fix(opsserver,vpn): tighten admin bootstrap behavior when the database is unavailable and include wildcard VPN profile matches in route access rules

ts/config/classes.route-config-manager.ts

@@ -608,9 +608,23 @@ export class RouteConfigManager {
     routeId?: string,
   ): plugins.smartproxy.IRouteConfig {
     const dcRoute = route as IDcRouterRouteConfig;
-    if (!dcRoute.vpnOnly) return route;
-
     const vpnEntries = this.getVpnClientIpsForRoute?.(dcRoute, routeId) || [];
+
+    if (!dcRoute.vpnOnly) {
+      const existingAllowList = route.security?.ipAllowList;
+      if (!Array.isArray(existingAllowList) || existingAllowList.length === 0 || vpnEntries.length === 0) {
+        return route;
+      }
+
+      return {
+        ...route,
+        security: {
+          ...route.security,
+          ipAllowList: this.mergeIpAllowEntries(existingAllowList as TIpAllowEntry[], vpnEntries),
+        },
+      };
+    }
+
     const existingBlockList = route.security?.ipBlockList || [];
     const ipBlockList = vpnEntries.length
       ? existingBlockList
@@ -625,4 +639,23 @@ export class RouteConfigManager {
       },
     };
   }
+
+  private mergeIpAllowEntries(
+    existingEntries: TIpAllowEntry[],
+    vpnEntries: TIpAllowEntry[],
+  ): TIpAllowEntry[] {
+    const merged: TIpAllowEntry[] = [];
+    const seen = new Set<string>();
+
+    for (const entry of [...existingEntries, ...vpnEntries]) {
+      const key = typeof entry === 'string'
+        ? `ip:${entry}`
+        : `domain:${entry.ip}:${[...entry.domains].sort().join(',')}`;
+      if (seen.has(key)) continue;
+      seen.add(key);
+      merged.push(entry);
+    }
+
+    return merged;
+  }
 }