-		expected string
-	}{
-		{
-			name:     "single port",
-			addr:     NetworkAddress{StartPort: 80, EndPort: 80},
-			expected: "80",
-		},
-		{
-			name:     "port range",
-			addr:     NetworkAddress{StartPort: 8080, EndPort: 8090},
-			expected: "8080-8090",
-		},
-		{
-			name:     "zero ports",
-			addr:     NetworkAddress{StartPort: 0, EndPort: 0},
-			expected: "0",
-		},
-		{
-			name:     "large ports",
-			addr:     NetworkAddress{StartPort: 65534, EndPort: 65535},
-			expected: "65534-65535",
-		},
-	}
-
-	for _, test := range tests {
-		t.Run(test.name, func(t *testing.T) {
-			result := test.addr.port()
-			if result != test.expected {
-				t.Errorf("Expected '%s', got '%s'", test.expected, result)
-			}
-		})
-	}
-}
-
-func TestNetworkAddress_JoinHostPort_SpecialNetworks(t *testing.T) {
-	tests := []struct {
-		name     string
-		addr     NetworkAddress
-		offset   uint
-		expected string
-	}{
-		{
-			name: "unix socket ignores offset",
-			addr: NetworkAddress{
-				Network: "unix",
-				Host:    "/tmp/socket",
-			},
-			offset:   100,
-			expected: "/tmp/socket",
-		},
-		{
-			name: "fd network ignores offset",
-			addr: NetworkAddress{
-				Network: "fd",
-				Host:    "3",
-			},
-			offset:   50,
-			expected: "3",
-		},
-		{
-			name: "tcp with offset",
-			addr: NetworkAddress{
-				Network:   "tcp",
-				Host:      "localhost",
-				StartPort: 8000,
-			},
-			offset:   10,
-			expected: "localhost:8010",
-		},
-		{
-			name: "ipv6 with offset",
-			addr: NetworkAddress{
-				Network:   "tcp",
-				Host:      "::1",
-				StartPort: 8000,
-			},
-			offset:   5,
-			expected: "[::1]:8005",
-		},
-	}
-
-	for _, test := range tests {
-		t.Run(test.name, func(t *testing.T) {
-			result := test.addr.JoinHostPort(test.offset)
-			if result != test.expected {
-				t.Errorf("Expected '%s', got '%s'", test.expected, result)
-			}
-		})
-	}
-}
-
-// Helper function for string containment check
-func containsString(haystack, needle string) bool {
-	return len(haystack) >= len(needle) &&
-		(needle == "" || haystack == needle ||
-			strings.Contains(haystack, needle))
-}
-
-func TestListenerKey_Generation(t *testing.T) {
-	tests := []struct {
-		network  string
-		addr     string
-		expected string
-	}{
-		{
-			network:  "tcp",
-			addr:     "localhost:8080",
-			expected: "tcp/localhost:8080",
-		},
-		{
-			network:  "unix",
-			addr:     "/tmp/socket",
-			expected: "unix//tmp/socket",
-		},
-		{
-			network:  "",
-			addr:     "localhost:8080",
-			expected: "/localhost:8080",
-		},
-		{
-			network:  "tcp",
-			addr:     "",
-			expected: "tcp/",
-		},
-	}
-
-	for _, test := range tests {
-		t.Run(fmt.Sprintf("%s_%s", test.network, test.addr), func(t *testing.T) {
-			result := listenerKey(test.network, test.addr)
-			if result != test.expected {
-				t.Errorf("Expected '%s', got '%s'", test.expected, result)
-			}
-		})
-	}
-}
-
-func TestNetworkAddress_ConcurrentAccess(t *testing.T) {
-	// Test that NetworkAddress methods are safe for concurrent read access
-	addr := NetworkAddress{
-		Network:   "tcp",
-		Host:      "localhost",
-		StartPort: 8080,
-		EndPort:   8090,
-	}
-
-	const numGoroutines = 50
-	var wg sync.WaitGroup
-
-	for i := 0; i < numGoroutines; i++ {
-		wg.Add(1)
-		go func(id int) {
-			defer wg.Done()
-
-			// Call various methods concurrently
-			_ = addr.String()
-			_ = addr.PortRangeSize()
-			_ = addr.IsUnixNetwork()
-			_ = addr.IsFdNetwork()
-			_ = addr.isLoopback()
-			_ = addr.isWildcardInterface()
-			_ = addr.port()
-			_ = addr.JoinHostPort(uint(id % 10))
-			_ = addr.At(uint(id % 11))
-
-			// Expand creates new slice, should be safe
-			expanded := addr.Expand()
-			if len(expanded) == 0 {
-				t.Errorf("Goroutine %d: Expected non-empty expansion", id)
-			}
-		}(i)
-	}
-
-	wg.Wait()
-}
-
-func TestNetworkAddress_IPv6_Zone_Handling(t *testing.T) {
-	// Test IPv6 addresses with zone identifiers
-	input := "tcp/[fe80::1%eth0]:8080"
-
-	addr, err := ParseNetworkAddress(input)
-	if err != nil {
-		t.Fatalf("Failed to parse IPv6 with zone: %v", err)
-	}
-
-	if addr.Network != "tcp" {
-		t.Errorf("Expected network 'tcp', got '%s'", addr.Network)
-	}
-	if addr.Host != "fe80::1%eth0" {
-		t.Errorf("Expected host 'fe80::1%%eth0', got '%s'", addr.Host)
-	}
-	if addr.StartPort != 8080 {
-		t.Errorf("Expected port 8080, got %d", addr.StartPort)
-	}
-
-	// Test string representation round-trip
-	str := addr.String()
-	parsed, err := ParseNetworkAddress(str)
-	if err != nil {
-		t.Fatalf("Failed to parse string representation: %v", err)
-	}
-
-	if parsed.Host != addr.Host {
-		t.Errorf("Round-trip failed: expected host '%s', got '%s'", addr.Host, parsed.Host)
-	}
-}
-
-func BenchmarkParseNetworkAddress(b *testing.B) {
-	inputs := []string{
-		"localhost:8080",
-		"tcp/localhost:8080-8090",
-		"unix//tmp/socket",
-		"[::1]:443",
-		"udp/:53",
-	}
-
-	b.ResetTimer()
-	for i := 0; i < b.N; i++ {
-		input := inputs[i%len(inputs)]
-		ParseNetworkAddress(input)
-	}
-}
-
-func BenchmarkNetworkAddress_String(b *testing.B) {
-	addr := NetworkAddress{
-		Network:   "tcp",
-		Host:      "localhost",
-		StartPort: 8080,
-		EndPort:   8090,
-	}
-
-	b.ResetTimer()
-	for i := 0; i < b.N; i++ {
-		addr.String()
-	}
-}
-
-func BenchmarkNetworkAddress_Expand(b *testing.B) {
-	addr := NetworkAddress{
-		Network:   "tcp",
-		Host:      "localhost",
-		StartPort: 8000,
-		EndPort:   8100, // 101 addresses
-	}
-
-	b.ResetTimer()
-	for i := 0; i < b.N; i++ {
-		addr.Expand()
-	}
-}
@@ -1,624 +0,0 @@
-// Copyright 2015 Matthew Holt and The Caddy Authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package caddy
-
-import (
-	"errors"
-	"sync"
-	"sync/atomic"
-	"testing"
-	"time"
-)
-
-type mockDestructor struct {
-	value     string
-	destroyed int32
-	err       error
-}
-
-func (m *mockDestructor) Destruct() error {
-	atomic.StoreInt32(&m.destroyed, 1)
-	return m.err
-}
-
-func (m *mockDestructor) IsDestroyed() bool {
-	return atomic.LoadInt32(&m.destroyed) == 1
-}
-
-func TestUsagePool_LoadOrNew_Basic(t *testing.T) {
-	pool := NewUsagePool()
-	key := "test-key"
-
-	// First load should construct new value
-	val, loaded, err := pool.LoadOrNew(key, func() (Destructor, error) {
-		return &mockDestructor{value: "test-value"}, nil
-	})
-	if err != nil {
-		t.Fatalf("Unexpected error: %v", err)
-	}
-	if loaded {
-		t.Error("Expected loaded to be false for new value")
-	}
-	if val.(*mockDestructor).value != "test-value" {
-		t.Errorf("Expected 'test-value', got '%s'", val.(*mockDestructor).value)
-	}
-
-	// Second load should return existing value
-	val2, loaded2, err := pool.LoadOrNew(key, func() (Destructor, error) {
-		t.Error("Constructor should not be called for existing value")
-		return nil, nil
-	})
-	if err != nil {
-		t.Fatalf("Unexpected error: %v", err)
-	}
-	if !loaded2 {
-		t.Error("Expected loaded to be true for existing value")
-	}
-	if val2.(*mockDestructor).value != "test-value" {
-		t.Errorf("Expected 'test-value', got '%s'", val2.(*mockDestructor).value)
-	}
-
-	// Check reference count
-	refs, exists := pool.References(key)
-	if !exists {
-		t.Error("Key should exist in pool")
-	}
-	if refs != 2 {
-		t.Errorf("Expected 2 references, got %d", refs)
-	}
-}
-
-func TestUsagePool_LoadOrNew_ConstructorError(t *testing.T) {
-	pool := NewUsagePool()
-	key := "test-key"
-	expectedErr := errors.New("constructor failed")
-
-	val, loaded, err := pool.LoadOrNew(key, func() (Destructor, error) {
-		return nil, expectedErr
-	})
-	if err != expectedErr {
-		t.Errorf("Expected constructor error, got: %v", err)
-	}
-	if loaded {
-		t.Error("Expected loaded to be false for failed construction")
-	}
-	if val != nil {
-		t.Error("Expected nil value for failed construction")
-	}
-
-	// Key should not exist after constructor failure
-	refs, exists := pool.References(key)
-	if exists {
-		t.Error("Key should not exist after constructor failure")
-	}
-	if refs != 0 {
-		t.Errorf("Expected 0 references, got %d", refs)
-	}
-}
-
-func TestUsagePool_LoadOrStore_Basic(t *testing.T) {
-	pool := NewUsagePool()
-	key := "test-key"
-	mockVal := &mockDestructor{value: "stored-value"}
-
-	// First load/store should store new value
-	val, loaded := pool.LoadOrStore(key, mockVal)
-	if loaded {
-		t.Error("Expected loaded to be false for new value")
-	}
-	if val != mockVal {
-		t.Error("Expected stored value to be returned")
-	}
-
-	// Second load/store should return existing value
-	newMockVal := &mockDestructor{value: "new-value"}
-	val2, loaded2 := pool.LoadOrStore(key, newMockVal)
-	if !loaded2 {
-		t.Error("Expected loaded to be true for existing value")
-	}
-	if val2 != mockVal {
-		t.Error("Expected original stored value to be returned")
-	}
-
-	// Check reference count
-	refs, exists := pool.References(key)
-	if !exists {
-		t.Error("Key should exist in pool")
-	}
-	if refs != 2 {
-		t.Errorf("Expected 2 references, got %d", refs)
-	}
-}
-
-func TestUsagePool_Delete_Basic(t *testing.T) {
-	pool := NewUsagePool()
-	key := "test-key"
-	mockVal := &mockDestructor{value: "test-value"}
-
-	// Store value twice to get ref count of 2
-	pool.LoadOrStore(key, mockVal)
-	pool.LoadOrStore(key, mockVal)
-
-	// First delete should decrement ref count
-	deleted, err := pool.Delete(key)
-	if err != nil {
-		t.Fatalf("Unexpected error: %v", err)
-	}
-	if deleted {
-		t.Error("Expected deleted to be false when refs > 0")
-	}
-	if mockVal.IsDestroyed() {
-		t.Error("Value should not be destroyed yet")
-	}
-
-	// Second delete should destroy value
-	deleted, err = pool.Delete(key)
-	if err != nil {
-		t.Fatalf("Unexpected error: %v", err)
-	}
-	if !deleted {
-		t.Error("Expected deleted to be true when refs = 0")
-	}
-	if !mockVal.IsDestroyed() {
-		t.Error("Value should be destroyed")
-	}
-
-	// Key should not exist after deletion
-	refs, exists := pool.References(key)
-	if exists {
-		t.Error("Key should not exist after deletion")
-	}
-	if refs != 0 {
-		t.Errorf("Expected 0 references, got %d", refs)
-	}
-}
-
-func TestUsagePool_Delete_NonExistentKey(t *testing.T) {
-	pool := NewUsagePool()
-
-	deleted, err := pool.Delete("non-existent")
-	if err != nil {
-		t.Errorf("Expected no error for non-existent key, got: %v", err)
-	}
-	if deleted {
-		t.Error("Expected deleted to be false for non-existent key")
-	}
-}
-
-func TestUsagePool_Delete_PanicOnNegativeRefs(t *testing.T) {
-	// This test demonstrates the panic condition by manipulating
-	// the ref count directly to create an invalid state
-	pool := NewUsagePool()
-	key := "test-key"
-	mockVal := &mockDestructor{value: "test-value"}
-
-	// Store the value to get it in the pool
-	pool.LoadOrStore(key, mockVal)
-
-	// Get the pool value to manipulate its refs directly
-	pool.Lock()
-	upv, exists := pool.pool[key]
-	if !exists {
-		pool.Unlock()
-		t.Fatal("Value should exist in pool")
-	}
-
-	// Manually set refs to 1 to test the panic condition
-	atomic.StoreInt32(&upv.refs, 1)
-	pool.Unlock()
-
-	// Now delete twice - the second delete should cause refs to go negative
-	// First delete
-	deleted1, err := pool.Delete(key)
-	if err != nil {
-		t.Fatalf("First delete failed: %v", err)
-	}
-	if !deleted1 {
-		t.Error("First delete should have removed the value")
-	}
-
-	// Second delete on the same key after it was removed should be safe
-	deleted2, err := pool.Delete(key)
-	if err != nil {
-		t.Errorf("Second delete should not error: %v", err)
-	}
-	if deleted2 {
-		t.Error("Second delete should return false for non-existent key")
-	}
-}
-
-func TestUsagePool_Range(t *testing.T) {
-	pool := NewUsagePool()
-
-	// Add multiple values
-	values := map[string]string{
-		"key1": "value1",
-		"key2": "value2",
-		"key3": "value3",
-	}
-
-	for key, value := range values {
-		pool.LoadOrStore(key, &mockDestructor{value: value})
-	}
-
-	// Range through all values
-	found := make(map[string]string)
-	pool.Range(func(key, value any) bool {
-		found[key.(string)] = value.(*mockDestructor).value
-		return true
-	})
-
-	if len(found) != len(values) {
-		t.Errorf("Expected %d values, got %d", len(values), len(found))
-	}
-
-	for key, expectedValue := range values {
-		if actualValue, exists := found[key]; !exists || actualValue != expectedValue {
-			t.Errorf("Key %s: expected '%s', got '%s'", key, expectedValue, actualValue)
-		}
-	}
-}
-
-func TestUsagePool_Range_EarlyReturn(t *testing.T) {
-	pool := NewUsagePool()
-
-	// Add multiple values
-	for i := 0; i < 5; i++ {
-		pool.LoadOrStore(i, &mockDestructor{value: "value"})
-	}
-
-	// Range but return false after first iteration
-	count := 0
-	pool.Range(func(key, value any) bool {
-		count++
-		return false // Stop after first iteration
-	})
-
-	if count != 1 {
-		t.Errorf("Expected 1 iteration, got %d", count)
-	}
-}
-
-func TestUsagePool_Concurrent_LoadOrNew(t *testing.T) {
-	pool := NewUsagePool()
-	key := "concurrent-key"
-	constructorCalls := int32(0)
-
-	const numGoroutines = 100
-	var wg sync.WaitGroup
-	results := make([]any, numGoroutines)
-
-	for i := 0; i < numGoroutines; i++ {
-		wg.Add(1)
-		go func(index int) {
-			defer wg.Done()
-			val, _, err := pool.LoadOrNew(key, func() (Destructor, error) {
-				atomic.AddInt32(&constructorCalls, 1)
-				// Add small delay to increase chance of race conditions
-				time.Sleep(time.Microsecond)
-				return &mockDestructor{value: "concurrent-value"}, nil
-			})
-			if err != nil {
-				t.Errorf("Goroutine %d: Unexpected error: %v", index, err)
-				return
-			}
-			results[index] = val
-		}(i)
-	}
-
-	wg.Wait()
-
-	// Constructor should only be called once
-	if calls := atomic.LoadInt32(&constructorCalls); calls != 1 {
-		t.Errorf("Expected constructor to be called once, was called %d times", calls)
-	}
-
-	// All goroutines should get the same value
-	firstVal := results[0]
-	for i, val := range results {
-		if val != firstVal {
-			t.Errorf("Goroutine %d got different value than first goroutine", i)
-		}
-	}
-
-	// Reference count should equal number of goroutines
-	refs, exists := pool.References(key)
-	if !exists {
-		t.Error("Key should exist in pool")
-	}
-	if refs != numGoroutines {
-		t.Errorf("Expected %d references, got %d", numGoroutines, refs)
-	}
-}
-
-func TestUsagePool_Concurrent_Delete(t *testing.T) {
-	pool := NewUsagePool()
-	key := "concurrent-delete-key"
-	mockVal := &mockDestructor{value: "test-value"}
-
-	const numRefs = 50
-
-	// Add multiple references
-	for i := 0; i < numRefs; i++ {
-		pool.LoadOrStore(key, mockVal)
-	}
-
-	var wg sync.WaitGroup
-	deleteResults := make([]bool, numRefs)
-
-	// Delete concurrently
-	for i := 0; i < numRefs; i++ {
-		wg.Add(1)
-		go func(index int) {
-			defer wg.Done()
-			deleted, err := pool.Delete(key)
-			if err != nil {
-				t.Errorf("Goroutine %d: Unexpected error: %v", index, err)
-				return
-			}
-			deleteResults[index] = deleted
-		}(i)
-	}
-
-	wg.Wait()
-
-	// Exactly one delete should have returned true (when refs reached 0)
-	deletedCount := 0
-	for _, deleted := range deleteResults {
-		if deleted {
-			deletedCount++
-		}
-	}
-	if deletedCount != 1 {
-		t.Errorf("Expected exactly 1 delete to return true, got %d", deletedCount)
-	}
-
-	// Value should be destroyed
-	if !mockVal.IsDestroyed() {
-		t.Error("Value should be destroyed after all references deleted")
-	}
-
-	// Key should not exist
-	refs, exists := pool.References(key)
-	if exists {
-		t.Error("Key should not exist after all references deleted")
-	}
-	if refs != 0 {
-		t.Errorf("Expected 0 references, got %d", refs)
-	}
-}
-
-func TestUsagePool_DestructorError(t *testing.T) {
-	pool := NewUsagePool()
-	key := "destructor-error-key"
-	expectedErr := errors.New("destructor failed")
-	mockVal := &mockDestructor{value: "test-value", err: expectedErr}
-
-	pool.LoadOrStore(key, mockVal)
-
-	deleted, err := pool.Delete(key)
-	if err != expectedErr {
-		t.Errorf("Expected destructor error, got: %v", err)
-	}
-	if !deleted {
-		t.Error("Expected deleted to be true even with destructor error")
-	}
-	if !mockVal.IsDestroyed() {
-		t.Error("Destructor should have been called despite error")
-	}
-}
-
-func TestUsagePool_Mixed_Concurrent_Operations(t *testing.T) {
-	pool := NewUsagePool()
-	keys := []string{"key1", "key2", "key3"}
-
-	var wg sync.WaitGroup
-	const opsPerKey = 10
-
-	// Test concurrent operations but with more controlled behavior
-	for _, key := range keys {
-		for i := 0; i < opsPerKey; i++ {
-			wg.Add(2) // LoadOrStore and Delete
-
-			// LoadOrStore (safer than LoadOrNew for concurrency)
-			go func(k string) {
-				defer wg.Done()
-				pool.LoadOrStore(k, &mockDestructor{value: k + "-value"})
-			}(key)
-
-			// Delete (may fail if refs are 0, that's fine)
-			go func(k string) {
-				defer wg.Done()
-				pool.Delete(k)
-			}(key)
-		}
-	}
-
-	wg.Wait()
-
-	// Test that the pool is in a consistent state
-	for _, key := range keys {
-		refs, exists := pool.References(key)
-		if exists && refs < 0 {
-			t.Errorf("Key %s has negative reference count: %d", key, refs)
-		}
-	}
-}
-
-func TestUsagePool_Range_SkipsErrorValues(t *testing.T) {
-	pool := NewUsagePool()
-
-	// Add value that will succeed
-	goodKey := "good-key"
-	pool.LoadOrStore(goodKey, &mockDestructor{value: "good-value"})
-
-	// Try to add value that will fail construction
-	badKey := "bad-key"
-	pool.LoadOrNew(badKey, func() (Destructor, error) {
-		return nil, errors.New("construction failed")
-	})
-
-	// Range should only iterate good values
-	count := 0
-	pool.Range(func(key, value any) bool {
-		count++
-		if key.(string) != goodKey {
-			t.Errorf("Expected only good key, got: %s", key.(string))
-		}
-		return true
-	})
-
-	if count != 1 {
-		t.Errorf("Expected 1 value in range, got %d", count)
-	}
-}
-
-func TestUsagePool_LoadOrStore_ErrorRecovery(t *testing.T) {
-	pool := NewUsagePool()
-	key := "error-recovery-key"
-
-	// First, create a value that fails construction
-	_, _, err := pool.LoadOrNew(key, func() (Destructor, error) {
-		return nil, errors.New("construction failed")
-	})
-	if err == nil {
-		t.Error("Expected constructor error")
-	}
-
-	// Now try LoadOrStore with a good value - should recover
-	goodVal := &mockDestructor{value: "recovery-value"}
-	val, loaded := pool.LoadOrStore(key, goodVal)
-	if loaded {
-		t.Error("Expected loaded to be false for error recovery")
-	}
-	if val != goodVal {
-		t.Error("Expected recovery value to be returned")
-	}
-}
-
-func TestUsagePool_MemoryLeak_Prevention(t *testing.T) {
-	pool := NewUsagePool()
-	key := "memory-leak-test"
-
-	// Create many references
-	const numRefs = 1000
-	mockVal := &mockDestructor{value: "leak-test"}
-
-	for i := 0; i < numRefs; i++ {
-		pool.LoadOrStore(key, mockVal)
-	}
-
-	// Delete all references
-	for i := 0; i < numRefs; i++ {
-		deleted, err := pool.Delete(key)
-		if err != nil {
-			t.Fatalf("Delete %d: Unexpected error: %v", i, err)
-		}
-		if i == numRefs-1 && !deleted {
-			t.Error("Last delete should return true")
-		} else if i < numRefs-1 && deleted {
-			t.Errorf("Delete %d should return false", i)
-		}
-	}
-
-	// Verify destructor was called
-	if !mockVal.IsDestroyed() {
-		t.Error("Value should be destroyed after all references deleted")
-	}
-
-	// Verify no memory leak - key should be removed from map
-	refs, exists := pool.References(key)
-	if exists {
-		t.Error("Key should not exist after complete deletion")
-	}
-	if refs != 0 {
-		t.Errorf("Expected 0 references, got %d", refs)
-	}
-}
-
-func TestUsagePool_RaceCondition_RefsCounter(t *testing.T) {
-	pool := NewUsagePool()
-	key := "race-test-key"
-	mockVal := &mockDestructor{value: "race-value"}
-
-	const numOperations = 100
-	var wg sync.WaitGroup
-
-	// Mix of increment and decrement operations
-	for i := 0; i < numOperations; i++ {
-		wg.Add(2)
-
-		// Increment (LoadOrStore)
-		go func() {
-			defer wg.Done()
-			pool.LoadOrStore(key, mockVal)
-		}()
-
-		// Decrement (Delete) - may fail if refs are 0, that's ok
-		go func() {
-			defer wg.Done()
-			pool.Delete(key)
-		}()
-	}
-
-	wg.Wait()
-
-	// Final reference count should be consistent
-	refs, exists := pool.References(key)
-	if exists {
-		if refs < 0 {
-			t.Errorf("Reference count should never be negative, got: %d", refs)
-		}
-	}
-}
-
-func BenchmarkUsagePool_LoadOrNew(b *testing.B) {
-	pool := NewUsagePool()
-	key := "bench-key"
-
-	b.ResetTimer()
-	for i := 0; i < b.N; i++ {
-		pool.LoadOrNew(key, func() (Destructor, error) {
-			return &mockDestructor{value: "bench-value"}, nil
-		})
-	}
-}
-
-func BenchmarkUsagePool_LoadOrStore(b *testing.B) {
-	pool := NewUsagePool()
-	key := "bench-key"
-	mockVal := &mockDestructor{value: "bench-value"}
-
-	b.ResetTimer()
-	for i := 0; i < b.N; i++ {
-		pool.LoadOrStore(key, mockVal)
-	}
-}
-
-func BenchmarkUsagePool_Delete(b *testing.B) {
-	pool := NewUsagePool()
-	key := "bench-key"
-	mockVal := &mockDestructor{value: "bench-value"}
-
-	// Pre-populate with many references
-	for i := 0; i < b.N; i++ {
-		pool.LoadOrStore(key, mockVal)
-	}
-
-	b.ResetTimer()
-	for i := 0; i < b.N; i++ {
-		pool.Delete(key)
-	}
-}
Author	SHA1	Message	Date
Zen Dodd	8e27d11657	reverseproxy: test HTTP/3 SNI host placeholder	2026-05-25 12:25:10 -04:00
WeidiDeng	11dca6de83	add test for placeholder	2026-05-25 12:25:10 -04:00
WeidiDeng	7f609d0953	reverseproxy: replace placeholders specified for sni while using http3	2026-05-25 12:25:10 -04:00
Zen Dodd	94fcea08f4	go.mod: update x/net (#7767 ) Tests / test (./cmd/caddy/caddy, ~1.26.0, macos-14, 0, 1.26, mac) (push) Waiting to run Details Tests / test (./cmd/caddy/caddy.exe, ~1.26.0, windows-latest, True, 1.26, windows) (push) Waiting to run Details Lint / lint (macos-14, mac) (push) Waiting to run Details Lint / lint (windows-latest, windows) (push) Waiting to run Details Tests / test (s390x on IBM Z) (push) Has been skipped Details Tests / goreleaser-check (push) Has been skipped Details Tests / test (./cmd/caddy/caddy, ~1.26.0, ubuntu-latest, 0, 1.26, linux) (push) Failing after 1m47s Details Cross-Build / build (~1.26.0, 1.26, darwin) (push) Successful in 2m53s Details Cross-Build / build (~1.26.0, 1.26, aix) (push) Successful in 3m1s Details Cross-Build / build (~1.26.0, 1.26, dragonfly) (push) Successful in 2m41s Details Cross-Build / build (~1.26.0, 1.26, freebsd) (push) Successful in 2m35s Details Cross-Build / build (~1.26.0, 1.26, illumos) (push) Successful in 1m54s Details Cross-Build / build (~1.26.0, 1.26, linux) (push) Successful in 2m44s Details Cross-Build / build (~1.26.0, 1.26, netbsd) (push) Successful in 2m48s Details Cross-Build / build (~1.26.0, 1.26, openbsd) (push) Successful in 2m45s Details Cross-Build / build (~1.26.0, 1.26, solaris) (push) Successful in 2m45s Details Cross-Build / build (~1.26.0, 1.26, windows) (push) Successful in 1m53s Details Lint / dependency-review (push) Failing after 1m9s Details Lint / govulncheck (push) Successful in 2m1s Details Lint / lint (ubuntu-latest, linux) (push) Successful in 2m27s Details OpenSSF Scorecard supply-chain security / Scorecard analysis (push) Failing after 6m16s Details	2026-05-25 12:24:44 -04:00
Matthew Holt	44b667a79f	go.mod: Update x/crypto Tests / test (s390x on IBM Z) (push) Has been skipped Details Tests / goreleaser-check (push) Has been skipped Details Cross-Build / build (~1.26.0, 1.26, darwin) (push) Successful in 1m45s Details Cross-Build / build (~1.26.0, 1.26, freebsd) (push) Successful in 2m45s Details Cross-Build / build (~1.26.0, 1.26, dragonfly) (push) Successful in 2m49s Details Cross-Build / build (~1.26.0, 1.26, illumos) (push) Successful in 1m45s Details Tests / test (./cmd/caddy/caddy, ~1.26.0, ubuntu-latest, 0, 1.26, linux) (push) Failing after 3m46s Details Cross-Build / build (~1.26.0, 1.26, aix) (push) Successful in 4m41s Details Cross-Build / build (~1.26.0, 1.26, openbsd) (push) Successful in 1m41s Details Cross-Build / build (~1.26.0, 1.26, linux) (push) Successful in 2m35s Details Cross-Build / build (~1.26.0, 1.26, netbsd) (push) Successful in 2m37s Details Lint / dependency-review (push) Failing after 1m7s Details Lint / govulncheck (push) Failing after 1m34s Details Cross-Build / build (~1.26.0, 1.26, solaris) (push) Successful in 3m29s Details OpenSSF Scorecard supply-chain security / Scorecard analysis (push) Failing after 45s Details Lint / lint (ubuntu-latest, linux) (push) Successful in 2m21s Details Cross-Build / build (~1.26.0, 1.26, windows) (push) Successful in 3m47s Details Tests / test (./cmd/caddy/caddy, ~1.26.0, macos-14, 0, 1.26, mac) (push) Has been cancelled Details Tests / test (./cmd/caddy/caddy.exe, ~1.26.0, windows-latest, True, 1.26, windows) (push) Has been cancelled Details Lint / lint (macos-14, mac) (push) Has been cancelled Details Lint / lint (windows-latest, windows) (push) Has been cancelled Details	2026-05-22 09:25:04 -06:00
Vincent Yang	217a785824	caddyhttp: normalize Windows backslashes in path matcher (#7763 ) Tests / test (s390x on IBM Z) (push) Has been skipped Details Tests / goreleaser-check (push) Has been skipped Details Cross-Build / build (~1.26.0, 1.26, darwin) (push) Successful in 1m33s Details Cross-Build / build (~1.26.0, 1.26, dragonfly) (push) Successful in 2m37s Details Cross-Build / build (~1.26.0, 1.26, freebsd) (push) Successful in 2m37s Details Cross-Build / build (~1.26.0, 1.26, aix) (push) Successful in 2m56s Details Cross-Build / build (~1.26.0, 1.26, illumos) (push) Successful in 1m30s Details Cross-Build / build (~1.26.0, 1.26, linux) (push) Successful in 1m25s Details Cross-Build / build (~1.26.0, 1.26, netbsd) (push) Successful in 1m56s Details Cross-Build / build (~1.26.0, 1.26, solaris) (push) Successful in 1m35s Details Tests / test (./cmd/caddy/caddy, ~1.26.0, ubuntu-latest, 0, 1.26, linux) (push) Failing after 4m59s Details Cross-Build / build (~1.26.0, 1.26, openbsd) (push) Successful in 2m19s Details OpenSSF Scorecard supply-chain security / Scorecard analysis (push) Failing after 53s Details Cross-Build / build (~1.26.0, 1.26, windows) (push) Successful in 1m51s Details Tests / test (./cmd/caddy/caddy, ~1.26.0, macos-14, 0, 1.26, mac) (push) Has been cancelled Details Tests / test (./cmd/caddy/caddy.exe, ~1.26.0, windows-latest, True, 1.26, windows) (push) Has been cancelled Details	2026-05-21 11:28:40 -06:00
dependabot[bot]	b5898c3f32	build(deps): bump the all-updates group across 1 directory with 9 updates (#7752 ) Tests / test (s390x on IBM Z) (push) Has been skipped Details Tests / goreleaser-check (push) Has been skipped Details Tests / test (./cmd/caddy/caddy, ~1.26.0, ubuntu-latest, 0, 1.26, linux) (push) Failing after 1m43s Details Cross-Build / build (~1.26.0, 1.26, aix) (push) Successful in 2m27s Details Cross-Build / build (~1.26.0, 1.26, darwin) (push) Successful in 1m33s Details Cross-Build / build (~1.26.0, 1.26, dragonfly) (push) Failing after 2m2s Details Cross-Build / build (~1.26.0, 1.26, illumos) (push) Successful in 2m47s Details Cross-Build / build (~1.26.0, 1.26, linux) (push) Successful in 2m46s Details Cross-Build / build (~1.26.0, 1.26, netbsd) (push) Successful in 1m39s Details Cross-Build / build (~1.26.0, 1.26, freebsd) (push) Successful in 5m17s Details Lint / lint (ubuntu-latest, linux) (push) Successful in 2m27s Details Cross-Build / build (~1.26.0, 1.26, solaris) (push) Successful in 2m35s Details Cross-Build / build (~1.26.0, 1.26, windows) (push) Successful in 2m36s Details Cross-Build / build (~1.26.0, 1.26, openbsd) (push) Successful in 3m39s Details OpenSSF Scorecard supply-chain security / Scorecard analysis (push) Failing after 51s Details Lint / dependency-review (push) Failing after 57s Details Lint / govulncheck (push) Successful in 2m18s Details Tests / test (./cmd/caddy/caddy, ~1.26.0, macos-14, 0, 1.26, mac) (push) Has been cancelled Details Tests / test (./cmd/caddy/caddy.exe, ~1.26.0, windows-latest, True, 1.26, windows) (push) Has been cancelled Details Lint / lint (macos-14, mac) (push) Has been cancelled Details Lint / lint (windows-latest, windows) (push) Has been cancelled Details Bumps the all-updates group with 9 updates in the / directory: \| Package \| From \| To \| \| --- \| --- \| --- \| \| [github.com/alecthomas/chroma/v2](https://github.com/alecthomas/chroma) \| `2.23.1` \| `2.24.1` \| \| [github.com/google/cel-go](https://github.com/google/cel-go) \| `0.28.0` \| `0.28.1` \| \| [github.com/klauspost/compress](https://github.com/klauspost/compress) \| `1.18.5` \| `1.18.6` \| \| [go.opentelemetry.io/contrib/exporters/autoexport](https://github.com/open-telemetry/opentelemetry-go-contrib) \| `0.65.0` \| `0.68.0` \| \| [go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp](https://github.com/open-telemetry/opentelemetry-go-contrib) \| `0.67.0` \| `0.68.0` \| \| [go.opentelemetry.io/contrib/propagators/autoprop](https://github.com/open-telemetry/opentelemetry-go-contrib) \| `0.65.0` \| `0.68.0` \| \| [go.uber.org/zap](https://github.com/uber-go/zap) \| `1.27.1` \| `1.28.0` \| \| [golang.org/x/net](https://github.com/golang/net) \| `0.53.0` \| `0.54.0` \| \| [github.com/pires/go-proxyproto](https://github.com/pires/go-proxyproto) \| `0.11.0` \| `0.12.0` \| Updates `github.com/alecthomas/chroma/v2` from 2.23.1 to 2.24.1 - [Release notes](https://github.com/alecthomas/chroma/releases) - [Commits](https://github.com/alecthomas/chroma/compare/v2.23.1...v2.24.1) Updates `github.com/google/cel-go` from 0.28.0 to 0.28.1 - [Release notes](https://github.com/google/cel-go/releases) - [Commits](https://github.com/google/cel-go/compare/v0.28.0...v0.28.1) Updates `github.com/klauspost/compress` from 1.18.5 to 1.18.6 - [Release notes](https://github.com/klauspost/compress/releases) - [Commits](https://github.com/klauspost/compress/compare/v1.18.5...v1.18.6) Updates `go.opentelemetry.io/contrib/exporters/autoexport` from 0.65.0 to 0.68.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go-contrib/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go-contrib/compare/zpages/v0.65.0...zpages/v0.68.0) Updates `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` from 0.67.0 to 0.68.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go-contrib/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go-contrib/compare/zpages/v0.67.0...zpages/v0.68.0) Updates `go.opentelemetry.io/contrib/propagators/autoprop` from 0.65.0 to 0.68.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go-contrib/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go-contrib/compare/zpages/v0.65.0...zpages/v0.68.0) Updates `go.uber.org/zap` from 1.27.1 to 1.28.0 - [Release notes](https://github.com/uber-go/zap/releases) - [Changelog](https://github.com/uber-go/zap/blob/master/CHANGELOG.md) - [Commits](https://github.com/uber-go/zap/compare/v1.27.1...v1.28.0) Updates `golang.org/x/net` from 0.53.0 to 0.54.0 - [Commits](https://github.com/golang/net/compare/v0.53.0...v0.54.0) Updates `github.com/pires/go-proxyproto` from 0.11.0 to 0.12.0 - [Release notes](https://github.com/pires/go-proxyproto/releases) - [Commits](https://github.com/pires/go-proxyproto/compare/v0.11.0...v0.12.0) --- updated-dependencies: - dependency-name: github.com/alecthomas/chroma/v2 dependency-version: 2.24.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: all-updates - dependency-name: github.com/google/cel-go dependency-version: 0.28.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all-updates - dependency-name: github.com/klauspost/compress dependency-version: 1.18.6 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all-updates - dependency-name: go.opentelemetry.io/contrib/exporters/autoexport dependency-version: 0.68.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: all-updates - dependency-name: go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp dependency-version: 0.68.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: all-updates - dependency-name: go.opentelemetry.io/contrib/propagators/autoprop dependency-version: 0.68.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: all-updates - dependency-name: go.uber.org/zap dependency-version: 1.28.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: all-updates - dependency-name: golang.org/x/net dependency-version: 0.54.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: all-updates - dependency-name: github.com/pires/go-proxyproto dependency-version: 0.12.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: all-updates ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Zen Dodd <mail@steadytao.com>	2026-05-20 12:17:10 -06:00
Zen Dodd	9505c0baa0	caddytls: match IDN SNI in connection policies (#7742 ) Tests / test (s390x on IBM Z) (push) Has been skipped Details Tests / goreleaser-check (push) Has been skipped Details Cross-Build / build (~1.26.0, 1.26, aix) (push) Failing after 1m41s Details Cross-Build / build (~1.26.0, 1.26, darwin) (push) Successful in 3m29s Details Cross-Build / build (~1.26.0, 1.26, dragonfly) (push) Successful in 2m12s Details Tests / test (./cmd/caddy/caddy, ~1.26.0, ubuntu-latest, 0, 1.26, linux) (push) Failing after 4m17s Details Cross-Build / build (~1.26.0, 1.26, freebsd) (push) Successful in 2m12s Details Cross-Build / build (~1.26.0, 1.26, illumos) (push) Successful in 2m20s Details Cross-Build / build (~1.26.0, 1.26, openbsd) (push) Successful in 1m51s Details Cross-Build / build (~1.26.0, 1.26, netbsd) (push) Successful in 2m20s Details Cross-Build / build (~1.26.0, 1.26, solaris) (push) Successful in 2m19s Details Cross-Build / build (~1.26.0, 1.26, windows) (push) Successful in 1m43s Details Lint / lint (ubuntu-latest, linux) (push) Successful in 2m40s Details Lint / govulncheck (push) Successful in 2m41s Details Lint / dependency-review (push) Failing after 1m29s Details OpenSSF Scorecard supply-chain security / Scorecard analysis (push) Failing after 6m12s Details Cross-Build / build (~1.26.0, 1.26, linux) (push) Failing after 25m52s Details Tests / test (./cmd/caddy/caddy, ~1.26.0, macos-14, 0, 1.26, mac) (push) Has been cancelled Details Tests / test (./cmd/caddy/caddy.exe, ~1.26.0, windows-latest, True, 1.26, windows) (push) Has been cancelled Details Lint / lint (macos-14, mac) (push) Has been cancelled Details Lint / lint (windows-latest, windows) (push) Has been cancelled Details	2026-05-20 13:52:28 -04:00
WeidiDeng	ad912569b5	reverseproxy: wraps request body to prevent closing if not read (#7719 ) Co-authored-by: Matt Holt <mholt@users.noreply.github.com>	2026-05-20 17:35:40 +00:00
Zen Dodd	6a210e96ee	caddyfile: preserve implicit TLS issuer semantics (#7743 )	2026-05-20 12:48:37 -04:00
Zen Dodd	6628c4a9de	cmd: support caddy start on IPv6-only hosts (#7744 )	2026-05-20 10:17:34 -04:00
Zen Dodd	408d20a0e5	caddyauth: add candidate placeholders for rejected identities (#7698 )	2026-05-20 13:51:54 +00:00
Eyüp Can Akman	0b265eb845	reverseproxy: Add regression test for DialInfo network override (#7758 )	2026-05-20 09:43:58 -04:00
Zen Dodd	88037f1666	chore: clean up wording and typo fixes (#7745 ) Tests / test (s390x on IBM Z) (push) Has been skipped Details Tests / goreleaser-check (push) Has been skipped Details Cross-Build / build (~1.26.0, 1.26, darwin) (push) Successful in 1m28s Details Cross-Build / build (~1.26.0, 1.26, dragonfly) (push) Successful in 2m34s Details Cross-Build / build (~1.26.0, 1.26, freebsd) (push) Successful in 2m35s Details Cross-Build / build (~1.26.0, 1.26, illumos) (push) Successful in 1m33s Details Cross-Build / build (~1.26.0, 1.26, aix) (push) Successful in 3m39s Details Tests / test (./cmd/caddy/caddy, ~1.26.0, ubuntu-latest, 0, 1.26, linux) (push) Failing after 3m55s Details Cross-Build / build (~1.26.0, 1.26, openbsd) (push) Successful in 1m30s Details Cross-Build / build (~1.26.0, 1.26, netbsd) (push) Successful in 2m37s Details Cross-Build / build (~1.26.0, 1.26, linux) (push) Successful in 2m37s Details Lint / govulncheck (push) Successful in 56s Details Lint / dependency-review (push) Failing after 1m9s Details Cross-Build / build (~1.26.0, 1.26, solaris) (push) Successful in 3m8s Details OpenSSF Scorecard supply-chain security / Scorecard analysis (push) Failing after 41s Details Lint / lint (ubuntu-latest, linux) (push) Successful in 2m22s Details Cross-Build / build (~1.26.0, 1.26, windows) (push) Successful in 3m11s Details Tests / test (./cmd/caddy/caddy, ~1.26.0, macos-14, 0, 1.26, mac) (push) Has been cancelled Details Tests / test (./cmd/caddy/caddy.exe, ~1.26.0, windows-latest, True, 1.26, windows) (push) Has been cancelled Details Lint / lint (macos-14, mac) (push) Has been cancelled Details Lint / lint (windows-latest, windows) (push) Has been cancelled Details * chore: clean up wording and typo fixes * chore: ASCII -> alphanumeric in lexer for heredoc marker	2026-05-20 16:36:30 +10:00
cbro	325c244ea7	caddytls: fix TLS state races and ECH rotation retry (#7756 ) * caddytls: fix data race in session ticket key rotation stayUpdated copies the map header (configs := s.configs) under the lock, then iterates the original map after releasing it. Concurrent calls to register/unregister mutate the same map. Hold the lock for the entire iteration instead. * caddytls: fix data race in AllMatchingCertificates AllMatchingCertificates reads the package-level certCache without acquiring certCacheMu, while Cleanup sets certCache to nil under the write lock. The adjacent HasCertificateForSubject correctly acquires certCacheMu.RLock. Add the missing RLock/RUnlock to match. * caddytls: fix ECH key rotation stopping permanently on error When rotateECHKeys returns an error, the rotation goroutine returns immediately, stopping all future key rotation for the lifetime of the process. Change return to continue, matching the error handling for publishECHConfigs two lines below.	2026-05-20 16:35:40 +10:00
Brett Bethke	0125ae39cc	caddyhttp: omit Last-Modified for unusable mod times (#7740 ) See #5548 and #7730	2026-05-20 16:19:11 +10:00