feat(docker,cache,proxy): improve container runtime defaults and add configurable connection limits

readme.md

@@ -83,7 +83,7 @@ For reporting bugs, issues, or security vulnerabilities, please visit [community
 
 ### 💾 Persistent Storage & Caching
 - **Multiple storage backends**: filesystem, custom functions, or in-memory
-- **Embedded cache database** via smartdata + LocalTsmDb (MongoDB-compatible)
+- **Embedded cache database** via smartdata + smartdb (MongoDB-compatible)
 - **Automatic TTL-based cleanup** for cached emails and IP reputation data
 
 ### 🖥️ OpsServer Dashboard
@@ -340,7 +340,7 @@ graph TB
 | **OpsServer** | `@api.global/typedserver` | Web dashboard + TypedRequest API for monitoring and management |
 | **MetricsManager** | `@push.rocks/smartmetrics` | Real-time metrics collection (CPU, memory, email, DNS, security) |
 | **StorageManager** | built-in | Pluggable key-value storage (filesystem, custom, or in-memory) |
-| **CacheDb** | `@push.rocks/smartdata` | Embedded MongoDB-compatible database (LocalTsmDb) for persistent caching |
+| **CacheDb** | `@push.rocks/smartdb` | Embedded MongoDB-compatible database (LocalSmartDb) for persistent caching |
 
 ### How It Works
 
@@ -1066,7 +1066,7 @@ Used for: TLS certificates, DKIM keys, email routes, bounce/suppression lists, I
 
 ### Cache Database
 
-An embedded MongoDB-compatible database (via smartdata + LocalTsmDb) for persistent caching with automatic TTL cleanup:
+An embedded MongoDB-compatible database (via smartdata + smartdb) for persistent caching with automatic TTL cleanup:
 
 ```typescript
 cacheConfig: {
@@ -1406,37 +1406,58 @@ tstest test/test.opsserver-api.ts --verbose --timeout 60
 
 ## Docker / OCI Container Deployment
 
-DcRouter ships with a `Dockerfile` and supports environment-variable-driven configuration for OCI container deployments. When `DCROUTER_MODE=OCI_CONTAINER` is set, DcRouter automatically reads configuration from environment variables (and optionally from a JSON config file).
+DcRouter ships with a production-ready `Dockerfile` and supports environment-variable-driven configuration for OCI container deployments. The container image includes tini as PID 1 (via the base image), proper health checks, and configurable resource limits. When `DCROUTER_MODE=OCI_CONTAINER` is set, DcRouter automatically reads configuration from environment variables (and optionally from a JSON config file).
 
 ### Running with Docker
 
 ```bash
 docker run -d \
-  -e DCROUTER_MODE=OCI_CONTAINER \
+  --ulimit nofile=65536:65536 \
   -e DCROUTER_TLS_EMAIL=admin@example.com \
   -e DCROUTER_PUBLIC_IP=203.0.113.1 \
   -e DCROUTER_DNS_NS_DOMAINS=ns1.example.com,ns2.example.com \
   -e DCROUTER_DNS_SCOPES=example.com \
-  -p 80:80 -p 443:443 -p 25:25 -p 53:53/udp -p 3000:3000 \
+  -p 80:80 -p 443:443 -p 25:25 -p 587:587 -p 465:465 \
+  -p 53:53/udp -p 3000:3000 -p 8443:8443 \
   code.foss.global/serve.zone/dcrouter:latest
 ```
 
+> ⚡ **Production tip:** Always set `--ulimit nofile=65536:65536` for production deployments. DcRouter will log a warning at startup if the file descriptor limit is below 65536.
+
 ### Environment Variables
 
-| Variable | Description | Example |
-|----------|-------------|---------|
-| `DCROUTER_MODE` | Set to `OCI_CONTAINER` to enable container mode | `OCI_CONTAINER` |
-| `DCROUTER_CONFIG_PATH` | Path to a JSON config file (loaded as base, env vars override) | `/config/dcrouter.json` |
-| `DCROUTER_BASE_DIR` | Override base data directory | `/data/dcrouter` |
-| `DCROUTER_TLS_EMAIL` | ACME contact email | `admin@example.com` |
-| `DCROUTER_TLS_DOMAIN` | Primary TLS domain | `example.com` |
-| `DCROUTER_PUBLIC_IP` | Public IP for DNS records | `203.0.113.1` |
-| `DCROUTER_PROXY_IPS` | Comma-separated ingress proxy IPs | `198.51.100.1,198.51.100.2` |
-| `DCROUTER_DNS_NS_DOMAINS` | Comma-separated nameserver domains | `ns1.example.com,ns2.example.com` |
-| `DCROUTER_DNS_SCOPES` | Comma-separated authoritative domains | `example.com,other.com` |
-| `DCROUTER_EMAIL_HOSTNAME` | SMTP server hostname | `mail.example.com` |
-| `DCROUTER_EMAIL_PORTS` | Comma-separated email ports | `25,587,465` |
-| `DCROUTER_CACHE_ENABLED` | Enable/disable cache database | `true` |
+| Variable | Description | Default | Example |
+|----------|-------------|---------|---------|
+| `DCROUTER_MODE` | Container mode (set automatically in image) | `OCI_CONTAINER` | — |
+| `DCROUTER_CONFIG_PATH` | Path to JSON config file (env vars override) | — | `/config/dcrouter.json` |
+| `DCROUTER_BASE_DIR` | Base data directory | `~/.serve.zone/dcrouter` | `/data/dcrouter` |
+| `DCROUTER_TLS_EMAIL` | ACME contact email | — | `admin@example.com` |
+| `DCROUTER_TLS_DOMAIN` | Primary TLS domain | — | `example.com` |
+| `DCROUTER_PUBLIC_IP` | Public IP for DNS records | — | `203.0.113.1` |
+| `DCROUTER_PROXY_IPS` | Comma-separated ingress proxy IPs | — | `198.51.100.1,198.51.100.2` |
+| `DCROUTER_DNS_NS_DOMAINS` | Comma-separated nameserver domains | — | `ns1.example.com,ns2.example.com` |
+| `DCROUTER_DNS_SCOPES` | Comma-separated authoritative domains | — | `example.com,other.com` |
+| `DCROUTER_EMAIL_HOSTNAME` | SMTP server hostname | — | `mail.example.com` |
+| `DCROUTER_EMAIL_PORTS` | Comma-separated email ports | — | `25,587,465` |
+| `DCROUTER_CACHE_ENABLED` | Enable/disable cache database | `true` | `false` |
+| `DCROUTER_HEAP_SIZE` | Node.js V8 heap size in MB | `512` | `1024` |
+| `DCROUTER_MAX_CONNECTIONS` | Global max concurrent connections | `50000` | `100000` |
+| `DCROUTER_MAX_CONNECTIONS_PER_IP` | Max connections per source IP | `100` | `200` |
+| `DCROUTER_CONNECTION_RATE_LIMIT` | Max new connections/min per IP | `600` | `1200` |
+
+### Exposed Ports
+
+The container exposes all service ports:
+
+| Port(s) | Protocol | Service |
+|---------|----------|---------|
+| 80, 443 | TCP | HTTP/HTTPS (SmartProxy) |
+| 25, 587, 465 | TCP | SMTP, Submission, SMTPS |
+| 53 | TCP/UDP | DNS |
+| 1812, 1813 | UDP | RADIUS auth/acct |
+| 3000 | TCP | OpsServer dashboard |
+| 8443 | TCP | Remote ingress tunnels |
+| 29000–30000 | TCP | Dynamic port range |
 
 ### Building the Image