diff --git a/harmony/src/domain/topology/router.rs b/harmony/src/domain/topology/router.rs
index c1a48fc..66ae8f9 100644
--- a/harmony/src/domain/topology/router.rs
+++ b/harmony/src/domain/topology/router.rs
@@ -75,8 +75,6 @@ pub struct TlsRoute {
 pub target_port: u16,
 }
 
-#[async_trait]
-
 /// Installs and queries TLS passthrough routes (L4 TCP/SNI forwarding, no TLS termination).
 /// Agnostic to impl: OKD Route, AWS NLB+HAProxy, k3s Envoy Gateway, Apache ProxyPass.
 /// Used by PostgreSQL capability to expose CNPG clusters multisite (site1 → site2 replication).
@@ -91,6 +89,7 @@ pub struct TlsRoute {
 /// topology.install_route(route).await; // OKD Route, HAProxy reload, etc.
 /// }
 /// ```
+#[async_trait]
 pub trait TlsRouter: Send + Sync {
 /// Provisions the route (idempotent where possible).
 /// Example: OKD Route{ host, to: backend:target_port, tls: {passthrough} };
diff --git a/harmony/src/modules/mod.rs b/harmony/src/modules/mod.rs
index 910b535..9e1e838 100644
--- a/harmony/src/modules/mod.rs
+++ b/harmony/src/modules/mod.rs
@@ -18,3 +18,4 @@ pub mod prometheus;
 pub mod storage;
 pub mod tenant;
 pub mod tftp;
+pub mod network;
diff --git a/harmony/src/modules/network/mod.rs b/harmony/src/modules/network/mod.rs
new file mode 100644
index 0000000..c70dd89
--- /dev/null
+++ b/harmony/src/modules/network/mod.rs
@@ -0,0 +1,2 @@
+mod tls_router;
+pub use tls_router::*;
diff --git a/harmony/src/modules/network/tls_router.rs b/harmony/src/modules/network/tls_router.rs
new file mode 100644
index 0000000..10d9d9f
--- /dev/null
+++ b/harmony/src/modules/network/tls_router.rs
@@ -0,0 +1,96 @@
+use async_trait::async_trait;
+use harmony_types::id::Id;
+use serde::Serialize;
+
+use crate::data::Version;
+use crate::domain::topology::router::{TlsRoute, TlsRouter};
+use crate::interpret::{Interpret, InterpretError, InterpretName, InterpretStatus, Outcome};
+use crate::inventory::Inventory;
+use crate::score::Score;
+use crate::topology::{K8sclient, Topology};
+
+/// Score for provisioning a TLS passthrough route.
+/// Exposes backend services via TLS passthrough (L4 TCP/SNI forwarding).
+/// Agnostic to underlying router impl (OKD Route, HAProxy, Envoy, etc.).
+///
+/// # Usage
+/// ```
+/// use harmony::modules::network::TlsRouterScore;
+/// let score = TlsRouterScore::new("postgres-cluster-rw", "pg-rw.example.com", 5432);
+/// ```
+#[derive(Debug, Clone, Serialize)]
+pub struct TlsRouterScore {
+ /// Backend identifier (k8s Service, HAProxy upstream, IP/FQDN, etc.).
+ pub backend: String,
+ /// Public hostname clients connect to (TLS SNI, port 443 implicit).
+ pub hostname: String,
+ /// Backend TCP port.
+ pub target_port: u16,
+}
+
+impl Default for TlsRouterScore {
+ fn default() -> Self {
+ Self {
+ backend: "default-backend".to_string(),
+ hostname: "tls.default.public".to_string(),
+ target_port: 5432,
+ }
+ }
+}
+
+impl TlsRouterScore {
+ pub fn new(backend: &str, hostname: &str, target_port: u16) -> Self {
+ Self {
+ backend: backend.to_string(),
+ hostname: hostname.to_string(),
+ target_port,
+ }
+ }
+}
+
+/// Custom interpret: provisions the TLS passthrough route on the topology.
+#[derive(Debug, Clone)]
+struct TlsRouterInterpret {
+ tls_route: TlsRoute,
+}
+
+#[async_trait]
+impl Interpret for TlsRouterInterpret {
+ fn get_name(&self) -> InterpretName {
+ InterpretName::Custom("TlsRouterInterpret")
+ }
+ fn get_version(&self) -> Version {
+ todo!()
+ }
+ fn get_status(&self) -> InterpretStatus {
+ todo!()
+ }
+ fn get_children(&self) -> Vec {
+ todo!()
+ }
+ async fn execute(&self, _inventory: &Inventory, topo: &T) -> Result {
+ topo.install_route(self.tls_route.clone())
+ .await
+ .map_err(|e| InterpretError::new(e.to_string()))?;
+
+ Ok(Outcome::success(format!(
+ "TLS route installed: {} → {}:{}",
+ self.tls_route.hostname, self.tls_route.backend, self.tls_route.target_port
+ )))
+ }
+}
+
+impl Score for TlsRouterScore {
+ fn create_interpret(&self) -> Box> {
+ let tls_route = TlsRoute {
+ hostname: self.hostname.clone(),
+ backend: self.backend.clone(),
+ target_port: self.target_port,
+ };
+ Box::new(TlsRouterInterpret { tls_route })
+ }
+
+ fn name(&self) -> String {
+ format!("TlsRouterScore({}:{ } → {})", self.backend, self.target_port, self.hostname)
+ }
+}
diff --git a/harmony/src/modules/okd/mod.rs b/harmony/src/modules/okd/mod.rs
index 8bb85ef..da6f9e8 100644
--- a/harmony/src/modules/okd/mod.rs
+++ b/harmony/src/modules/okd/mod.rs
@@ -12,6 +12,7 @@ pub mod dns;
 pub mod installation;
 pub mod ipxe;
 pub mod load_balancer;
+pub mod route;
 pub mod templates;
 pub mod upgrade;
 pub use bootstrap_01_prepare::*;
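Review bot: In `tls_router.rs`, `impl Default for TlsRouterScore` hands out a score with placeholder values (`default-backend`, `tls.default.public`, port 5432), and `create_interpret` copies them straight into the `TlsRoute` passed to `install_route`, so a stray `TlsRouterScore::default()` would request a real passthrough route that nobody chose. I would drop the `Default` impl so every score goes through `new(backend, hostname, target_port)`, and have `new` or `execute` reject an empty `hostname` or `backend` before the router is called. Separately, `get_version`, `get_status` and `get_children` are `todo!()` and will panic if anything calls them; either return real values or add a comment such as `// not yet implemented: panics if called` so the gap is visible. Because the route is passthrough, the struct doc could also state that TLS and client authentication are left entirely to the backend.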