feat(vpn): support optional non-mandatory VPN route access and align route config with enabled semantics

ts_interfaces/data/remoteingress.ts

@@ -53,11 +53,14 @@ export interface IRouteRemoteIngress {
 
 /**
  * Route-level VPN access configuration.
- * When attached to a route, restricts access to VPN clients only.
+ * When attached to a route, controls VPN client access.
  */
 export interface IRouteVpn {
-  /** Whether this route requires VPN access */
-  required: boolean;
+  /** Enable VPN client access for this route */
+  enabled: boolean;
+  /** When true (default), ONLY VPN clients can access this route (replaces ipAllowList).
+   *  When false, VPN client IPs are added alongside the existing allowlist. */
+  mandatory?: boolean;
   /** Only allow VPN clients with these server-defined tags. Omitted = all VPN clients. */
   allowedServerDefinedClientTags?: string[];
 }

ts_interfaces/readme.md

@@ -97,7 +97,7 @@ interface IIdentity {
 | `IRemoteIngressStatus` | Runtime status: connected, publicIp, activeTunnels, lastHeartbeat |
 | `IRouteRemoteIngress` | Route-level config: enabled flag and optional edgeFilter |
 | `IDcRouterRouteConfig` | Extended SmartProxy route config with optional `remoteIngress` and `vpn` properties |
-| `IRouteVpn` | Route-level VPN config: `required` flag and optional `allowedServerDefinedClientTags` |
+| `IRouteVpn` | Route-level VPN config: `enabled`/`mandatory` flags and optional `allowedServerDefinedClientTags` |
 
 #### VPN Interfaces
 | Interface | Description |