FlexGate Features Catalog

Complete list of all implemented features in FlexGate Proxy

Last Updated: January 29, 2026
Version: 1.0.0


📊 Table of Contents

  1. Core Proxy Features
  2. Admin UI
  3. Real-Time Metrics
  4. Database & Persistence
  5. Security Features
  6. Observability
  7. Webhooks & Events
  8. API Management
  9. Infrastructure

Core Proxy Features

✅ HTTP Proxying

  • HTTP/HTTPS request forwarding
  • Method filtering (GET, POST, PUT, DELETE, PATCH, etc.)
  • Path-based routing with wildcards (/api/*)
  • Query parameter preservation
  • Header forwarding and manipulation
  • Request/response body streaming
  • Connection pooling and keep-alive
  • Timeout configuration (request, connection, idle)

✅ Route Management

  • Dynamic route configuration (YAML + Database)
  • Hot reload without server restart
  • Per-route settings:
    • Rate limiting
    • Circuit breakers
    • Authentication requirements
    • Timeouts and retries
    • Custom headers
  • Route enable/disable toggle
  • Route priority and matching order

✅ Traffic Control

  • Rate Limiting

    • Token bucket algorithm
    • Redis-backed distributed limiting
    • Per-route and global limits
    • Configurable windows (seconds, minutes, hours)
    • Custom rate limit headers
  • Circuit Breakers

    • Per-upstream circuit breaking
    • Configurable failure threshold
    • Half-open state with retry
    • Automatic recovery
    • Circuit breaker events
  • Retries

    • Exponential backoff with jitter
    • Configurable retry attempts
    • Idempotent method detection
    • Retry on specific status codes

Admin UI

✅ Dashboard Page

  • Real-time metrics visualization
  • SSE-based live updates (every 5 seconds)
  • Metric cards:
    • Total requests
    • Average response time
    • Success rate
    • Error rate
  • Connection status indicator (Live/Disconnected)
  • Auto-reconnect on disconnect
  • Loading states and error handling

✅ Routes Management Page

  • List all configured routes
  • Search and filter routes
  • Create new routes via dialog form
  • Edit existing routes
  • Delete routes with confirmation
  • Enable/disable routes toggle
  • Route configuration options:
    • Path pattern
    • Upstream URL
    • HTTP methods selection
    • Rate limit settings
    • Circuit breaker settings
  • Real-time validation
  • Success/error notifications

✅ Webhooks Management Page

  • List all webhook subscriptions
  • Create new webhooks
  • Edit webhook configuration
  • Delete webhooks
  • Enable/disable webhooks
  • Event type selection:
    • request.error
    • rate_limit.exceeded
    • circuit_breaker.opened
    • upstream.failure
    • auth.failure
  • Retry configuration:
    • Max retries
    • Initial delay
    • Backoff multiplier
  • Webhook delivery tracking
  • Test webhook functionality

✅ Logs Page

  • Audit log viewer
  • Pagination support
  • Log filtering:
    • By level (info, warn, error)
    • By time range
    • By source/service
  • Log entry details
  • Export functionality
  • Real-time log streaming

✅ Settings Page

  • System configuration
  • Proxy settings (port, timeouts, body size limits)
  • Security settings (allowed hosts, blocked IPs)
  • Database connection settings
  • Redis configuration
  • NATS JetStream settings
  • Configuration validation
  • Save with confirmation

✅ UI Components

  • Material-UI design system
  • Responsive layout (mobile, tablet, desktop)
  • Dark mode support (planned)
  • Loading skeletons
  • Error boundaries
  • Toast notifications
  • Confirmation dialogs
  • Form validation
  • Accessibility (ARIA labels, keyboard navigation)

Real-Time Metrics

✅ NATS JetStream Integration

  • JetStream client initialization
  • Stream creation (METRICS, ALERTS)
  • Durable consumers
  • Message persistence (24h for metrics, 7d for alerts)
  • Automatic reconnection
  • Error handling and logging

✅ Metrics Publisher

  • Automatic metrics collection (every 5 seconds)
  • Database query aggregation
  • Metrics publishing to JetStream
  • Summary metrics:
    • Total requests
    • Average latency
    • P50, P95, P99 latency
    • Error rate
    • Availability
    • Server/client errors
  • Request rate calculation
  • Status code distribution
  • Time-series data formatting

✅ Server-Sent Events (SSE)

  • /api/stream/metrics endpoint
  • /api/stream/alerts endpoint
  • Client connection tracking
  • Automatic client cleanup on disconnect
  • Heartbeat/keepalive
  • Error stream recovery
  • Multiple concurrent clients support
  • CORS support for cross-origin streaming

✅ HTTP Polling Fallback

  • /api/metrics REST endpoint
  • Same data format as SSE
  • Cache-control headers
  • Fallback for browsers without SSE support

Database & Persistence

✅ PostgreSQL Schema

  • Routes table

    • Route configuration storage
    • Enable/disable flag
    • Created/updated timestamps
    • Indexes for fast lookup
  • Requests table (metrics)

    • Every proxy request logged
    • 14 columns: method, path, status, latency, upstream, etc.
    • 6 indexes for efficient queries
    • Timestamp-based partitioning ready
  • API Keys table

    • Key storage with HMAC
    • Expiration dates
    • Permissions/scopes
    • Usage tracking
  • Webhooks table

    • Webhook subscriptions
    • Event filtering
    • Retry configuration
    • Enable/disable state
  • Webhook Deliveries table

    • Delivery attempts tracking
    • Success/failure status
    • Response data
    • Retry count
  • Audit Logs table

    • All system changes logged
    • User actions
    • Metadata JSON field
    • Full-text search ready
  • Schema Migrations

    • Version-controlled migrations
    • schema_migrations tracking table
    • Rollback support

✅ Database Features

  • Connection pooling (pg-pool)
  • Prepared statements
  • Transaction support
  • Query timeout protection
  • Automatic reconnection
  • Health check queries
  • Database error handling

Security Features

✅ Authentication

  • API Key Authentication

    • HMAC-SHA256 signing
    • Key validation middleware
    • Per-route auth requirements
    • Key expiration handling
    • Rate limit per key
  • OAuth 2.0 / OIDC (In Progress)

    • Social login integration
    • JWT token validation
    • Session management
    • Refresh token support

✅ Request Validation

  • Header sanitization
  • Payload size limits
  • Content-Type validation
  • Method whitelisting
  • URL encoding validation

✅ SSRF Protection

  • Private IP blocking (10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12)
  • Localhost blocking (127.0.0.0/8, ::1)
  • Cloud metadata blocking (169.254.169.254)
  • Link-local address blocking
  • Upstream URL validation

✅ Security Headers

  • X-Correlation-ID (request tracing)
  • X-Forwarded-* headers
  • X-RateLimit-* headers
  • Custom security headers injection
  • Sensitive header filtering

Observability

✅ Structured Logging

  • JSON log format
  • Winston logger integration
  • Log levels (error, warn, info, debug)
  • Correlation ID tracking
  • Request/response logging
  • Error stack traces
  • Context injection (service, hostname, PID)
  • Log rotation support
  • ELK/Splunk ready

✅ Metrics Collection

  • Request Metrics

    • Count, rate, duration
    • Per-route metrics
    • Per-status-code metrics
    • Per-upstream metrics
  • Latency Metrics

    • Histograms
    • Percentiles (P50, P95, P99)
    • Average, min, max
    • Bucketing for analysis
  • Error Metrics

    • Error rate calculation
    • Error categorization (4xx, 5xx)
    • Circuit breaker states
    • Retry counts
  • System Metrics

    • Memory usage
    • CPU usage
    • Active connections
    • Event loop lag

✅ Prometheus Integration

  • /prometheus/metrics endpoint
  • Counter metrics
  • Histogram metrics
  • Gauge metrics
  • Label support (method, route, status)
  • Grafana dashboard compatible

✅ Health Checks

  • Liveness probe (/health/live)
  • Readiness probe (/health/ready)
  • Deep health check (database, redis, jetstream)
  • Kubernetes-compatible format
  • Custom health checks per component

Webhooks & Events

✅ Event System

  • Event emitter architecture
  • Event type definitions
  • Event payload standardization
  • Event metadata (correlation IDs, timestamps)

✅ Webhook Delivery

  • HTTP POST to subscriber URLs
  • Automatic retries with exponential backoff
  • Configurable retry parameters:
    • Max retries (default: 3)
    • Initial delay (default: 1s)
    • Backoff multiplier (default: 2x)
  • Delivery status tracking
  • Success/failure logging
  • Custom headers support
  • HMAC signature for verification
  • Timeout configuration
  • Circuit breaking for failing webhooks

✅ Event Types

  • request.error - Failed proxy requests
  • rate_limit.exceeded - Rate limit violations
  • circuit_breaker.opened - Circuit breaker trips
  • circuit_breaker.closed - Circuit breaker recovery
  • upstream.failure - Upstream connection failures
  • auth.failure - Authentication failures
  • config.changed - Configuration updates
  • route.created - New route added
  • route.updated - Route modified
  • route.deleted - Route removed

✅ Webhook Management

  • Create/update/delete subscriptions
  • Enable/disable webhooks
  • Event filtering (subscribe to specific events)
  • Webhook testing endpoint
  • Delivery history tracking
  • Webhook statistics (success rate, avg latency)

API Management

✅ REST API

  • /api/routes - Route CRUD operations (admin rate-limited)
  • /api/webhooks - Webhook CRUD operations (admin rate-limited)
  • /api/metrics - Current metrics (admin rate-limited)
  • /api/logs - Audit logs with pagination (admin rate-limited)
  • /api/settings - General settings GET/PUT/POST (admin rate-limited)
  • /api/settings/ai - AI provider settings (admin rate-limited)
  • /api/settings/claude - Claude-specific settings (admin rate-limited)
  • /api/ai - AI analysis endpoints (admin rate-limited)
  • /api/ai-incidents - AI incident tracking CRUD (admin rate-limited)
  • /api/troubleshooting - Diagnostics & health tools (admin rate-limited)
  • /api/stream/metrics - SSE metrics stream
  • /api/stream/alerts - SSE alerts stream
  • /api/auth - Authentication (strict rate-limited: 5 req/15min)
  • /health - Basic health check
  • /health/live - Liveness probe
  • /health/ready - Readiness probe
  • /prometheus/metrics - Prometheus format

✅ API Features

  • RESTful design
  • JSON request/response
  • Error handling with standard codes
  • Request validation
  • CORS restricted to ALLOWED_ORIGINS env var (comma-separated list)
  • Tiered API rate limiting:
    • Global: 100 req/min on all /api/*
    • Admin APIs: 60 req/min (routes, webhooks, settings, logs, metrics, AI)
    • Auth: 5 req/15min (brute-force protection)
  • API versioning ready
  • OpenAPI/Swagger ready

Infrastructure

✅ Dependencies

  • PostgreSQL - Primary database
  • Redis - Rate limiting and caching
  • NATS JetStream - Real-time streaming (optional; falls back to HTTP polling)
  • Node.js 18+ - Runtime
  • Express.js - Web framework
  • Anthropic Claude SDK (@anthropic-ai/sdk) - AI-native incident analysis

✅ Deployment Support

  • Docker/Podman containerization
  • Docker Compose setup
  • Kubernetes manifests
  • Health probes for K8s
  • Environment variable configuration
  • Graceful shutdown (SIGTERM)
  • Process management (PM2 ready)

✅ Development Tools

  • TypeScript support
  • ESLint configuration
  • Hot reload in development
  • Test framework (Jest ready)
  • Benchmark suite
  • Migration scripts
  • Database seeding
  • Documentation generation

✅ Monitoring Integration

  • Prometheus compatible
  • Grafana dashboard template
  • ELK stack compatible logs
  • Datadog integration ready
  • New Relic integration ready

Feature Comparison

| Feature | FlexGate | Nginx | Kong | HAProxy |
|---|---|---|---|---|
| Admin UI | ✅ Built-in | ❌ No | ✅ Enterprise only | ❌ No |
| Real-time Metrics | ✅ SSE + JetStream | ❌ Logs only | ✅ Paid | ❌ No |
| Database Backend | ✅ PostgreSQL | ❌ File-based | ✅ Yes | ❌ File-based |
| Webhooks | ✅ Built-in | ❌ No | ✅ Plugin | ❌ No |
| JavaScript Config | ✅ Yes | ❌ Nginx conf | ❌ Lua | ❌ HAProxy conf |
| Circuit Breakers | ✅ Built-in | ❌ No | ✅ Plugin | ❌ No |
| Rate Limiting | ✅ Redis-backed | ✅ Basic | ✅ Advanced | ✅ Basic |
| Hot Reload | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes |
| Performance | 🟡 4.7K req/s | 🟢 52K req/s | 🟡 10K req/s | 🟢 45K req/s |
| Ease of Use | 🟢 High | 🟡 Medium | 🔴 Low | 🟡 Medium |

Feature Status Legend

  • ✅ Implemented - Feature is complete and tested
  • 🚧 In Progress - Feature is being developed
  • 📋 Planned - Feature is on the roadmap
  • ❌ Not Planned - Feature will not be implemented

Recent Additions (January–March 2026)

  1. ✅ NATS JetStream integration
  2. ✅ Real-time SSE metrics streaming
  3. ✅ Database metrics storage (requests table)
  4. ✅ Metrics middleware for request logging
  5. ✅ Admin UI Dashboard with live charts
  6. ✅ Improved test selectors (data-testid attributes)
  7. ✅ Mobile-friendly dialog forms
  8. ✅ Webhook delivery tracking
  9. ✅ Comprehensive API documentation
  10. ✅ Settings API backend (/api/settings) with validation, sanitization, backup
  11. ✅ Troubleshooting API (/api/troubleshooting) with diagnostics
  12. ✅ AI incident tracking (/api/ai-incidents) with Claude integration
  13. ✅ Tiered API rate limiting (global / admin / auth)
  14. ✅ Restricted CORS via ALLOWED_ORIGINS environment variable
  15. ✅ Security: removed jade dependency (4 CVEs); upgraded http-proxy-middleware to v3, morgan to 1.10.1; 0 vulnerabilities

Next Quarter Roadmap (Q1 2026)

High Priority

  • OAuth 2.0 / OIDC authentication for Admin UI
  • OpenTelemetry distributed tracing
  • Prometheus /metrics endpoint optimization
  • Data retention policies and auto-cleanup
  • Performance optimization (target: 10K req/s)

Medium Priority

  • GraphQL proxy support
  • WebSocket proxying
  • Multi-tenancy support
  • Advanced analytics dashboard
  • Custom middleware plugins

Low Priority

  • mTLS support
  • gRPC proxying
  • Service mesh integration
  • WebAssembly plugins
  • Machine learning-based routing

For detailed documentation on each feature, see: