v10.1.2

changelog.md

@@ -1,5 +1,34 @@
 # Changelog
 
+## 2026-03-01 - 10.1.2 - fix(core)
+improve shutdown cleanup, socket/stream robustness, and memory/cache handling
+
+- Reset security singletons and CacheDb on shutdown to allow GC (SecurityLogger, ContentScanner, IPReputationChecker, CacheDb).
+- Add DNS socket 'error' handler and only destroy socket when not already destroyed to avoid uncaught exceptions.
+- Move pruning of dnsMetrics.queryTimestamps to a periodic interval to avoid O(n) work on every query.
+- Debounce IPReputationChecker cache saves (save timer + reset on instance reset) to reduce IO and prevent duplicate saves.
+- Fix virtualStream send timeout handling by keeping/clearing a timeout handle to avoid leaks and hung promises.
+- Add memory store eviction in StorageManager to cap entries (MAX_MEMORY_ENTRIES) and evict oldest entries when exceeded.
+- Add terminal-ready timeout in ops-view-logs to avoid blocking UI initialization if xterm CDN fails to initialize.
+- Bump dev dependency @types/node and push.rocks/smartstate versions.
+
+## 2026-02-27 - 10.1.1 - fix(ops-view-apitokens)
+replace lucide:refresh-cw with lucide:rotate-cw for Roll action icon
+
+- Updated ts_web/elements/ops-view-apitokens.ts: changed iconName in two locations to 'lucide:rotate-cw' for the Roll/Roll Token actions.
+- UI-only change — no functional or API behavior modified.
+- Current package version is 10.1.0; recommended patch bump to 10.1.1. 
+
+## 2026-02-27 - 10.1.0 - feat(api-tokens)
+add ability to roll (regenerate) API token secrets and UI to display the newly generated token once
+
+- Server: added ApiTokenManager.rollToken(id) to regenerate a token secret, update its hash, persist it and log the action.
+- Server: added opsserver handler 'rollApiToken' which requires admin identity and returns the new raw token value (shown once) or error messages.
+- API: added typed request interface IReq_RollApiToken for the rollApiToken RPC.
+- Web: added appstate.rollApiToken wrapper to call the new typed request.
+- UI: ops-view-apitokens updated with a 'Roll' action and a modal flow to confirm rolling, call the API, refresh token list, and present the new token value to copy (token value is shown only once).
+- Security: operation is admin-only and the raw token is returned only once after rolling.
+
 ## 2026-02-27 - 10.0.0 - BREAKING CHANGE(remote-ingress)
 replace tlsConfigured boolean with tlsMode ('custom' | 'acme' | 'self-signed') and compute TLS mode server-side
 

package.json

@@ -1,7 +1,7 @@
 {
   "name": "@serve.zone/dcrouter",
   "private": false,
-  "version": "10.0.0",
+  "version": "10.1.2",
   "description": "A multifaceted routing service handling mail and SMS delivery functions.",
   "type": "module",
   "exports": {
@@ -24,7 +24,7 @@
     "@git.zone/tsrun": "^2.0.1",
     "@git.zone/tstest": "^3.1.8",
     "@git.zone/tswatch": "^3.2.0",
-    "@types/node": "^25.3.0"
+    "@types/node": "^25.3.3"
   },
   "dependencies": {
     "@api.global/typedrequest": "^3.2.6",
@@ -53,7 +53,7 @@
     "@push.rocks/smartradius": "^1.1.1",
     "@push.rocks/smartrequest": "^5.0.1",
     "@push.rocks/smartrx": "^3.0.10",
-    "@push.rocks/smartstate": "^2.0.30",
+    "@push.rocks/smartstate": "^2.1.1",
     "@push.rocks/smartunique": "^3.0.9",
     "@serve.zone/catalog": "^2.5.0",
     "@serve.zone/interfaces": "^5.3.0",

pnpm-lock.yaml

@@ -87,8 +87,8 @@ importers:
         specifier: ^3.0.10
         version: 3.0.10
       '@push.rocks/smartstate':
-        specifier: ^2.0.30
-        version: 2.0.30
+        specifier: ^2.1.1
+        version: 2.1.1
       '@push.rocks/smartunique':
         specifier: ^3.0.9
         version: 3.0.9
@@ -127,8 +127,8 @@ importers:
         specifier: ^3.2.0
         version: 3.2.0(@tiptap/pm@2.27.2)
       '@types/node':
-        specifier: ^25.3.0
-        version: 25.3.0
+        specifier: ^25.3.3
+        version: 25.3.3
 
 packages:
 
@@ -1083,8 +1083,8 @@ packages:
   '@push.rocks/smartspawn@3.0.3':
     resolution: {integrity: sha512-DyrGPV69wwOiJgKkyruk5hS3UEGZ99xFAqBE9O2nM8VXCRLbbty3xt1Ug5Z092ZZmJYaaGMSnMw3ijyZJFCT0Q==}
 
-  '@push.rocks/smartstate@2.0.30':
-    resolution: {integrity: sha512-IuNW8XtSumXIr7g7MIFyWg5PBwLF2mwsymTJbSEycK2Pa9ZLk4yjRHnR907xCilxgiMU9ixQZyNdpa5MMF999A==}
+  '@push.rocks/smartstate@2.1.1':
+    resolution: {integrity: sha512-4OM9TXfiiSYIgVz2pQdM2UCTurXwd8o9LCtyZ/o+rnntnXp/X8UTWZ+WyTxgnfuzXhpIYXt83t34bVBJ2EPUOw==}
 
   '@push.rocks/smartstream@2.0.8':
     resolution: {integrity: sha512-GlF/9cCkvBHwKa3DK4DO5wjfSgqkj6gAS4TrY9uD5NMHu9RQv4WiNrElTYj7iCEpnZgUnLO3tzw1JA3NRIMnnA==}
@@ -1835,11 +1835,11 @@ packages:
   '@types/node@18.19.130':
     resolution: {integrity: sha512-GRaXQx6jGfL8sKfaIDD6OupbIHBr9jv7Jnaml9tB7l4v068PAOXqfcujMMo5PhbIs6ggR1XODELqahT2R8v0fg==}
 
-  '@types/node@22.19.11':
-    resolution: {integrity: sha512-BH7YwL6rA93ReqeQS1c4bsPpcfOmJasG+Fkr6Y59q83f9M1WcBRHR2vM+P9eOisYRcN3ujQoiZY8uk5W+1WL8w==}
+  '@types/node@22.19.13':
+    resolution: {integrity: sha512-akNQMv0wW5uyRpD2v2IEyRSZiR+BeGuoB6L310EgGObO44HSMNT8z1xzio28V8qOrgYaopIDNA18YgdXd+qTiw==}
 
-  '@types/node@25.3.0':
-    resolution: {integrity: sha512-4K3bqJpXpqfg2XKGK9bpDTc6xO/xoUP/RBWS7AtRMug6zZFaRekiLzjVtAoZMquxoAbzBvy5nxQ7veS5eYzf8A==}
+  '@types/node@25.3.3':
+    resolution: {integrity: sha512-DpzbrH7wIcBaJibpKo9nnSQL0MTRdnWttGyE5haGwK86xgMOkFLp7vEyfQPGLOJh5wNYiJ3V9PmUMDhV9u8kkQ==}
 
   '@types/ping@0.4.4':
     resolution: {integrity: sha512-ifvo6w2f5eJYlXm+HiVx67iJe8WZp87sfa683nlqED5Vnt9Z93onkokNoWqOG21EaE8fMxyKPobE+mkPEyxsdw==}
@@ -5010,7 +5010,7 @@ snapshots:
       '@push.rocks/smartpromise': 4.2.3
       '@push.rocks/smartrouter': 1.3.3
       '@push.rocks/smartrx': 3.0.10
-      '@push.rocks/smartstate': 2.0.30
+      '@push.rocks/smartstate': 2.1.1
       '@push.rocks/smartstring': 4.1.0
       '@push.rocks/smarturl': 3.1.0
       '@push.rocks/webrequest': 3.0.37
@@ -5334,7 +5334,7 @@ snapshots:
       '@inquirer/figures': 1.0.15
       '@inquirer/type': 2.0.0
       '@types/mute-stream': 0.0.4
-      '@types/node': 22.19.11
+      '@types/node': 22.19.13
       '@types/wrap-ansi': 3.0.0
       ansi-escapes: 4.3.2
       cli-width: 4.1.0
@@ -6487,9 +6487,8 @@ snapshots:
     transitivePeerDependencies:
       - supports-color
 
-  '@push.rocks/smartstate@2.0.30':
+  '@push.rocks/smartstate@2.1.1':
     dependencies:
-      '@push.rocks/lik': 6.2.2
       '@push.rocks/smarthash': 3.2.6
       '@push.rocks/smartjson': 6.0.0
       '@push.rocks/smartpromise': 4.2.3
@@ -7359,22 +7358,22 @@ snapshots:
   '@types/body-parser@1.19.6':
     dependencies:
       '@types/connect': 3.4.38
-      '@types/node': 25.3.0
+      '@types/node': 25.3.3
 
   '@types/buffer-json@2.0.3': {}
 
   '@types/clean-css@4.2.11':
     dependencies:
-      '@types/node': 25.3.0
+      '@types/node': 25.3.3
       source-map: 0.6.1
 
   '@types/connect@3.4.38':
     dependencies:
-      '@types/node': 25.3.0
+      '@types/node': 25.3.3
 
   '@types/cors@2.8.19':
     dependencies:
-      '@types/node': 25.3.0
+      '@types/node': 25.3.3
 
   '@types/debug@4.1.12':
     dependencies:
@@ -7382,7 +7381,7 @@ snapshots:
 
   '@types/express-serve-static-core@5.1.1':
     dependencies:
-      '@types/node': 25.3.0
+      '@types/node': 25.3.3
       '@types/qs': 6.14.0
       '@types/range-parser': 1.2.7
       '@types/send': 1.2.1
@@ -7395,17 +7394,17 @@ snapshots:
 
   '@types/from2@2.3.6':
     dependencies:
-      '@types/node': 25.3.0
+      '@types/node': 25.3.3
 
   '@types/fs-extra@11.0.4':
     dependencies:
       '@types/jsonfile': 6.1.4
-      '@types/node': 25.3.0
+      '@types/node': 25.3.3
 
   '@types/glob@8.1.0':
     dependencies:
       '@types/minimatch': 5.1.2
-      '@types/node': 25.3.0
+      '@types/node': 25.3.3
 
   '@types/hast@3.0.4':
     dependencies:
@@ -7427,12 +7426,12 @@ snapshots:
 
   '@types/jsonfile@6.1.4':
     dependencies:
-      '@types/node': 25.3.0
+      '@types/node': 25.3.3
 
   '@types/jsonwebtoken@9.0.10':
     dependencies:
       '@types/ms': 2.1.0
-      '@types/node': 25.3.0
+      '@types/node': 25.3.3
 
   '@types/linkify-it@5.0.0': {}
 
@@ -7455,26 +7454,26 @@ snapshots:
 
   '@types/mute-stream@0.0.4':
     dependencies:
-      '@types/node': 25.3.0
+      '@types/node': 25.3.3
 
   '@types/node-fetch@2.6.13':
     dependencies:
-      '@types/node': 25.3.0
+      '@types/node': 25.3.3
       form-data: 4.0.5
 
   '@types/node-forge@1.3.14':
     dependencies:
-      '@types/node': 25.3.0
+      '@types/node': 25.3.3
 
   '@types/node@18.19.130':
     dependencies:
       undici-types: 5.26.5
 
-  '@types/node@22.19.11':
+  '@types/node@22.19.13':
     dependencies:
       undici-types: 6.21.0
 
-  '@types/node@25.3.0':
+  '@types/node@25.3.3':
     dependencies:
       undici-types: 7.18.2
 
@@ -7492,22 +7491,22 @@ snapshots:
 
   '@types/send@1.2.1':
     dependencies:
-      '@types/node': 25.3.0
+      '@types/node': 25.3.3
 
   '@types/serve-static@2.2.0':
     dependencies:
       '@types/http-errors': 2.0.5
-      '@types/node': 25.3.0
+      '@types/node': 25.3.3
 
   '@types/symbol-tree@3.2.5': {}
 
   '@types/tar-stream@3.1.4':
     dependencies:
-      '@types/node': 25.3.0
+      '@types/node': 25.3.3
 
   '@types/through2@2.0.41':
     dependencies:
-      '@types/node': 25.3.0
+      '@types/node': 25.3.3
 
   '@types/trusted-types@2.0.7': {}
 
@@ -7537,11 +7536,11 @@ snapshots:
 
   '@types/ws@8.18.1':
     dependencies:
-      '@types/node': 25.3.0
+      '@types/node': 25.3.3
 
   '@types/yauzl@2.10.3':
     dependencies:
-      '@types/node': 25.3.0
+      '@types/node': 25.3.3
     optional: true
 
   '@ungap/structured-clone@1.3.0': {}
@@ -8018,7 +8017,7 @@ snapshots:
   engine.io@6.6.4:
     dependencies:
       '@types/cors': 2.8.19
-      '@types/node': 25.3.0
+      '@types/node': 25.3.3
       accepts: 1.3.8
       base64id: 2.0.0
       cookie: 0.7.2

ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@serve.zone/dcrouter',
-  version: '10.0.0',
+  version: '10.1.2',
   description: 'A multifaceted routing service handling mail and SMS delivery functions.'
 }

ts/classes.dcrouter.ts

@@ -23,6 +23,7 @@ import { MetricsManager } from './monitoring/index.js';
 import { RadiusServer, type IRadiusServerConfig } from './radius/index.js';
 import { RemoteIngressManager, TunnelManager } from './remoteingress/index.js';
 import { RouteConfigManager, ApiTokenManager } from './config/index.js';
+import { SecurityLogger, ContentScanner, IPReputationChecker } from './security/index.js';
 
 export interface IDcRouterOptions {
   /** Base directory for all dcrouter data. Defaults to ~/.serve.zone/dcrouter */
@@ -956,6 +957,7 @@ export class DcRouter {
       // Stop cache database after other services (they may need it during shutdown)
       if (this.cacheDb) {
         await this.cacheDb.stop().catch(err => logger.log('error', 'Error stopping CacheDb', { error: String(err) }));
+        CacheDb.resetInstance();
       }
 
       // Clear backoff cache in cert scheduler
@@ -979,6 +981,11 @@ export class DcRouter {
       this.apiTokenManager = undefined;
       this.certificateStatusMap.clear();
 
+      // Reset security singletons to allow GC
+      SecurityLogger.resetInstance();
+      ContentScanner.resetInstance();
+      IPReputationChecker.resetInstance();
+
       logger.log('info', 'All DcRouter services stopped');
     } catch (error) {
       logger.log('error', 'Error during DcRouter shutdown', { error: String(error) });
@@ -1363,15 +1370,25 @@ export class DcRouter {
         return;
       }
       
+      // Prevent uncaught exception from socket 'error' events
+      socket.on('error', (err) => {
+        logger.log('error', `DNS socket error: ${err.message}`);
+        if (!socket.destroyed) {
+          socket.destroy();
+        }
+      });
+
       logger.log('debug', 'DNS socket handler: passing socket to DnsServer');
-      
+
       try {
         // Use the built-in socket handler from smartdns
         // This handles HTTP/2, DoH protocol, etc.
         await (this.dnsServer as any).handleHttpsSocket(socket);
       } catch (error) {
         logger.log('error', `DNS socket handler error: ${error.message}`);
-        socket.destroy();
+        if (!socket.destroyed) {
+          socket.destroy();
+        }
       }
     };
   }

ts/config/classes.api-token-manager.ts

@@ -122,6 +122,24 @@ export class ApiTokenManager {
     return true;
   }
 
+  /**
+   * Roll (regenerate) a token's secret while keeping its identity.
+   * Returns the new raw token value (shown once).
+   */
+  public async rollToken(id: string): Promise<{ id: string; rawToken: string } | null> {
+    const stored = this.tokens.get(id);
+    if (!stored) return null;
+
+    const randomBytes = plugins.crypto.randomBytes(32);
+    const rawPayload = `${id}:${randomBytes.toString('base64url')}`;
+    const rawToken = `${TOKEN_PREFIX_STR}${rawPayload}`;
+
+    stored.tokenHash = plugins.crypto.createHash('sha256').update(rawToken).digest('hex');
+    await this.persistToken(stored);
+    logger.log('info', `API token '${stored.name}' rolled (id: ${id})`);
+    return { id, rawToken };
+  }
+
   /**
    * Enable or disable a token.
    */

ts/monitoring/classes.metricsmanager.ts

@@ -111,6 +111,15 @@ export class MetricsManager {
         this.securityMetrics.lastResetDate = currentDate;
       }
 
+      // Prune old query timestamps (keep last 5 minutes)
+      const fiveMinutesAgo = Date.now() - 300000;
+      const idx = this.dnsMetrics.queryTimestamps.findIndex(ts => ts >= fiveMinutesAgo);
+      if (idx > 0) {
+        this.dnsMetrics.queryTimestamps = this.dnsMetrics.queryTimestamps.slice(idx);
+      } else if (idx === -1) {
+        this.dnsMetrics.queryTimestamps = [];
+      }
+
       // Prune old time-series buckets every minute (don't wait for lazy query)
       this.pruneOldBuckets();
     }, 60000); // Check every minute
@@ -427,13 +436,9 @@ export class MetricsManager {
       this.dnsMetrics.cacheMisses++;
     }
     
-    // Track query timestamp
+    // Track query timestamp (pruning moved to resetInterval to avoid O(n) per query)
     this.dnsMetrics.queryTimestamps.push(Date.now());
     
-    // Keep only timestamps from last 5 minutes
-    const fiveMinutesAgo = Date.now() - 300000;
-    this.dnsMetrics.queryTimestamps = this.dnsMetrics.queryTimestamps.filter(ts => ts >= fiveMinutesAgo);
-    
     // Track response time if provided
     if (responseTimeMs) {
       this.dnsMetrics.responseTimes.push(responseTimeMs);

ts/opsserver/handlers/api-token.handler.ts

@@ -77,6 +77,25 @@ export class ApiTokenHandler {
       ),
     );
 
+    // Roll API token
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_RollApiToken>(
+        'rollApiToken',
+        async (dataArg) => {
+          await this.requireAdmin(dataArg.identity);
+          const manager = this.opsServerRef.dcRouterRef.apiTokenManager;
+          if (!manager) {
+            return { success: false, message: 'Token management not initialized' };
+          }
+          const result = await manager.rollToken(dataArg.id);
+          if (!result) {
+            return { success: false, message: 'Token not found' };
+          }
+          return { success: true, tokenValue: result.rawToken };
+        },
+      ),
+    );
+
     // Toggle API token
     this.typedrouter.addTypedHandler(
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_ToggleApiToken>(

ts/opsserver/handlers/logs.handler.ts

@@ -318,11 +318,15 @@ export class LogsHandler {
         try {
           // Use a timeout to detect hung streams (sendData can hang if the
           // VirtualStream's keepAlive loop has ended)
+          let timeoutHandle: ReturnType<typeof setTimeout>;
           await Promise.race([
-            virtualStream.sendData(encoder.encode(logData)),
-            new Promise<never>((_, reject) =>
-              setTimeout(() => reject(new Error('stream send timeout')), 10_000)
-            ),
+            virtualStream.sendData(encoder.encode(logData)).then((result) => {
+              clearTimeout(timeoutHandle);
+              return result;
+            }),
+            new Promise<never>((_, reject) => {
+              timeoutHandle = setTimeout(() => reject(new Error('stream send timeout')), 10_000);
+            }),
           ]);
         } catch {
           // Stream closed, errored, or timed out — clean up

ts/security/classes.contentscanner.ts

@@ -182,7 +182,14 @@ export class ContentScanner {
     }
     return ContentScanner.instance;
   }
-  
+
+  /**
+   * Reset the singleton instance (for shutdown/testing)
+   */
+  public static resetInstance(): void {
+    ContentScanner.instance = undefined;
+  }
+
   /**
    * Scan an email for malicious content
    * @param email The email to scan

ts/security/classes.ipreputationchecker.ts

@@ -65,6 +65,8 @@ export class IPReputationChecker {
   private reputationCache: LRUCache<string, IReputationResult>;
   private options: Required<IIPReputationOptions>;
   private storageManager?: any; // StorageManager instance
+  private saveCacheTimer: ReturnType<typeof setTimeout> | null = null;
+  private static readonly SAVE_CACHE_DEBOUNCE_MS = 30_000;
   
   // Default DNSBL servers
   private static readonly DEFAULT_DNSBL_SERVERS = [
@@ -143,7 +145,20 @@ export class IPReputationChecker {
     }
     return IPReputationChecker.instance;
   }
-  
+
+  /**
+   * Reset the singleton instance (for shutdown/testing)
+   */
+  public static resetInstance(): void {
+    if (IPReputationChecker.instance) {
+      if (IPReputationChecker.instance.saveCacheTimer) {
+        clearTimeout(IPReputationChecker.instance.saveCacheTimer);
+        IPReputationChecker.instance.saveCacheTimer = null;
+      }
+    }
+    IPReputationChecker.instance = undefined;
+  }
+
   /**
    * Check an IP address's reputation
    * @param ip IP address to check
@@ -213,12 +228,9 @@ export class IPReputationChecker {
       // Update cache with result
       this.reputationCache.set(ip, result);
       
-      // Save cache if enabled
+      // Schedule debounced cache save if enabled
       if (this.options.enableLocalCache) {
-        // Fire and forget the save operation
-        this.saveCache().catch(error => {
-          logger.log('error', `Failed to save IP reputation cache: ${error.message}`);
-        });
+        this.debouncedSaveCache();
       }
       
       // Log the reputation check
@@ -447,6 +459,21 @@ export class IPReputationChecker {
     });
   }
   
+  /**
+   * Schedule a debounced cache save (at most once per SAVE_CACHE_DEBOUNCE_MS)
+   */
+  private debouncedSaveCache(): void {
+    if (this.saveCacheTimer) {
+      return; // already scheduled
+    }
+    this.saveCacheTimer = setTimeout(() => {
+      this.saveCacheTimer = null;
+      this.saveCache().catch(error => {
+        logger.log('error', `Failed to save IP reputation cache: ${error.message}`);
+      });
+    }, IPReputationChecker.SAVE_CACHE_DEBOUNCE_MS);
+  }
+
   /**
    * Save cache to disk or storage manager
    */

ts/security/classes.securitylogger.ts

@@ -83,7 +83,14 @@ export class SecurityLogger {
     }
     return SecurityLogger.instance;
   }
-  
+
+  /**
+   * Reset the singleton instance (for shutdown/testing)
+   */
+  public static resetInstance(): void {
+    SecurityLogger.instance = undefined;
+  }
+
   /**
    * Log a security event
    * @param event The security event to log

ts/storage/classes.storagemanager.ts

@@ -30,6 +30,7 @@ export type StorageBackend = 'filesystem' | 'custom' | 'memory';
  * Provides unified key-value storage with multiple backend support
  */
 export class StorageManager {
+  private static readonly MAX_MEMORY_ENTRIES = 10_000;
   private backend: StorageBackend;
   private memoryStore: Map<string, string> = new Map();
   private config: IStorageConfig;
@@ -227,6 +228,11 @@ export class StorageManager {
         
         case 'memory': {
           this.memoryStore.set(key, value);
+          // Evict oldest entries if memory store exceeds limit
+          while (this.memoryStore.size > StorageManager.MAX_MEMORY_ENTRIES) {
+            const firstKey = this.memoryStore.keys().next().value;
+            this.memoryStore.delete(firstKey);
+          }
           break;
         }
         

ts_interfaces/requests/api-tokens.ts

@@ -63,6 +63,26 @@ export interface IReq_RevokeApiToken extends plugins.typedrequestInterfaces.impl
   };
 }
 
+/**
+ * Roll (regenerate) an API token's secret. Returns the new raw token value once.
+ * Admin JWT only.
+ */
+export interface IReq_RollApiToken extends plugins.typedrequestInterfaces.implementsTR<
+  plugins.typedrequestInterfaces.ITypedRequest,
+  IReq_RollApiToken
+> {
+  method: 'rollApiToken';
+  request: {
+    identity?: authInterfaces.IIdentity;
+    id: string;
+  };
+  response: {
+    success: boolean;
+    tokenValue?: string;
+    message?: string;
+  };
+}
+
 /**
  * Enable or disable an API token.
  */

ts_web/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@serve.zone/dcrouter',
-  version: '10.0.0',
+  version: '10.1.2',
   description: 'A multifaceted routing service handling mail and SMS delivery functions.'
 }

ts_web/appstate.ts

@@ -1115,6 +1115,18 @@ export async function createApiToken(name: string, scopes: interfaces.data.TApiT
   });
 }
 
+export async function rollApiToken(id: string) {
+  const context = getActionContext();
+  const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
+    interfaces.requests.IReq_RollApiToken
+  >('/typedrequest', 'rollApiToken');
+
+  return request.fire({
+    identity: context.identity,
+    id,
+  });
+}
+
 export const revokeApiTokenAction = routeManagementStatePart.createAction<string>(
   async (statePartArg, tokenId) => {
     const context = getActionContext();

ts_web/elements/ops-view-apitokens.ts

@@ -152,6 +152,15 @@ export class OpsViewApiTokens extends DeesElement {
                 );
               },
             },
+            {
+              name: 'Roll',
+              iconName: 'lucide:rotate-cw',
+              type: ['inRow', 'contextmenu'] as any,
+              actionFunc: async (actionData: any) => {
+                const token = actionData.item as interfaces.data.IApiTokenInfo;
+                await this.showRollTokenDialog(token);
+              },
+            },
             {
               name: 'Revoke',
               iconName: 'lucide:trash2',
@@ -279,6 +288,60 @@ export class OpsViewApiTokens extends DeesElement {
     });
   }
 
+  private async showRollTokenDialog(token: interfaces.data.IApiTokenInfo) {
+    const { DeesModal } = await import('@design.estate/dees-catalog');
+
+    await DeesModal.createAndShow({
+      heading: 'Roll Token Secret',
+      content: html`
+        <div style="color: #ccc; padding: 8px 0;">
+          <p>This will regenerate the secret for <strong>${token.name}</strong>. The old token value will stop working immediately.</p>
+        </div>
+      `,
+      menuOptions: [
+        {
+          name: 'Cancel',
+          iconName: 'lucide:x',
+          action: async (modalArg: any) => await modalArg.destroy(),
+        },
+        {
+          name: 'Roll Token',
+          iconName: 'lucide:rotate-cw',
+          action: async (modalArg: any) => {
+            await modalArg.destroy();
+            try {
+              const response = await appstate.rollApiToken(token.id);
+              if (response.success && response.tokenValue) {
+                await appstate.routeManagementStatePart.dispatchAction(appstate.fetchApiTokensAction, null);
+
+                await DeesModal.createAndShow({
+                  heading: 'Token Rolled',
+                  content: html`
+                    <div style="color: #ccc; padding: 8px 0;">
+                      <p>Copy this token now. It will not be shown again.</p>
+                      <div style="background: #111; padding: 12px; border-radius: 6px; margin-top: 8px;">
+                        <code style="color: #0f8; word-break: break-all; font-size: 13px;">${response.tokenValue}</code>
+                      </div>
+                    </div>
+                  `,
+                  menuOptions: [
+                    {
+                      name: 'Done',
+                      iconName: 'lucide:check',
+                      action: async (m: any) => await m.destroy(),
+                    },
+                  ],
+                });
+              }
+            } catch (error) {
+              console.error('Failed to roll token:', error);
+            }
+          },
+        },
+      ],
+    });
+  }
+
   async firstUpdated() {
     await appstate.routeManagementStatePart.dispatchAction(appstate.fetchApiTokensAction, null);
   }

ts_web/elements/ops-view-logs.ts

@@ -76,8 +76,15 @@ export class OpsViewLogs extends DeesElement {
     // Wait for xterm terminal to finish initializing (CDN load)
     if (!chartLog.terminalReady) {
       await new Promise<void>((resolve) => {
+        let attempts = 0;
+        const maxAttempts = 200; // 200 * 50ms = 10 seconds
         const check = () => {
           if (chartLog.terminalReady) { resolve(); return; }
+          if (++attempts >= maxAttempts) {
+            console.warn('ops-view-logs: terminal ready timeout after 10s');
+            resolve(); // resolve gracefully to avoid blocking
+            return;
+          }
           setTimeout(check, 50);
         };
         check();