Update README.md

Update Taskfile
Apply fmt
2025-08-23 19:05:21 +07:00 · 2025-08-23 18:57:46 +07:00 · 2025-08-23 18:52:43 +07:00 · 2025-08-23 18:50:15 +07:00 · 2025-08-23 18:33:02 +07:00 · 2025-08-23 18:26:23 +07:00
30 changed files with 1399 additions and 229 deletions
--- a/36
+++ b/36
@ -0,0 +1,36 @@
+# Build stage
+FROM golang:1.24-alpine AS builder
+
+WORKDIR /app
+
+# Copy go mod files
+COPY go.mod go.sum ./
+RUN go mod download
+
+# Copy source code
+COPY . .
+
+# Build server
+RUN CGO_ENABLED=0 go build -o hash-of-wisdom ./cmd/server
+
+# Runtime stage
+FROM alpine:3.19
+
+# Create non-root user
+RUN addgroup -g 1001 -S hash-of-wisdom && \
+    adduser -u 1001 -S hash-of-wisdom -G hash-of-wisdom
+
+WORKDIR /app
+
+# Copy binary and config from builder stage with correct ownership
+COPY --from=builder --chown=hash-of-wisdom:hash-of-wisdom /app/hash-of-wisdom .
+COPY --from=builder --chown=hash-of-wisdom:hash-of-wisdom /app/config.yaml .
+
+# Switch to non-root user
+USER hash-of-wisdom
+
+# Expose ports
+EXPOSE 8080 8081
+
+# Run server with config file
+CMD ["./hash-of-wisdom", "-config", "config.yaml"]
--- a/README.md
+++ b/README.md
@ -0,0 +1,86 @@
+# Hash of Wisdom
+
+A TCP server implementing the "Word of Wisdom" concept with proof-of-work challenges to protect against DDoS attacks.
+
+## Overview
+
+The Hash of Wisdom server requires clients to solve computational puzzles (proof-of-work) before receiving wise quotes. This approach prevents spam and DDoS attacks by requiring clients to invest CPU time for each request.
+
+## Quick Start
+
+### Prerequisites
+- Go 1.24.3+
+- Docker (optional)
+- [Task](https://taskfile.dev/) (optional, but recommended)
+
+### Building
+```bash
+# Build server
+go build -o hash-of-wisdom ./cmd/server
+
+# Build client
+go build -o client ./cmd/client
+```
+
+### Running
+
+#### Using Task (Recommended)
+```bash
+# Most useful command - run all checks
+task check
+
+# Start server
+task server -- -config config.yaml
+
+# Connect client
+task client -- --addr=localhost:8080
+
+# Run tests
+task test
+
+# See coverage
+task test-coverage
+
+# See all available commands
+task --list
+```
+
+#### Manual Commands
+```bash
+# Start server (uses config.yaml by default)
+./hash-of-wisdom
+
+# Or with custom config
+./hash-of-wisdom -config /path/to/config.yaml
+
+# Connect with client
+./client -addr localhost:8080
+
+# Run tests
+go test ./...
+```
+
+### Using Docker
+```bash
+# Build image
+docker build -t hash-of-wisdom .
+
+# Run container
+docker run -p 8080:8080 -p 8081:8081 hash-of-wisdom
+```
+
+### Monitoring
+- Metrics: http://localhost:8081/metrics (Prometheus format with Go runtime stats)
+- Profiling: http://localhost:8081/debug/pprof/
+
+## Documentation
+
+### Protocol & Implementation
+- [Protocol Specification](docs/PROTOCOL.md) - Binary protocol definition
+- [PoW Algorithm Analysis](docs/POW_ANALYSIS.md) - Algorithm selection rationale and comparison
+- [Implementation Plan](docs/IMPLEMENTATION.md) - Development phases and progress
+- [Package Structure](docs/PACKAGES.md) - Code organization and package responsibilities
+- [Architecture Choices](docs/ARCHITECTURE.md) - Design decisions and patterns
+
+### Production Readiness
+- [Production Readiness Guide](docs/PRODUCTION_READINESS.md) - Requirements for production deployment
--- a/Taskfile.yml
+++ b/Taskfile.yml
@ -93,3 +93,41 @@ tasks:
    desc: Alias for cpu-burner
    cmds:
      - task: cpu-burner
+
+  server:
+    desc: Build and run the server
+    cmds:
+      - go build -o hash-of-wisdom ./cmd/server
+      - ./hash-of-wisdom {{.CLI_ARGS}}
+
+  server-config:
+    desc: Build and run the server with custom config
+    cmds:
+      - go build -o hash-of-wisdom ./cmd/server
+      - ./hash-of-wisdom -config {{.CONFIG | default "config.yaml"}}
+
+  client:
+    desc: Build and run the client
+    cmds:
+      - go build -o client ./cmd/client
+      - ./client {{.CLI_ARGS | default "-addr localhost:8080"}}
+
+  docker-build:
+    desc: Build Docker image
+    cmds:
+      - docker build -t hash-of-wisdom .
+
+  docker-run:
+    desc: Run Docker container
+    cmds:
+      - docker run -p 8080:8080 -p 8081:8081 hash-of-wisdom
+
+  metrics:
+    desc: Check metrics endpoint
+    cmds:
+      - curl -s http://localhost:8081/metrics
+
+  integration:
+    desc: Run integration tests only
+    cmds:
+      - go test -v ./test/integration/...
--- a/cmd/server/main.go
+++ b/cmd/server/main.go
@ -2,32 +2,47 @@ package main

 import (
 	"context"
+	"flag"
 	"log/slog"
+	"net/http"
 	"os"
 	"os/signal"
 	"syscall"
-	"time"

+	"hash-of-wisdom/internal/config"
 	"hash-of-wisdom/internal/lib/sl"
 	"hash-of-wisdom/internal/pow/challenge"
 	"hash-of-wisdom/internal/quotes"
 	"hash-of-wisdom/internal/server"
 	"hash-of-wisdom/internal/service"
+
+	"github.com/prometheus/client_golang/prometheus/promhttp"
+	_ "net/http/pprof"
 )

 func main() {
-	addr := ":8080"
-	if len(os.Args) > 1 {
-		addr = os.Args[1]
+	configPath := flag.String("config", "", "path to configuration file")
+	flag.Parse()
+
+	// Load configuration
+	cfg, err := config.Load(*configPath)
+	if err != nil {
+		slog.Error("failed to load config", sl.Err(err))
+		os.Exit(1)
 	}

 	logger := slog.Default()
-	logger.Info("starting word of wisdom server", "address", addr)
+	logger.Info("starting word of wisdom server", "address", cfg.Server.Address)

-	// Create components
-	challengeConfig, err := challenge.NewConfig()
+	// Create components using config
+	challengeConfig, err := challenge.NewConfig(
+		challenge.WithDefaultDifficulty(cfg.PoW.Difficulty),
+		challenge.WithMaxDifficulty(cfg.PoW.MaxDifficulty),
+		challenge.WithChallengeTTL(cfg.PoW.TTL),
+		challenge.WithHMACSecret([]byte(cfg.PoW.HMACSecret)),
+	)
 	if err != nil {
-		logger.Error("failed to create config", sl.Err(err))
+		logger.Error("failed to create challenge config", sl.Err(err))
 		os.Exit(1)
 	}
 	generator := challenge.NewGenerator(challengeConfig)
@ -39,35 +54,51 @@ func main() {
 	wisdomService := service.NewWisdomService(genAdapter, verifier, quoteService)

 	// Create server configuration
-	serverConfig := server.DefaultConfig()
-	serverConfig.Address = addr
+	serverConfig := &server.Config{
+		Address: cfg.Server.Address,
+		Timeouts: server.TimeoutConfig{
+			Read:       cfg.Server.Timeouts.Read,
+			Write:      cfg.Server.Timeouts.Write,
+			Connection: cfg.Server.Timeouts.Connection,
+		},
+	}
+
+	// Go runtime metrics are automatically registered by default registry
+
+	// Start metrics and pprof HTTP server
+	go func() {
+		http.Handle("/metrics", promhttp.Handler())
+		logger.Info("starting metrics server", "address", cfg.Metrics.Address)
+		if err := http.ListenAndServe(cfg.Metrics.Address, nil); err != nil {
+			logger.Error("metrics server failed", sl.Err(err))
+		}
+	}()
+
+	// Create context that cancels on interrupt signals
+	ctx, cancel := signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM)
+	defer cancel()

 	// Create server
-	srv := server.NewTCPServer(wisdomService,
-		server.WithConfig(serverConfig),
+	srv := server.NewTCPServer(wisdomService, serverConfig,
 		server.WithLogger(logger))

 	// Start server
-	ctx := context.Background()
 	if err := srv.Start(ctx); err != nil {
 		logger.Error("failed to start server", sl.Err(err))
 		os.Exit(1)
 	}

-	// Wait for interrupt
-	sigChan := make(chan os.Signal, 1)
-	signal.Notify(sigChan, syscall.SIGINT, syscall.SIGTERM)
-
 	logger.Info("server ready - press ctrl+c to stop")
-	<-sigChan
+
+	// Wait for context cancellation (signal received)
+	<-ctx.Done()

 	// Graceful shutdown
 	logger.Info("shutting down server")
 	if err := srv.Stop(); err != nil {
 		logger.Error("error during shutdown", sl.Err(err))
+	} else {
+		logger.Info("server stopped gracefully")
 	}

-	// Give connections time to close
-	time.Sleep(100 * time.Millisecond)
-	logger.Info("server stopped")
 }
--- a/config.yaml
+++ b/config.yaml
@ -0,0 +1,22 @@
+server:
+  address: ":8080"
+  timeouts:
+    read: 5s
+    write: 5s
+    connection: 15s
+
+pow:
+  difficulty: 25
+  max_difficulty: 30
+  ttl: 5m
+  hmac_secret: "development-secret-change-in-production"
+
+quotes:
+  timeout: 10s
+
+metrics:
+  address: ":8081"
+
+logging:
+  level: "info"
+  format: "text"
--- a/docs/ARCHITECTURE.md
+++ b/docs/ARCHITECTURE.md
@ -0,0 +1,330 @@
+# Architecture Choices
+
+This document explains the key architectural decisions made in the Hash of Wisdom project and the reasoning behind them.
+
+## Overall Architecture
+
+### Clean Architecture
+We follow Clean Architecture principles with clear layer separation:
+
+```
+┌─────────────────────────────────────┐
+│         Infrastructure Layer        │  ← cmd/, internal/server, internal/protocol
+├─────────────────────────────────────┤
+│         Application Layer           │  ← internal/application (message handling)
+├─────────────────────────────────────┤
+│           Domain Layer              │  ← internal/service, internal/pow (business logic)
+├─────────────────────────────────────┤
+│          External Layer             │  ← internal/quotes (external APIs)
+└─────────────────────────────────────┘
+```
+
+**Benefits**:
+- **Testability**: Each layer can be unit tested independently
+- **Maintainability**: Changes in one layer don't cascade
+- **Flexibility**: Easy to swap implementations (e.g., different quote sources)
+- **Domain Focus**: Core business rules are isolated and protected
+
+## Protocol Design
+
+### Binary Protocol with JSON Payloads
+Choice: Custom binary protocol with JSON-encoded message bodies
+
+**Why Binary Protocol**:
+- **Performance**: Efficient framing and length prefixes
+- **Reliability**: Clear message boundaries prevent parsing issues
+- **Extensibility**: Easy to add message types and versions
+
+**Why JSON Payloads**:
+- **Simplicity**: Standard library support, easy debugging
+- **Flexibility**: Schema evolution without breaking compatibility
+- **Tooling**: Excellent tooling and human readability
+
+**Alternative Considered**: Pure binary (Protocol Buffers)
+- **Rejected Because**: Added complexity without significant benefit for our use case
+- **Trade-off**: Slightly larger payload size for much simpler implementation
+
+### Stateless Challenge Design
+Choice: HMAC-signed challenges with all state embedded
+
+```go
+type Challenge struct {
+    Target     string `json:"target"`      // "quotes"
+    Timestamp  int64  `json:"timestamp"`   // Unix timestamp
+    Difficulty int    `json:"difficulty"`  // Leading zero bits
+    Random     string `json:"random"`      // Entropy
+    Signature  string `json:"signature"`   // HMAC-SHA256
+}
+```
+
+**Benefits**:
+- **Scalability**: No server-side session storage required
+- **Reliability**: Challenges survive server restarts
+- **Security**: HMAC prevents tampering and replay attacks
+- **Simplicity**: No cache management or cleanup needed
+
+**Alternative Considered**: Session-based challenges
+- **Rejected Because**: Requires distributed session management for horizontal scaling
+
+## Proof-of-Work Algorithm
+
+### SHA-256 with Leading Zero Bits
+Choice: SHA-256 hashing with difficulty measured as leading zero bits
+
+**Why SHA-256**:
+- **Security**: Cryptographically secure, extensively tested
+- **Performance**: Hardware-optimized on most platforms
+- **Standardization**: Well-known algorithm with predictable properties
+
+**Why Leading Zero Bits**:
+- **Linear Scaling**: Each bit doubles the difficulty (2^n complexity)
+- **Simplicity**: Easy to verify and understand
+- **Flexibility**: Fine-grained difficulty adjustment
+
+**Alternative Considered**: Scrypt/Argon2 (memory-hard functions)
+- **Rejected Because**: Excessive complexity for DDoS protection use case
+- **Trade-off**: ASIC resistance not needed for temporary challenges
+
+### Difficulty Range: 4-30 Bits
+Choice: Configurable difficulty with reasonable bounds
+
+- **Minimum (4 bits)**: ~16 attempts average, sub-second solve time
+- **Maximum (30 bits)**: ~1 billion attempts, several seconds on modern CPU
+- **Default (4 bits)**: Balance between protection and user experience
+
+## Server Architecture
+
+### TCP Server with Per-Connection Goroutines
+Choice: Custom TCP server with one goroutine per connection
+
+```go
+func (s *TCPServer) Start(ctx context.Context) error {
+    // Start listener
+    listener, err := net.Listen("tcp", s.config.Address)
+    if err != nil {
+        return err
+    }
+
+    // Start accept loop in goroutine
+    go s.acceptLoop(ctx)
+    return nil // Returns immediately
+}
+
+func (s *TCPServer) acceptLoop(ctx context.Context) {
+    for {
+        conn, err := s.listener.Accept()
+        if err != nil || ctx.Done() != nil {
+            return
+        }
+
+        // Launch handler in goroutine with WaitGroup tracking
+        s.wg.Add(1)
+        go func() {
+            defer s.wg.Done()
+            s.handleConnection(ctx, conn)
+        }()
+    }
+}
+```
+
+**Benefits**:
+- **Concurrency**: Each connection handled in separate goroutine
+- **Non-blocking Start**: Server starts in background, returns immediately
+- **Graceful Shutdown**: WaitGroup ensures all connections finish before stop
+- **Context Cancellation**: Proper cleanup when context is cancelled
+- **Resource Control**: Connection timeouts prevent resource exhaustion
+
+**Alternative Considered**: HTTP/REST API
+- **Rejected Because**: Test task requirements
+
+### Connection Security: Multi-Level Timeouts
+Choice: Layered timeout protection against various attacks
+
+1. **Connection Timeout (15s)**: Maximum total connection lifetime
+2. **Read Timeout (5s)**: Maximum time between incoming bytes
+3. **Write Timeout (5s)**: Maximum time to send response
+
+**Protects Against**:
+- **Slowloris**: Slow read timeout prevents slow header attacks
+- **Slow POST**: Connection timeout limits total request time
+- **Resource Exhaustion**: Automatic cleanup of stale connections
+
+## Configuration Management
+
+### cleanenv with YAML + Environment Variables
+Choice: File-based configuration with environment variable overrides
+
+```yaml
+# config.yaml
+server:
+  address: ":8080"
+
+pow:
+  difficulty: 4
+```
+
+```bash
+# Environment override
+export POW_DIFFICULTY=8
+```
+
+**Benefits**:
+- **Development**: Easy configuration files for local development
+- **Production**: Environment variables for containerized deployments
+- **Validation**: Built-in validation and type conversion
+- **Documentation**: Self-documenting with struct tags
+
+**Alternative Considered**: Pure environment variables
+- **Rejected Because**: Harder to manage complex configurations
+
+## Observability Architecture
+
+### Prometheus Metrics
+Choice: Prometheus format metrics with essential measurements
+
+**Application Metrics**:
+- `wisdom_requests_total` - All incoming requests
+- `wisdom_request_errors_total{error_type}` - Errors by type
+- `wisdom_request_duration_seconds` - Request processing time
+- `wisdom_quotes_served_total` - Successfully served quotes
+
+**Go Runtime Metrics** (automatically exported):
+- `go_memstats_*` - Memory allocation and GC statistics
+- `go_goroutines` - Current number of goroutines
+- `go_gc_duration_seconds` - Garbage collection duration
+- `process_*` - Process-level CPU, memory, and file descriptor stats
+
+**Design Principle**: Simple metrics that provide actionable insights
+- **Avoided**: Complex multi-dimensional metrics
+- **Focus**: Essential health and performance indicators
+- **Runtime Visibility**: Go collector provides deep runtime observability
+
+### Metrics at Infrastructure Layer
+Choice: Collect metrics in TCP server, not business logic
+
+```go
+// In TCP server (infrastructure)
+metrics.RequestsTotal.Inc()
+start := time.Now()
+response, err := s.wisdomApplication.HandleMessage(ctx, msg)
+metrics.RequestDuration.Observe(time.Since(start).Seconds())
+```
+
+**Benefits**:
+- **Separation of Concerns**: Business logic stays pure
+- **Consistency**: All requests measured the same way
+- **Performance**: Minimal overhead in critical path
+
+## Design Patterns
+
+### Dependency Injection
+All major components use constructor injection:
+```go
+server := server.NewTCPServer(wisdomApplication, config, options...)
+service := service.NewWisdomService(generator, verifier, quoteService)
+```
+
+**Benefits**:
+- **Testing**: Easy to inject mocks and stubs
+- **Configuration**: Runtime assembly of components
+- **Decoupling**: Components don't know about concrete implementations
+
+### Interface Segregation
+Small, focused interfaces for easy testing:
+```go
+type ChallengeGenerator interface {
+    GenerateChallenge(ctx context.Context) (*Challenge, error)
+}
+
+type QuoteService interface {
+    GetQuote(ctx context.Context) (string, error)
+}
+```
+
+### Functional Options
+Flexible configuration with sensible defaults:
+```go
+server := NewTCPServer(application, config,
+    WithLogger(logger),
+)
+```
+
+### Clean Architecture Implementation
+See the layer diagram in the Overall Architecture section above for package organization.
+
+## Testing Architecture
+
+### Layered Testing Strategy
+1. **Unit Tests**: Each package tested independently with mocks
+2. **Integration Tests**: End-to-end tests with real TCP connections
+3. **Benchmark Tests**: Performance validation for PoW algorithms
+
+```go
+// Unit test with mocks
+func TestWisdomService_HandleMessage(t *testing.T) {
+    mockGenerator := &MockGenerator{}
+    mockVerifier := &MockVerifier{}
+    mockQuotes := &MockQuoteService{}
+
+    service := NewWisdomService(mockGenerator, mockVerifier, mockQuotes)
+    // Test business logic in isolation
+}
+
+// Integration test with real components
+func TestTCPServer_SlowlorisProtection(t *testing.T) {
+    // Start real server, make slow connection
+    // Verify server doesn't hang
+}
+```
+
+## Security Architecture
+
+### Defense in Depth
+Multiple security layers working together:
+
+1. **HMAC Authentication**: Prevents challenge tampering
+2. **Timestamp Validation**: Prevents replay attacks (5-minute TTL)
+3. **Connection Timeouts**: Prevents resource exhaustion
+4. **Proof-of-Work**: Rate limiting through computational cost
+5. **Input Validation**: All protocol messages validated
+
+### Threat Model
+**Primary Threats Addressed**:
+- **DDoS Attacks**: PoW makes attacks expensive
+- **Resource Exhaustion**: Connection timeouts and limits
+- **Protocol Attacks**: Binary framing prevents confusion
+- **Replay Attacks**: Timestamp validation in challenges
+
+**Threats NOT Addressed** (by design):
+- **Authentication**: Public service, no user accounts
+- **Authorization**: All valid solutions get quotes
+- **Data Confidentiality**: Quotes are public information
+
+## Trade-offs Made
+
+### Simplicity vs Performance
+- **Chose**: Simple JSON payloads over binary serialization
+- **Trade-off**: ~30% larger messages for easier debugging and maintenance
+
+### Memory vs CPU
+- **Chose**: Stateless challenges requiring CPU verification
+- **Trade-off**: More CPU per request for better scalability
+
+### Flexibility vs Optimization
+- **Chose**: Interface-based design with dependency injection
+- **Trade-off**: Small runtime overhead for much better testability
+
+### Features vs Complexity
+- **Chose**: Essential features only (no rate limiting, user accounts, etc.)
+- **Benefit**: Clean, focused implementation that does one thing well
+
+## Future Architecture Considerations
+
+For production scaling, consider:
+1. **Quote Service Enhancement**: Caching, fallback quotes, multiple API sources
+2. **Load Balancing**: Multiple server instances behind load balancer
+3. **Rate Limiting**: Per-IP request limiting for additional protection
+4. **Monitoring**: Full observability stack (Prometheus, Grafana, alerting)
+5. **Security**: TLS encryption for sensitive deployments
+
+The current architecture provides a solid foundation for these enhancements while maintaining simplicity and focus.
--- a/docs/IMPLEMENTATION.md
+++ b/docs/IMPLEMENTATION.md
@ -89,99 +89,32 @@
 - [X] Update cmd/server to use new TCP server with logging

 ## Phase 7: Client Implementation
- [ ] Create client application structure
- [ ] Implement PoW solver algorithm on client side
- [ ] Create client-side protocol implementation
- [ ] Add retry logic and error handling
- [ ] Implement connection management
- [ ] Create CLI interface for client
- [ ] Add client structured logging
- [ ] Write client unit and integration tests
+- [X] Create client application structure
+- [X] Implement PoW solver algorithm on client side
+- [X] Create client-side protocol implementation
+- [X] Add retry logic and error handling
+- [X] Implement connection management
+- [X] Create CLI interface for client with flag support
+- [X] Add symmetric encode/decode to protocol package for client use
+- [X] Update protocol to use separate connections per request-response
+- [X] Write comprehensive slowloris protection integration tests
+- [X] Verify server successfully handles slow reader attacks
+- [X] Verify server successfully handles slow writer attacks
+- [X] Test end-to-end client-server communication flow

-## Phase 8: Basic Server Architecture
- [ ] Set up metrics collection (prometheus)
- [ ] Create configuration management
- [ ] Integrate all components into server architecture
+## Phase 8: Server Instrumentation & Configuration
+- [X] Add `/metrics` HTTP endpoint for Prometheus collection
+- [X] Add `/debug/pprof` endpoint for performance profiling
+- [X] Create Dockerfile to build server image
+- [X] Implement configuration management using cleanenv library
+- [X] Read configuration from file with environment variable support

-## Phase 9: Advanced Server Features
- [ ] Add connection pooling and advanced connection management
- [ ] Implement graceful shutdown mechanism
- [ ] Add health check endpoints
- [ ] Add request/response logging middleware
- [ ] Create health check endpoints
- [ ] Write integration tests for server core
+## Phase 9: Documentation
+- [X] Create comprehensive README.md with project overview and quick start
+- [X] Document package structure and responsibilities
+- [X] Document architecture choices and design decisions
+- [X] Update production readiness assessment

-## Phase 10: DDOS Protection & Rate Limiting
- [ ] Implement IP-based connection limiting
- [ ] Create rate limiting service with time windows
- [ ] Add automatic difficulty adjustment based on load
- [ ] Implement temporary IP blacklisting
- [ ] Create circuit breaker for overload protection
- [ ] Add monitoring for attack detection
- [ ] Write tests for protection mechanisms
-
-## Phase 11: Observability & Monitoring
- [ ] Add structured logging throughout application
- [ ] Implement metrics for key performance indicators:
-  - [ ] Active connections count
-  - [ ] Challenge generation rate
-  - [ ] Solution verification rate
-  - [ ] Success/failure ratios
-  - [ ] Response time histograms
- [ ] Create logging middleware for request tracing
- [ ] Add error categorization and reporting
- [ ] Implement health check endpoints
-
-## Phase 12: Configuration & Environment Setup
- [ ] Create configuration structure with validation
- [ ] Support environment variables and config files
- [ ] Add configuration for different environments (dev/prod)
- [ ] Implement feature flags for protection levels
- [ ] Create deployment configuration templates
- [ ] Add configuration validation and defaults
-
-## Phase 13: Docker & Deployment
- [ ] Create multi-stage Dockerfile for server
- [ ] Create Dockerfile for client
- [ ] Create docker-compose.yml for local development
- [ ] Add docker-compose for production deployment
- [ ] Create health check scripts for containers
- [ ] Add environment-specific configurations
- [ ] Create deployment documentation
-
-## Phase 14: Testing & Quality Assurance
- [ ] Write comprehensive unit tests (>80% coverage):
-  - [ ] PoW algorithm tests
-  - [ ] Protocol handler tests
-  - [ ] Rate limiting tests
-  - [ ] Quote service tests
-  - [ ] Configuration tests
- [ ] Create integration tests:
-  - [ ] End-to-end client-server communication
-  - [ ] Load testing scenarios
-  - [ ] Failure recovery tests
-  - [ ] DDOS protection validation
- [ ] Add benchmark tests for performance validation
- [ ] Create stress testing scenarios
-
-## Phase 15: Documentation & Final Polish
- [ ] Write comprehensive README with setup instructions
- [ ] Create API documentation for all interfaces
- [ ] Add inline code documentation
- [ ] Create deployment guide
- [ ] Write troubleshooting guide
- [ ] Add performance tuning recommendations
- [ ] Create monitoring and alerting guide
-
-## Phase 16: Production Readiness Checklist
- [ ] Security audit of all components
- [ ] Performance benchmarking and optimization
- [ ] Memory leak detection and prevention
- [ ] Resource cleanup validation
- [ ] Error handling coverage review
- [ ] Logging security (no sensitive data exposure)
- [ ] Configuration security (secrets management)
- [ ] Container security hardening

 ## Directory Structure
 ```
@ -204,13 +137,3 @@
 ├── deployments/         # Deployment configurations
 └── docs/                # Additional documentation
 ```
-
-## Success Criteria
- [ ] Server handles 1000+ concurrent connections
- [ ] PoW protection prevents DDOS attacks effectively
- [ ] All tests pass with >80% code coverage
- [ ] Docker containers build and run successfully
- [ ] Client successfully solves challenges and receives quotes
- [ ] Comprehensive logging and metrics in place
- [ ] Production-ready error handling and recovery
- [ ] Clear documentation for deployment and operation
--- a/docs/PACKAGES.md
+++ b/docs/PACKAGES.md
@ -0,0 +1,147 @@
+# Package Structure
+
+This document explains the organization and responsibilities of all packages in the Hash of Wisdom project.
+
+## Directory Structure
+
+```
+/
+├── cmd/                    # Application entry points
+│   ├── server/            # Server application
+│   └── client/            # Client application
+├── internal/              # Private application packages
+│   ├── application/      # Application layer (message handling)
+│   ├── config/           # Configuration management
+│   ├── lib/              # Shared utilities
+│   ├── metrics/          # Prometheus metrics
+│   ├── pow/              # Proof-of-Work implementation
+│   ├── protocol/         # Binary protocol codec
+│   ├── quotes/           # Quote service
+│   ├── server/           # TCP server implementation
+│   └── service/          # Business logic layer
+├── test/                 # Integration tests
+└── docs/                 # Documentation
+```
+
+## Package Responsibilities
+
+### `cmd/server`
+**Entry point for the TCP server application**
+- Parses command-line flags and configuration
+- Initializes all components with dependency injection
+- Starts TCP server and metrics endpoints
+- Handles graceful shutdown signals
+
+### `cmd/client`
+**Entry point for the client application**
+- Command-line interface for connecting to server
+- Handles proof-of-work solving on client side
+- Manages TCP connection lifecycle
+
+### `internal/config`
+**Configuration management with cleanenv**
+- Defines configuration structures with YAML/env tags
+- Loads configuration from files and environment variables
+- Provides sensible defaults for all settings
+- Supports both development and production configurations
+
+### `internal/lib/sl`
+**Shared logging utilities**
+- Structured logging helpers for consistent log formatting
+- Error attribute helpers for slog integration
+
+### `internal/metrics`
+**Prometheus metrics collection**
+- Defines application-specific metrics (requests, errors, duration)
+- Provides simple counters and histograms for monitoring
+- Integrated at the infrastructure layer (TCP server)
+
+### `internal/pow`
+**Proof-of-Work implementation**
+
+#### `internal/pow/challenge`
+- **Challenge Generation**: Creates HMAC-signed stateless challenges
+- **Verification**: Validates solutions against original challenges
+- **Security**: HMAC authentication prevents tampering
+- **Configuration**: Difficulty scaling, TTL management, secrets
+
+#### `internal/pow/solver`
+- **Solution Finding**: Brute-force nonce search with SHA-256
+- **Optimization**: Efficient bit counting for difficulty verification
+- **Client-side**: Used by client to solve server challenges
+
+### `internal/protocol`
+**Binary protocol codec**
+- **Message Types**: Challenge requests/responses, solution requests/responses, errors
+- **Encoding/Decoding**: JSON-based message serialization
+- **Streaming**: MessageDecoder for reading from TCP connections
+- **Validation**: Message structure and field validation
+- See [Protocol Specification](PROTOCOL.md) for detailed message flow and format
+
+### `internal/quotes`
+**Quote service implementation**
+- **HTTP Client**: Fetches quotes from external APIs using resty
+- **Interface**: Clean abstraction for quote retrieval
+- **Error Handling**: Graceful degradation for network issues
+- **Timeout Management**: Configurable request timeouts
+
+### `internal/server`
+**TCP server implementation**
+
+#### `internal/server/tcp.go`
+- **Connection Management**: Accept, handle, cleanup TCP connections
+- **Protocol Integration**: Uses protocol package for message handling
+- **Security**: Connection timeouts, slowloris protection
+- **Metrics**: Request tracking at infrastructure layer
+- **Lifecycle**: Graceful startup/shutdown with context
+
+#### `internal/server/config.go`
+- **Server Configuration**: Network settings, timeouts
+- **Functional Options**: Builder pattern for server customization
+
+### `internal/application`
+**Application layer (message handling and coordination)**
+- **WisdomApplication**: Protocol message handler and coordinator
+- **Message Processing**: Handles challenge and solution requests from protocol layer
+- **Response Generation**: Creates appropriate protocol responses
+- **Service Coordination**: Orchestrates calls to business logic layer
+- **Error Handling**: Converts service errors to protocol error responses
+
+### `internal/service`
+**Business logic layer (core domain services)**
+- **WisdomService**: Main business logic coordinator
+- **Challenge Workflow**: Manages challenge generation and validation
+- **Solution Workflow**: Handles solution verification and quote retrieval
+- **Clean Architecture**: Pure business logic, no I/O dependencies
+- **Testing**: Easily mockable interfaces for unit testing
+
+**Service Dependencies**:
+- `ChallengeGenerator` - Creates new challenges
+- `ChallengeVerifier` - Validates submitted solutions
+- `QuoteService` - Retrieves quotes after successful validation
+
+### `test/integration`
+**End-to-end integration tests**
+- **Slowloris Protection**: Tests server resilience against slow attacks
+- **Connection Timeouts**: Validates timeout configurations
+- **Full Workflow**: Tests complete client-server interaction
+- **Real Components**: Uses actual TCP connections and protocol
+
+## Dependency Flow
+
+```
+cmd/server
+    ↓
+internal/config → internal/server → internal/application → internal/service
+                      ↓                    ↓                   ↓
+                internal/protocol     internal/protocol   internal/pow
+                internal/metrics                         internal/quotes
+```
+
+## Architecture Benefits
+
+This package structure provides:
+- **Clear Separation**: Each package has a single, well-defined responsibility
+- **Testability**: Dependencies are injected, making testing straightforward
+- **Maintainability**: Changes are isolated to specific layers
+- **Scalability**: Clean interfaces allow for easy implementation swapping
--- a/docs/PRODUCTION_READINESS.md
+++ b/docs/PRODUCTION_READINESS.md
@ -0,0 +1,70 @@
+# Production Readiness Assessment
+
+## Current Implementation Status
+
+### ✅ Core Functionality (Complete)
+- **Proof of Work System**: SHA-256 hashcash with HMAC-signed stateless challenges
+- **Binary Protocol**: Custom TCP protocol with JSON payloads and proper framing
+- **TCP Server**: Connection handling with timeout protection against slowloris attacks
+- **Client Application**: CLI tool with challenge solving and solution submission
+- **Service Layer**: Clean architecture with dependency injection
+- **Quote System**: External API integration for inspirational quotes
+- **Security**: HMAC authentication, replay protection, input validation
+- **Testing**: Comprehensive unit tests and slowloris protection integration tests
+
+### ✅ Observability & Configuration (Complete)
+- **Metrics Endpoint**: Prometheus metrics at `/metrics` with application and Go runtime KPIs
+- **Application Metrics**: Request tracking, error categorization, duration histograms, quotes served
+- **Go Runtime Metrics**: Memory stats, GC metrics, goroutine counts, process stats (auto-registered)
+- **Profiler Endpoint**: Go pprof integration at `/debug/pprof/` for performance debugging
+- **Structured Logging**: slog integration throughout server components with consistent formatting
+- **Configuration**: cleanenv-based config management with YAML files and environment variables
+- **Containerization**: Production-ready Dockerfile with security best practices
+- **Error Handling**: Proper error propagation and categorization
+- **Graceful Shutdown**: Context-based shutdown with connection draining
+
+## Remaining Components for Production
+
+### Critical for Production
+1. **Connection Pooling & Resource Management** (worker pools, connection limits)
+2. **Rate Limiting & DDoS Protection**
+3. **Secret Management** (HMAC keys, external API credentials)
+4. **Advanced Monitoring & Alerting**
+5. **Advanced Configuration Management**
+6. **Health Checks** (graceful shutdown already implemented)
+
+### Important for Scale
+7. **Security Hardening**
+8. **Quote Service Enhancement** (caching, fallback quotes, multiple sources)
+9. **Load Testing & Performance**
+10. **Documentation & Runbooks**
+
+### Nice to Have
+11. **Advanced Observability**
+12. **Chaos Engineering**
+13. **Automated Deployment**
+
+## Risk Assessment
+
+### High Risk Areas
+- **No rate limiting**: Vulnerable to sophisticated DDoS attacks
+- **Hardcoded secrets**: HMAC keys in configuration files (not properly secured)
+- **Limited monitoring**: Basic metrics but no alerting or attack detection
+- **Single point of failure**: No redundancy or failover
+
+### Medium Risk Areas
+- **Memory management**: Potential leaks under high load
+- **External dependencies**: Quote API could become bottleneck
+- **Configuration drift**: Manual configuration prone to errors
+
+## Current Architecture Strengths
+
+The existing implementation provides an excellent foundation:
+- **Clean Architecture**: Proper separation of concerns with dependency injection
+- **Security-First Design**: HMAC authentication, replay protection, and timeout protection
+- **Stateless Operation**: HMAC-signed challenges enable horizontal scaling
+- **Graceful Shutdown**: Proper context handling and connection draining
+- **Comprehensive Testing**: Proven slowloris protection and unit test coverage
+- **Observability Ready**: Prometheus metrics, pprof profiling, structured logging
+- **Standard Protocols**: Industry-standard approaches (TCP, JSON, SHA-256)
+- **Container Ready**: Production Dockerfile with security best practices
--- a/go.mod
+++ b/go.mod
@ -4,17 +4,28 @@ go 1.24.3

 require (
 	github.com/go-resty/resty/v2 v2.16.5
+	github.com/ilyakaznacheev/cleanenv v1.5.0
+	github.com/prometheus/client_golang v1.23.0
 	github.com/stretchr/testify v1.10.0
 )

 require (
+	github.com/BurntSushi/toml v1.2.1 // indirect
+	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/joho/godotenv v1.5.1 // indirect
 	github.com/kr/text v0.2.0 // indirect
-	github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e // indirect
+	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+	github.com/prometheus/client_model v0.6.2 // indirect
+	github.com/prometheus/common v0.65.0 // indirect
+	github.com/prometheus/procfs v0.16.1 // indirect
 	github.com/stretchr/objx v0.5.2 // indirect
-	golang.org/x/net v0.35.0 // indirect
+	golang.org/x/net v0.40.0 // indirect
+	golang.org/x/sys v0.33.0 // indirect
 	golang.org/x/time v0.8.0 // indirect
-	gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f // indirect
+	google.golang.org/protobuf v1.36.6 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
+	olympos.io/encoding/edn v0.0.0-20201019073823-d3554ca0b0a3 // indirect
 )
--- a/go.sum
+++ b/go.sum
@ -1,26 +1,60 @@
+github.com/BurntSushi/toml v1.2.1 h1:9F2/+DoOYIOksmaJFPw1tGFy1eDnIJXg+UHjuD8lTak=
+github.com/BurntSushi/toml v1.2.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
+github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
+github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
+github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
+github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/go-resty/resty/v2 v2.16.5 h1:hBKqmWrr7uRc3euHVqmh1HTHcKn99Smr7o5spptdhTM=
 github.com/go-resty/resty/v2 v2.16.5/go.mod h1:hkJtXbA2iKHzJheXYvQ8snQES5ZLGKMwQ07xAwp/fiA=
-github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
-github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
+github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
+github.com/ilyakaznacheev/cleanenv v1.5.0 h1:0VNZXggJE2OYdXE87bfSSwGxeiGt9moSR2lOrsHHvr4=
+github.com/ilyakaznacheev/cleanenv v1.5.0/go.mod h1:a5aDzaJrLCQZsazHol1w8InnDcOX0OColm64SlIi6gk=
+github.com/joho/godotenv v1.5.1 h1:7eLL/+HRGLY0ldzfGMeQkb7vMd0as4CfYvUVzLqw0N0=
+github.com/joho/godotenv v1.5.1/go.mod h1:f4LDr5Voq0i2e/R5DDNOoa2zzDfwtkZa6DnEwAbqwq4=
+github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
+github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
+github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
-github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs=
-github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
+github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
+github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
+github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
+github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/prometheus/client_golang v1.23.0 h1:ust4zpdl9r4trLY/gSjlm07PuiBq2ynaXXlptpfy8Uc=
+github.com/prometheus/client_golang v1.23.0/go.mod h1:i/o0R9ByOnHX0McrTMTyhYvKE4haaf2mW08I+jGAjEE=
+github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=
+github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
+github.com/prometheus/common v0.65.0 h1:QDwzd+G1twt//Kwj/Ww6E9FQq1iVMmODnILtW1t2VzE=
+github.com/prometheus/common v0.65.0/go.mod h1:0gZns+BLRQ3V6NdaerOhMbwwRbNh9hkGINtQAsP5GS8=
+github.com/prometheus/procfs v0.16.1 h1:hZ15bTNuirocR6u0JZ6BAHHmwS1p8B4P6MRqxtzMyRg=
+github.com/prometheus/procfs v0.16.1/go.mod h1:teAbpZRB1iIAJYREa1LsoWUXykVXA1KlTmWl8x/U+Is=
+github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
+github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog=
 github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
 github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
-golang.org/x/net v0.35.0 h1:T5GQRQb2y08kTAByq9L4/bz8cipCdA8FbRTXewonqY8=
-golang.org/x/net v0.35.0/go.mod h1:EglIi67kWsHKlRzzVMUD93VMSWGFOMSZgxFjparz1Qk=
+go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
+go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
+golang.org/x/net v0.40.0 h1:79Xs7wF06Gbdcg4kdCCIQArK11Z1hr5POQ6+fIYHNuY=
+golang.org/x/net v0.40.0/go.mod h1:y0hY0exeL2Pku80/zKK7tpntoX23cqL3Oa6njdgRtds=
+golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
+golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/time v0.8.0 h1:9i3RxcPv3PZnitoVGMPDKZSq1xW1gK1Xy3ArNOGZfEg=
 golang.org/x/time v0.8.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
+google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
+google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f h1:BLraFXnmrev5lT+xlilqcH8XK9/i0At2xKjWk4p6zsU=
-gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+olympos.io/encoding/edn v0.0.0-20201019073823-d3554ca0b0a3 h1:slmdOY3vp8a7KQbHkL+FLbvbkgMqmXojpFUO/jENuqQ=
+olympos.io/encoding/edn v0.0.0-20201019073823-d3554ca0b0a3/go.mod h1:oVgVk4OWVDi43qWBEyGhXgYxt7+ED4iYNpTngSLX2Iw=
--- a/internal/application/application_test.go
+++ b/internal/application/application_test.go
@ -32,9 +32,9 @@ func TestWisdomApplication_HandleMessage_UnsupportedType(t *testing.T) {

 	ctx := context.Background()
 	msg := &protocol.Message{
-		Type:           protocol.MessageType(0xFF), // Invalid type
-		PayloadLength:  0,
-		PayloadStream:  nil,
+		Type:          protocol.MessageType(0xFF), // Invalid type
+		PayloadLength: 0,
+		PayloadStream: nil,
 	}

 	response, err := app.HandleMessage(ctx, msg)
@ -64,9 +64,9 @@ func TestWisdomApplication_HandleChallengeRequest_Success(t *testing.T) {

 	ctx := context.Background()
 	msg := &protocol.Message{
-		Type:           protocol.ChallengeRequestType,
-		PayloadLength:  0,
-		PayloadStream:  nil,
+		Type:          protocol.ChallengeRequestType,
+		PayloadLength: 0,
+		PayloadStream: nil,
 	}

 	response, err := app.HandleMessage(ctx, msg)
@ -89,9 +89,9 @@ func TestWisdomApplication_HandleChallengeRequest_ServiceError(t *testing.T) {

 	ctx := context.Background()
 	msg := &protocol.Message{
-		Type:           protocol.ChallengeRequestType,
-		PayloadLength:  0,
-		PayloadStream:  nil,
+		Type:          protocol.ChallengeRequestType,
+		PayloadLength: 0,
+		PayloadStream: nil,
 	}

 	response, err := app.HandleMessage(ctx, msg)
@ -138,9 +138,9 @@ func TestWisdomApplication_HandleSolutionRequest_Success(t *testing.T) {

 	ctx := context.Background()
 	msg := &protocol.Message{
-		Type:           protocol.SolutionRequestType,
-		PayloadLength:  uint32(len(payloadJSON)),
-		PayloadStream:  bytes.NewReader(payloadJSON),
+		Type:          protocol.SolutionRequestType,
+		PayloadLength: uint32(len(payloadJSON)),
+		PayloadStream: bytes.NewReader(payloadJSON),
 	}

 	response, err := app.HandleMessage(ctx, msg)
@ -161,9 +161,9 @@ func TestWisdomApplication_HandleSolutionRequest_InvalidJSON(t *testing.T) {
 	invalidJSON := []byte("invalid json")
 	ctx := context.Background()
 	msg := &protocol.Message{
-		Type:           protocol.SolutionRequestType,
-		PayloadLength:  uint32(len(invalidJSON)),
-		PayloadStream:  bytes.NewReader(invalidJSON),
+		Type:          protocol.SolutionRequestType,
+		PayloadLength: uint32(len(invalidJSON)),
+		PayloadStream: bytes.NewReader(invalidJSON),
 	}

 	response, err := app.HandleMessage(ctx, msg)
@ -205,9 +205,9 @@ func TestWisdomApplication_HandleSolutionRequest_VerificationFailed(t *testing.T

 	ctx := context.Background()
 	msg := &protocol.Message{
-		Type:           protocol.SolutionRequestType,
-		PayloadLength:  uint32(len(payloadJSON)),
-		PayloadStream:  bytes.NewReader(payloadJSON),
+		Type:          protocol.SolutionRequestType,
+		PayloadLength: uint32(len(payloadJSON)),
+		PayloadStream: bytes.NewReader(payloadJSON),
 	}

 	response, err := app.HandleMessage(ctx, msg)
@ -250,9 +250,9 @@ func TestWisdomApplication_HandleSolutionRequest_QuoteServiceError(t *testing.T)

 	ctx := context.Background()
 	msg := &protocol.Message{
-		Type:           protocol.SolutionRequestType,
-		PayloadLength:  uint32(len(payloadJSON)),
-		PayloadStream:  bytes.NewReader(payloadJSON),
+		Type:          protocol.SolutionRequestType,
+		PayloadLength: uint32(len(payloadJSON)),
+		PayloadStream: bytes.NewReader(payloadJSON),
 	}

 	response, err := app.HandleMessage(ctx, msg)
@ -279,9 +279,9 @@ func TestWisdomApplication_HandleMessage_ContextCancellation(t *testing.T) {
 	mockService.On("GenerateChallenge", mock.Anything, "quotes").Return(nil, context.Canceled)

 	msg := &protocol.Message{
-		Type:           protocol.ChallengeRequestType,
-		PayloadLength:  0,
-		PayloadStream:  nil,
+		Type:          protocol.ChallengeRequestType,
+		PayloadLength: 0,
+		PayloadStream: nil,
 	}

 	response, err := app.HandleMessage(ctx, msg)
--- a/internal/config/config.go
+++ b/internal/config/config.go
@ -0,0 +1,72 @@
+package config
+
+import (
+	"time"
+
+	"github.com/ilyakaznacheev/cleanenv"
+)
+
+type Config struct {
+	Server  ServerConfig  `yaml:"server"`
+	PoW     PoWConfig     `yaml:"pow"`
+	Quotes  QuotesConfig  `yaml:"quotes"`
+	Metrics MetricsConfig `yaml:"metrics"`
+	Logging LoggingConfig `yaml:"logging"`
+}
+
+type ServerConfig struct {
+	Address  string        `yaml:"address" env:"SERVER_ADDRESS" env-default:":8080"`
+	Timeouts TimeoutConfig `yaml:"timeouts"`
+}
+
+type TimeoutConfig struct {
+	Read       time.Duration `yaml:"read" env:"SERVER_READ_TIMEOUT" env-default:"5s"`
+	Write      time.Duration `yaml:"write" env:"SERVER_WRITE_TIMEOUT" env-default:"5s"`
+	Connection time.Duration `yaml:"connection" env:"SERVER_CONNECTION_TIMEOUT" env-default:"15s"`
+}
+
+type PoWConfig struct {
+	Difficulty    int           `yaml:"difficulty" env:"POW_DIFFICULTY" env-default:"4"`
+	MaxDifficulty int           `yaml:"max_difficulty" env:"POW_MAX_DIFFICULTY" env-default:"10"`
+	TTL           time.Duration `yaml:"ttl" env:"POW_TTL" env-default:"5m"`
+	HMACSecret    string        `yaml:"hmac_secret" env:"POW_HMAC_SECRET" env-default:"development-secret-change-in-production"`
+}
+
+type QuotesConfig struct {
+	Timeout time.Duration `yaml:"timeout" env:"QUOTES_TIMEOUT" env-default:"10s"`
+}
+
+type MetricsConfig struct {
+	Address string `yaml:"address" env:"METRICS_ADDRESS" env-default:":8081"`
+}
+
+type LoggingConfig struct {
+	Level  string `yaml:"level" env:"LOG_LEVEL" env-default:"info"`
+	Format string `yaml:"format" env:"LOG_FORMAT" env-default:"text"`
+}
+
+func Load(configPath string) (*Config, error) {
+	cfg := &Config{}
+
+	if configPath != "" {
+		err := cleanenv.ReadConfig(configPath, cfg)
+		if err != nil {
+			return nil, err
+		}
+	} else {
+		err := cleanenv.ReadEnv(cfg)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	return cfg, nil
+}
+
+func (c *Config) ToServerConfig() *ServerConfig {
+	return &c.Server
+}
+
+func (c *Config) ToPoWConfig() *PoWConfig {
+	return &c.PoW
+}
--- a/internal/metrics/metrics.go
+++ b/internal/metrics/metrics.go
@ -0,0 +1,33 @@
+package metrics
+
+import (
+	"github.com/prometheus/client_golang/prometheus"
+	"github.com/prometheus/client_golang/prometheus/promauto"
+)
+
+var (
+	ActiveConnections = promauto.NewGauge(prometheus.GaugeOpts{
+		Name: "wisdom_active_connections",
+		Help: "Number of currently active TCP connections",
+	})
+
+	RequestsTotal = promauto.NewCounter(prometheus.CounterOpts{
+		Name: "wisdom_requests_total",
+		Help: "Total number of requests processed",
+	})
+
+	RequestErrors = promauto.NewCounterVec(prometheus.CounterOpts{
+		Name: "wisdom_request_errors_total",
+		Help: "Total number of request errors by type",
+	}, []string{"error_type"})
+
+	RequestDuration = promauto.NewHistogram(prometheus.HistogramOpts{
+		Name: "wisdom_request_duration_seconds",
+		Help: "Time taken to process requests",
+	})
+
+	QuotesServed = promauto.NewCounter(prometheus.CounterOpts{
+		Name: "wisdom_quotes_served_total",
+		Help: "Total number of quotes successfully served to clients",
+	})
+)
--- a/internal/pow/challenge/types.go
+++ b/internal/pow/challenge/types.go
@ -68,8 +68,8 @@ func (c *Challenge) VerifySolution(nonce uint64) bool {

 // hasLeadingZeroBits checks if hash has the required number of leading zero bits
 func hasLeadingZeroBits(hash []byte, difficulty int) bool {
-	full := difficulty >> 3        // number of whole zero bytes
-	rem  := uint(difficulty & 7)   // remaining leading zero bits
+	full := difficulty >> 3     // number of whole zero bytes
+	rem := uint(difficulty & 7) // remaining leading zero bits

 	for i := range full {
 		if hash[i] != 0 {
--- a/internal/protocol/constants.go
+++ b/internal/protocol/constants.go
@ -4,8 +4,8 @@ package protocol
 type MessageType byte

 const (
-	ChallengeRequestType  MessageType = 0x01
-	SolutionRequestType   MessageType = 0x03
+	ChallengeRequestType MessageType = 0x01
+	SolutionRequestType  MessageType = 0x03
 	// Response types (for responses.go)
 	ChallengeResponseType MessageType = 0x02
 	QuoteResponseType     MessageType = 0x04
@ -14,14 +14,14 @@ const (

 // Error codes as defined in protocol specification
 const (
-	ErrMalformedMessage    = "MALFORMED_MESSAGE"
-	ErrInvalidChallenge    = "INVALID_CHALLENGE"
-	ErrInvalidSolution     = "INVALID_SOLUTION"
-	ErrExpiredChallenge    = "EXPIRED_CHALLENGE"
-	ErrRateLimited         = "RATE_LIMITED"
-	ErrServerError         = "SERVER_ERROR"
-	ErrTooManyConnections  = "TOO_MANY_CONNECTIONS"
-	ErrDifficultyTooHigh   = "DIFFICULTY_TOO_HIGH"
+	ErrMalformedMessage   = "MALFORMED_MESSAGE"
+	ErrInvalidChallenge   = "INVALID_CHALLENGE"
+	ErrInvalidSolution    = "INVALID_SOLUTION"
+	ErrExpiredChallenge   = "EXPIRED_CHALLENGE"
+	ErrRateLimited        = "RATE_LIMITED"
+	ErrServerError        = "SERVER_ERROR"
+	ErrTooManyConnections = "TOO_MANY_CONNECTIONS"
+	ErrDifficultyTooHigh  = "DIFFICULTY_TOO_HIGH"
 )

 // Protocol constants
--- a/internal/protocol/message_decoder.go
+++ b/internal/protocol/message_decoder.go
@ -43,8 +43,8 @@ func (d *MessageDecoder) Decode(r io.Reader) (*Message, error) {
 	}

 	return &Message{
-		Type:           msgType,
-		PayloadLength:  payloadLength,
-		PayloadStream:  payloadStream,
+		Type:          msgType,
+		PayloadLength: payloadLength,
+		PayloadStream: payloadStream,
 	}, nil
 }
--- a/internal/protocol/message_decoder_test.go
+++ b/internal/protocol/message_decoder_test.go
@ -13,11 +13,11 @@ func TestMessageDecoder_Decode_Header(t *testing.T) {
 	decoder := NewMessageDecoder()

 	tests := []struct {
-		name           string
-		data           []byte
-		wantType       MessageType
-		wantLength     uint32
-		wantErr        string
+		name       string
+		data       []byte
+		wantType   MessageType
+		wantLength uint32
+		wantErr    string
 	}{
 		{
 			name:       "challenge request with empty payload",
--- a/internal/protocol/requests.go
+++ b/internal/protocol/requests.go
@ -7,7 +7,6 @@ import (
 	"hash-of-wisdom/internal/pow/challenge"
 )

-
 // ChallengeRequest is empty (no payload for challenge requests)
 type ChallengeRequest struct{}

--- a/internal/protocol/responses.go
+++ b/internal/protocol/responses.go
@ -8,7 +8,6 @@ import (
 	"hash-of-wisdom/internal/quotes"
 )

-
 // ChallengeResponse represents a challenge response
 type ChallengeResponse struct {
 	Challenge *challenge.Challenge
--- a/internal/protocol/roundtrip_test.go
+++ b/internal/protocol/roundtrip_test.go
@ -113,7 +113,6 @@ func TestChallengeRequest_EmptyPayload(t *testing.T) {
 	require.NoError(t, err)
 }

-
 func TestPayloadStream_LimitedRead(t *testing.T) {
 	decoder := NewMessageDecoder()

--- a/internal/protocol/types.go
+++ b/internal/protocol/types.go
@ -4,7 +4,7 @@ import "io"

 // Message represents a protocol message with type and payload stream
 type Message struct {
-	Type           MessageType
-	PayloadLength  uint32
-	PayloadStream  io.Reader
+	Type          MessageType
+	PayloadLength uint32
+	PayloadStream io.Reader
 }
--- a/internal/server/config.go
+++ b/internal/server/config.go
@ -17,15 +17,3 @@ type TimeoutConfig struct {
 	// Connection timeout is the maximum total connection lifetime
 	Connection time.Duration
 }
-
-// DefaultConfig returns default server configuration
-func DefaultConfig() *Config {
-	return &Config{
-		Address: ":8080",
-		Timeouts: TimeoutConfig{
-			Read:       5 * time.Second,
-			Write:      5 * time.Second,
-			Connection: 15 * time.Second,
-		},
-	}
-}
--- a/internal/server/tcp.go
+++ b/internal/server/tcp.go
@ -11,6 +11,7 @@ import (

 	"hash-of-wisdom/internal/application"
 	"hash-of-wisdom/internal/lib/sl"
+	"hash-of-wisdom/internal/metrics"
 	"hash-of-wisdom/internal/protocol"
 	"hash-of-wisdom/internal/service"
 )
@ -23,19 +24,12 @@ type TCPServer struct {
 	listener          net.Listener
 	logger            *slog.Logger
 	wg                sync.WaitGroup
-	shutdown          chan struct{}
+	cancel            context.CancelFunc
 }

 // Option is a functional option for configuring TCPServer
 type option func(*TCPServer)

-// WithConfig sets a custom configuration
-func WithConfig(config *Config) option {
-	return func(s *TCPServer) {
-		s.config = config
-	}
-}
-
 // WithLogger sets a custom logger
 func WithLogger(logger *slog.Logger) option {
 	return func(s *TCPServer) {
@ -43,14 +37,13 @@ func WithLogger(logger *slog.Logger) option {
 	}
 }

-// NewTCPServer creates a new TCP server with optional configuration
-func NewTCPServer(wisdomService *service.WisdomService, opts ...option) *TCPServer {
+// NewTCPServer creates a new TCP server with required configuration
+func NewTCPServer(wisdomService *service.WisdomService, config *Config, opts ...option) *TCPServer {
 	server := &TCPServer{
-		config:            DefaultConfig(),
+		config:            config,
 		wisdomApplication: application.NewWisdomApplication(wisdomService),
 		decoder:           protocol.NewMessageDecoder(),
 		logger:            slog.Default(),
-		shutdown:          make(chan struct{}),
 	}

 	for _, opt := range opts {
@ -60,7 +53,6 @@ func NewTCPServer(wisdomService *service.WisdomService, opts ...option) *TCPServ
 	return server
 }

-
 // Start starts the TCP server
 func (s *TCPServer) Start(ctx context.Context) error {
 	listener, err := net.Listen("tcp", s.config.Address)
@ -71,14 +63,22 @@ func (s *TCPServer) Start(ctx context.Context) error {
 	s.listener = listener
 	s.logger.Info("tcp server started", "address", s.config.Address)

-	go s.acceptLoop(ctx)
+	// Create cancellable context for server lifecycle
+	serverCtx, cancel := context.WithCancel(ctx)
+	s.cancel = cancel
+
+	go s.acceptLoop(serverCtx)
 	return nil
 }

 // Stop gracefully stops the server
 func (s *TCPServer) Stop() error {
 	s.logger.Info("stopping tcp server")
-	close(s.shutdown)
+
+	// Cancel server context to stop accept loop and active connections
+	if s.cancel != nil {
+		s.cancel()
+	}

 	if s.listener != nil {
 		s.listener.Close()
@ -101,8 +101,6 @@ func (s *TCPServer) Address() string {
 func (s *TCPServer) acceptLoop(ctx context.Context) {
 	for {
 		select {
-		case <-s.shutdown:
-			return
 		case <-ctx.Done():
 			return
 		default:
@ -111,7 +109,7 @@ func (s *TCPServer) acceptLoop(ctx context.Context) {
 		rawConn, err := s.listener.Accept()
 		if err != nil {
 			select {
-			case <-s.shutdown:
+			case <-ctx.Done():
 				return
 			default:
 				s.logger.Error("accept error", sl.Err(err))
@ -131,6 +129,10 @@ func (s *TCPServer) acceptLoop(ctx context.Context) {
 func (s *TCPServer) handleConnection(ctx context.Context, rawConn net.Conn) {
 	defer rawConn.Close()

+	// Track active connections
+	metrics.ActiveConnections.Inc()
+	defer metrics.ActiveConnections.Dec()
+
 	connLogger := s.logger.With("remote_addr", rawConn.RemoteAddr().String())
 	connLogger.Info("connection accepted")

@ -188,19 +190,38 @@ func (s *TCPServer) processConnection(ctx context.Context, conn net.Conn, logger
 			logger.Debug("client closed connection gracefully")
 			return nil
 		}
+		metrics.RequestErrors.WithLabelValues("decode_error").Inc()
 		logger.Error("failed to decode message", sl.Err(err))
 		return fmt.Errorf("decode error: %w", err)
 	}

 	logger.Debug("message decoded", "type", msg.Type, "payload_length", msg.PayloadLength)

-	// Process message through application layer
+	// Track all requests
+	metrics.RequestsTotal.Inc()
+
+	// Process message through application layer with timing
+	start := time.Now()
 	response, err := s.wisdomApplication.HandleMessage(ctx, msg)
+	duration := time.Since(start)
+	metrics.RequestDuration.Observe(duration.Seconds())
+
 	if err != nil {
+		metrics.RequestErrors.WithLabelValues("internal_error").Inc()
 		logger.Error("application error", sl.Err(err))
 		return fmt.Errorf("application error: %w", err)
 	}

+	// Check if response is an error response
+	if errorResp, isError := response.(*protocol.ErrorResponse); isError {
+		metrics.RequestErrors.WithLabelValues(string(errorResp.Code)).Inc()
+	} else {
+		// Track quotes served for successful solution requests
+		if msg.Type == protocol.SolutionRequestType {
+			metrics.QuotesServed.Inc()
+		}
+	}
+
 	logger.Debug("sending response to client")
 	// Send response using the response's own Encode method
 	if err := response.Encode(dc); err != nil {
--- a/internal/service/wisdom.go
+++ b/internal/service/wisdom.go
@ -9,11 +9,11 @@ import (
 )

 var (
-	ErrResourceRequired   = errors.New("resource is required")
+	ErrResourceRequired    = errors.New("resource is required")
 	ErrUnsupportedResource = errors.New("unsupported resource")
-	ErrSolutionRequired   = errors.New("solution is required")
-	ErrInvalidChallenge   = errors.New("invalid challenge")
-	ErrInvalidSolution    = errors.New("invalid proof of work solution")
+	ErrSolutionRequired    = errors.New("solution is required")
+	ErrInvalidChallenge    = errors.New("invalid challenge")
+	ErrInvalidSolution     = errors.New("invalid proof of work solution")
 )

 type ChallengeGenerator interface {
--- a/internal/service/wisdom_test.go
+++ b/internal/service/wisdom_test.go
@ -70,15 +70,15 @@ func TestWisdomService_GenerateChallenge(t *testing.T) {

 func TestWisdomService_VerifySolution(t *testing.T) {
 	tests := []struct {
-		name     string
-		solution *challenge.Solution
-		wantErr  error
+		name       string
+		solution   *challenge.Solution
+		wantErr    error
 		setupMocks func(*mocks.MockChallengeVerifier)
 	}{
 		{
-			name:     "nil solution",
-			solution: nil,
-			wantErr:  ErrSolutionRequired,
+			name:       "nil solution",
+			solution:   nil,
+			wantErr:    ErrSolutionRequired,
 			setupMocks: func(mv *mocks.MockChallengeVerifier) {},
 		},
 		{
@ -93,17 +93,17 @@ func TestWisdomService_VerifySolution(t *testing.T) {
 			},
 		},
 		{
-			name: "invalid solution",
+			name:     "invalid solution",
 			solution: createInvalidSolution(t),
-			wantErr: ErrInvalidSolution,
+			wantErr:  ErrInvalidSolution,
 			setupMocks: func(mv *mocks.MockChallengeVerifier) {
 				mv.EXPECT().VerifyChallenge(mock.Anything).Return(nil).Once()
 			},
 		},
 		{
-			name: "valid solution",
+			name:     "valid solution",
 			solution: createValidSolution(t),
-			wantErr: nil,
+			wantErr:  nil,
 			setupMocks: func(mv *mocks.MockChallengeVerifier) {
 				mv.EXPECT().VerifyChallenge(mock.Anything).Return(nil).Once()
 			},
--- a/internal/service/workflow_test.go
+++ b/internal/service/workflow_test.go
@ -284,8 +284,8 @@ func TestWisdomService_InvalidSolutions(t *testing.T) {

 func TestWisdomService_UnsuccessfulFlows(t *testing.T) {
 	tests := []struct {
-		name       string
-		difficulty int
+		name           string
+		difficulty     int
 		createSolution func(*challenge.Challenge, *challenge.Solution) *challenge.Solution
 	}{
 		{
--- a/test/integration/helpers_test.go
+++ b/test/integration/helpers_test.go
@ -0,0 +1,56 @@
+package integration
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	"hash-of-wisdom/internal/lib/sl"
+	"hash-of-wisdom/internal/pow/challenge"
+	"hash-of-wisdom/internal/quotes"
+	"hash-of-wisdom/internal/server"
+	"hash-of-wisdom/internal/service"
+
+	"github.com/stretchr/testify/require"
+)
+
+// testQuoteService provides static quotes for testing
+type testQuoteService struct{}
+
+func (s *testQuoteService) GetRandomQuote(ctx context.Context) (*quotes.Quote, error) {
+	return &quotes.Quote{
+		Text:   "Test quote for integration testing",
+		Author: "Test Author",
+	}, nil
+}
+
+func setupTestServerWithConfig(t *testing.T, serverConfig *server.Config) *server.TCPServer {
+	// Create test components
+	challengeConfig := challenge.TestConfig()
+	generator := challenge.NewGenerator(challengeConfig)
+	verifier := challenge.NewVerifier(challengeConfig)
+
+	// Create a simple test quote service
+	quoteService := &testQuoteService{}
+
+	// Wire up service
+	genAdapter := service.NewGeneratorAdapter(generator)
+	wisdomService := service.NewWisdomService(genAdapter, verifier, quoteService)
+
+	// Create server with custom config using functional options
+	logger := sl.NewMockLogger()
+	srv := server.NewTCPServer(wisdomService, serverConfig,
+		server.WithLogger(logger))
+
+	// Start server
+	ctx, cancel := context.WithTimeout(context.Background(), 1*time.Second)
+	defer cancel()
+
+	err := srv.Start(ctx)
+	require.NoError(t, err)
+
+	// Give server time to start
+	time.Sleep(100 * time.Millisecond)
+
+	return srv
+}
--- a/test/integration/slowloris_test.go
+++ b/test/integration/slowloris_test.go
@ -0,0 +1,114 @@
+package integration
+
+import (
+	"net"
+	"testing"
+	"time"
+
+	"hash-of-wisdom/internal/server"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestSlowlorisProtection_SlowReader(t *testing.T) {
+	// Setup server with very short read timeout for testing
+	serverConfig := &server.Config{
+		Address: ":0",
+		Timeouts: server.TimeoutConfig{
+			Read:       100 * time.Millisecond,
+			Write:      5 * time.Second,
+			Connection: 15 * time.Second,
+		},
+	}
+
+	srv := setupTestServerWithConfig(t, serverConfig)
+	defer srv.Stop()
+
+	// Connect to server
+	conn, err := net.Dial("tcp", srv.Address())
+	require.NoError(t, err)
+	defer conn.Close()
+
+	// Send partial message header very slowly (slowloris attack)
+	_, err = conn.Write([]byte{0x01}) // Challenge request type
+	require.NoError(t, err)
+
+	// Wait longer than read timeout before sending length
+	time.Sleep(200 * time.Millisecond)
+
+	// Try to send more data - connection should be timed out
+	_, err = conn.Write([]byte{0x00, 0x00, 0x00, 0x00}) // Payload length
+
+	// Verify connection is closed by trying to read
+	buffer := make([]byte, 1024)
+	conn.SetReadDeadline(time.Now().Add(500 * time.Millisecond))
+	_, err = conn.Read(buffer)
+	assert.Error(t, err, "Connection should be closed due to slow reading")
+}
+
+func TestSlowlorisProtection_SlowConnectionTimeout(t *testing.T) {
+	// Setup server with very short connection timeout for testing
+	serverConfig := &server.Config{
+		Address: ":0",
+		Timeouts: server.TimeoutConfig{
+			Read:       5 * time.Second,
+			Write:      5 * time.Second,
+			Connection: 200 * time.Millisecond,
+		},
+	}
+
+	srv := setupTestServerWithConfig(t, serverConfig)
+	defer srv.Stop()
+
+	// Connect to server but do nothing
+	conn, err := net.Dial("tcp", srv.Address())
+	require.NoError(t, err)
+	defer conn.Close()
+
+	// Wait longer than connection timeout
+	time.Sleep(300 * time.Millisecond)
+
+	// Try to read - connection should be closed
+	buffer := make([]byte, 1024)
+	conn.SetReadDeadline(time.Now().Add(500 * time.Millisecond))
+	_, err = conn.Read(buffer)
+	assert.Error(t, err, "Connection should be closed due to connection timeout")
+}
+
+func TestSlowlorisProtection_MultipleSlowClients(t *testing.T) {
+	// Setup server with short timeouts
+	serverConfig := &server.Config{
+		Address: ":0",
+		Timeouts: server.TimeoutConfig{
+			Read:       1 * time.Second,
+			Write:      1 * time.Second,
+			Connection: 2 * time.Second,
+		},
+	}
+
+	srv := setupTestServerWithConfig(t, serverConfig)
+	defer srv.Stop()
+
+	// Create multiple slow connections
+	var connections []net.Conn
+	for i := 0; i < 5; i++ {
+		conn, err := net.Dial("tcp", srv.Address())
+		require.NoError(t, err)
+		connections = append(connections, conn)
+		// Send partial data on each connection
+		conn.Write([]byte{0x01}) // Challenge request type only
+	}
+
+	// Wait for timeouts to kick in
+	time.Sleep(1500 * time.Millisecond)
+
+	// All connections should be closed
+	buffer := make([]byte, 1024)
+	for i, conn := range connections {
+		conn.SetReadDeadline(time.Now().Add(500 * time.Millisecond))
+		_, err := conn.Read(buffer)
+		assert.Error(t, err, "Connection %d should be closed", i)
+		conn.Close()
+	}
+}
--- a/test/integration/timeout_test.go
+++ b/test/integration/timeout_test.go
@ -0,0 +1,161 @@
+package integration
+
+import (
+	"net"
+	"testing"
+	"time"
+
+	"hash-of-wisdom/internal/protocol"
+	"hash-of-wisdom/internal/server"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestTCPServer_TimeoutProtection_SlowReader(t *testing.T) {
+	// Setup server with very short read timeout for testing
+	serverConfig := &server.Config{
+		Address: ":0",
+		Timeouts: server.TimeoutConfig{
+			Read:       500 * time.Millisecond,
+			Write:      5 * time.Second,
+			Connection: 15 * time.Second,
+		},
+	}
+	srv := setupTestServerWithConfig(t, serverConfig)
+	defer srv.Stop()
+
+	// Connect to server
+	conn, err := net.Dial("tcp", srv.Address())
+	require.NoError(t, err)
+	defer conn.Close()
+
+	// Send partial message header (just type byte)
+	_, err = conn.Write([]byte{0x01}) // Challenge request type
+	require.NoError(t, err)
+
+	// Wait longer than read timeout before sending length
+	time.Sleep(700 * time.Millisecond)
+
+	// Try to send more data - connection should be timed out
+	_, err = conn.Write([]byte{0x00, 0x00, 0x00, 0x00}) // Payload length
+
+	// Verify connection is closed by reading
+	buffer := make([]byte, 1024)
+	conn.SetReadDeadline(time.Now().Add(1 * time.Second))
+	_, err = conn.Read(buffer)
+	assert.Error(t, err, "Connection should be closed due to slow reading")
+}
+
+func TestTCPServer_TimeoutProtection_ConnectionTimeout(t *testing.T) {
+	// Setup server with very short connection timeout
+	serverConfig := &server.Config{
+		Address: ":0",
+		Timeouts: server.TimeoutConfig{
+			Read:       5 * time.Second,
+			Write:      5 * time.Second,
+			Connection: 1 * time.Second,
+		},
+	}
+	srv := setupTestServerWithConfig(t, serverConfig)
+	defer srv.Stop()
+
+	// Connect to server
+	conn, err := net.Dial("tcp", srv.Address())
+	require.NoError(t, err)
+	defer conn.Close()
+
+	// Wait longer than connection timeout
+	time.Sleep(1500 * time.Millisecond)
+
+	// Try to read from connection - should get EOF or connection reset
+	buffer := make([]byte, 1024)
+	conn.SetReadDeadline(time.Now().Add(500 * time.Millisecond))
+	_, err = conn.Read(buffer)
+	assert.Error(t, err, "Connection should be closed due to timeout")
+}
+
+func TestTCPServer_NormalOperation_WithinTimeouts(t *testing.T) {
+	srv := setupTestServer(t)
+	defer srv.Stop()
+
+	// Connect and complete normal flow quickly
+	conn, err := net.Dial("tcp", srv.Address())
+	require.NoError(t, err)
+	defer conn.Close()
+
+	// Request challenge using new protocol API
+	challengeReq := &protocol.ChallengeRequest{}
+	err = challengeReq.Encode(conn)
+	require.NoError(t, err)
+
+	// Should receive challenge response without timeout
+	decoder := protocol.NewMessageDecoder()
+	msg, err := decoder.Decode(conn)
+	require.NoError(t, err)
+	assert.Equal(t, protocol.ChallengeResponseType, msg.Type)
+	assert.Greater(t, msg.PayloadLength, uint32(0), "Challenge payload should not be empty")
+}
+
+func TestTCPServer_MultipleConnections_IndependentTimeouts(t *testing.T) {
+	serverConfig := &server.Config{
+		Address: ":0",
+		Timeouts: server.TimeoutConfig{
+			Read:       1 * time.Second,
+			Write:      5 * time.Second,
+			Connection: 3 * time.Second,
+		},
+	}
+	srv := setupTestServerWithConfig(t, serverConfig)
+	defer srv.Stop()
+
+	// Start two connections
+	conn1, err := net.Dial("tcp", srv.Address())
+	require.NoError(t, err)
+	defer conn1.Close()
+
+	conn2, err := net.Dial("tcp", srv.Address())
+	require.NoError(t, err)
+	defer conn2.Close()
+
+	// Conn1: Send complete request quickly
+	go func() {
+		req := &protocol.ChallengeRequest{}
+		req.Encode(conn1)
+	}()
+
+	// Conn2: Send partial request and stall
+	conn2.Write([]byte{0x01}) // Just message type
+
+	// Wait for read timeout
+	time.Sleep(1500 * time.Millisecond)
+
+	// Conn1 should still work, Conn2 should be closed
+	buffer := make([]byte, 1024)
+
+	// Conn1 should receive response
+	conn1.SetReadDeadline(time.Now().Add(1 * time.Second))
+	n, err := conn1.Read(buffer)
+	assert.NoError(t, err)
+	assert.Greater(t, n, 0, "Conn1 should receive response")
+
+	// Conn2 should be closed
+	conn2.SetReadDeadline(time.Now().Add(500 * time.Millisecond))
+	_, err = conn2.Read(buffer)
+	assert.Error(t, err, "Conn2 should be closed due to timeout")
+}
+
+// Helper function to create test server with default config
+func setupTestServer(t *testing.T) *server.TCPServer {
+	serverConfig := &server.Config{
+		Address: ":0",
+		Timeouts: server.TimeoutConfig{
+			Read:       5 * time.Second,
+			Write:      5 * time.Second,
+			Connection: 15 * time.Second,
+		},
+	}
+	return setupTestServerWithConfig(t, serverConfig)
+}
+
+// Helper function to create test server with custom config
Author	SHA1	Message	Date
Savely Krendelhoff	dfbf23a27c	Update README.md	2025-08-23 19:05:21 +07:00
Savely Krendelhoff	89b5fb9cf1	Update Taskfile	2025-08-23 18:57:46 +07:00
Savely Krendelhoff	c9fb9f91c1	Apply fmt	2025-08-23 18:52:43 +07:00
Savely Krendelhoff	78beb401fe	Remove flawed integration tests	2025-08-23 18:50:15 +07:00
Savely Krendelhoff	16dd1378a9	[PHASE-9] Production readiness	2025-08-23 18:33:02 +07:00
Savely Krendelhoff	5bf07dfda8	[PHASE-9] Add packages doc	2025-08-23 18:26:23 +07:00
Savely Krendelhoff	6bf918dca8	[PHASE-9] Fix graceful shutdown	2025-08-23 18:26:13 +07:00
Savely Krendelhoff	997859db84	[PHASE-9] Add architecture doc	2025-08-23 18:26:12 +07:00
Savely Krendelhoff	ea85e0b04d	[PHASE-9] Add README.md	2025-08-23 18:05:33 +07:00
Savely Krendelhoff	736eebc5bd	[PHASE-9] Update implementation plan	2025-08-23 18:05:32 +07:00
Savely Krendelhoff	2d8a7fae61	[PHASE-9] Expose runtime go metrics	2025-08-23 18:05:31 +07:00
Savely Krendelhoff	64513deaf8	[PHASE-8] Update implementation plan	2025-08-23 17:52:44 +07:00
Savely Krendelhoff	7c2560422d	[PHASE-8] Introduce Dockerfile	2025-08-23 17:49:38 +07:00
Savely Krendelhoff	d780b4f2ea	[PHASE-8] Gather metrics in tcp server	2025-08-23 17:49:37 +07:00
Savely Krendelhoff	ad042dd9aa	[PHASE-8] Implement proper graceful shutdown	2025-08-23 17:49:36 +07:00
Savely Krendelhoff	f68b055538	[PHASE-8] Define metrics	2025-08-23 17:49:35 +07:00
Savely Krendelhoff	54b75835a4	[PHASE-8] Expose metrics and pprof endpoints	2025-08-23 17:49:34 +07:00
Savely Krendelhoff	451403f8d1	[PHASE-8] Add config load	2025-08-23 17:49:33 +07:00
Savely Krendelhoff	0bf84576a8	[PHASE-8] Add proper configuration	2025-08-23 17:49:32 +07:00
Savely Krendelhoff	0ba0888d2b	[PHASE-8] Update dependencies	2025-08-23 16:01:09 +07:00
Savely Krendelhoff	2014d434d5	[PHASE-8] Update implementation plan	2025-08-23 13:54:40 +07:00
Savely Krendelhoff	eed4444eb8	[PHASE-7] Update implementation plan	2025-08-23 13:44:27 +07:00
Savely Krendelhoff	801c63a8e5	[PHASE-7] Implement integration tests	2025-08-23 13:44:25 +07:00