feat: add workhoster gateway API

ts_interfaces/data/route-management.ts

@@ -11,6 +11,7 @@ export type IRouteSecurity = NonNullable<IRouteConfig['security']>;
 export type TApiTokenScope =
   | 'routes:read' | 'routes:write'
   | 'config:read'
+  | 'certificates:read' | 'certificates:write'
   | 'tokens:read' | 'tokens:manage'
   | 'source-profiles:read' | 'source-profiles:write'
   | 'target-profiles:read' | 'target-profiles:write'
@@ -18,7 +19,11 @@ export type TApiTokenScope =
   | 'dns-providers:read' | 'dns-providers:write'
   | 'domains:read' | 'domains:write'
   | 'dns-records:read' | 'dns-records:write'
-  | 'acme-config:read' | 'acme-config:write';
+  | 'acme-config:read' | 'acme-config:write'
+  | 'email-domains:read' | 'email-domains:write'
+  | 'workhosters:read' | 'workhosters:write';
+
+export type TWorkHosterType = 'onebox' | 'cloudly' | 'custom';
 
 // ============================================================================
 // Source Profile Types (source-side: who can access)
@@ -80,6 +85,12 @@ export interface IRouteMetadata {
   networkTargetName?: string;
   /** Timestamp of last reference resolution. */
   lastResolvedAt?: number;
+  /** External route ownership, used by WorkHoster reconciliation. */
+  ownerType?: 'workhoster' | 'operator' | 'system';
+  workHosterType?: TWorkHosterType;
+  workHosterId?: string;
+  workAppId?: string;
+  externalKey?: string;
 }
 
 /**