docs: update differences.md sections 7-10 to reflect implemented features

differences.md

@@ -40,7 +40,7 @@
 |--------|:--:|:----:|-------|
 | SIGINT (Ctrl+C) | Y | Y | Both handle graceful shutdown |
 | SIGTERM | Y | Y | `PosixSignalRegistration` triggers `ShutdownAsync()` |
-| SIGUSR1 (reopen logs) | Y | Stub | Signal registered, handler logs "not yet implemented" |
+| SIGUSR1 (reopen logs) | Y | Y | SIGUSR1 handler calls ReOpenLogFile |
 | SIGUSR2 (lame duck mode) | Y | Y | Triggers `LameDuckShutdownAsync()` |
 | SIGHUP (config reload) | Y | Stub | Signal registered, handler logs "not yet implemented" |
 | Windows Service integration | Y | N | |
@@ -78,7 +78,7 @@
 | No-responders validation | Y | Y | CONNECT rejects `no_responders` without `headers`; 503 HMSG on no match |
 | Slow consumer detection | Y | Y | Pending bytes threshold (64MB) + write deadline timeout (10s) |
 | Write deadline / timeout policies | Y | Y | `WriteDeadline` option with `CancellationTokenSource.CancelAfter` on flush |
-| RTT measurement | Y | N | Go tracks round-trip time per client |
+| RTT measurement | Y | Y | `_rttStartTicks`/`Rtt` property, computed on PONG receipt |
 | Per-client trace mode | Y | N | |
 | Detailed close reason tracking | Y | Y | 37-value `ClosedState` enum with CAS-based `MarkClosed()` |
 | Connection state flags (16 flags) | Y | Y | 7-flag `ClientFlagHolder` with `Interlocked.Or`/`And` |
@@ -206,7 +206,7 @@ Go implements a sophisticated slow consumer detection system:
 | NKeys (Ed25519) | Y | Y | .NET has framework but integration is basic |
 | JWT validation | Y | N | |
 | Bcrypt password hashing | Y | Y | .NET supports bcrypt (`$2*` prefix) with constant-time fallback |
-| TLS certificate mapping | Y | N | Property exists but no implementation |
+| TLS certificate mapping | Y | Y | X500DistinguishedName with full DN match and CN fallback |
 | Custom auth interface | Y | N | |
 | External auth callout | Y | N | |
 | Proxy authentication | Y | N | |
@@ -247,7 +247,7 @@ Go implements a sophisticated slow consumer detection system:
 | `-n/--name` (ServerName) | Y | Y | |
 | `-m/--http_port` (monitoring) | Y | Y | |
 | `-c` (config file) | Y | Stub | Flag parsed, stored in `ConfigFile`, no config parser |
-| `-D/-V/-DV` (debug/trace) | Y | N | |
+| `-D/-V/-DV` (debug/trace) | Y | Y | `-D` for debug, `-V`/`-T` for trace, `-DV` for both |
 | `--tlscert/--tlskey/--tlscacert` | Y | Y | |
 | `--tlsverify` | Y | Y | |
 | `--http_base_path` | Y | Y | |
@@ -262,7 +262,7 @@ Go implements a sophisticated slow consumer detection system:
 | ~450 option fields | Y | ~54 | .NET covers core options only |
 
 ### Missing Options Categories
-- Logging options (file, rotation, syslog, trace levels)
+- Logging options: per-subsystem log control (file, rotation, syslog, trace/debug flags are implemented)
 - Advanced limits (MaxSubs, MaxSubTokens, MaxPending, WriteDeadline)
 - Tags/metadata
 - OCSP configuration
@@ -283,7 +283,7 @@ Go implements a sophisticated slow consumer detection system:
 | `/routez` | Y | Stub | Returns empty response |
 | `/gatewayz` | Y | Stub | Returns empty response |
 | `/leafz` | Y | Stub | Returns empty response |
-| `/subz` / `/subscriptionsz` | Y | Stub | Returns empty response |
+| `/subz` / `/subscriptionsz` | Y | Y | Account filtering, test subject filtering, pagination, and subscription details |
 | `/accountz` | Y | Stub | Returns empty response |
 | `/accstatz` | Y | Stub | Returns empty response |
 | `/jsz` | Y | Stub | Returns empty response |
@@ -308,7 +308,9 @@ Go implements a sophisticated slow consumer detection system:
 | Feature | Go | .NET | Notes |
 |---------|:--:|:----:|-------|
 | Filtering by CID, user, account | Y | Partial | |
-| Sorting (11 options) | Y | Y | .NET missing ByStop, ByReason |
+| Sorting (11 options) | Y | Y | All options including ByStop, ByReason, ByRtt |
+| State filtering (open/closed/all) | Y | Y | `state=open|closed|all` query parameter |
+| Closed connection tracking | Y | Y | `ConcurrentQueue<ClosedClient>` capped at 10,000 entries |
 | Pagination (offset, limit) | Y | Y | |
 | Subscription detail mode | Y | N | |
 | TLS peer certificate info | Y | N | |
@@ -337,9 +339,9 @@ Go implements a sophisticated slow consumer detection system:
 | Mutual TLS (client certs) | Y | Y | |
 | Certificate pinning (SHA256 SPKI) | Y | Y | |
 | TLS handshake timeout | Y | Y | |
-| TLS rate limiting | Y | Property only | .NET has the option but enforcement is partial |
+| TLS rate limiting | Y | Y | Rate enforcement with refill; unit tests cover rate limiting and refill |
 | First-byte peeking (0x16 detection) | Y | Y | |
-| Cert subject→user mapping | Y | N | `TlsMap` property exists, no implementation |
+| Cert subject→user mapping | Y | Y | X500DistinguishedName with full DN match and CN fallback |
 | OCSP stapling | Y | N | |
 | Min TLS version control | Y | Y | |
 
@@ -350,14 +352,14 @@ Go implements a sophisticated slow consumer detection system:
 | Feature | Go | .NET | Notes |
 |---------|:--:|:----:|-------|
 | Structured logging | Partial | Y | .NET uses Serilog with ILogger<T> |
-| File logging with rotation | Y | N | |
+| File logging with rotation | Y | Y | Serilog.Sinks.File with rolling file support |
-| Syslog (local and remote) | Y | N | |
+| Syslog (local and remote) | Y | Y | `--syslog` and `--remote_syslog` flags via Serilog.Sinks.SyslogMessages |
-| Log reopening (SIGUSR1) | Y | N | |
+| Log reopening (SIGUSR1) | Y | Y | SIGUSR1 handler calls ReOpenLogFile |
-| Trace mode (protocol-level) | Y | N | |
+| Trace mode (protocol-level) | Y | Y | `-V` or `-T` flag enables trace-level logging |
-| Debug mode | Y | N | |
+| Debug mode | Y | Y | `-D` flag enables debug-level logging |
 | Per-subsystem log control | Y | N | |
-| Color output on TTY | Y | N | |
+| Color output on TTY | Y | Y | Auto-detected via `Console.IsOutputRedirected`, uses `AnsiConsoleTheme.Code` |
-| Timestamp format control | Y | N | |
+| Timestamp format control | Y | Y | `--logtime` and `--logtime_utc` flags |
 
 ---
 
@@ -369,34 +371,36 @@ Go implements a sophisticated slow consumer detection system:
 | Configurable interval | Y | Y | PingInterval option |
 | Max pings out | Y | Y | MaxPingsOut option |
 | Stale connection close | Y | Y | |
-| RTT-based first PING delay | Y | N | Go delays first PING based on RTT |
+| RTT-based first PING delay | Y | Y | Skips PING until FirstPongSent or 2s elapsed |
-| RTT tracking | Y | N | |
+| RTT tracking | Y | Y | `_rttStartTicks`/`Rtt` property, computed on PONG receipt |
-| Stale connection watcher | Y | N | Go has dedicated watcher goroutine |
+| Stale connection stats | Y | Y | `StaleConnectionStats` model, exposed in `/varz` |
 
 ---
 
 ## Summary: Critical Gaps for Production Use
 
-### High Priority
+### Resolved Since Initial Audit
-1. **Slow consumer detection** — unbounded writes can exhaust memory (stat fields exist but no detection logic)
+The following items from the original gap list have been implemented:
-2. **Write coalescing / batch flush** — performance gap for high-throughput scenarios
+- **Slow consumer detection** — pending bytes threshold (64MB) with write deadline enforcement
+- **Write coalescing / batch flush** — channel-based write loop drains all items before single flush
+- **Verbose mode** — `+OK` responses for CONNECT, SUB, UNSUB, PUB when `verbose:true`
+- **No-responders validation** — CONNECT rejects `no_responders` without `headers`; 503 HMSG on no match
+- **File logging with rotation** — Serilog.Sinks.File with rolling file support
+- **TLS certificate mapping** — X500DistinguishedName with full DN match and CN fallback
+- **Protocol tracing** — `-V`/`-T` flag enables trace-level logging; `-D` for debug
 
-### Medium Priority
+### Remaining High Priority
-3. **Verbose mode** — clients expect `+OK` when `verbose: true`
+1. **Permission deny enforcement at delivery** — deny lists checked at SUB/PUB time but not during message delivery
-4. **Permission deny enforcement at delivery** — deny lists checked at SUB/PUB time but not during message delivery
+2. **Config file parsing** — needed for production deployment (CLI stub exists)
-5. **Config file parsing** — needed for production deployment (CLI stub exists)
+3. **Hot reload** — needed for zero-downtime config changes (SIGHUP stub exists)
-6. **Hot reload** — needed for zero-downtime config changes (SIGHUP stub exists)
-7. **File logging with rotation** — needed for production logging
-8. **No-responders validation** — flag parsed but not enforced
 
-### Lower Priority
+### Remaining Lower Priority
-9. **Dynamic buffer sizing** — delegated to Pipe, less optimized for long-lived connections
+4. **Dynamic buffer sizing** — delegated to Pipe, less optimized for long-lived connections
-10. **JWT authentication** — needed for operator mode
+5. **JWT authentication** — needed for operator mode
-11. **TLS certificate mapping** — property exists, not implemented
+6. **OCSP support** — certificate revocation checking
-12. **OCSP support** — certificate revocation checking
+7. **Subject mapping** — input→output subject transformation
-13. **Subject mapping** — input→output subject transformation
+8. **Subscription statistics** — SubList has no stats collection
-14. **Protocol tracing** — no trace-level logging
+9. **Per-account limits** — connections, subscriptions per account
-15. **Subscription statistics** — SubList has no stats collection
+10. **Reply subject tracking** — dynamic response permissions
-16. **Per-account limits** — connections, subscriptions per account
+11. **Windows Service integration** — needed for Windows deployment
-17. **Reply subject tracking** — dynamic response permissions
+12. **Per-subsystem log control** — granular log levels per component
-18. **Windows Service integration** — needed for Windows deployment