feat(smart-proxy): add hot-reloadable global ingress security policy across Rust and TypeScript proxy layers

ts/proxies/smart-proxy/smart-proxy.ts

@@ -17,7 +17,7 @@ import { Mutex } from './utils/mutex.js';
 import { ConcurrencySemaphore } from './utils/concurrency-semaphore.js';
 
 // Types
-import type { ISmartProxyOptions, TSmartProxyCertProvisionObject, IAcmeOptions, ICertProvisionEventComms, ICertificateIssuedEvent, ICertificateFailedEvent } from './models/interfaces.js';
+import type { ISmartProxyOptions, ISmartProxySecurityPolicy, TSmartProxyCertProvisionObject, IAcmeOptions, ICertProvisionEventComms, ICertificateIssuedEvent, ICertificateFailedEvent } from './models/interfaces.js';
 import type { IRouteConfig } from './models/route-types.js';
 import type { IMetrics } from './models/metrics-types.js';
 import type { IRustCertificateStatus, IRustProxyOptions, IRustStatistics } from './models/rust-types.js';
@@ -350,6 +350,15 @@ export class SmartProxy extends plugins.EventEmitter {
       .catch((err) => logger.log('error', `Unexpected error in cert provisioning after route update: ${err.message}`, { component: 'smart-proxy' }));
   }
 
+  /**
+   * Update the global ingress security policy without changing routes.
+   * The Rust engine applies this before route selection and backend connection.
+   */
+  public async updateSecurityPolicy(policy: ISmartProxySecurityPolicy): Promise<void> {
+    this.settings.securityPolicy = policy;
+    await this.bridge.setSecurityPolicy(policy);
+  }
+
   /**
    * Provision a certificate for a named route.
    */