BREAKING CHANGE(vpn): replace tag-based VPN access control with source and target profiles

ts_interfaces/data/target-profile.ts

@@ -0,0 +1,29 @@
+/**
+ * A specific IP:port target within a TargetProfile.
+ */
+export interface ITargetProfileTarget {
+  host: string;
+  port: number;
+}
+
+/**
+ * A reusable, named target profile that defines what resources a VPN client can reach.
+ * Assigned to VPN clients via targetProfileIds.
+ *
+ * SourceProfile = source-side (who can access: ipAllowList, rateLimit, auth)
+ * TargetProfile = target-side (what can be accessed: domains, IP:port targets, route refs)
+ */
+export interface ITargetProfile {
+  id: string;
+  name: string;
+  description?: string;
+  /** Domain patterns this profile grants access to (supports wildcards: '*.example.com') */
+  domains?: string[];
+  /** Specific IP:port targets this profile grants access to */
+  targets?: ITargetProfileTarget[];
+  /** Route references by stored route ID or route name */
+  routeRefs?: string[];
+  createdAt: number;
+  updatedAt: number;
+  createdBy: string;
+}