BREAKING CHANGE(vpn): replace tag-based VPN access control with source and target profiles

ts_interfaces/data/index.ts

@@ -2,4 +2,5 @@ export * from './auth.js';
 export * from './stats.js';
 export * from './remoteingress.js';
 export * from './route-management.js';
+export * from './target-profile.js';
 export * from './vpn.js';

ts_interfaces/data/remoteingress.ts

@@ -51,26 +51,14 @@ export interface IRouteRemoteIngress {
   edgeFilter?: string[];
 }
 
-/**
- * Route-level VPN access configuration.
- * When attached to a route, controls VPN client access.
- */
-export interface IRouteVpn {
-  /** Enable VPN client access for this route */
-  enabled: boolean;
-  /** When true (default), ONLY VPN clients can access this route (replaces ipAllowList).
-   *  When false, VPN client IPs are added alongside the existing allowlist. */
-  mandatory?: boolean;
-  /** Only allow VPN clients with these server-defined tags. Omitted = all VPN clients. */
-  allowedServerDefinedClientTags?: string[];
-}
-
 /**
  * Extended route config used within dcrouter.
- * Adds optional `remoteIngress` and `vpn` properties to SmartProxy's IRouteConfig.
+ * Adds optional `remoteIngress` and `vpnOnly` properties to SmartProxy's IRouteConfig.
  * SmartProxy ignores unknown properties at runtime.
  */
 export type IDcRouterRouteConfig = IRouteConfig & {
   remoteIngress?: IRouteRemoteIngress;
-  vpn?: IRouteVpn;
+  /** When true, only VPN clients whose TargetProfile matches this route get access.
+   *  Matching is determined by domain overlap, target overlap, or direct routeRef. */
+  vpnOnly?: boolean;
 };

ts_interfaces/data/route-management.ts

@@ -12,18 +12,22 @@ export type TApiTokenScope =
   | 'routes:read' | 'routes:write'
   | 'config:read'
   | 'tokens:read' | 'tokens:manage'
-  | 'profiles:read' | 'profiles:write'
+  | 'source-profiles:read' | 'source-profiles:write'
+  | 'target-profiles:read' | 'target-profiles:write'
   | 'targets:read' | 'targets:write';
 
 // ============================================================================
-// Security Profile Types
+// Source Profile Types (source-side: who can access)
 // ============================================================================
 
 /**
- * A reusable, named security profile that can be referenced by routes.
+ * A reusable, named source profile that can be referenced by routes.
  * Stores the full IRouteSecurity shape from SmartProxy.
+ *
+ * SourceProfile = source-side (who can access: ipAllowList, rateLimit, auth)
+ * TargetProfile = target-side (what can be accessed: domains, IP:port targets, route refs)
  */
-export interface ISecurityProfile {
+export interface ISourceProfile {
   id: string;
   name: string;
   description?: string;
@@ -62,12 +66,12 @@ export interface INetworkTarget {
  * Metadata on a stored route tracking where its resolved values came from.
  */
 export interface IRouteMetadata {
-  /** ID of the SecurityProfileDoc used to resolve this route's security. */
-  securityProfileRef?: string;
+  /** ID of the SourceProfileDoc used to resolve this route's security. */
+  sourceProfileRef?: string;
   /** ID of the NetworkTargetDoc used to resolve this route's targets. */
   networkTargetRef?: string;
   /** Snapshot of the profile name at resolution time, for display. */
-  securityProfileName?: string;
+  sourceProfileName?: string;
   /** Snapshot of the target name at resolution time, for display. */
   networkTargetName?: string;
   /** Timestamp of last reference resolution. */

ts_interfaces/data/target-profile.ts

@@ -0,0 +1,29 @@
+/**
+ * A specific IP:port target within a TargetProfile.
+ */
+export interface ITargetProfileTarget {
+  host: string;
+  port: number;
+}
+
+/**
+ * A reusable, named target profile that defines what resources a VPN client can reach.
+ * Assigned to VPN clients via targetProfileIds.
+ *
+ * SourceProfile = source-side (who can access: ipAllowList, rateLimit, auth)
+ * TargetProfile = target-side (what can be accessed: domains, IP:port targets, route refs)
+ */
+export interface ITargetProfile {
+  id: string;
+  name: string;
+  description?: string;
+  /** Domain patterns this profile grants access to (supports wildcards: '*.example.com') */
+  domains?: string[];
+  /** Specific IP:port targets this profile grants access to */
+  targets?: ITargetProfileTarget[];
+  /** Route references by stored route ID or route name */
+  routeRefs?: string[];
+  createdAt: number;
+  updatedAt: number;
+  createdBy: string;
+}

ts_interfaces/data/vpn.ts

@@ -4,7 +4,8 @@
 export interface IVpnClient {
   clientId: string;
   enabled: boolean;
-  serverDefinedClientTags?: string[];
+  /** IDs of TargetProfiles assigned to this client */
+  targetProfileIds?: string[];
   description?: string;
   assignedIp?: string;
   createdAt: number;

ts_interfaces/requests/index.ts

@@ -10,5 +10,6 @@ export * from './remoteingress.js';
 export * from './route-management.js';
 export * from './api-tokens.js';
 export * from './vpn.js';
-export * from './security-profiles.js';
+export * from './source-profiles.js';
+export * from './target-profiles.js';
 export * from './network-targets.js';

ts_interfaces/requests/source-profiles.ts

@@ -1,54 +1,54 @@
 import * as plugins from '../plugins.js';
 import type * as authInterfaces from '../data/auth.js';
-import type { ISecurityProfile, IRouteSecurity } from '../data/route-management.js';
+import type { ISourceProfile, IRouteSecurity } from '../data/route-management.js';
 
 // ============================================================================
-// Security Profile Endpoints
+// Source Profile Endpoints (source-side: who can access)
 // ============================================================================
 
 /**
- * Get all security profiles.
+ * Get all source profiles.
  */
-export interface IReq_GetSecurityProfiles extends plugins.typedrequestInterfaces.implementsTR<
+export interface IReq_GetSourceProfiles extends plugins.typedrequestInterfaces.implementsTR<
   plugins.typedrequestInterfaces.ITypedRequest,
-  IReq_GetSecurityProfiles
+  IReq_GetSourceProfiles
 > {
-  method: 'getSecurityProfiles';
+  method: 'getSourceProfiles';
   request: {
     identity?: authInterfaces.IIdentity;
     apiToken?: string;
   };
   response: {
-    profiles: ISecurityProfile[];
+    profiles: ISourceProfile[];
   };
 }
 
 /**
- * Get a single security profile by ID.
+ * Get a single source profile by ID.
  */
-export interface IReq_GetSecurityProfile extends plugins.typedrequestInterfaces.implementsTR<
+export interface IReq_GetSourceProfile extends plugins.typedrequestInterfaces.implementsTR<
   plugins.typedrequestInterfaces.ITypedRequest,
-  IReq_GetSecurityProfile
+  IReq_GetSourceProfile
 > {
-  method: 'getSecurityProfile';
+  method: 'getSourceProfile';
   request: {
     identity?: authInterfaces.IIdentity;
     apiToken?: string;
     id: string;
   };
   response: {
-    profile: ISecurityProfile | null;
+    profile: ISourceProfile | null;
   };
 }
 
 /**
- * Create a new security profile.
+ * Create a new source profile.
  */
-export interface IReq_CreateSecurityProfile extends plugins.typedrequestInterfaces.implementsTR<
+export interface IReq_CreateSourceProfile extends plugins.typedrequestInterfaces.implementsTR<
   plugins.typedrequestInterfaces.ITypedRequest,
-  IReq_CreateSecurityProfile
+  IReq_CreateSourceProfile
 > {
-  method: 'createSecurityProfile';
+  method: 'createSourceProfile';
   request: {
     identity?: authInterfaces.IIdentity;
     apiToken?: string;
@@ -65,13 +65,13 @@ export interface IReq_CreateSecurityProfile extends plugins.typedrequestInterfac
 }
 
 /**
- * Update a security profile.
+ * Update a source profile.
  */
-export interface IReq_UpdateSecurityProfile extends plugins.typedrequestInterfaces.implementsTR<
+export interface IReq_UpdateSourceProfile extends plugins.typedrequestInterfaces.implementsTR<
   plugins.typedrequestInterfaces.ITypedRequest,
-  IReq_UpdateSecurityProfile
+  IReq_UpdateSourceProfile
 > {
-  method: 'updateSecurityProfile';
+  method: 'updateSourceProfile';
   request: {
     identity?: authInterfaces.IIdentity;
     apiToken?: string;
@@ -89,13 +89,13 @@ export interface IReq_UpdateSecurityProfile extends plugins.typedrequestInterfac
 }
 
 /**
- * Delete a security profile.
+ * Delete a source profile.
  */
-export interface IReq_DeleteSecurityProfile extends plugins.typedrequestInterfaces.implementsTR<
+export interface IReq_DeleteSourceProfile extends plugins.typedrequestInterfaces.implementsTR<
   plugins.typedrequestInterfaces.ITypedRequest,
-  IReq_DeleteSecurityProfile
+  IReq_DeleteSourceProfile
 > {
-  method: 'deleteSecurityProfile';
+  method: 'deleteSourceProfile';
   request: {
     identity?: authInterfaces.IIdentity;
     apiToken?: string;
@@ -109,13 +109,13 @@ export interface IReq_DeleteSecurityProfile extends plugins.typedrequestInterfac
 }
 
 /**
- * Get which routes reference a security profile.
+ * Get which routes reference a source profile.
  */
-export interface IReq_GetSecurityProfileUsage extends plugins.typedrequestInterfaces.implementsTR<
+export interface IReq_GetSourceProfileUsage extends plugins.typedrequestInterfaces.implementsTR<
   plugins.typedrequestInterfaces.ITypedRequest,
-  IReq_GetSecurityProfileUsage
+  IReq_GetSourceProfileUsage
 > {
-  method: 'getSecurityProfileUsage';
+  method: 'getSourceProfileUsage';
   request: {
     identity?: authInterfaces.IIdentity;
     apiToken?: string;

ts_interfaces/requests/target-profiles.ts

@@ -0,0 +1,128 @@
+import * as plugins from '../plugins.js';
+import type * as authInterfaces from '../data/auth.js';
+import type { ITargetProfile, ITargetProfileTarget } from '../data/target-profile.js';
+
+// ============================================================================
+// Target Profile Endpoints (target-side: what can be accessed)
+// ============================================================================
+
+/**
+ * Get all target profiles.
+ */
+export interface IReq_GetTargetProfiles extends plugins.typedrequestInterfaces.implementsTR<
+  plugins.typedrequestInterfaces.ITypedRequest,
+  IReq_GetTargetProfiles
+> {
+  method: 'getTargetProfiles';
+  request: {
+    identity?: authInterfaces.IIdentity;
+    apiToken?: string;
+  };
+  response: {
+    profiles: ITargetProfile[];
+  };
+}
+
+/**
+ * Get a single target profile by ID.
+ */
+export interface IReq_GetTargetProfile extends plugins.typedrequestInterfaces.implementsTR<
+  plugins.typedrequestInterfaces.ITypedRequest,
+  IReq_GetTargetProfile
+> {
+  method: 'getTargetProfile';
+  request: {
+    identity?: authInterfaces.IIdentity;
+    apiToken?: string;
+    id: string;
+  };
+  response: {
+    profile: ITargetProfile | null;
+  };
+}
+
+/**
+ * Create a new target profile.
+ */
+export interface IReq_CreateTargetProfile extends plugins.typedrequestInterfaces.implementsTR<
+  plugins.typedrequestInterfaces.ITypedRequest,
+  IReq_CreateTargetProfile
+> {
+  method: 'createTargetProfile';
+  request: {
+    identity?: authInterfaces.IIdentity;
+    apiToken?: string;
+    name: string;
+    description?: string;
+    domains?: string[];
+    targets?: ITargetProfileTarget[];
+    routeRefs?: string[];
+  };
+  response: {
+    success: boolean;
+    id?: string;
+    message?: string;
+  };
+}
+
+/**
+ * Update a target profile.
+ */
+export interface IReq_UpdateTargetProfile extends plugins.typedrequestInterfaces.implementsTR<
+  plugins.typedrequestInterfaces.ITypedRequest,
+  IReq_UpdateTargetProfile
+> {
+  method: 'updateTargetProfile';
+  request: {
+    identity?: authInterfaces.IIdentity;
+    apiToken?: string;
+    id: string;
+    name?: string;
+    description?: string;
+    domains?: string[];
+    targets?: ITargetProfileTarget[];
+    routeRefs?: string[];
+  };
+  response: {
+    success: boolean;
+    message?: string;
+  };
+}
+
+/**
+ * Delete a target profile.
+ */
+export interface IReq_DeleteTargetProfile extends plugins.typedrequestInterfaces.implementsTR<
+  plugins.typedrequestInterfaces.ITypedRequest,
+  IReq_DeleteTargetProfile
+> {
+  method: 'deleteTargetProfile';
+  request: {
+    identity?: authInterfaces.IIdentity;
+    apiToken?: string;
+    id: string;
+    force?: boolean;
+  };
+  response: {
+    success: boolean;
+    message?: string;
+  };
+}
+
+/**
+ * Get which VPN clients reference a target profile.
+ */
+export interface IReq_GetTargetProfileUsage extends plugins.typedrequestInterfaces.implementsTR<
+  plugins.typedrequestInterfaces.ITypedRequest,
+  IReq_GetTargetProfileUsage
+> {
+  method: 'getTargetProfileUsage';
+  request: {
+    identity?: authInterfaces.IIdentity;
+    apiToken?: string;
+    id: string;
+  };
+  response: {
+    clients: Array<{ clientId: string; description?: string }>;
+  };
+}

ts_interfaces/requests/vpn.ts

@@ -49,7 +49,7 @@ export interface IReq_CreateVpnClient extends plugins.typedrequestInterfaces.imp
   request: {
     identity: authInterfaces.IIdentity;
     clientId: string;
-    serverDefinedClientTags?: string[];
+    targetProfileIds?: string[];
     description?: string;
     forceDestinationSmartproxy?: boolean;
     destinationAllowList?: string[];
@@ -81,7 +81,7 @@ export interface IReq_UpdateVpnClient extends plugins.typedrequestInterfaces.imp
     identity: authInterfaces.IIdentity;
     clientId: string;
     description?: string;
-    serverDefinedClientTags?: string[];
+    targetProfileIds?: string[];
     forceDestinationSmartproxy?: boolean;
     destinationAllowList?: string[];
     destinationBlockList?: string[];