# TLS/mTLS Transport Plugin

## Module

Router

## Status

IMPLEMENTED

## Description

TLS transport wrapping TCP with `SslStream`, supporting mutual TLS (mTLS) with client certificate validation, certificate hot-reload without connection drops, and configurable cipher suites.

## Implementation Details

- **Modules**: `src/Router/__Libraries/StellaOps.Router.Transport.Tls/`
- **Key Classes**:
  - `TlsTransportPlugin` (`src/Router/__Libraries/StellaOps.Router.Transport.Tls/TlsTransportPlugin.cs`) - plugin registration for TLS/mTLS transport
  - `TlsTransportServer` (`src/Router/__Libraries/StellaOps.Router.Transport.Tls/TlsTransportServer.cs`) - TLS-wrapped transport server with mTLS support
  - `TlsTransportClient` (`src/Router/__Libraries/StellaOps.Router.Transport.Tls/TlsTransportClient.cs`) - TLS-wrapped transport client with client certificate
  - `CertificateLoader` (`src/Router/__Libraries/StellaOps.Router.Transport.Tls/CertificateLoader.cs`) - loads certificates from file/store
  - `CertificateWatcher` (`src/Router/__Libraries/StellaOps.Router.Transport.Tls/CertificateWatcher.cs`) - watches certificate files for hot-reload without connection drops
  - `TlsConnection` (`src/Router/__Libraries/StellaOps.Router.Transport.Tls/TlsConnection.cs`) - TLS connection wrapper
- **Interfaces**: `IRouterTransportPlugin`, `ITransportServer`, `ITransportClient`, `IMicroserviceTransport`
- **Source**: batch_52/file_04.md

## E2E Test Plan

- [ ] Register `TlsTransportPlugin` and verify TLS-encrypted communication between gateway and microservice
- [ ] Enable mTLS and verify client certificate validation rejects connections without valid client certs
- [ ] Replace a server certificate and verify `CertificateWatcher` hot-reloads without dropping active connections
- [ ] Verify cipher suite configuration: restrict to specific ciphers and confirm they are enforced
- [ ] Verify connection fails with expired or self-signed certificates when validation is strict
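The description and the E2E checks above rely on three `SslStream` behaviours: a server-side validation callback that rejects missing, expired, self-signed or wrong-CA client certificates; a per-handshake certificate selection callback so a replaced server certificate applies to new handshakes only and never disturbs established connections; and a `CipherSuitesPolicy` that restricts negotiable suites. The following C# is an added example illustrating how those fit together; it is not the plugin's own code. The class and method names (`MtlsTransportExample`, `ReloadServerCertificate`, `IsIssuedByPinnedCa`), the PEM paths and the cipher list are hypothetical choices for illustration.

```csharp
#nullable enable
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using System.Threading;
using System.Threading.Tasks;

// Hypothetical example class; not the StellaOps TlsTransportServer/Client API.
public sealed class MtlsTransportExample
{
    // Current server certificate. Replaced atomically on reload: SslStream asks the
    // selection callback at every handshake, so only new connections see the new cert
    // and already-established SslStreams keep running on the old one.
    private X509Certificate2 _serverCert;
    private readonly X509Certificate2 _clientCa;   // pinned CA that must issue client certs

    public MtlsTransportExample(X509Certificate2 serverCert, X509Certificate2 clientCa)
    {
        _serverCert = serverCert;
        _clientCa = clientCa;
    }

    // Hot-reload entry point (a file watcher would call this after the PEM files change).
    public void ReloadServerCertificate(string certPemPath, string keyPemPath)
    {
        var fresh = X509Certificate2.CreateFromPemFile(certPemPath, keyPemPath);
        // Round-trip through PKCS#12 so the private key is attached in a form SslStream
        // accepts on every platform (Windows rejects ephemeral PEM-loaded keys).
        fresh = new X509Certificate2(fresh.Export(X509ContentType.Pkcs12));
        // Publish the new certificate; the previous one is deliberately not disposed here
        // because a handshake in flight may still hold it. The GC reclaims it later.
        Interlocked.Exchange(ref _serverCert, fresh);
    }

    // Shared strict validation: chain must terminate at the pinned CA and be time-valid.
    // Returns false for a missing, expired, self-signed or differently-issued certificate.
    public static bool IsIssuedByPinnedCa(X509Certificate? certificate, X509Certificate2 ca)
    {
        if (certificate is null) return false;          // mTLS: no cert is a hard failure
        using var cert2 = new X509Certificate2(certificate);
        using var chain = new X509Chain();
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.Add(ca);     // ignore the machine trust store
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // assumption: CRL handled elsewhere
        chain.ChainPolicy.VerificationTime = DateTime.Now;
        return chain.Build(cert2);
    }

    // Server side: accept one TCP connection and complete an mTLS handshake on it.
    public async Task<SslStream> AcceptAsync(TcpListener listener, CancellationToken ct)
    {
        TcpClient tcp = await listener.AcceptTcpClientAsync(ct);
        var ssl = new SslStream(tcp.GetStream(), leaveInnerStreamOpen: false,
            (_, cert, _, _) => IsIssuedByPinnedCa(cert, _clientCa));
        var options = new SslServerAuthenticationOptions
        {
            // Evaluated per handshake, which is what makes certificate hot-reload seamless.
            ServerCertificateSelectionCallback = (_, _) => Volatile.Read(ref _serverCert),
            ClientCertificateRequired = true,
            EnabledSslProtocols = SslProtocols.Tls12 | SslProtocols.Tls13,
            CertificateRevocationCheckMode = X509RevocationMode.NoCheck,
        };
        if (!OperatingSystem.IsWindows())
        {
            // Cipher restriction: honoured on Linux/macOS; on Windows SslStream defers to
            // system-wide SChannel policy and this property throws if set.
            options.CipherSuitesPolicy = new CipherSuitesPolicy(new[]
            {
                TlsCipherSuite.TLS_AES_256_GCM_SHA384,
                TlsCipherSuite.TLS_AES_128_GCM_SHA256,
                TlsCipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                TlsCipherSuite.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
            });
        }
        try
        {
            await ssl.AuthenticateAsServerAsync(options, ct);
        }
        catch (AuthenticationException)
        {
            ssl.Dispose(); // rejected client cert, protocol or cipher mismatch
            throw;
        }
        return ssl;
    }

    // Client side: present a client certificate and validate the server against a pinned CA.
    public static async Task<SslStream> ConnectAsync(string host, int port,
        X509Certificate2 clientCert, X509Certificate2 serverCa, CancellationToken ct)
    {
        var tcp = new TcpClient();
        await tcp.ConnectAsync(host, port, ct);
        var ssl = new SslStream(tcp.GetStream(), leaveInnerStreamOpen: false,
            (_, cert, _, _) => IsIssuedByPinnedCa(cert, serverCa));
        await ssl.AuthenticateAsClientAsync(new SslClientAuthenticationOptions
        {
            TargetHost = host,
            ClientCertificates = new X509CertificateCollection { clientCert },
            EnabledSslProtocols = SslProtocols.Tls12 | SslProtocols.Tls13,
        }, ct);
        return ssl;
    }
}
```

Mapped to the E2E plan: a client that omits its certificate, or presents an expired, self-signed or foreign-CA one, fails inside `IsIssuedByPinnedCa` and surfaces as `AuthenticationException` on the server; calling `ReloadServerCertificate` while a connection is open leaves that `SslStream` untouched, and only the next `AcceptAsync` negotiates with the new certificate; `ssl.NegotiatedCipherSuite` after the handshake is the value to assert against when checking that the restricted cipher list is enforced.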