BREAKING CHANGE(vpn): replace tag-based VPN access control with source and target profiles

ts_interfaces/data/route-management.ts

@@ -12,18 +12,22 @@ export type TApiTokenScope =
   | 'routes:read' | 'routes:write'
   | 'config:read'
   | 'tokens:read' | 'tokens:manage'
-  | 'profiles:read' | 'profiles:write'
+  | 'source-profiles:read' | 'source-profiles:write'
+  | 'target-profiles:read' | 'target-profiles:write'
   | 'targets:read' | 'targets:write';
 
 // ============================================================================
-// Security Profile Types
+// Source Profile Types (source-side: who can access)
 // ============================================================================
 
 /**
- * A reusable, named security profile that can be referenced by routes.
+ * A reusable, named source profile that can be referenced by routes.
  * Stores the full IRouteSecurity shape from SmartProxy.
+ *
+ * SourceProfile = source-side (who can access: ipAllowList, rateLimit, auth)
+ * TargetProfile = target-side (what can be accessed: domains, IP:port targets, route refs)
  */
-export interface ISecurityProfile {
+export interface ISourceProfile {
   id: string;
   name: string;
   description?: string;
@@ -62,12 +66,12 @@ export interface INetworkTarget {
  * Metadata on a stored route tracking where its resolved values came from.
  */
 export interface IRouteMetadata {
-  /** ID of the SecurityProfileDoc used to resolve this route's security. */
-  securityProfileRef?: string;
+  /** ID of the SourceProfileDoc used to resolve this route's security. */
+  sourceProfileRef?: string;
   /** ID of the NetworkTargetDoc used to resolve this route's targets. */
   networkTargetRef?: string;
   /** Snapshot of the profile name at resolution time, for display. */
-  securityProfileName?: string;
+  sourceProfileName?: string;
   /** Snapshot of the target name at resolution time, for display. */
   networkTargetName?: string;
   /** Timestamp of last reference resolution. */