feat(forwarding): add hybrid forwarding mode with per-client bridge and VLAN settings

ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@push.rocks/smartvpn',
-  version: '1.18.0',
+  version: '1.19.0',
   description: 'A VPN solution with TypeScript control plane and Rust data plane daemon'
 }

ts/smartvpn.interfaces.ts

@@ -92,8 +92,9 @@ export interface IVpnServerConfig {
   /** Enable NAT/masquerade for client traffic */
   enableNat?: boolean;
   /** Forwarding mode: 'tun' (kernel TUN, requires root), 'socket' (userspace NAT),
+   *  'bridge' (L2 bridge to host LAN), 'hybrid' (per-client socket+bridge),
    *  or 'testing' (monitoring only). Default: 'testing'. */
-  forwardingMode?: 'tun' | 'socket' | 'bridge' | 'testing';
+  forwardingMode?: 'tun' | 'socket' | 'bridge' | 'hybrid' | 'testing';
   /** Default rate limit for new clients (bytes/sec). Omit for unlimited. */
   defaultRateLimitBytesPerSec?: number;
   /** Default burst size for new clients (bytes). Omit for unlimited. */
@@ -361,6 +362,21 @@ export interface IClientEntry {
   expiresAt?: string;
   /** Assigned VPN IP address (set by server) */
   assignedIp?: string;
+
+  // Per-client bridge/host-IP settings
+
+  /** If true, client gets a host network IP via bridge mode (L2 to LAN).
+   *  If false (default), client gets a VPN subnet IP via socket/NAT mode. */
+  useHostIp?: boolean;
+  /** If true and useHostIp is true, obtain IP via DHCP relay.
+   *  If false or omitted, use staticIp or auto-assign from bridge IP range. */
+  useDhcp?: boolean;
+  /** Static LAN IP when useHostIp is true and useDhcp is false. */
+  staticIp?: string;
+  /** If true, assign this client to a specific 802.1Q VLAN on the bridge. */
+  forceVlan?: boolean;
+  /** 802.1Q VLAN ID (1-4094). Required when forceVlan is true. */
+  vlanId?: number;
 }
 
 /**