docs: refresh readme and legal info

2026-05-07 20:22:12 +00:00
parent 5fbe2eb80b
commit 7bb6559748
6 changed files with 287 additions and 243 deletions
@@ -1,34 +1,38 @@
 # @serve.zone/dcrouter
-![dcrouter banner](https://code.foss.global/serve.zone/docs/raw/branch/main/dcrouter.png)
+`dcrouter` is the serve.zone datacenter gateway runtime: a TypeScript control plane that brings HTTP/HTTPS/TCP routing, email ingress, authoritative DNS, RADIUS, VPN access control, remote ingress tunnels, certificate operations, metrics, and an Ops dashboard into one process.
 `dcrouter` is a TypeScript control plane for running a serious multi-protocol edge or datacenter gateway from one process. It wires together SmartProxy for HTTP/HTTPS/TCP routing, smartmta for email, smartdns for authoritative DNS and DNS-over-HTTPS, smartradius, smartvpn, remote ingress tunnels, a TypedRequest API, and the Ops dashboard.
 Use it when you want one place to define routes, manage domains and certificates, protect internal services, automate changes over an API, and operate the whole stack from a browser.
 ## Issue Reporting and Security
 For reporting bugs, issues, or security vulnerabilities, please visit [community.foss.global/](https://community.foss.global/). This is the central community hub for all issue reporting. Developers who sign and comply with our contribution agreement and go through identification can also get a [code.foss.global/](https://code.foss.global/) account to submit Pull Requests directly.
-## Why It Works
+## Why It Exists
- 🌐 One runtime for HTTP/HTTPS/TCP, SMTP, authoritative DNS + DoH, RADIUS, VPN, and remote ingress.
+Modern infrastructure often has too many tiny edge tools: a proxy here, a DNS daemon there, a separate cert worker, another dashboard, and a tunnel process bolted on later. `dcrouter` is designed as a cohesive gateway layer for operators who want one audited place to define public routes, domains, edge tunnels, access policy, and operational state.
 - 🧠 Constructor config becomes system-managed routes, while API-created routes stay editable and clearly separated.
 - 🔐 Certificates, DNS providers, domains, records, API tokens, access profiles, and protected routes live in one management plane.
 - 🖥️ The OpsServer UI and TypedRequest API are first-class parts of the package, not an afterthought.
 - ⚡ Qualifying HTTPS forward routes on port `443` get HTTP/3 augmentation by default unless you opt out.
-## What You Get
+Highlights:
-| Area | What dcrouter does |
+- 🌐 SmartProxy-backed HTTP, HTTPS, TCP, TLS/SNI, and optional HTTP/3 route handling
 - 📬 SmartMTA-backed SMTP ingress and email-domain operations
 - 🧭 SmartDNS-backed authoritative DNS plus generated DNS-over-HTTPS routes
 - 🔐 ACME, certificate state, API tokens, users, source profiles, target profiles, and security policies
 - 🛡️ RADIUS, VLAN assignment, VPN-protected routes, and remote ingress firewall snapshots
 - 🖥️ Browser Ops dashboard and TypedRequest API served by the built-in OpsServer
 ## Runtime Areas
 | Area | What dcrouter manages |
 | --- | --- |
-| HTTP / HTTPS / TCP | SmartProxy-based reverse proxying, TLS termination or passthrough, path/domain/port matching, TCP/SNI forwarding |
+| Proxying | SmartProxy routes for HTTP, HTTPS, TCP, SNI, TLS termination, passthrough, and backend forwarding |
-| Email | SMTP ingress and delivery via `UnifiedEmailServer`, route-based mail actions, email-domain management, queue and resend operations |
+| Route ownership | Constructor routes, generated email/DNS routes, and API-created routes with explicit origins |
-| DNS | Authoritative zones, nameserver bootstrap records, DNS-over-HTTPS routes on `/dns-query` and `/resolve`, provider-backed domain management |
+| DNS | Authoritative scopes, generated NS records, static DNS records, provider-backed domains, and DoH endpoints |
-| Access and Edge | VPN-gated routes, RADIUS auth/accounting, remote ingress edge registrations and tunnel hub support |
+| Email | UnifiedEmailServer startup, email-domain management, route-backed delivery actions, received mail operations |
-| Operations | Browser dashboard, TypedRequest API, route management, tokens, certificates, logs, metrics, and health views |
+| Certificates | ACME config, stored certificate metadata, provisioning backoff, and certificate status reporting |
 | Edge access | Remote ingress hub, edge registrations, derived edge ports, pushed firewall rules, VPN-only route access |
 | Network auth | RADIUS clients, MAC Authentication Bypass, VLAN mapping, and accounting sessions |
 | Operations | Dashboard views, TypedRequest handlers, metrics, logs, health, API tokens, users, and configuration views |
-## Installation
+## Install
 ```bash
 pnpm add @serve.zone/dcrouter
@@ -36,7 +40,7 @@ pnpm add @serve.zone/dcrouter
 ## Quick Start
-This example stays on unprivileged ports so you can run it locally without root.
+This starts the gateway on unprivileged ports and stores data under the default `~/.serve.zone/dcrouter` base directory.
 ```typescript
 import { DcRouter } from '@serve.zone/dcrouter';
@@ -69,86 +73,77 @@ await router.start();
 After startup:
 - open the dashboard at `http://localhost:3000`
- log in with the current built-in credentials `admin` / `admin`
+- log in with the current built-in development credentials `admin` / `admin`
 - send proxied traffic to `http://localhost:18080`
 - stop gracefully with `await router.stop()`
-## Route Ownership Model
+## Configuration Model
-dcrouter keeps route ownership explicit so automation does not accidentally stomp on system-generated traffic.
+`DcRouter` is configured with `IDcRouterOptions` from `@serve.zone/dcrouter`.
 | Route origin | Where it comes from | What you can do |
 | --- | --- | --- |
 | `config` | Constructor `smartProxyConfig.routes` and related seed config | View and toggle |
 | `email` | Email listener and mail-routing derived routes | View and toggle |
 | `dns` | Generated DoH and DNS-related routes | View and toggle |
 | `api` | Created through the Ops UI or API client | Full CRUD |
 Important details:
 - system routes are persisted with stable `systemKey` values
 - DNS-over-HTTPS routes are persisted and then hydrated with live socket handlers at runtime
 - editing and deletion are reserved for `api` routes; system routes are toggle-only by design
 ## Configuration Cheat Sheet
 The main entrypoint is `IDcRouterOptions`.
 | Option | Purpose |
 | --- | --- |
-| `smartProxyConfig` | Main HTTP/HTTPS and TCP/SNI routing config |
+| `baseDir` | Root directory for dcrouter runtime data. Defaults to `~/.serve.zone/dcrouter`. |
-| `emailConfig` | Email hostname, ports, domains, and mail routing rules |
+| `smartProxyConfig` | Main SmartProxy route configuration for HTTP/HTTPS/TCP/SNI traffic. |
-| `emailPortConfig` | External-to-internal email port remapping and received-email storage path |
+| `emailConfig` | UnifiedEmailServer configuration: hostname, ports, domains, and mail routes. |
-| `tls` | ACME contact and static certificate paths |
+| `emailPortConfig` | External-to-internal email port mapping and received-email storage path. |
-| `dnsNsDomains` | Nameserver hostnames used for NS bootstrap and DoH route generation |
+| `tls` | Legacy/static TLS and ACME contact settings used to seed certificate config. |
-| `dnsScopes` | Domains served authoritatively by the embedded DNS server |
+| `dnsNsDomains` | Nameserver hostnames used for generated NS records and DoH routes. |
-| `dnsRecords` | Static constructor-defined DNS records |
+| `dnsScopes` | Authoritative domains served by the embedded DNS server. |
-| `publicIp` / `proxyIps` | How A records are exposed for nameserver and service records |
+| `dnsRecords` | Constructor-defined DNS records. |
-| `dbConfig` | Embedded LocalSmartDb or external MongoDB-backed persistence |
+| `publicIp` / `proxyIps` | IPs used for generated A records and proxy-aware DNS exposure. |
-| `radiusConfig` | RADIUS auth, VLAN assignment, and accounting |
+| `dbConfig` | Smartdata persistence via embedded LocalSmartDb or external MongoDB. |
-| `remoteIngressConfig` | Remote ingress hub and edge tunnel setup |
+| `radiusConfig` | RADIUS authentication, accounting, and VLAN assignment. |
-| `vpnConfig` | VPN server and client definitions for protected route access |
+| `remoteIngressConfig` | Remote ingress hub configuration for edge tunnel nodes. |
-| `http3` | Global HTTP/3 behavior for qualifying HTTPS routes |
+| `vpnConfig` | VPN server/client definitions and VPN-only routing behavior. |
-| `opsServerPort` | Ops dashboard and TypedRequest API port |
+| `http3` | HTTP/3 augmentation settings for qualifying HTTPS routes. |
 | `opsServerPort` | Port for the Ops dashboard and `/typedrequest` API. Defaults to `3000`. |
-## Important Behavior
+Important runtime behavior:
- `dbConfig.enabled` defaults to `true`. If you do not provide `mongoDbUrl`, dcrouter starts an embedded local database automatically.
+- `dbConfig.enabled` defaults to enabled. Without `mongoDbUrl`, dcrouter uses embedded LocalSmartDb.
- If you disable the DB, constructor-driven traffic can still run, but DB-backed features such as persistent routes, tokens, ACME config, and managed domains do not start.
+- If the DB is disabled, constructor-defined proxy traffic can still run, but persistent API routes, tokens, managed domains, and stored certificate state are unavailable.
- Qualifying HTTPS forward routes on port `443` get HTTP/3 by default unless `http3.enabled === false` or the route opts out.
+- Qualifying HTTPS forward routes on port `443` are HTTP/3-augmented unless `http3.enabled === false` or the route opts out.
- DNS-over-HTTPS endpoints are generated on the first entry of `dnsNsDomains` at `/dns-query` and `/resolve`.
+- DNS-over-HTTPS routes are generated on the first `dnsNsDomains` entry at `/dns-query` and `/resolve`.
- Email listener ports are internally remapped by default, so common external ports such as `25`, `587`, and `465` end up on internal ports like `10025`, `10587`, and `10465`.
+- Email listener ports can be remapped internally, for example public `25`, `587`, and `465` to unprivileged internal ports.
 - Provider-backed domains can be managed in the Ops plane without being served by the embedded authoritative DNS server.
-## Bigger Example
+## Route Ownership
 dcrouter keeps generated and operator-created routes separate so automation can reconcile safely.
 | Origin | Source | Mutability |
 | --- | --- | --- |
 | `config` | Constructor `smartProxyConfig.routes` and seed data | Toggle only |
 | `email` | Email listener and email-domain generated routes | Toggle only |
 | `dns` | Generated DNS-over-HTTPS and DNS-related routes | Toggle only |
 | `api` | Ops UI or API client | Full CRUD |
 System routes are persisted with stable `systemKey` values. API-created routes are the editable route layer intended for operators and automation.
 ## Production-Flavored Example
 ```typescript
 import { DcRouter } from '@serve.zone/dcrouter';
 const router = new DcRouter({
  baseDir: '/var/lib/dcrouter',
  smartProxyConfig: {
    routes: [
      {
        name: 'web-app',
-        match: {
+        match: { domains: ['app.example.com'], ports: [443] },
          domains: ['app.example.com'],
          ports: [443],
        },
        action: {
          type: 'forward',
-          targets: [{ host: '127.0.0.1', port: 8080 }],
+          targets: [{ host: '10.10.0.21', port: 8080 }],
          tls: { mode: 'terminate', certificate: 'auto' },
        },
      },
      {
        name: 'internal-admin',
-        match: {
+        match: { domains: ['admin.example.com'], ports: [443] },
          domains: ['internal.example.com'],
          ports: [443],
        },
        action: {
          type: 'forward',
-          targets: [{ host: '127.0.0.1', port: 9090 }],
+          targets: [{ host: '10.10.0.30', port: 9000 }],
          tls: { mode: 'terminate', certificate: 'auto' },
        },
        vpnOnly: true,
@@ -158,15 +153,10 @@ const router = new DcRouter({
  emailConfig: {
    hostname: 'mail.example.com',
    ports: [25, 587, 465],
-    domains: [
+    domains: [{ domain: 'example.com', dnsMode: 'internal-dns' }],
      {
        domain: 'example.com',
        dnsMode: 'internal-dns',
      },
    ],
    routes: [
      {
-        name: 'inbound-mail',
+        name: 'inbound-example',
        match: { recipients: '*@example.com' },
        action: {
          type: 'forward',
@@ -178,18 +168,15 @@ const router = new DcRouter({
  dnsNsDomains: ['ns1.example.com', 'ns2.example.com'],
  dnsScopes: ['example.com'],
  publicIp: '203.0.113.10',
  remoteIngressConfig: {
    enabled: true,
    tunnelPort: 8443,
    hubDomain: 'ingress.example.com',
  },
  vpnConfig: {
    enabled: true,
    serverEndpoint: 'vpn.example.com',
-    clients: [
+    clients: [{ clientId: 'ops-laptop', description: 'Operations laptop' }],
      {
        clientId: 'ops-laptop',
        description: 'Operations laptop',
      },
    ],
  },
  dbConfig: {
    enabled: true,
  },
  opsServerPort: 3000,
 });
@@ -197,15 +184,9 @@ const router = new DcRouter({
 await router.start();
 ```
-## Automation
+## Automation API
-dcrouter gives you three good integration layers:
+The OpsServer exposes TypedRequest handlers at `/typedrequest`. You can use raw contracts or the object-oriented API client.
 - the browser dashboard served by `OpsServer`
 - raw TypedRequest contracts via `@serve.zone/dcrouter/interfaces`
 - a higher-level OO API client via `@serve.zone/dcrouter/apiclient` or `@serve.zone/dcrouter-apiclient`
 ### OO API Client Example
 ```bash
 pnpm add @serve.zone/dcrouter-apiclient
@@ -220,24 +201,20 @@ const client = new DcRouterApiClient({
 await client.login('admin', 'admin');
-const { routes } = await client.routes.list();
+const route = await client.routes.build()
 await client.routes.build()
  .setName('api-gateway')
  .setMatch({ ports: 443, domains: ['api.example.com'] })
  .setAction({ type: 'forward', targets: [{ host: '127.0.0.1', port: 8081 }] })
  .save();
-if (routes[0] && routes[0].origin !== 'api') {
+await route.toggle(true);
  await routes[0].toggle(false);
 }
 ```
-See `./ts_apiclient/readme.md` for the dedicated client package and `./ts_interfaces/readme.md` for the raw contracts.
+Use `@serve.zone/dcrouter/interfaces` or `@serve.zone/dcrouter-interfaces` when you want the raw TypedRequest contracts instead of resource managers.
 ## OCI / Container Bootstrap
-The package also includes an environment-driven bootstrap used by `runCli()` when `DCROUTER_MODE=OCI_CONTAINER`.
+`runCli()` supports an environment-driven container mode when `DCROUTER_MODE=OCI_CONTAINER`.
 ```typescript
 import { runCli } from '@serve.zone/dcrouter';
@@ -245,49 +222,52 @@ import { runCli } from '@serve.zone/dcrouter';
 await runCli();
 ```
-Useful environment variables include:
+Supported environment overrides include:
- `DCROUTER_CONFIG_PATH`
+| Variable | Purpose |
- `DCROUTER_BASE_DIR`
+| --- | --- |
- `DCROUTER_TLS_EMAIL`
+| `DCROUTER_CONFIG_PATH` | JSON file loaded as the base `IDcRouterOptions` object. |
- `DCROUTER_TLS_DOMAIN`
+| `DCROUTER_BASE_DIR` | Runtime data root. |
- `DCROUTER_PUBLIC_IP`
+| `DCROUTER_TLS_EMAIL` / `DCROUTER_TLS_DOMAIN` | TLS/ACME seed settings. |
- `DCROUTER_PROXY_IPS`
+| `DCROUTER_PUBLIC_IP` / `DCROUTER_PROXY_IPS` | Public/proxy IP exposure settings. |
- `DCROUTER_DNS_NS_DOMAINS`
+| `DCROUTER_DNS_NS_DOMAINS` / `DCROUTER_DNS_SCOPES` | DNS nameserver and authoritative scope settings. |
- `DCROUTER_DNS_SCOPES`
+| `DCROUTER_EMAIL_HOSTNAME` / `DCROUTER_EMAIL_PORTS` | Email server seed settings. |
- `DCROUTER_EMAIL_HOSTNAME`
+| `DCROUTER_CACHE_ENABLED` | Enables or disables DB-backed persistence. |
- `DCROUTER_EMAIL_PORTS`
+| `DCROUTER_MAX_CONNECTIONS`, `DCROUTER_MAX_CONNECTIONS_PER_IP`, `DCROUTER_CONNECTION_RATE_LIMIT` | SmartProxy capacity and rate-limit overrides. |
 ## Published Modules
-This repository ships several module boundaries from one codebase.
+This repository intentionally publishes multiple module boundaries from one codebase.
 | Module | Purpose | Docs |
 | --- | --- | --- |
 | `@serve.zone/dcrouter` | Main runtime and orchestrator | `./readme.md` |
-| `@serve.zone/dcrouter/interfaces` | Shared request and data contracts as a subpath export | `./ts_interfaces/readme.md` |
+| `@serve.zone/dcrouter/interfaces` | Shared contracts as a subpath export | `./ts_interfaces/readme.md` |
-| `@serve.zone/dcrouter/apiclient` | OO API client as a subpath export | `./ts_apiclient/readme.md` |
+| `@serve.zone/dcrouter/apiclient` | API client as a subpath export | `./ts_apiclient/readme.md` |
-| `@serve.zone/dcrouter-interfaces` | Standalone interfaces package | `./ts_interfaces/readme.md` |
+| `@serve.zone/dcrouter-interfaces` | Standalone contracts package | `./ts_interfaces/readme.md` |
 | `@serve.zone/dcrouter-apiclient` | Standalone OO API client package | `./ts_apiclient/readme.md` |
 | `@serve.zone/dcrouter-migrations` | Standalone migration runner package | `./ts_migrations/readme.md` |
-| `@serve.zone/dcrouter-web` | Standalone web dashboard package boundary | `./ts_web/readme.md` |
+| `@serve.zone/dcrouter-web` | Dashboard frontend module boundary | `./ts_web/readme.md` |
 ## Development
 ```bash
 pnpm run build
 pnpm test
 pnpm run watch
 ```
-Target a single test while working on one area:
+Useful source entry points:
-```bash
+- `ts/index.ts` exports `DcRouter`, `runCli()`, and public module surfaces.
-tstest test/test.apiclient.ts --verbose
+- `ts/classes.dcrouter.ts` owns service startup, dependency ordering, and `IDcRouterOptions`.
-```
+- `ts/opsserver/classes.opsserver.ts` wires the dashboard server and TypedRequest handlers.
 - `ts/remoteingress/` integrates `@serve.zone/remoteingress` with stored edge registrations.
 - `ts_migrations/index.ts` contains all DB schema migration steps.
 ## License and Legal Information
-This repository contains open-source code licensed under the MIT License. A copy of the license can be found in the [LICENSE](./license) file.
+This repository contains open-source code licensed under the MIT License. A copy of the license can be found in the [license](./license) file.
 **Please note:** The MIT License does not grant permission to use the trade names, trademarks, service marks, or product names of the project, except as required for reasonable and customary use in describing the origin of the work and reproducing the content of the NOTICE file.
@@ -79,7 +79,7 @@ await router.start();
 ## License and Legal Information
-This repository contains open-source code licensed under the MIT License. A copy of the license can be found in the [LICENSE](../license) file.
+This repository contains open-source code licensed under the MIT License. A copy of the license can be found in the [license](../license) file.
 **Please note:** The MIT License does not grant permission to use the trade names, trademarks, service marks, or product names of the project, except as required for reasonable and customary use in describing the origin of the work and reproducing the content of the NOTICE file.
@@ -1,18 +1,18 @@
 # @serve.zone/dcrouter-apiclient
-Typed, object-oriented client for operating a running dcrouter instance. It wraps the OpsServer `/typedrequest` API in managers and resource classes so your scripts can work with routes, certificates, tokens, remote ingress edges, emails, stats, config, logs, and RADIUS without hand-rolling requests.
+`@serve.zone/dcrouter-apiclient` is the object-oriented TypeScript client for the dcrouter OpsServer API. It wraps `/typedrequest` calls in managers, builders, and resource classes for routes, certificates, API tokens, remote ingress, email, stats, config, logs, RADIUS, and WorkHoster integrations.
 ## Issue Reporting and Security
 For reporting bugs, issues, or security vulnerabilities, please visit [community.foss.global/](https://community.foss.global/). This is the central community hub for all issue reporting. Developers who sign and comply with our contribution agreement and go through identification can also get a [code.foss.global/](https://code.foss.global/) account to submit Pull Requests directly.
-## Installation
+## Install
 ```bash
 pnpm add @serve.zone/dcrouter-apiclient
 ```
-You can also import the same client through the main package subpath:
+The same client is also exposed as a subpath of the main package:
 ```typescript
 import { DcRouterApiClient } from '@serve.zone/dcrouter/apiclient';
@@ -30,7 +30,7 @@ const client = new DcRouterApiClient({
 await client.login('admin', 'admin');
 const { routes, warnings } = await client.routes.list();
-console.log('route count', routes.length, 'warnings', warnings.length);
+console.log(routes.length, warnings.length);
 const route = await client.routes.build()
  .setName('api-gateway')
@@ -38,47 +38,46 @@ const route = await client.routes.build()
  .setAction({ type: 'forward', targets: [{ host: '127.0.0.1', port: 8080 }] })
  .save();
-await route.toggle(false);
+await route.toggle(true);
 ```
-## What the Client Gives You
+## Authentication
-| Manager | Purpose |
+The client supports session login and API-token authentication.
 | --- | --- |
 | `client.routes` | List merged routes, create API routes, toggle routes |
 | `client.certificates` | Inspect certificates and run certificate operations |
 | `client.apiTokens` | Create, list, toggle, roll, and revoke API tokens |
 | `client.remoteIngress` | Manage edge registrations, statuses, and connection tokens |
 | `client.emails` | Inspect email items and trigger resend flows |
 | `client.stats` | Health, statistics, and operational summaries |
 | `client.config` | Read the current configuration view |
 | `client.logs` | Read recent logs and log-related data |
 | `client.radius` | Manage RADIUS clients, VLANs, and sessions |
 ## Authentication Modes
 | Mode | How it works |
 | --- | --- |
 | Admin login | Call `login(username, password)` and the returned identity is stored on the client |
 | API token | Pass `apiToken` in the constructor and it is injected into requests automatically |
 ```typescript
-const client = new DcRouterApiClient({
+const sessionClient = new DcRouterApiClient({
  baseUrl: 'https://dcrouter.example.com',
-  apiToken: 'dcr_your_token_here',
+});
 await sessionClient.login('admin', 'admin');
 const tokenClient = new DcRouterApiClient({
  baseUrl: 'https://dcrouter.example.com',
  apiToken: 'dcr_token_value',
 });
 ```
-Important behavior:
+`baseUrl` is normalized by removing trailing slashes. Requests are sent to `${baseUrl}/typedrequest`. `buildRequestPayload()` injects the current identity and optional API token for manager methods.
- `baseUrl` is normalized, and the client automatically calls `${baseUrl}/typedrequest`
+## Manager Map
 - `buildRequestPayload()` injects the current identity and optional API token for you
 - system routes can be toggled, but only API routes are meant for edit and delete flows
-## Route Builder Example
+| Manager | Purpose |
 | --- | --- |
 | `client.routes` | List merged routes, build API routes, update/delete API routes, and toggle routes. |
 | `client.certificates` | Inspect certificate summaries and trigger certificate operations. |
 | `client.apiTokens` | Create, list, toggle, roll, and revoke API tokens. |
 | `client.remoteIngress` | Manage edge registrations, statuses, ports, tags, and connection tokens. |
 | `client.emails` | Inspect received/cached email items and trigger resend flows. |
 | `client.workHosters` | Manage WorkHoster-facing route/application integration calls. |
 | `client.stats` | Read health, counters, summaries, and runtime status. |
 | `client.config` | Read the current configuration view. |
 | `client.logs` | Read recent log information. |
 | `client.radius` | Manage RADIUS clients, VLAN mappings, and accounting sessions. |
 ## Route Builder
 ```typescript
-const newRoute = await client.routes.build()
+const route = await client.routes.build()
  .setName('internal-app')
  .setMatch({
    ports: 443,
@@ -91,7 +90,7 @@ const newRoute = await client.routes.build()
  .setEnabled(true)
  .save();
-await newRoute.update({
+await route.update({
  action: {
    type: 'forward',
    targets: [{ host: '127.0.0.1', port: 3001 }],
@@ -99,17 +98,17 @@ await newRoute.update({
 });
 ```
-## Token and Remote Ingress Example
+System routes from `config`, `email`, and `dns` origins are designed to be toggled, not edited. Full create/update/delete behavior is for routes with origin `api`.
 ## API Tokens and Remote Ingress
 ```typescript
 const token = await client.apiTokens.build()
-  .setName('ci-token')
+  .setName('automation')
  .setScopes(['routes:read', 'routes:write'])
  .setExpiresInDays(30)
  .save();
 console.log('copy this once:', token.tokenValue);
 const edge = await client.remoteIngress.build()
  .setName('edge-eu-1')
  .setListenPorts([80, 443])
@@ -118,20 +117,31 @@ const edge = await client.remoteIngress.build()
  .save();
 const connectionToken = await edge.getConnectionToken();
-console.log(connectionToken);
+console.log(token.tokenValue, connectionToken);
 ```
-## What This Package Does Not Do
+## What This Package Is Not
 - It does not start dcrouter.
- It does not bundle the dashboard.
+- It does not serve or bundle the Ops dashboard.
- It does not replace the raw interfaces package when you want low-level TypedRequest contracts.
+- It does not replace `@serve.zone/dcrouter-interfaces` when you want raw TypedRequest contracts.
-Use `@serve.zone/dcrouter` to run the server and `@serve.zone/dcrouter-interfaces` for the shared request/data types.
+Use `@serve.zone/dcrouter` for the server runtime and `@serve.zone/dcrouter-interfaces` for shared request/data types.
 ## Development
 This folder is published from the dcrouter monorepo via `tspublish.json` with order `5`.
 Useful source entry points:
 - `index.ts` exports the public client surface.
 - `classes.dcrouterapiclient.ts` owns authentication and request dispatch.
 - `classes.route.ts` owns route resources and builders.
 - `classes.remoteingress.ts`, `classes.apitoken.ts`, `classes.radius.ts`, and the other manager files wrap focused API domains.
 ## License and Legal Information
-This repository contains open-source code licensed under the MIT License. A copy of the license can be found in the [LICENSE](../license) file.
+This repository contains open-source code licensed under the MIT License. A copy of the license can be found in the [license](../license) file.
 **Please note:** The MIT License does not grant permission to use the trade names, trademarks, service marks, or product names of the project, except as required for reasonable and customary use in describing the origin of the work and reproducing the content of the NOTICE file.
@@ -1,18 +1,18 @@
 # @serve.zone/dcrouter-interfaces
-Shared TypeScript contracts for dcrouter's TypedRequest API. Use this package when you want compile-time request/response types and shared data models without pulling in the higher-level client SDK.
+`@serve.zone/dcrouter-interfaces` contains the shared TypeScript data models and TypedRequest contracts used by dcrouter's OpsServer, dashboard, API client, tests, and external automation.
 ## Issue Reporting and Security
 For reporting bugs, issues, or security vulnerabilities, please visit [community.foss.global/](https://community.foss.global/). This is the central community hub for all issue reporting. Developers who sign and comply with our contribution agreement and go through identification can also get a [code.foss.global/](https://code.foss.global/) account to submit Pull Requests directly.
-## Installation
+## Install
 ```bash
 pnpm add @serve.zone/dcrouter-interfaces
 ```
-You can also consume the same contracts through the main package subpath:
+The same contracts are exposed through the main package subpath:
 ```typescript
 import { data, requests } from '@serve.zone/dcrouter/interfaces';
@@ -22,23 +22,24 @@ import { data, requests } from '@serve.zone/dcrouter/interfaces';
 | Export | Purpose |
 | --- | --- |
-| `data` | Shared runtime-shaped data such as identities, routes, stats, domains, DNS records, VPN data, remote ingress data, and email-domain data |
+| `data` | Shared runtime-shaped models such as identities, routes, DNS records, domains, email domains, remote ingress edges, VPN objects, stats, and security policy data. |
-| `requests` | TypedRequest request/response contracts for OpsServer endpoints |
+| `requests` | TypedRequest request/response contracts for OpsServer methods. |
-| `typedrequestInterfaces` | Re-exported helper types from `@api.global/typedrequest-interfaces` |
+| `typedrequestInterfaces` | Helper types re-exported from `@api.global/typedrequest-interfaces` through `plugins.ts`. |
-## API Surface Covered
+## Covered API Areas
-| Domain | Examples |
+| Area | Examples |
 | --- | --- |
-| Auth | login, logout, identity verification |
+| Auth | admin login, logout, identity verification, users |
-| Routes | list merged routes, create, update, delete, toggle |
+| Routes | merged route listing, API route CRUD, toggles, warnings, ownership metadata |
-| Access | API tokens, source profiles, target profiles, network targets, users |
+| Access | API tokens, source profiles, target profiles, network targets |
-| DNS and domains | providers, domains, DNS records, ACME config |
+| DNS and domains | DNS providers, domains, DNS records, ACME config |
-| Email | email operations and email-domain management |
+| Email | email-domain management and email operations |
 | Edge services | remote ingress, VPN, RADIUS |
-| Observability | stats, health, logs, configuration |
+| Observability | stats, combined stats, logs, configuration |
 | WorkHoster | external app/workhoster route ownership contracts |
-## Quick Example
+## Raw TypedRequest Example
 ```typescript
 import { TypedRequest } from '@api.global/typedrequest';
@@ -61,21 +62,31 @@ const request = new TypedRequest<requests.IReq_GetMergedRoutes>(
 const response = await request.fire({ identity });
 for (const route of response.routes) {
-  console.log(route.id, route.origin, route.systemKey, route.enabled);
+  console.log(route.id, route.origin, route.enabled, route.systemKey);
 }
 ```
-## When To Use This Package
+## When To Use It
- Use it in tests that need strong request/response typing.
+- Use it in custom CLIs that call dcrouter's TypedRequest API directly.
- Use it in custom CLIs or dashboards that call TypedRequest directly.
+- Use it in tests that need request/response types without the OO client.
- Use it in shared code where both client and server need the same data shapes.
+- Use it in integrations where server and client code need the same data shapes.
 - Use `@serve.zone/dcrouter-apiclient` instead when you want higher-level managers and builders.
-If you want managers, builders, and resource classes instead of raw contracts, use `@serve.zone/dcrouter-apiclient`.
+## Development
 This folder is published from the dcrouter monorepo via `tspublish.json` with order `1`, before the client package that imports it.
 Useful source entry points:
 - `index.ts` exports `data` and `requests` namespaces.
 - `data/index.ts` groups shared data models.
 - `requests/index.ts` groups TypedRequest contracts.
 - `data/route-management.ts` defines route ownership, API token scopes, profiles, and network target shapes.
 ## License and Legal Information
-This repository contains open-source code licensed under the MIT License. A copy of the license can be found in the [LICENSE](../license) file.
+This repository contains open-source code licensed under the MIT License. A copy of the license can be found in the [license](../license) file.
 **Please note:** The MIT License does not grant permission to use the trade names, trademarks, service marks, or product names of the project, except as required for reasonable and customary use in describing the origin of the work and reproducing the content of the NOTICE file.
@@ -1,63 +1,89 @@
 # @serve.zone/dcrouter-migrations
-Versioned SmartMigration chain for dcrouter's persistent data. This package builds the migration runner that dcrouter executes before DB-backed managers start reading collections.
+`@serve.zone/dcrouter-migrations` is dcrouter's versioned SmartMigration chain for persistent database schema and data transitions. The main dcrouter runtime runs it after the database is ready and before DB-backed managers read collections.
 ## Issue Reporting and Security
 For reporting bugs, issues, or security vulnerabilities, please visit [community.foss.global/](https://community.foss.global/). This is the central community hub for all issue reporting. Developers who sign and comply with our contribution agreement and go through identification can also get a [code.foss.global/](https://code.foss.global/) account to submit Pull Requests directly.
-## Installation
+## Install
 ```bash
 pnpm add @serve.zone/dcrouter-migrations
 ```
-## What It Exports
+If you boot `DcRouter`, you usually do not install or call this package directly; startup handles it.
 ## API
 | Export | Purpose |
 | --- | --- |
-| `createMigrationRunner(db, targetVersion)` | Builds the dcrouter migration runner for the target application version |
+| `createMigrationRunner(db, targetVersion)` | Builds a configured SmartMigration runner for the supplied Smartdata database and target app version. |
-| `IMigrationRunner` | Small interface for the returned runner |
+| `IMigrationRunner` | Minimal runner interface with `run()`. |
-| `IMigrationRunResult` | Result shape logged after a run |
+| `IMigrationRunResult` | Result shape logged after a migration run. |
 ## When To Use It
 - You are embedding dcrouter's storage layer outside the full runtime.
 - You want to test or inspect schema transitions directly.
 - You are extending dcrouter with new persistent data and need versioned upgrades.
 If you boot the full `DcRouter` runtime, this package is already used for you during startup.
 ## Usage
 ```typescript
 import { createMigrationRunner } from '@serve.zone/dcrouter-migrations';
-const migration = await createMigrationRunner(db, '13.20.0');
+const migration = await createMigrationRunner(db, '13.25.0');
 const result = await migration.run();
 console.log(result.currentVersionBefore, result.currentVersionAfter);
 ```
-## What the Current Chain Covers
+## Current Chain
- target profile target field migration from `host` to `ip`
+The current migration chain covers:
- legacy domain source rename from `manual` to `dcrouter`
+
- legacy DNS record source rename from `manual` to `local`
+- `TargetProfileDoc.targets[].host` to `TargetProfileDoc.targets[].ip`
- route storage unification from `StoredRouteDoc` to `RouteDoc`
+- legacy domain source `manual` to `dcrouter`
 - legacy DNS record source `manual` to `local`
 - route collection unification from `StoredRouteDoc` to `RouteDoc`
 - route `origin` backfill for migrated API routes
 - `systemKey` backfill for persisted config, email, and DNS routes
-## Authoring Rules
+## Migration Rules
- Add new migration logic only in `ts_migrations/index.ts`.
+All schema migrations must live in `ts_migrations/index.ts` as SmartMigration steps. Do not put migration logic in application services, managers, startup hooks, or document classes.
- Keep every step idempotent so reruns are safe.
+
- Make each step's `.to()` version line up with the release version that ships it.
+Every step must be idempotent. SmartMigration may re-run steps during skip-forward or resume flows, so an already-migrated database must remain safe.
- When adding new collection references, use the exact smartdata class-name collection casing for new code.
+
 The `.to()` version of a step must match the release version that ships the migration so SmartMigration can plan the step correctly.
 ## Collection Name Warning
 smartdata uses the exact class name as the MongoDB collection name. Do not lowercase new collection references.
 Examples:
 | Document class | MongoDB collection |
 | --- | --- |
 | `StoredRouteDoc` | `StoredRouteDoc` |
 | `TargetProfileDoc` | `TargetProfileDoc` |
 | `RouteDoc` | `RouteDoc` |
 When writing migrations in `ts_migrations/index.ts`, use exact class-name casing in calls such as `ctx.mongo!.collection('ClassName')` and `db.listCollections({ name: 'ClassName' })`.
 Historical migration steps may still reference older lowercased collections from earlier behavior. Do not copy that pattern for new migrations.
 ## When To Use This Package Directly
 - You are testing dcrouter schema transitions without booting the full runtime.
 - You are embedding dcrouter persistence in another process and need the same version chain.
 - You are authoring a migration and want a focused test harness around `createMigrationRunner()`.
 ## Development
 This folder is published from the dcrouter monorepo via `tspublish.json` with order `2`.
 Useful source entry points:
 - `index.ts` defines the public runner factory and all migration steps.
 - `../AGENTS.md` contains the local migration authoring rules that must be followed.
 ## License and Legal Information
-This repository contains open-source code licensed under the MIT License. A copy of the license can be found in the [LICENSE](../license) file.
+This repository contains open-source code licensed under the MIT License. A copy of the license can be found in the [license](../license) file.
 **Please note:** The MIT License does not grant permission to use the trade names, trademarks, service marks, or product names of the project, except as required for reasonable and customary use in describing the origin of the work and reproducing the content of the NOTICE file.
@@ -1,6 +1,6 @@
 # @serve.zone/dcrouter-web
-Browser-side frontend for the dcrouter Ops dashboard. This folder is the SPA entrypoint, router, app state, and web-component UI rendered by OpsServer.
+`@serve.zone/dcrouter-web` is the browser-side Ops dashboard module for dcrouter. It provides the SPA entry point, route synchronization, app state, and web-component views that OpsServer serves from the main dcrouter runtime.
 ## Issue Reporting and Security
@@ -8,10 +8,12 @@ For reporting bugs, issues, or security vulnerabilities, please visit [community
 ## What It Boots
- `index.ts` initializes the app router and renders `<ops-dashboard>` into `document.body`
+| File | Purpose |
- `router.ts` defines top-level dashboard routes and subviews
+| --- | --- |
- `appstate.ts` holds reactive state, TypedRequest actions, and TypedSocket log streaming
+| `index.ts` | Initializes the app router and renders `<ops-dashboard>` into `document.body`. |
- `elements/` contains the dashboard shell and feature views
+| `router.ts` | Defines top-level dashboard routes, subviews, redirects, and URL/state synchronization. |
 | `appstate.ts` | Holds reactive login, UI, config, stats, route, DNS, email, remote ingress, VPN, and log state. |
 | `elements/` | Contains the dashboard shell and feature-specific Dees web components. |
 ## View Map
@@ -20,37 +22,52 @@ For reporting bugs, issues, or security vulnerabilities, please visit [community
 | `overview` | `stats`, `configuration` |
 | `network` | `activity`, `routes`, `sourceprofiles`, `networktargets`, `targetprofiles`, `remoteingress`, `vpn` |
 | `email` | `log`, `security`, `domains` |
 | `logs` | flat view |
 | `access` | `apitokens`, `users` |
 | `security` | `overview`, `blocked`, `authentication` |
 | `domains` | `providers`, `domains`, `dns`, `certificates` |
 | `logs` | flat view |
-## How It Talks To dcrouter
+## Runtime Communication
- TypedRequest for the main API surface
+The dashboard talks to the dcrouter OpsServer through:
 - shared request and data contracts from `@serve.zone/dcrouter-interfaces`
 - TypedSocket for real-time log streaming
 - QR code generation for VPN client UX
-## Development Notes
+- TypedRequest calls for normal API actions
 - shared contracts from `@serve.zone/dcrouter-interfaces`
 - TypedSocket log streaming for live operational output
 - Dees web components and app-state subscriptions for UI updates
 - QR code rendering for VPN client UX
-This package is the frontend module boundary, but it is built and served as part of the main workspace.
+## Usage
 This package is primarily consumed by the main dcrouter build and served by OpsServer. Install it directly only when you intentionally need the dashboard module boundary.
 ```bash
 pnpm add @serve.zone/dcrouter-web
 ```
 For the full server and hosted dashboard, use `@serve.zone/dcrouter`.
 ## Development
 This folder is published from the dcrouter monorepo via `tspublish.json` with order `4`.
 ```bash
 pnpm run build
 pnpm run watch
 ```
-The built dashboard assets are emitted into `dist_serve/` by the workspace build pipeline.
+The dcrouter build emits served dashboard assets into `dist_serve/`.
-## What This Package Is For
+Useful source entry points:
- Use it when you want the dashboard frontend as its own published module boundary.
+- `index.ts` boots the frontend.
- Use `@serve.zone/dcrouter` when you want the server that actually hosts this UI and the backend API.
+- `router.ts` owns URL/view state synchronization.
 - `elements/ops-dashboard.ts` defines the app shell and tab map.
 - `elements/network/`, `elements/domains/`, `elements/email/`, `elements/security/`, `elements/access/`, and `elements/overview/` hold feature views.
 ## License and Legal Information
-This repository contains open-source code licensed under the MIT License. A copy of the license can be found in the [LICENSE](../license) file.
+This repository contains open-source code licensed under the MIT License. A copy of the license can be found in the [license](../license) file.
 **Please note:** The MIT License does not grant permission to use the trade names, trademarks, service marks, or product names of the project, except as required for reasonable and customary use in describing the origin of the work and reproducing the content of the NOTICE file.