v11.0.0

.playwright-mcp/console-2026-03-02T19-29-32-708Z.log

@@ -0,0 +1,6 @@
+[      95ms] TypeError: Cannot read properties of null (reading 'appendChild')
+    at TypedserverStatusPill.show (http://localhost:3000/typedserver/devtools:17607:21)
+    at TypedserverStatusPill.updateStatus (http://localhost:3000/typedserver/devtools:17567:10)
+    at ReloadChecker.checkReload (http://localhost:3000/typedserver/devtools:18137:23)
+    at async ReloadChecker.start (http://localhost:3000/typedserver/devtools:18224:9)
+[     992ms] [ERROR] Error while trying to use the following icon from the Manifest: http://localhost:3000/assetbroker/manifest/icon-144x144.png (Download error or resource isn't a valid image) @ http://localhost:3000/overview:0

.playwright-mcp/console-2026-03-02T19-30-09-759Z.log

@@ -0,0 +1,5 @@
+[     329ms] [ERROR] method: >>getMergedRoutes<< got an ERROR: "unauthorized" with data undefined @ http://localhost:3000/bundle.js:13
+[     727ms] [ERROR] Error while trying to use the following icon from the Manifest: http://localhost:3000/assetbroker/manifest/icon-144x144.png (Download error or resource isn't a valid image) @ http://localhost:3000/routes:0
+[  260513ms] [ERROR] method: >>adminLoginWithUsernameAndPassword<< got an ERROR: "login failed" with data undefined @ http://localhost:3000/bundle.js:13
+[  260514ms] [ERROR] Login failed: Ns @ http://localhost:3000/bundle.js:38066
+[  260518ms] [WARNING] FontAwesome icon not found: circle-xmark @ http://localhost:3000/bundle.js:1203

.playwright-mcp/console-2026-03-02T19-34-55-496Z.log

@@ -0,0 +1,3 @@
+[     397ms] [ERROR] method: >>getMergedRoutes<< got an ERROR: "unauthorized" with data undefined @ http://localhost:3000/bundle.js:13
+[     657ms] [ERROR] Error while trying to use the following icon from the Manifest: http://localhost:3000/assetbroker/manifest/icon-144x144.png (Download error or resource isn't a valid image) @ http://localhost:3000/routes:0
+[   24180ms] [WARNING] FontAwesome icon not found: circle-check @ http://localhost:3000/bundle.js:1203

changelog.md

@@ -1,5 +1,66 @@
 # Changelog
 
+## 2026-03-03 - 11.0.0 - BREAKING CHANGE(opsserver)
+Require authentication for OpsServer endpoints, split handlers into authenticated view/admin routers, and make identity required on many TypedRequest interfaces
+
+- Added viewRouter and adminRouter to OpsServer and wired middleware to enforce identity/admin checks (requireValidIdentity, requireAdminIdentity).
+- Moved handlers to appropriate routers (viewRouter for read endpoints, adminRouter for write/admin endpoints) instead of registering on the unauthenticated main typedrouter.
+- Made identity a required field on numerous ts_interfaces request types (breaking change to request typings).
+- Refactored ApiTokenHandler to register directly on adminRouter and use dataArg.identity.userId (no per-handler admin checks needed thanks to middleware).
+- Updated tests: added admin login to obtain identity, adjusted protected endpoint tests to expect rejection when unauthenticated, and adapted other tests to pass identity where required.
+- Added IReq_GetNetworkStats request/response typings to ts_interfaces/requests/stats.ts.
+- Bumped dependencies: @api.global/typedrequest ^3.3.0 and @api.global/typedserver ^8.4.2.
+
+## 2026-03-03 - 10.1.9 - fix(deps)
+bump @push.rocks/smartproxy to ^25.9.1
+
+- Updated package.json dependency @push.rocks/smartproxy from ^25.9.0 to ^25.9.1
+- No other code changes; current package version is 10.1.8, recommend a patch release
+
+## 2026-03-03 - 10.1.8 - fix(deps)
+bump dependencies: @push.rocks/smartmetrics to ^3.0.2, @push.rocks/smartproxy to ^25.9.0, @serve.zone/remoteingress to ^4.4.0
+
+- @push.rocks/smartmetrics: 3.0.1 -> 3.0.2 (patch)
+- @push.rocks/smartproxy: 25.8.5 -> 25.9.0 (minor)
+- @serve.zone/remoteingress: 4.3.0 -> 4.4.0 (minor)
+
+## 2026-03-03 - 10.1.7 - fix(ops-view-apitokens)
+use correct lucide icon name for roll/rotate actions in API tokens view
+
+- Updated iconName from 'lucide:rotate-cw' to 'lucide:rotateCw' in ts_web/elements/ops-view-apitokens.ts (two occurrences) to match lucide icon naming and ensure icons render correctly
+- Non-functional UI fix; no API or behavior changes
+
+## 2026-03-02 - 10.1.6 - fix(ts_web)
+use actionContext for dispatches in web state actions and bump @push.rocks/smartstate to ^2.2.0
+
+- Action handlers in ts_web/appstate.ts now accept an actionContext parameter and call await actionContext.dispatch(...) instead of using statePartArg.dispatchAction(...).
+- Handlers return the awaited dispatch result (ensuring callers receive refreshed state) instead of returning the previous statePartArg.getState().
+- Dependency bumped in package.json: @push.rocks/smartstate from ^2.1.1 to ^2.2.0.
+- Playwright artifacts (logs and page screenshots) were added under .playwright-mcp.
+
+## 2026-03-02 - 10.1.5 - fix(monitoring)
+use a per-second ring buffer for DNS query metrics, improve DNS logging rate limiting and security event aggregation, and bump smartmta dependency
+
+- Replace unbounded query timestamp array with a fixed-size per-second Int32Array ring buffer (300s) to calculate queries-per-second with O(1) updates and bounded memory
+- Add incrementQueryRing and getQueryRingSum helpers to correctly zero stale slots and sum recent seconds
+- Change metrics cache interval from 200ms to 1000ms to better match dashboard polling and reduce update frequency
+- Refactor DNS adaptive logging to use per-second counters (dnsLogWindowSecond / dnsLogWindowCount) instead of timestamp arrays to avoid per-query array filtering and improve rate limiting accuracy; reset counters on flush
+- Security logger: avoid mutating source when sorting/filtering, and implement single-pass aggregation with optional time-window filtering for byLevel/byType/top lists
+- Bump dependency @push.rocks/smartmta from ^5.3.0 to ^5.3.1
+
+## 2026-03-02 - 10.1.4 - fix(no-changes)
+no changes detected; no version bump required
+
+- package version is 10.1.3
+- git diff contains no changes
+
+## 2026-03-02 - 10.1.3 - fix(deps)
+bump @api.global/typedrequest to ^3.2.7
+
+- Updated @api.global/typedrequest from ^3.2.6 to ^3.2.7 in package.json
+- Dependency patch bump only — no source code changes detected
+- Current package version 10.1.2 -> recommended next version 10.1.3 (patch)
+
 ## 2026-03-01 - 10.1.2 - fix(core)
 improve shutdown cleanup, socket/stream robustness, and memory/cache handling
 

package.json

@@ -1,7 +1,7 @@
 {
   "name": "@serve.zone/dcrouter",
   "private": false,
-  "version": "10.1.2",
+  "version": "11.0.0",
   "description": "A multifaceted routing service handling mail and SMS delivery functions.",
   "type": "module",
   "exports": {
@@ -27,9 +27,9 @@
     "@types/node": "^25.3.3"
   },
   "dependencies": {
-    "@api.global/typedrequest": "^3.2.6",
+    "@api.global/typedrequest": "^3.3.0",
     "@api.global/typedrequest-interfaces": "^3.0.19",
-    "@api.global/typedserver": "^8.4.0",
+    "@api.global/typedserver": "^8.4.2",
     "@api.global/typedsocket": "^4.1.2",
     "@apiclient.xyz/cloudflare": "^7.1.0",
     "@design.estate/dees-catalog": "^3.43.3",
@@ -43,21 +43,21 @@
     "@push.rocks/smartguard": "^3.1.0",
     "@push.rocks/smartjwt": "^2.2.1",
     "@push.rocks/smartlog": "^3.2.1",
-    "@push.rocks/smartmetrics": "^3.0.1",
+    "@push.rocks/smartmetrics": "^3.0.2",
     "@push.rocks/smartmongo": "^5.1.0",
-    "@push.rocks/smartmta": "^5.3.0",
+    "@push.rocks/smartmta": "^5.3.1",
     "@push.rocks/smartnetwork": "^4.4.0",
     "@push.rocks/smartpath": "^6.0.0",
     "@push.rocks/smartpromise": "^4.2.3",
-    "@push.rocks/smartproxy": "^25.8.5",
+    "@push.rocks/smartproxy": "^25.9.1",
     "@push.rocks/smartradius": "^1.1.1",
     "@push.rocks/smartrequest": "^5.0.1",
     "@push.rocks/smartrx": "^3.0.10",
-    "@push.rocks/smartstate": "^2.1.1",
+    "@push.rocks/smartstate": "^2.2.0",
     "@push.rocks/smartunique": "^3.0.9",
     "@serve.zone/catalog": "^2.5.0",
     "@serve.zone/interfaces": "^5.3.0",
-    "@serve.zone/remoteingress": "^4.3.0",
+    "@serve.zone/remoteingress": "^4.4.0",
     "@tsclass/tsclass": "^9.3.0",
     "lru-cache": "^11.2.6",
     "uuid": "^13.0.0"

pnpm-lock.yaml

@@ -9,14 +9,14 @@ importers:
   .:
     dependencies:
       '@api.global/typedrequest':
-        specifier: ^3.2.6
-        version: 3.2.6
+        specifier: ^3.3.0
+        version: 3.3.0
       '@api.global/typedrequest-interfaces':
         specifier: ^3.0.19
         version: 3.0.19
       '@api.global/typedserver':
-        specifier: ^8.4.0
-        version: 8.4.0(@tiptap/pm@2.27.2)
+        specifier: ^8.4.2
+        version: 8.4.2(@tiptap/pm@2.27.2)
       '@api.global/typedsocket':
         specifier: ^4.1.2
         version: 4.1.2(@push.rocks/smartserve@2.0.1)
@@ -57,14 +57,14 @@ importers:
         specifier: ^3.2.1
         version: 3.2.1
       '@push.rocks/smartmetrics':
-        specifier: ^3.0.1
-        version: 3.0.1
+        specifier: ^3.0.2
+        version: 3.0.2
       '@push.rocks/smartmongo':
         specifier: ^5.1.0
         version: 5.1.0(socks@2.8.7)
       '@push.rocks/smartmta':
-        specifier: ^5.3.0
-        version: 5.3.0
+        specifier: ^5.3.1
+        version: 5.3.1
       '@push.rocks/smartnetwork':
         specifier: ^4.4.0
         version: 4.4.0
@@ -75,8 +75,8 @@ importers:
         specifier: ^4.2.3
         version: 4.2.3
       '@push.rocks/smartproxy':
-        specifier: ^25.8.5
-        version: 25.8.5
+        specifier: ^25.9.1
+        version: 25.9.1
       '@push.rocks/smartradius':
         specifier: ^1.1.1
         version: 1.1.1
@@ -87,8 +87,8 @@ importers:
         specifier: ^3.0.10
         version: 3.0.10
       '@push.rocks/smartstate':
-        specifier: ^2.1.1
-        version: 2.1.1
+        specifier: ^2.2.0
+        version: 2.2.0
       '@push.rocks/smartunique':
         specifier: ^3.0.9
         version: 3.0.9
@@ -99,8 +99,8 @@ importers:
         specifier: ^5.3.0
         version: 5.3.0
       '@serve.zone/remoteingress':
-        specifier: ^4.3.0
-        version: 4.3.0
+        specifier: ^4.4.0
+        version: 4.4.0
       '@tsclass/tsclass':
         specifier: ^9.3.0
         version: 9.3.0
@@ -138,14 +138,14 @@ packages:
   '@api.global/typedrequest-interfaces@3.0.19':
     resolution: {integrity: sha512-uuHUXJeOy/inWSDrwD0Cwax2rovpxYllDhM2RWh+6mVpQuNmZ3uw6IVg6dA2G1rOe24Ebs+Y9SzEogo+jYN7vw==}
 
-  '@api.global/typedrequest@3.2.6':
-    resolution: {integrity: sha512-CnvbjYjnGGw3rwL+7bTHSgRHEpDujzhs3cv7l1xgCXMPQe3DcPg74+9ep1Y5cu21T/w0pxNnDCJpbb0SHqHzAw==}
+  '@api.global/typedrequest@3.3.0':
+    resolution: {integrity: sha512-Jwobqla+9k2IBG0duwrCFtc6GU6wsvHS3f0gJJsxTrpapylBW1YSF7NnGHPGs7F9hbATsO6IoUBpR2ScoKyGJA==}
 
   '@api.global/typedserver@3.0.80':
     resolution: {integrity: sha512-dcp0oXsjBL+XdFg1wUUP08uJQid5bQ0Yv3V3Y3lnI2QCbat0FU+Tsb0TZRnZ4+P150Vj/ITBqJUgDzFsF34grA==}
 
-  '@api.global/typedserver@8.4.0':
-    resolution: {integrity: sha512-qOa5jUwiuHEoY1ZuLZiuU1unPl5JNd99Vv+hNAwgEIgAZd4TTy/mjdTp7lyviBzkGf2pROeCmAbDJJF8YQFCSA==}
+  '@api.global/typedserver@8.4.2':
+    resolution: {integrity: sha512-eESOcWvrbqkshR4s4OeTX1AK74bNCeGgiRebKgjxIzJ+b0+rkPQyn2DOaMtyXjFZRNgRHyytLm5Iqj5fdazeqw==}
 
   '@api.global/typedsocket@3.1.1':
     resolution: {integrity: sha512-Wkz3NlhmfdZMKqXXI2c2dMtGGmSmhdOegZiziL+9b2mqPYdc7Gd8AZRdEOKvbSoIvc9G22/5BEadIWHrfq66TA==}
@@ -845,6 +845,9 @@ packages:
   '@push.rocks/lik@6.2.2':
     resolution: {integrity: sha512-j64FFPPyMXeeUorjKJVF6PWaJUfiIrF3pc41iJH4lOh0UUpBAHpcNzHVxTR58orwbVA/h3Hz+DQd4b1Rq0dFDQ==}
 
+  '@push.rocks/lik@6.3.1':
+    resolution: {integrity: sha512-UWDwGBaVx5yPtAFXqDDBtQZCzETUOA/7myQIXb+YBsuiIw4yQuhNZ23uY2ChQH2Zn6DLqdNSgQcYC0WywMZBNQ==}
+
   '@push.rocks/mongodump@1.1.0':
     resolution: {integrity: sha512-kW0ZUGyf1e4nwloVwBQjNId+MzgTcNS834C+RxH21i1NqyOubbpWZtJtPP+K+s35nSJRyCTy3ICfBMdDBTAm2w==}
 
@@ -981,8 +984,8 @@ packages:
   '@push.rocks/smartmatch@2.0.0':
     resolution: {integrity: sha512-MBzP++1yNIBeox71X6VxpIgZ8m4bXnJpZJ4nWVH6IWpmO38MXTu4X0QF8tQnyT4LFcwvc9iiWaD15cstHa7Mmw==}
 
-  '@push.rocks/smartmetrics@3.0.1':
-    resolution: {integrity: sha512-wdc9v8F0dQXwraAVCZjGvt2lnGpbVYHWzER9OFR+u+ultMq7aLjUevxSpkS8BkhBMLTuNMCCWIqyAzaCqHzFgQ==}
+  '@push.rocks/smartmetrics@3.0.2':
+    resolution: {integrity: sha512-bW60TrdCubsZwsYK1+lE9y+OoXN8MfB7bhSASlTKtwhExdCbjXYXnSt9W7zerD7HbsUNOsvejIjX9q4oju+P2g==}
 
   '@push.rocks/smartmime@1.0.6':
     resolution: {integrity: sha512-PHd+I4UcsnOATNg8wjDsSAmmJ4CwQFrQCNzd0HSJMs4ZpiK3Ya91almd6GLpDPU370U4HFh4FaPF4eEAI6vkJQ==}
@@ -996,8 +999,8 @@ packages:
   '@push.rocks/smartmongo@5.1.0':
     resolution: {integrity: sha512-2tpKf8K+SMdLHOEpafgKPIN+ypWTLwHc33hCUDNMQ1KaL7vokkavA44+fHxQydOGPMtDi22tSMFeVMCcUSzs4w==}
 
-  '@push.rocks/smartmta@5.3.0':
-    resolution: {integrity: sha512-uJI25fslzvrcenU36WCdt5gB8cCfkjUlY7PqlxEtFp474/l/kZxNnvirv1gnZLRNNa+ioe5aH18HKE+KcAjuxA==}
+  '@push.rocks/smartmta@5.3.1':
+    resolution: {integrity: sha512-cEuXO56i/zL9eZS79eAesEW16ikdBJKLlEv9pLKkt2cmaHBWADGHjeOzJmsszQ9CSFcuhd41aHYVGMZXVvsG2g==}
     engines: {node: '>=14.0.0'}
     cpu: [x64, arm64]
     os: [darwin, linux, win32]
@@ -1035,8 +1038,8 @@ packages:
   '@push.rocks/smartpromise@4.2.3':
     resolution: {integrity: sha512-Ycg/TJR+tMt+S3wSFurOpEoW6nXv12QBtKXgBcjMZ4RsdO28geN46U09osPn9N9WuwQy1PkmTV5J/V4F9U8qEw==}
 
-  '@push.rocks/smartproxy@25.8.5':
-    resolution: {integrity: sha512-oLmV+Bq7sSgQP9McTao/imb6Xb62QM7wlTFt5kNynrS5WK2wAe8cEjDKOcyu8N/WmzNCEClT5f/0xAtI6JxtkA==}
+  '@push.rocks/smartproxy@25.9.1':
+    resolution: {integrity: sha512-X9Yc74CwwvxUay/WDdomRL48vkQyb/kT/QZ4r+AyUUJV2tlt0rQxhbegv9C9kkjrVNsflQWjrAKseh0GB4hAfA==}
 
   '@push.rocks/smartpuppeteer@2.0.5':
     resolution: {integrity: sha512-yK/qSeWVHIGWRp3c8S5tfdGP6WCKllZC4DR8d8CQlEjszOSBmHtlTdyyqOMBZ/BA4kd+eU5f3A1r4K2tGYty1g==}
@@ -1083,8 +1086,8 @@ packages:
   '@push.rocks/smartspawn@3.0.3':
     resolution: {integrity: sha512-DyrGPV69wwOiJgKkyruk5hS3UEGZ99xFAqBE9O2nM8VXCRLbbty3xt1Ug5Z092ZZmJYaaGMSnMw3ijyZJFCT0Q==}
 
-  '@push.rocks/smartstate@2.1.1':
-    resolution: {integrity: sha512-4OM9TXfiiSYIgVz2pQdM2UCTurXwd8o9LCtyZ/o+rnntnXp/X8UTWZ+WyTxgnfuzXhpIYXt83t34bVBJ2EPUOw==}
+  '@push.rocks/smartstate@2.2.0':
+    resolution: {integrity: sha512-e41vA1y9b0HBauzjMSh3l0YlRhcG4jhArm43/HHNdT+inxEGIeRL24VGeq+sl2MUr/eFWqgrETXhvL3YrsYFaw==}
 
   '@push.rocks/smartstream@2.0.8':
     resolution: {integrity: sha512-GlF/9cCkvBHwKa3DK4DO5wjfSgqkj6gAS4TrY9uD5NMHu9RQv4WiNrElTYj7iCEpnZgUnLO3tzw1JA3NRIMnnA==}
@@ -1138,6 +1141,9 @@ packages:
   '@push.rocks/webrequest@4.0.2':
     resolution: {integrity: sha512-rowzty+Q2papFBcnNYPcy+8CQJukSn/FGfQG8ap0bUgQUsx882u8kEyLM0Q+GlGHS5OiZ+Z0z5TZqLKlk3XHxA==}
 
+  '@push.rocks/webrequest@4.0.5':
+    resolution: {integrity: sha512-wVSCaXqJ9Vh+rbwVz0wDl46dYz4rnwwSrm5vbVXKbuH6oKTPF0YRoujeJPqRltIn64RVGdLeY9/6ix+ZCrzhsg==}
+
   '@push.rocks/websetup@3.0.19':
     resolution: {integrity: sha512-iKJDwXdMmQdu5siOIgziPRxM51lN1AU9HOr+yMteu1YMDkZT7HKCyisDAr4gC9WZ9a7FzsG8zgthm4dMeA8NTw==}
 
@@ -1344,8 +1350,8 @@ packages:
   '@serve.zone/interfaces@5.3.0':
     resolution: {integrity: sha512-venO7wtDR9ixzD9NhdERBGjNKbFA5LL0yHw4eqGh0UpmvtXVc3SFG0uuHDilOKMZqZ8bttV88qVsFy1aSTJrtA==}
 
-  '@serve.zone/remoteingress@4.3.0':
-    resolution: {integrity: sha512-yk14uS6oWIP83Zpem4hGf8zi3W9pefnxijtSWp45WvZ+u9XTXIADQNaUZBSTCId8CYkfPkfRGaaaARunVdjFXg==}
+  '@serve.zone/remoteingress@4.4.0':
+    resolution: {integrity: sha512-+M2EHP0irezN0xutYn0H6ZXePWoMJy4ETbK9/5Zgb4nx2FbDRYQyFLJUXyLzVL/rtJ/5trToPwOa3ljZoVze3g==}
 
   '@sindresorhus/is@5.6.0':
     resolution: {integrity: sha512-TV7t8GKYaJWsn00tFDqBw8+Uqmr8A0fRU1tvTQhyZzGv0sJCGRQL3JGMI3ucuKo3XIZdUP+Lx7/gh2t3lewy7g==}
@@ -2081,8 +2087,8 @@ packages:
     resolution: {integrity: sha512-Pdk8c9poy+YhOgVWw1JNN22/HcivgKWwpxKq04M/jTmHyCZn12WPJebZxdjSa5TmBqISrUSgNYU3eRORljfCCw==}
     engines: {node: 20 || >=22}
 
-  brace-expansion@5.0.3:
-    resolution: {integrity: sha512-fy6KJm2RawA5RcHkLa1z/ScpBeA762UF9KmZQxwIbDtRJrgLzM10depAiEQ+CXYcoiqW1/m96OAAoke2nE9EeA==}
+  brace-expansion@5.0.4:
+    resolution: {integrity: sha512-h+DEnpVvxmfVefa4jFbCf5HdH5YMDXRsmKflpf1pILZWRFlTbJpxeU55nJl4Smt5HQaGzg1o6RHFPJaOqnmBDg==}
     engines: {node: 18 || 20 || >=22}
 
   broadcast-channel@7.3.0:
@@ -3244,8 +3250,8 @@ packages:
     resolution: {integrity: sha512-MClCe8IL5nRRmawL6ib/eT4oLyeKMGCghibcDWK+J0hh0Q8kqSdia6BvbRMVk6mPa6WqUa5uR2oxt6C5jd533A==}
     engines: {node: 20 || >=22}
 
-  minimatch@10.2.2:
-    resolution: {integrity: sha512-+G4CpNBxa5MprY+04MbgOw1v7So6n5JY166pFi9KfYwT78fxScCeSNQSNzp6dpPSW2rONOps6Ocam1wFhCgoVw==}
+  minimatch@10.2.4:
+    resolution: {integrity: sha512-oRjTw/97aTBN0RHbYCdtF1MQfvusSIBQM0IZEgzl6426+8jSC0nF1a/GmnVLpfB9yyr6g6FTqWqiZVbxrtaCIg==}
     engines: {node: 18 || 20 || >=22}
 
   minimatch@3.1.3:
@@ -4291,21 +4297,21 @@ snapshots:
 
   '@api.global/typedrequest-interfaces@3.0.19': {}
 
-  '@api.global/typedrequest@3.2.6':
+  '@api.global/typedrequest@3.3.0':
     dependencies:
       '@api.global/typedrequest-interfaces': 3.0.19
       '@push.rocks/isounique': 1.0.5
-      '@push.rocks/lik': 6.2.2
+      '@push.rocks/lik': 6.3.1
       '@push.rocks/smartbuffer': 3.0.5
       '@push.rocks/smartdelay': 3.0.5
       '@push.rocks/smartguard': 3.1.0
       '@push.rocks/smartpromise': 4.2.3
-      '@push.rocks/webrequest': 4.0.2
+      '@push.rocks/webrequest': 4.0.5
       '@push.rocks/webstream': 1.0.10
 
   '@api.global/typedserver@3.0.80(@push.rocks/smartserve@2.0.1)':
     dependencies:
-      '@api.global/typedrequest': 3.2.6
+      '@api.global/typedrequest': 3.3.0
       '@api.global/typedrequest-interfaces': 3.0.19
       '@api.global/typedsocket': 3.1.1(@push.rocks/smartserve@2.0.1)
       '@cloudflare/workers-types': 4.20260210.0
@@ -4351,9 +4357,9 @@ snapshots:
       - utf-8-validate
       - vue
 
-  '@api.global/typedserver@8.4.0(@tiptap/pm@2.27.2)':
+  '@api.global/typedserver@8.4.2(@tiptap/pm@2.27.2)':
     dependencies:
-      '@api.global/typedrequest': 3.2.6
+      '@api.global/typedrequest': 3.3.0
       '@api.global/typedrequest-interfaces': 3.0.19
       '@api.global/typedsocket': 4.1.2(@push.rocks/smartserve@2.0.1)
       '@cloudflare/workers-types': 4.20260303.0
@@ -4399,7 +4405,7 @@ snapshots:
 
   '@api.global/typedsocket@3.1.1(@push.rocks/smartserve@2.0.1)':
     dependencies:
-      '@api.global/typedrequest': 3.2.6
+      '@api.global/typedrequest': 3.3.0
       '@api.global/typedrequest-interfaces': 3.0.19
       '@push.rocks/isohash': 2.0.1
       '@push.rocks/smartjson': 5.2.0
@@ -4419,7 +4425,7 @@ snapshots:
 
   '@api.global/typedsocket@4.1.2(@push.rocks/smartserve@2.0.1)':
     dependencies:
-      '@api.global/typedrequest': 3.2.6
+      '@api.global/typedrequest': 3.3.0
       '@api.global/typedrequest-interfaces': 3.0.19
       '@push.rocks/isohash': 2.0.1
       '@push.rocks/smartdelay': 3.0.5
@@ -4994,14 +5000,14 @@ snapshots:
 
   '@design.estate/dees-comms@1.0.30':
     dependencies:
-      '@api.global/typedrequest': 3.2.6
+      '@api.global/typedrequest': 3.3.0
       '@api.global/typedrequest-interfaces': 3.0.19
       '@push.rocks/smartdelay': 3.0.5
       broadcast-channel: 7.3.0
 
   '@design.estate/dees-domtools@2.3.8':
     dependencies:
-      '@api.global/typedrequest': 3.2.6
+      '@api.global/typedrequest': 3.3.0
       '@design.estate/dees-comms': 1.0.30
       '@push.rocks/lik': 6.2.2
       '@push.rocks/smartdelay': 3.0.5
@@ -5010,7 +5016,7 @@ snapshots:
       '@push.rocks/smartpromise': 4.2.3
       '@push.rocks/smartrouter': 1.3.3
       '@push.rocks/smartrx': 3.0.10
-      '@push.rocks/smartstate': 2.1.1
+      '@push.rocks/smartstate': 2.2.0
       '@push.rocks/smartstring': 4.1.0
       '@push.rocks/smarturl': 3.1.0
       '@push.rocks/webrequest': 3.0.37
@@ -5287,7 +5293,7 @@ snapshots:
 
   '@git.zone/tswatch@3.2.0(@tiptap/pm@2.27.2)':
     dependencies:
-      '@api.global/typedserver': 8.4.0(@tiptap/pm@2.27.2)
+      '@api.global/typedserver': 8.4.2(@tiptap/pm@2.27.2)
       '@git.zone/tsbundle': 2.9.0
       '@git.zone/tsrun': 2.0.1
       '@push.rocks/early': 4.0.4
@@ -5676,7 +5682,7 @@ snapshots:
 
   '@push.rocks/levelcache@3.2.0':
     dependencies:
-      '@push.rocks/lik': 6.2.2
+      '@push.rocks/lik': 6.3.1
       '@push.rocks/smartbucket': 3.3.10
       '@push.rocks/smartcache': 1.0.18
       '@push.rocks/smartenv': 5.0.13
@@ -5707,6 +5713,17 @@ snapshots:
       '@types/symbol-tree': 3.2.5
       symbol-tree: 3.2.4
 
+  '@push.rocks/lik@6.3.1':
+    dependencies:
+      '@push.rocks/smartdelay': 3.0.5
+      '@push.rocks/smartmatch': 2.0.0
+      '@push.rocks/smartpromise': 4.2.3
+      '@push.rocks/smartrx': 3.0.10
+      '@push.rocks/smarttime': 4.2.3
+      '@types/minimatch': 5.1.2
+      '@types/symbol-tree': 3.2.5
+      symbol-tree: 3.2.4
+
   '@push.rocks/mongodump@1.1.0(socks@2.8.7)':
     dependencies:
       '@push.rocks/lik': 6.2.2
@@ -5751,7 +5768,7 @@ snapshots:
 
   '@push.rocks/qenv@6.1.3':
     dependencies:
-      '@api.global/typedrequest': 3.2.6
+      '@api.global/typedrequest': 3.3.0
       '@configvault.io/interfaces': 1.0.17
       '@push.rocks/smartfile': 11.2.7
       '@push.rocks/smartlog': 3.2.1
@@ -6165,7 +6182,7 @@ snapshots:
     dependencies:
       matcher: 5.0.0
 
-  '@push.rocks/smartmetrics@3.0.1':
+  '@push.rocks/smartmetrics@3.0.2':
     dependencies:
       '@push.rocks/smartdelay': 3.0.5
       '@push.rocks/smartlog': 3.2.1
@@ -6233,7 +6250,7 @@ snapshots:
       - supports-color
       - vue
 
-  '@push.rocks/smartmta@5.3.0':
+  '@push.rocks/smartmta@5.3.1':
     dependencies:
       '@push.rocks/smartfile': 13.1.2
       '@push.rocks/smartfs': 1.3.1
@@ -6340,13 +6357,13 @@ snapshots:
 
   '@push.rocks/smartpromise@4.2.3': {}
 
-  '@push.rocks/smartproxy@25.8.5':
+  '@push.rocks/smartproxy@25.9.1':
     dependencies:
       '@push.rocks/smartcrypto': 2.0.4
       '@push.rocks/smartlog': 3.2.1
       '@push.rocks/smartrust': 1.3.1
       '@tsclass/tsclass': 9.3.0
-      minimatch: 10.2.2
+      minimatch: 10.2.4
 
   '@push.rocks/smartpuppeteer@2.0.5(typescript@5.9.3)':
     dependencies:
@@ -6424,7 +6441,7 @@ snapshots:
 
   '@push.rocks/smartserve@2.0.1':
     dependencies:
-      '@api.global/typedrequest': 3.2.6
+      '@api.global/typedrequest': 3.3.0
       '@cfworker/json-schema': 4.1.1
       '@push.rocks/lik': 6.2.2
       '@push.rocks/smartenv': 6.0.0
@@ -6487,7 +6504,7 @@ snapshots:
     transitivePeerDependencies:
       - supports-color
 
-  '@push.rocks/smartstate@2.1.1':
+  '@push.rocks/smartstate@2.2.0':
     dependencies:
       '@push.rocks/smarthash': 3.2.6
       '@push.rocks/smartjson': 6.0.0
@@ -6636,6 +6653,14 @@ snapshots:
       '@push.rocks/smartpromise': 4.2.3
       '@push.rocks/webstore': 2.0.20
 
+  '@push.rocks/webrequest@4.0.5':
+    dependencies:
+      '@push.rocks/smartdelay': 3.0.5
+      '@push.rocks/smartenv': 6.0.0
+      '@push.rocks/smartjson': 6.0.0
+      '@push.rocks/smartpromise': 4.2.3
+      '@push.rocks/webstore': 2.0.20
+
   '@push.rocks/websetup@3.0.19':
     dependencies:
       '@pushrocks/smartdelay': 3.0.1
@@ -6826,7 +6851,7 @@ snapshots:
       '@push.rocks/smartlog-interfaces': 3.0.2
       '@tsclass/tsclass': 9.3.0
 
-  '@serve.zone/remoteingress@4.3.0':
+  '@serve.zone/remoteingress@4.4.0':
     dependencies:
       '@push.rocks/qenv': 6.1.3
       '@push.rocks/smartrust': 1.3.1
@@ -7717,7 +7742,7 @@ snapshots:
     dependencies:
       balanced-match: 4.0.2
 
-  brace-expansion@5.0.3:
+  brace-expansion@5.0.4:
     dependencies:
       balanced-match: 4.0.4
 
@@ -9165,9 +9190,9 @@ snapshots:
     dependencies:
       brace-expansion: 5.0.2
 
-  minimatch@10.2.2:
+  minimatch@10.2.4:
     dependencies:
-      brace-expansion: 5.0.3
+      brace-expansion: 5.0.4
 
   minimatch@3.1.3:
     dependencies:

test/test.opsserver-api.ts

@@ -4,27 +4,44 @@ import { TypedRequest } from '@api.global/typedrequest';
 import * as interfaces from '../ts_interfaces/index.js';
 
 let testDcRouter: DcRouter;
+let adminIdentity: interfaces.data.IIdentity;
 
 tap.test('should start DCRouter with OpsServer', async () => {
   testDcRouter = new DcRouter({
     // Minimal config for testing
     cacheConfig: { enabled: false },
   });
-  
+
   await testDcRouter.start();
   expect(testDcRouter.opsServer).toBeInstanceOf(Object);
 });
 
+tap.test('should login as admin', async () => {
+  const loginRequest = new TypedRequest<interfaces.requests.IReq_AdminLoginWithUsernameAndPassword>(
+    'http://localhost:3000/typedrequest',
+    'adminLoginWithUsernameAndPassword'
+  );
+
+  const response = await loginRequest.fire({
+    username: 'admin',
+    password: 'admin',
+  });
+
+  expect(response).toHaveProperty('identity');
+  adminIdentity = response.identity;
+});
+
 tap.test('should respond to health status request', async () => {
   const healthRequest = new TypedRequest<interfaces.requests.IReq_GetHealthStatus>(
     'http://localhost:3000/typedrequest',
     'getHealthStatus'
   );
-  
+
   const response = await healthRequest.fire({
-    detailed: false
+    identity: adminIdentity,
+    detailed: false,
   });
-  
+
   expect(response).toHaveProperty('health');
   expect(response.health.healthy).toBeTrue();
   expect(response.health.services).toHaveProperty('OpsServer');
@@ -35,11 +52,12 @@ tap.test('should respond to server statistics request', async () => {
     'http://localhost:3000/typedrequest',
     'getServerStatistics'
   );
-  
+
   const response = await statsRequest.fire({
-    includeHistory: false
+    identity: adminIdentity,
+    includeHistory: false,
   });
-  
+
   expect(response).toHaveProperty('stats');
   expect(response.stats).toHaveProperty('uptime');
   expect(response.stats).toHaveProperty('cpuUsage');
@@ -51,9 +69,11 @@ tap.test('should respond to configuration request', async () => {
     'http://localhost:3000/typedrequest',
     'getConfiguration'
   );
-  
-  const response = await configRequest.fire({});
-  
+
+  const response = await configRequest.fire({
+    identity: adminIdentity,
+  });
+
   expect(response).toHaveProperty('config');
   expect(response.config).toHaveProperty('system');
   expect(response.config).toHaveProperty('smartProxy');
@@ -70,19 +90,34 @@ tap.test('should handle log retrieval request', async () => {
     'http://localhost:3000/typedrequest',
     'getRecentLogs'
   );
-  
+
   const response = await logsRequest.fire({
-    limit: 10
+    identity: adminIdentity,
+    limit: 10,
   });
-  
+
   expect(response).toHaveProperty('logs');
   expect(response).toHaveProperty('total');
   expect(response).toHaveProperty('hasMore');
   expect(response.logs).toBeArray();
 });
 
+tap.test('should reject unauthenticated requests', async () => {
+  const healthRequest = new TypedRequest<interfaces.requests.IReq_GetHealthStatus>(
+    'http://localhost:3000/typedrequest',
+    'getHealthStatus'
+  );
+
+  try {
+    await healthRequest.fire({} as any);
+    expect(true).toBeFalse(); // Should not reach here
+  } catch (error) {
+    expect(error).toBeTruthy();
+  }
+});
+
 tap.test('should stop DCRouter', async () => {
   await testDcRouter.stop();
 });
 
-export default tap.start();
+export default tap.start();

test/test.protected-endpoint.ts

@@ -82,28 +82,31 @@ tap.test('should reject verify identity with invalid JWT', async () => {
   }
 });
 
-tap.test('should allow access to public endpoints without auth', async () => {
+tap.test('should reject protected endpoints without auth', async () => {
   const healthRequest = new TypedRequest<interfaces.requests.IReq_GetHealthStatus>(
     'http://localhost:3000/typedrequest',
     'getHealthStatus'
   );
 
-  // No identity provided
-  const response = await healthRequest.fire({});
-
-  expect(response).toHaveProperty('health');
-  expect(response.health.healthy).toBeTrue();
-  console.log('Public endpoint accessible without auth');
+  try {
+    // No identity provided — should be rejected
+    await healthRequest.fire({} as any);
+    expect(true).toBeFalse(); // Should not reach here
+  } catch (error) {
+    expect(error).toBeTruthy();
+    console.log('Protected endpoint correctly rejects unauthenticated request');
+  }
 });
 
-tap.test('should allow read-only config access', async () => {
+tap.test('should allow authenticated access to protected endpoints', async () => {
   const configRequest = new TypedRequest<interfaces.requests.IReq_GetConfiguration>(
     'http://localhost:3000/typedrequest',
     'getConfiguration'
   );
 
-  // Config is read-only and doesn't require auth
-  const response = await configRequest.fire({});
+  const response = await configRequest.fire({
+    identity: adminIdentity,
+  });
 
   expect(response).toHaveProperty('config');
   expect(response.config).toHaveProperty('system');
@@ -114,7 +117,7 @@ tap.test('should allow read-only config access', async () => {
   expect(response.config).toHaveProperty('cache');
   expect(response.config).toHaveProperty('radius');
   expect(response.config).toHaveProperty('remoteIngress');
-  console.log('Configuration read successfully');
+  console.log('Authenticated access to config successful');
 });
 
 tap.test('should stop DCRouter', async () => {

ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@serve.zone/dcrouter',
-  version: '10.1.2',
+  version: '11.0.0',
   description: 'A multifaceted routing service handling mail and SMS delivery functions.'
 }

ts/classes.dcrouter.ts

@@ -222,7 +222,8 @@ export class DcRouter {
   public detectedPublicIp: string | null = null;
 
   // DNS query logging rate limiter state
-  private dnsLogWindow: number[] = [];
+  private dnsLogWindowSecond: number = 0; // epoch second of current window
+  private dnsLogWindowCount: number = 0;  // queries logged this second
   private dnsBatchCount: number = 0;
   private dnsBatchTimer: ReturnType<typeof setTimeout> | null = null;
 
@@ -901,7 +902,8 @@ export class DcRouter {
       }
       this.dnsBatchTimer = null;
       this.dnsBatchCount = 0;
-      this.dnsLogWindow = [];
+      this.dnsLogWindowSecond = 0;
+      this.dnsLogWindowCount = 0;
     }
 
     await this.opsServer.stop();
@@ -1312,11 +1314,14 @@ export class DcRouter {
         }
 
         // Adaptive logging: individual logs up to 2/sec, then batch
-        const now = Date.now();
-        this.dnsLogWindow = this.dnsLogWindow.filter(t => now - t < 1000);
+        const nowSec = Math.floor(Date.now() / 1000);
+        if (nowSec !== this.dnsLogWindowSecond) {
+          this.dnsLogWindowSecond = nowSec;
+          this.dnsLogWindowCount = 0;
+        }
 
-        if (this.dnsLogWindow.length < 2) {
-          this.dnsLogWindow.push(now);
+        if (this.dnsLogWindowCount < 2) {
+          this.dnsLogWindowCount++;
           const summary = event.questions.map(q => `${q.type} ${q.name}`).join(', ');
           logger.log('info', `DNS query: ${summary} (${event.responseTimeMs}ms, ${event.answered ? 'answered' : 'unanswered'})`, { zone: 'dns' });
         } else {

ts/monitoring/classes.metricsmanager.ts

@@ -35,7 +35,9 @@ export class MetricsManager {
     queryTypes: {} as Record<string, number>,
     topDomains: new Map<string, number>(),
     lastResetDate: new Date().toDateString(),
-    queryTimestamps: [] as number[], // Track query timestamps for rate calculation
+    // Per-second query count ring buffer (300 entries = 5 minutes)
+    queryRing: new Int32Array(300),
+    queryRingLastSecond: 0, // last epoch second that was written
     responseTimes: [] as number[], // Track response times in ms
     recentQueries: [] as Array<{ timestamp: number; domain: string; type: string; answered: boolean; responseTimeMs: number }>,
   };
@@ -95,12 +97,13 @@ export class MetricsManager {
         this.dnsMetrics.cacheMisses = 0;
         this.dnsMetrics.queryTypes = {};
         this.dnsMetrics.topDomains.clear();
-        this.dnsMetrics.queryTimestamps = [];
+        this.dnsMetrics.queryRing.fill(0);
+        this.dnsMetrics.queryRingLastSecond = 0;
         this.dnsMetrics.responseTimes = [];
         this.dnsMetrics.recentQueries = [];
         this.dnsMetrics.lastResetDate = currentDate;
       }
-      
+
       if (currentDate !== this.securityMetrics.lastResetDate) {
         this.securityMetrics.blockedIPs = 0;
         this.securityMetrics.authFailures = 0;
@@ -111,15 +114,6 @@ export class MetricsManager {
         this.securityMetrics.lastResetDate = currentDate;
       }
 
-      // Prune old query timestamps (keep last 5 minutes)
-      const fiveMinutesAgo = Date.now() - 300000;
-      const idx = this.dnsMetrics.queryTimestamps.findIndex(ts => ts >= fiveMinutesAgo);
-      if (idx > 0) {
-        this.dnsMetrics.queryTimestamps = this.dnsMetrics.queryTimestamps.slice(idx);
-      } else if (idx === -1) {
-        this.dnsMetrics.queryTimestamps = [];
-      }
-
       // Prune old time-series buckets every minute (don't wait for lazy query)
       this.pruneOldBuckets();
     }, 60000); // Check every minute
@@ -150,16 +144,16 @@ export class MetricsManager {
       const smartMetricsData = await this.smartMetrics.getMetrics();
       const proxyMetrics = this.dcRouter.smartProxy ? this.dcRouter.smartProxy.getMetrics() : null;
       const proxyStats = this.dcRouter.smartProxy ? await this.dcRouter.smartProxy.getStatistics() : null;
+      const { heapUsed, heapTotal, external, rss } = process.memoryUsage();
 
       return {
         uptime: process.uptime(),
         startTime: Date.now() - (process.uptime() * 1000),
         memoryUsage: {
-          heapUsed: process.memoryUsage().heapUsed,
-          heapTotal: process.memoryUsage().heapTotal,
-          external: process.memoryUsage().external,
-          rss: process.memoryUsage().rss,
-          // Add SmartMetrics memory data
+          heapUsed,
+          heapTotal,
+          external,
+          rss,
           maxMemoryMB: this.smartMetrics.maxMemoryMB,
           actualUsageBytes: smartMetricsData.memoryUsageBytes,
           actualUsagePercentage: smartMetricsData.memoryPercentage,
@@ -228,11 +222,8 @@ export class MetricsManager {
         .slice(0, 10)
         .map(([domain, count]) => ({ domain, count }));
       
-      // Calculate queries per second from recent timestamps
-      const now = Date.now();
-      const oneMinuteAgo = now - 60000;
-      const recentQueries = this.dnsMetrics.queryTimestamps.filter(ts => ts >= oneMinuteAgo);
-      const queriesPerSecond = recentQueries.length / 60;
+      // Calculate queries per second from ring buffer (sum last 60 seconds)
+      const queriesPerSecond = this.getQueryRingSum(60) / 60;
       
       // Calculate average response time
       const avgResponseTime = this.dnsMetrics.responseTimes.length > 0
@@ -436,8 +427,8 @@ export class MetricsManager {
       this.dnsMetrics.cacheMisses++;
     }
     
-    // Track query timestamp (pruning moved to resetInterval to avoid O(n) per query)
-    this.dnsMetrics.queryTimestamps.push(Date.now());
+    // Increment per-second query counter in ring buffer
+    this.incrementQueryRing();
     
     // Track response time if provided
     if (responseTimeMs) {
@@ -609,7 +600,7 @@ export class MetricsManager {
         requestsPerSecond,
         requestsTotal,
       };
-    }, 200); // Use 200ms cache for more frequent updates
+    }, 1000); // 1s cache — matches typical dashboard poll interval
   }
 
   // --- Time-series helpers ---
@@ -638,6 +629,63 @@ export class MetricsManager {
     bucket.queries++;
   }
 
+  /**
+   * Increment the per-second query counter in the ring buffer.
+   * Zeros any stale slots between the last write and the current second.
+   */
+  private incrementQueryRing(): void {
+    const currentSecond = Math.floor(Date.now() / 1000);
+    const ring = this.dnsMetrics.queryRing;
+    const last = this.dnsMetrics.queryRingLastSecond;
+
+    if (last === 0) {
+      // First call — zero and anchor
+      ring.fill(0);
+      this.dnsMetrics.queryRingLastSecond = currentSecond;
+      ring[currentSecond % ring.length] = 1;
+      return;
+    }
+
+    const gap = currentSecond - last;
+    if (gap >= ring.length) {
+      // Entire ring is stale — clear all
+      ring.fill(0);
+    } else if (gap > 0) {
+      // Zero slots from (last+1) to currentSecond (inclusive)
+      for (let s = last + 1; s <= currentSecond; s++) {
+        ring[s % ring.length] = 0;
+      }
+    }
+
+    this.dnsMetrics.queryRingLastSecond = currentSecond;
+    ring[currentSecond % ring.length]++;
+  }
+
+  /**
+   * Sum query counts from the ring buffer for the last N seconds.
+   */
+  private getQueryRingSum(seconds: number): number {
+    const currentSecond = Math.floor(Date.now() / 1000);
+    const ring = this.dnsMetrics.queryRing;
+    const last = this.dnsMetrics.queryRingLastSecond;
+
+    if (last === 0) return 0;
+
+    // First, zero stale slots so reads are accurate even without writes
+    const gap = currentSecond - last;
+    if (gap >= ring.length) return 0; // all data is stale
+
+    let sum = 0;
+    const limit = Math.min(seconds, ring.length);
+    for (let i = 0; i < limit; i++) {
+      const sec = currentSecond - i;
+      if (sec < last - (ring.length - 1)) break; // slot is from older cycle
+      if (sec > last) continue; // no writes yet for this second
+      sum += ring[sec % ring.length];
+    }
+    return sum;
+  }
+
   private pruneOldBuckets(): void {
     const cutoff = Date.now() - 86400000; // 24h
     for (const key of this.emailMinuteBuckets.keys()) {

ts/opsserver/classes.opsserver.ts

@@ -2,14 +2,20 @@ import type DcRouter from '../classes.dcrouter.js';
 import * as plugins from '../plugins.js';
 import * as paths from '../paths.js';
 import * as handlers from './handlers/index.js';
+import * as interfaces from '../../ts_interfaces/index.js';
+import { requireValidIdentity, requireAdminIdentity } from './helpers/guards.js';
 
 export class OpsServer {
   public dcRouterRef: DcRouter;
   public server: plugins.typedserver.utilityservers.UtilityWebsiteServer;
-  
-  // TypedRouter for OpsServer-specific handlers
+
+  // Main TypedRouter — unauthenticated endpoints (login/logout/verify) and own-auth handlers
   public typedrouter = new plugins.typedrequest.TypedRouter();
-  
+
+  // Auth-enforced routers — middleware validates identity before any handler runs
+  public viewRouter = new plugins.typedrequest.TypedRouter<{ request: { identity: interfaces.data.IIdentity } }>();
+  public adminRouter = new plugins.typedrequest.TypedRouter<{ request: { identity: interfaces.data.IIdentity } }>();
+
   // Handler instances
   public adminHandler: handlers.AdminHandler;
   private configHandler: handlers.ConfigHandler;
@@ -25,7 +31,7 @@ export class OpsServer {
 
   constructor(dcRouterRefArg: DcRouter) {
     this.dcRouterRef = dcRouterRefArg;
-    
+
     // Add our typedrouter to the dcRouter's main typedrouter
     this.dcRouterRef.typedrouter.addTypedRouter(this.typedrouter);
   }
@@ -51,10 +57,25 @@ export class OpsServer {
    * Set up all TypedRequest handlers
    */
   private async setupHandlers(): Promise<void> {
-    // Instantiate all handlers - they self-register with the typedrouter
+    // AdminHandler must be initialized first (JWT setup needed for guards)
     this.adminHandler = new handlers.AdminHandler(this);
-    await this.adminHandler.initialize(); // JWT needs async initialization
-    
+    await this.adminHandler.initialize();
+
+    // viewRouter middleware: requires valid identity (any logged-in user)
+    this.viewRouter.addMiddleware(async (typedRequest) => {
+      await requireValidIdentity(this.adminHandler, typedRequest.request);
+    });
+
+    // adminRouter middleware: requires admin identity
+    this.adminRouter.addMiddleware(async (typedRequest) => {
+      await requireAdminIdentity(this.adminHandler, typedRequest.request);
+    });
+
+    // Connect auth routers to the main typedrouter
+    this.typedrouter.addTypedRouter(this.viewRouter);
+    this.typedrouter.addTypedRouter(this.adminRouter);
+
+    // Instantiate all handlers — they self-register with the appropriate router
     this.configHandler = new handlers.ConfigHandler(this);
     this.logsHandler = new handlers.LogsHandler(this);
     this.securityHandler = new handlers.SecurityHandler(this);

ts/opsserver/handlers/api-token.handler.ts

@@ -3,34 +3,20 @@ import type { OpsServer } from '../classes.opsserver.js';
 import * as interfaces from '../../../ts_interfaces/index.js';
 
 export class ApiTokenHandler {
-  public typedrouter = new plugins.typedrequest.TypedRouter();
-
   constructor(private opsServerRef: OpsServer) {
-    this.opsServerRef.typedrouter.addTypedRouter(this.typedrouter);
     this.registerHandlers();
   }
 
-  /**
-   * Token management requires admin JWT only (tokens cannot manage tokens).
-   */
-  private async requireAdmin(identity?: interfaces.data.IIdentity): Promise<string> {
-    if (!identity?.jwt) {
-      throw new plugins.typedrequest.TypedResponseError('unauthorized');
-    }
-    const isAdmin = await this.opsServerRef.adminHandler.adminIdentityGuard.exec({ identity });
-    if (!isAdmin) {
-      throw new plugins.typedrequest.TypedResponseError('admin access required');
-    }
-    return identity.userId;
-  }
-
   private registerHandlers(): void {
+    // All token management endpoints register directly on adminRouter
+    // (middleware enforces admin JWT check, so no per-handler requireAdmin needed)
+    const router = this.opsServerRef.adminRouter;
+
     // Create API token
-    this.typedrouter.addTypedHandler(
+    router.addTypedHandler(
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_CreateApiToken>(
         'createApiToken',
         async (dataArg) => {
-          const userId = await this.requireAdmin(dataArg.identity);
           const manager = this.opsServerRef.dcRouterRef.apiTokenManager;
           if (!manager) {
             return { success: false, message: 'Token management not initialized' };
@@ -39,7 +25,7 @@ export class ApiTokenHandler {
             dataArg.name,
             dataArg.scopes,
             dataArg.expiresInDays ?? null,
-            userId,
+            dataArg.identity.userId,
           );
           return { success: true, tokenId: result.id, tokenValue: result.rawToken };
         },
@@ -47,11 +33,10 @@ export class ApiTokenHandler {
     );
 
     // List API tokens
-    this.typedrouter.addTypedHandler(
+    router.addTypedHandler(
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_ListApiTokens>(
         'listApiTokens',
         async (dataArg) => {
-          await this.requireAdmin(dataArg.identity);
           const manager = this.opsServerRef.dcRouterRef.apiTokenManager;
           if (!manager) {
             return { tokens: [] };
@@ -62,11 +47,10 @@ export class ApiTokenHandler {
     );
 
     // Revoke API token
-    this.typedrouter.addTypedHandler(
+    router.addTypedHandler(
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_RevokeApiToken>(
         'revokeApiToken',
         async (dataArg) => {
-          await this.requireAdmin(dataArg.identity);
           const manager = this.opsServerRef.dcRouterRef.apiTokenManager;
           if (!manager) {
             return { success: false, message: 'Token management not initialized' };
@@ -78,11 +62,10 @@ export class ApiTokenHandler {
     );
 
     // Roll API token
-    this.typedrouter.addTypedHandler(
+    router.addTypedHandler(
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_RollApiToken>(
         'rollApiToken',
         async (dataArg) => {
-          await this.requireAdmin(dataArg.identity);
           const manager = this.opsServerRef.dcRouterRef.apiTokenManager;
           if (!manager) {
             return { success: false, message: 'Token management not initialized' };
@@ -97,11 +80,10 @@ export class ApiTokenHandler {
     );
 
     // Toggle API token
-    this.typedrouter.addTypedHandler(
+    router.addTypedHandler(
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_ToggleApiToken>(
         'toggleApiToken',
         async (dataArg) => {
-          await this.requireAdmin(dataArg.identity);
           const manager = this.opsServerRef.dcRouterRef.apiTokenManager;
           if (!manager) {
             return { success: false, message: 'Token management not initialized' };

ts/opsserver/handlers/certificate.handler.ts

@@ -3,16 +3,18 @@ import type { OpsServer } from '../classes.opsserver.js';
 import * as interfaces from '../../../ts_interfaces/index.js';
 
 export class CertificateHandler {
-  public typedrouter = new plugins.typedrequest.TypedRouter();
-
   constructor(private opsServerRef: OpsServer) {
-    this.opsServerRef.typedrouter.addTypedRouter(this.typedrouter);
     this.registerHandlers();
   }
 
   private registerHandlers(): void {
+    const viewRouter = this.opsServerRef.viewRouter;
+    const adminRouter = this.opsServerRef.adminRouter;
+
+    // ---- Read endpoints (viewRouter — valid identity required via middleware) ----
+
     // Get Certificate Overview
-    this.typedrouter.addTypedHandler(
+    viewRouter.addTypedHandler(
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetCertificateOverview>(
         'getCertificateOverview',
         async (dataArg) => {
@@ -23,8 +25,10 @@ export class CertificateHandler {
       )
     );
 
+    // ---- Write endpoints (adminRouter — admin identity required via middleware) ----
+
     // Legacy route-based reprovision (backward compat)
-    this.typedrouter.addTypedHandler(
+    adminRouter.addTypedHandler(
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_ReprovisionCertificate>(
         'reprovisionCertificate',
         async (dataArg) => {
@@ -34,7 +38,7 @@ export class CertificateHandler {
     );
 
     // Domain-based reprovision (preferred)
-    this.typedrouter.addTypedHandler(
+    adminRouter.addTypedHandler(
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_ReprovisionCertificateDomain>(
         'reprovisionCertificateDomain',
         async (dataArg) => {
@@ -44,7 +48,7 @@ export class CertificateHandler {
     );
 
     // Delete certificate
-    this.typedrouter.addTypedHandler(
+    adminRouter.addTypedHandler(
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_DeleteCertificate>(
         'deleteCertificate',
         async (dataArg) => {
@@ -54,7 +58,7 @@ export class CertificateHandler {
     );
 
     // Export certificate
-    this.typedrouter.addTypedHandler(
+    adminRouter.addTypedHandler(
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_ExportCertificate>(
         'exportCertificate',
         async (dataArg) => {
@@ -64,7 +68,7 @@ export class CertificateHandler {
     );
 
     // Import certificate
-    this.typedrouter.addTypedHandler(
+    adminRouter.addTypedHandler(
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_ImportCertificate>(
         'importCertificate',
         async (dataArg) => {

ts/opsserver/handlers/config.handler.ts

@@ -4,17 +4,16 @@ import type { OpsServer } from '../classes.opsserver.js';
 import * as interfaces from '../../../ts_interfaces/index.js';
 
 export class ConfigHandler {
-  public typedrouter = new plugins.typedrequest.TypedRouter();
-
   constructor(private opsServerRef: OpsServer) {
-    // Add this handler's router to the parent
-    this.opsServerRef.typedrouter.addTypedRouter(this.typedrouter);
     this.registerHandlers();
   }
 
   private registerHandlers(): void {
+    // Config endpoint registers directly on viewRouter (valid identity required via middleware)
+    const router = this.opsServerRef.viewRouter;
+
     // Get Configuration Handler (read-only)
-    this.typedrouter.addTypedHandler(
+    router.addTypedHandler(
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetConfiguration>(
         'getConfiguration',
         async (dataArg, toolsArg) => {

ts/opsserver/handlers/email-ops.handler.ts

@@ -3,17 +3,18 @@ import type { OpsServer } from '../classes.opsserver.js';
 import * as interfaces from '../../../ts_interfaces/index.js';
 
 export class EmailOpsHandler {
-  public typedrouter = new plugins.typedrequest.TypedRouter();
-
   constructor(private opsServerRef: OpsServer) {
-    // Add this handler's router to the parent
-    this.opsServerRef.typedrouter.addTypedRouter(this.typedrouter);
     this.registerHandlers();
   }
 
   private registerHandlers(): void {
+    const viewRouter = this.opsServerRef.viewRouter;
+    const adminRouter = this.opsServerRef.adminRouter;
+
+    // ---- Read endpoints (viewRouter — valid identity required via middleware) ----
+
     // Get All Emails Handler
-    this.typedrouter.addTypedHandler(
+    viewRouter.addTypedHandler(
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetAllEmails>(
         'getAllEmails',
         async (dataArg) => {
@@ -24,7 +25,7 @@ export class EmailOpsHandler {
     );
 
     // Get Email Detail Handler
-    this.typedrouter.addTypedHandler(
+    viewRouter.addTypedHandler(
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetEmailDetail>(
         'getEmailDetail',
         async (dataArg) => {
@@ -34,8 +35,10 @@ export class EmailOpsHandler {
       )
     );
 
+    // ---- Write endpoints (adminRouter) ----
+
     // Resend Failed Email Handler
-    this.typedrouter.addTypedHandler(
+    adminRouter.addTypedHandler(
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_ResendEmail>(
         'resendEmail',
         async (dataArg) => {

ts/opsserver/handlers/logs.handler.ts

@@ -10,12 +10,9 @@ let logPushDestinationInstalled = false;
 let currentOpsServerRef: OpsServer | null = null;
 
 export class LogsHandler {
-  public typedrouter = new plugins.typedrequest.TypedRouter();
   private activeStreamStops: Set<() => void> = new Set();
 
   constructor(private opsServerRef: OpsServer) {
-    // Add this handler's router to the parent
-    this.opsServerRef.typedrouter.addTypedRouter(this.typedrouter);
     this.registerHandlers();
     this.setupLogPushDestination();
   }
@@ -35,8 +32,11 @@ export class LogsHandler {
   }
 
   private registerHandlers(): void {
+    // All log endpoints register directly on viewRouter (valid identity required via middleware)
+    const router = this.opsServerRef.viewRouter;
+
     // Get Recent Logs Handler
-    this.typedrouter.addTypedHandler(
+    router.addTypedHandler(
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetRecentLogs>(
         'getRecentLogs',
         async (dataArg, toolsArg) => {
@@ -59,7 +59,7 @@ export class LogsHandler {
     );
 
     // Get Log Stream Handler
-    this.typedrouter.addTypedHandler(
+    router.addTypedHandler(
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetLogStream>(
         'getLogStream',
         async (dataArg, toolsArg) => {

ts/opsserver/handlers/radius.handler.ts

@@ -3,21 +3,19 @@ import type { OpsServer } from '../classes.opsserver.js';
 import * as interfaces from '../../../ts_interfaces/index.js';
 
 export class RadiusHandler {
-  public typedrouter = new plugins.typedrequest.TypedRouter();
-
   constructor(private opsServerRef: OpsServer) {
-    // Add this handler's router to the parent
-    this.opsServerRef.typedrouter.addTypedRouter(this.typedrouter);
     this.registerHandlers();
   }
 
   private registerHandlers(): void {
+    const viewRouter = this.opsServerRef.viewRouter;
+    const adminRouter = this.opsServerRef.adminRouter;
     // ========================================================================
     // RADIUS Client Management
     // ========================================================================
 
-    // Get all RADIUS clients
-    this.typedrouter.addTypedHandler(
+    // Get all RADIUS clients (read)
+    viewRouter.addTypedHandler(
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetRadiusClients>(
         'getRadiusClients',
         async (dataArg, toolsArg) => {
@@ -40,8 +38,8 @@ export class RadiusHandler {
       )
     );
 
-    // Add or update a RADIUS client
-    this.typedrouter.addTypedHandler(
+    // Add or update a RADIUS client (write)
+    adminRouter.addTypedHandler(
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_SetRadiusClient>(
         'setRadiusClient',
         async (dataArg, toolsArg) => {
@@ -61,8 +59,8 @@ export class RadiusHandler {
       )
     );
 
-    // Remove a RADIUS client
-    this.typedrouter.addTypedHandler(
+    // Remove a RADIUS client (write)
+    adminRouter.addTypedHandler(
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_RemoveRadiusClient>(
         'removeRadiusClient',
         async (dataArg, toolsArg) => {
@@ -85,8 +83,8 @@ export class RadiusHandler {
     // VLAN Mapping Management
     // ========================================================================
 
-    // Get all VLAN mappings
-    this.typedrouter.addTypedHandler(
+    // Get all VLAN mappings (read)
+    viewRouter.addTypedHandler(
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetVlanMappings>(
         'getVlanMappings',
         async (dataArg, toolsArg) => {
@@ -121,8 +119,8 @@ export class RadiusHandler {
       )
     );
 
-    // Add or update a VLAN mapping
-    this.typedrouter.addTypedHandler(
+    // Add or update a VLAN mapping (write)
+    adminRouter.addTypedHandler(
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_SetVlanMapping>(
         'setVlanMapping',
         async (dataArg, toolsArg) => {
@@ -153,8 +151,8 @@ export class RadiusHandler {
       )
     );
 
-    // Remove a VLAN mapping
-    this.typedrouter.addTypedHandler(
+    // Remove a VLAN mapping (write)
+    adminRouter.addTypedHandler(
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_RemoveVlanMapping>(
         'removeVlanMapping',
         async (dataArg, toolsArg) => {
@@ -174,8 +172,8 @@ export class RadiusHandler {
       )
     );
 
-    // Update VLAN configuration
-    this.typedrouter.addTypedHandler(
+    // Update VLAN configuration (write)
+    adminRouter.addTypedHandler(
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_UpdateVlanConfig>(
         'updateVlanConfig',
         async (dataArg, toolsArg) => {
@@ -206,8 +204,8 @@ export class RadiusHandler {
       )
     );
 
-    // Test VLAN assignment
-    this.typedrouter.addTypedHandler(
+    // Test VLAN assignment (read)
+    viewRouter.addTypedHandler(
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_TestVlanAssignment>(
         'testVlanAssignment',
         async (dataArg, toolsArg) => {
@@ -240,8 +238,8 @@ export class RadiusHandler {
     // Accounting / Session Management
     // ========================================================================
 
-    // Get active sessions
-    this.typedrouter.addTypedHandler(
+    // Get active sessions (read)
+    viewRouter.addTypedHandler(
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetRadiusSessions>(
         'getRadiusSessions',
         async (dataArg, toolsArg) => {
@@ -289,8 +287,8 @@ export class RadiusHandler {
       )
     );
 
-    // Disconnect a session
-    this.typedrouter.addTypedHandler(
+    // Disconnect a session (write)
+    adminRouter.addTypedHandler(
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_DisconnectRadiusSession>(
         'disconnectRadiusSession',
         async (dataArg, toolsArg) => {
@@ -314,8 +312,8 @@ export class RadiusHandler {
       )
     );
 
-    // Get accounting summary
-    this.typedrouter.addTypedHandler(
+    // Get accounting summary (read)
+    viewRouter.addTypedHandler(
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetRadiusAccountingSummary>(
         'getRadiusAccountingSummary',
         async (dataArg, toolsArg) => {
@@ -351,8 +349,8 @@ export class RadiusHandler {
     // Statistics
     // ========================================================================
 
-    // Get RADIUS statistics
-    this.typedrouter.addTypedHandler(
+    // Get RADIUS statistics (read)
+    viewRouter.addTypedHandler(
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetRadiusStatistics>(
         'getRadiusStatistics',
         async (dataArg, toolsArg) => {

ts/opsserver/handlers/remoteingress.handler.ts

@@ -3,16 +3,18 @@ import type { OpsServer } from '../classes.opsserver.js';
 import * as interfaces from '../../../ts_interfaces/index.js';
 
 export class RemoteIngressHandler {
-  public typedrouter = new plugins.typedrequest.TypedRouter();
-
   constructor(private opsServerRef: OpsServer) {
-    this.opsServerRef.typedrouter.addTypedRouter(this.typedrouter);
     this.registerHandlers();
   }
 
   private registerHandlers(): void {
+    const viewRouter = this.opsServerRef.viewRouter;
+    const adminRouter = this.opsServerRef.adminRouter;
+
+    // ---- Read endpoints (viewRouter — valid identity required via middleware) ----
+
     // Get all remote ingress edges
-    this.typedrouter.addTypedHandler(
+    viewRouter.addTypedHandler(
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetRemoteIngresses>(
         'getRemoteIngresses',
         async (dataArg, toolsArg) => {
@@ -36,8 +38,10 @@ export class RemoteIngressHandler {
       ),
     );
 
+    // ---- Write endpoints (adminRouter) ----
+
     // Create a new remote ingress edge
-    this.typedrouter.addTypedHandler(
+    adminRouter.addTypedHandler(
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_CreateRemoteIngress>(
         'createRemoteIngress',
         async (dataArg, toolsArg) => {
@@ -69,7 +73,7 @@ export class RemoteIngressHandler {
     );
 
     // Delete a remote ingress edge
-    this.typedrouter.addTypedHandler(
+    adminRouter.addTypedHandler(
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_DeleteRemoteIngress>(
         'deleteRemoteIngress',
         async (dataArg, toolsArg) => {
@@ -94,7 +98,7 @@ export class RemoteIngressHandler {
     );
 
     // Update a remote ingress edge
-    this.typedrouter.addTypedHandler(
+    adminRouter.addTypedHandler(
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_UpdateRemoteIngress>(
         'updateRemoteIngress',
         async (dataArg, toolsArg) => {
@@ -138,7 +142,7 @@ export class RemoteIngressHandler {
     );
 
     // Regenerate secret for an edge
-    this.typedrouter.addTypedHandler(
+    adminRouter.addTypedHandler(
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_RegenerateRemoteIngressSecret>(
         'regenerateRemoteIngressSecret',
         async (dataArg, toolsArg) => {
@@ -164,8 +168,8 @@ export class RemoteIngressHandler {
       ),
     );
 
-    // Get runtime status of all edges
-    this.typedrouter.addTypedHandler(
+    // Get runtime status of all edges (read)
+    viewRouter.addTypedHandler(
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetRemoteIngressStatus>(
         'getRemoteIngressStatus',
         async (dataArg, toolsArg) => {
@@ -178,8 +182,8 @@ export class RemoteIngressHandler {
       ),
     );
 
-    // Get a connection token for an edge
-    this.typedrouter.addTypedHandler(
+    // Get a connection token for an edge (write — exposes secret)
+    adminRouter.addTypedHandler(
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetRemoteIngressConnectionToken>(
         'getRemoteIngressConnectionToken',
         async (dataArg, toolsArg) => {

ts/opsserver/handlers/security.handler.ts

@@ -4,17 +4,16 @@ import * as interfaces from '../../../ts_interfaces/index.js';
 import { MetricsManager } from '../../monitoring/index.js';
 
 export class SecurityHandler {
-  public typedrouter = new plugins.typedrequest.TypedRouter();
-  
   constructor(private opsServerRef: OpsServer) {
-    // Add this handler's router to the parent
-    this.opsServerRef.typedrouter.addTypedRouter(this.typedrouter);
     this.registerHandlers();
   }
-  
+
   private registerHandlers(): void {
+    // All security endpoints register directly on viewRouter (valid identity required via middleware)
+    const router = this.opsServerRef.viewRouter;
+
     // Security Metrics Handler
-    this.typedrouter.addTypedHandler(
+    router.addTypedHandler(
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetSecurityMetrics>(
         'getSecurityMetrics',
         async (dataArg, toolsArg) => {
@@ -40,7 +39,7 @@ export class SecurityHandler {
     );
     
     // Active Connections Handler
-    this.typedrouter.addTypedHandler(
+    router.addTypedHandler(
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetActiveConnections>(
         'getActiveConnections',
         async (dataArg, toolsArg) => {
@@ -77,8 +76,8 @@ export class SecurityHandler {
     );
     
     // Network Stats Handler - provides comprehensive network metrics
-    this.typedrouter.addTypedHandler(
-      new plugins.typedrequest.TypedHandler(
+    router.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetNetworkStats>(
         'getNetworkStats',
         async (dataArg, toolsArg) => {
           // Get network stats from MetricsManager if available
@@ -121,7 +120,7 @@ export class SecurityHandler {
     );
     
     // Rate Limit Status Handler
-    this.typedrouter.addTypedHandler(
+    router.addTypedHandler(
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetRateLimitStatus>(
         'getRateLimitStatus',
         async (dataArg, toolsArg) => {

ts/opsserver/handlers/stats.handler.ts

@@ -5,17 +5,16 @@ import { MetricsManager } from '../../monitoring/index.js';
 import { SecurityLogger } from '../../security/classes.securitylogger.js';
 
 export class StatsHandler {
-  public typedrouter = new plugins.typedrequest.TypedRouter();
-  
   constructor(private opsServerRef: OpsServer) {
-    // Add this handler's router to the parent
-    this.opsServerRef.typedrouter.addTypedRouter(this.typedrouter);
     this.registerHandlers();
   }
-  
+
   private registerHandlers(): void {
+    // All stats endpoints register directly on viewRouter (valid identity required via middleware)
+    const router = this.opsServerRef.viewRouter;
+
     // Server Statistics Handler
-    this.typedrouter.addTypedHandler(
+    router.addTypedHandler(
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetServerStatistics>(
         'getServerStatistics',
         async (dataArg, toolsArg) => {
@@ -38,7 +37,7 @@ export class StatsHandler {
     );
     
     // Email Statistics Handler
-    this.typedrouter.addTypedHandler(
+    router.addTypedHandler(
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetEmailStatistics>(
         'getEmailStatistics',
         async (dataArg, toolsArg) => {
@@ -77,7 +76,7 @@ export class StatsHandler {
     );
     
     // DNS Statistics Handler
-    this.typedrouter.addTypedHandler(
+    router.addTypedHandler(
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetDnsStatistics>(
         'getDnsStatistics',
         async (dataArg, toolsArg) => {
@@ -114,7 +113,7 @@ export class StatsHandler {
     );
     
     // Queue Status Handler
-    this.typedrouter.addTypedHandler(
+    router.addTypedHandler(
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetQueueStatus>(
         'getQueueStatus',
         async (dataArg, toolsArg) => {
@@ -142,7 +141,7 @@ export class StatsHandler {
     );
     
     // Health Status Handler
-    this.typedrouter.addTypedHandler(
+    router.addTypedHandler(
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetHealthStatus>(
         'getHealthStatus',
         async (dataArg, toolsArg) => {
@@ -167,7 +166,7 @@ export class StatsHandler {
     );
     
     // Combined Metrics Handler - More efficient for frontend polling
-    this.typedrouter.addTypedHandler(
+    router.addTypedHandler(
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetCombinedMetrics>(
         'getCombinedMetrics',
         async (dataArg, toolsArg) => {

ts/opsserver/helpers/guards.ts

@@ -22,16 +22,17 @@ export async function passGuards<T extends { identity?: any }>(
 }
 
 /**
- * Helper to check admin identity in handlers
+ * Helper to check admin identity in handlers and middleware.
+ * Accepts both optional and required identity for flexibility.
  */
-export async function requireAdminIdentity<T extends { identity?: interfaces.data.IIdentity }>(
+export async function requireAdminIdentity(
   adminHandler: AdminHandler,
-  dataArg: T
+  dataArg: { identity?: interfaces.data.IIdentity }
 ): Promise<void> {
   if (!dataArg.identity) {
     throw new plugins.typedrequest.TypedResponseError('No identity provided');
   }
-  
+
   const passed = await adminHandler.adminIdentityGuard.exec({ identity: dataArg.identity });
   if (!passed) {
     throw new plugins.typedrequest.TypedResponseError('Admin access required');
@@ -39,16 +40,17 @@ export async function requireAdminIdentity<T extends { identity?: interfaces.dat
 }
 
 /**
- * Helper to check valid identity in handlers
+ * Helper to check valid identity in handlers and middleware.
+ * Accepts both optional and required identity for flexibility.
  */
-export async function requireValidIdentity<T extends { identity?: interfaces.data.IIdentity }>(
+export async function requireValidIdentity(
   adminHandler: AdminHandler,
-  dataArg: T
+  dataArg: { identity?: interfaces.data.IIdentity }
 ): Promise<void> {
   if (!dataArg.identity) {
     throw new plugins.typedrequest.TypedResponseError('No identity provided');
   }
-  
+
   const passed = await adminHandler.validIdentityGuard.exec({ identity: dataArg.identity });
   if (!passed) {
     throw new plugins.typedrequest.TypedResponseError('Valid identity required');

ts/security/classes.securitylogger.ts

@@ -162,8 +162,9 @@ export class SecurityLogger {
       }
     }
     
-    // Return most recent events up to limit
+    // Return most recent events up to limit (slice first to avoid mutating source)
     return filteredEvents
+      .slice()
       .sort((a, b) => b.timestamp - a.timestamp)
       .slice(0, limit);
   }
@@ -249,58 +250,46 @@ export class SecurityLogger {
     topIPs: Array<{ ip: string; count: number }>;
     topDomains: Array<{ domain: string; count: number }>;
   } {
-    // Filter by time window if provided
-    let events = this.securityEvents;
-    if (timeWindow) {
-      const cutoff = Date.now() - timeWindow;
-      events = events.filter(e => e.timestamp >= cutoff);
+    const cutoff = timeWindow ? Date.now() - timeWindow : 0;
+
+    // Initialize counters
+    const byLevel = {} as Record<SecurityLogLevel, number>;
+    for (const level of Object.values(SecurityLogLevel)) {
+      byLevel[level] = 0;
+    }
+    const byType = {} as Record<SecurityEventType, number>;
+    for (const type of Object.values(SecurityEventType)) {
+      byType[type] = 0;
     }
-    
-    // Count by level
-    const byLevel = Object.values(SecurityLogLevel).reduce((acc, level) => {
-      acc[level] = events.filter(e => e.level === level).length;
-      return acc;
-    }, {} as Record<SecurityLogLevel, number>);
-    
-    // Count by type
-    const byType = Object.values(SecurityEventType).reduce((acc, type) => {
-      acc[type] = events.filter(e => e.type === type).length;
-      return acc;
-    }, {} as Record<SecurityEventType, number>);
-    
-    // Count by IP
     const ipCounts = new Map<string, number>();
-    events.forEach(e => {
+    const domainCounts = new Map<string, number>();
+
+    // Single pass over all events
+    let total = 0;
+    for (const e of this.securityEvents) {
+      if (cutoff && e.timestamp < cutoff) continue;
+      total++;
+      byLevel[e.level]++;
+      byType[e.type]++;
       if (e.ipAddress) {
         ipCounts.set(e.ipAddress, (ipCounts.get(e.ipAddress) || 0) + 1);
       }
-    });
-    
-    // Count by domain
-    const domainCounts = new Map<string, number>();
-    events.forEach(e => {
       if (e.domain) {
         domainCounts.set(e.domain, (domainCounts.get(e.domain) || 0) + 1);
       }
-    });
-    
+    }
+
     // Sort and limit top entries
     const topIPs = Array.from(ipCounts.entries())
       .map(([ip, count]) => ({ ip, count }))
       .sort((a, b) => b.count - a.count)
       .slice(0, 10);
-    
+
     const topDomains = Array.from(domainCounts.entries())
       .map(([domain, count]) => ({ domain, count }))
       .sort((a, b) => b.count - a.count)
       .slice(0, 10);
-    
-    return {
-      total: events.length,
-      byLevel,
-      byType,
-      topIPs,
-      topDomains
-    };
+
+    return { total, byLevel, byType, topIPs, topDomains };
   }
 }

ts_interfaces/requests/api-tokens.ts

@@ -16,7 +16,7 @@ export interface IReq_CreateApiToken extends plugins.typedrequestInterfaces.impl
 > {
   method: 'createApiToken';
   request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
     name: string;
     scopes: TApiTokenScope[];
     expiresInDays?: number | null;
@@ -38,7 +38,7 @@ export interface IReq_ListApiTokens extends plugins.typedrequestInterfaces.imple
 > {
   method: 'listApiTokens';
   request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
   };
   response: {
     tokens: IApiTokenInfo[];
@@ -54,7 +54,7 @@ export interface IReq_RevokeApiToken extends plugins.typedrequestInterfaces.impl
 > {
   method: 'revokeApiToken';
   request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
     id: string;
   };
   response: {
@@ -73,7 +73,7 @@ export interface IReq_RollApiToken extends plugins.typedrequestInterfaces.implem
 > {
   method: 'rollApiToken';
   request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
     id: string;
   };
   response: {
@@ -92,7 +92,7 @@ export interface IReq_ToggleApiToken extends plugins.typedrequestInterfaces.impl
 > {
   method: 'toggleApiToken';
   request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
     id: string;
     enabled: boolean;
   };

ts_interfaces/requests/certificate.ts

@@ -28,7 +28,7 @@ export interface IReq_GetCertificateOverview extends plugins.typedrequestInterfa
 > {
   method: 'getCertificateOverview';
   request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
   };
   response: {
     certificates: ICertificateInfo[];
@@ -50,7 +50,7 @@ export interface IReq_ReprovisionCertificate extends plugins.typedrequestInterfa
 > {
   method: 'reprovisionCertificate';
   request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
     routeName: string;
   };
   response: {
@@ -66,7 +66,7 @@ export interface IReq_ReprovisionCertificateDomain extends plugins.typedrequestI
 > {
   method: 'reprovisionCertificateDomain';
   request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
     domain: string;
   };
   response: {
@@ -82,7 +82,7 @@ export interface IReq_DeleteCertificate extends plugins.typedrequestInterfaces.i
 > {
   method: 'deleteCertificate';
   request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
     domain: string;
   };
   response: {
@@ -98,7 +98,7 @@ export interface IReq_ExportCertificate extends plugins.typedrequestInterfaces.i
 > {
   method: 'exportCertificate';
   request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
     domain: string;
   };
   response: {
@@ -123,7 +123,7 @@ export interface IReq_ImportCertificate extends plugins.typedrequestInterfaces.i
 > {
   method: 'importCertificate';
   request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
     cert: {
       id: string;
       domainName: string;

ts_interfaces/requests/config.ts

@@ -81,7 +81,7 @@ export interface IReq_GetConfiguration extends plugins.typedrequestInterfaces.im
 > {
   method: 'getConfiguration';
   request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
     section?: string;
   };
   response: {

ts_interfaces/requests/email-ops.ts

@@ -68,7 +68,7 @@ export interface IReq_GetAllEmails extends plugins.typedrequestInterfaces.implem
 > {
   method: 'getAllEmails';
   request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
   };
   response: {
     emails: IEmail[];
@@ -84,7 +84,7 @@ export interface IReq_GetEmailDetail extends plugins.typedrequestInterfaces.impl
 > {
   method: 'getEmailDetail';
   request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
     emailId: string;
   };
   response: {
@@ -101,7 +101,7 @@ export interface IReq_ResendEmail extends plugins.typedrequestInterfaces.impleme
 > {
   method: 'resendEmail';
   request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
     emailId: string;
   };
   response: {

ts_interfaces/requests/logs.ts

@@ -9,7 +9,7 @@ export interface IReq_GetRecentLogs extends plugins.typedrequestInterfaces.imple
 > {
   method: 'getRecentLogs';
   request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
     level?: 'debug' | 'info' | 'warn' | 'error';
     category?: 'smtp' | 'dns' | 'security' | 'system' | 'email';
     limit?: number;
@@ -31,7 +31,7 @@ export interface IReq_GetLogStream extends plugins.typedrequestInterfaces.implem
 > {
   method: 'getLogStream';
   request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
     follow?: boolean;
     filters?: {
       level?: string[];

ts_interfaces/requests/radius.ts

@@ -14,7 +14,7 @@ export interface IReq_GetRadiusClients extends plugins.typedrequestInterfaces.im
 > {
   method: 'getRadiusClients';
   request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
   };
   response: {
     clients: Array<{
@@ -35,7 +35,7 @@ export interface IReq_SetRadiusClient extends plugins.typedrequestInterfaces.imp
 > {
   method: 'setRadiusClient';
   request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
     client: {
       name: string;
       ipRange: string;
@@ -59,7 +59,7 @@ export interface IReq_RemoveRadiusClient extends plugins.typedrequestInterfaces.
 > {
   method: 'removeRadiusClient';
   request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
     name: string;
   };
   response: {
@@ -81,7 +81,7 @@ export interface IReq_GetVlanMappings extends plugins.typedrequestInterfaces.imp
 > {
   method: 'getVlanMappings';
   request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
   };
   response: {
     mappings: Array<{
@@ -108,7 +108,7 @@ export interface IReq_SetVlanMapping extends plugins.typedrequestInterfaces.impl
 > {
   method: 'setVlanMapping';
   request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
     mapping: {
       mac: string;
       vlan: number;
@@ -139,7 +139,7 @@ export interface IReq_RemoveVlanMapping extends plugins.typedrequestInterfaces.i
 > {
   method: 'removeVlanMapping';
   request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
     mac: string;
   };
   response: {
@@ -157,7 +157,7 @@ export interface IReq_UpdateVlanConfig extends plugins.typedrequestInterfaces.im
 > {
   method: 'updateVlanConfig';
   request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
     defaultVlan?: number;
     allowUnknownMacs?: boolean;
   };
@@ -179,7 +179,7 @@ export interface IReq_TestVlanAssignment extends plugins.typedrequestInterfaces.
 > {
   method: 'testVlanAssignment';
   request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
     mac: string;
   };
   response: {
@@ -207,7 +207,7 @@ export interface IReq_GetRadiusSessions extends plugins.typedrequestInterfaces.i
 > {
   method: 'getRadiusSessions';
   request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
     filter?: {
       username?: string;
       nasIpAddress?: string;
@@ -243,7 +243,7 @@ export interface IReq_DisconnectRadiusSession extends plugins.typedrequestInterf
 > {
   method: 'disconnectRadiusSession';
   request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
     sessionId: string;
     reason?: string;
   };
@@ -262,7 +262,7 @@ export interface IReq_GetRadiusAccountingSummary extends plugins.typedrequestInt
 > {
   method: 'getRadiusAccountingSummary';
   request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
     startTime: number;
     endTime: number;
   };
@@ -296,7 +296,7 @@ export interface IReq_GetRadiusStatistics extends plugins.typedrequestInterfaces
 > {
   method: 'getRadiusStatistics';
   request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
   };
   response: {
     stats: {

ts_interfaces/requests/remoteingress.ts

@@ -15,7 +15,7 @@ export interface IReq_CreateRemoteIngress extends plugins.typedrequestInterfaces
 > {
   method: 'createRemoteIngress';
   request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
     name: string;
     listenPorts?: number[];
     autoDerivePorts?: boolean;
@@ -36,7 +36,7 @@ export interface IReq_DeleteRemoteIngress extends plugins.typedrequestInterfaces
 > {
   method: 'deleteRemoteIngress';
   request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
     id: string;
   };
   response: {
@@ -54,7 +54,7 @@ export interface IReq_UpdateRemoteIngress extends plugins.typedrequestInterfaces
 > {
   method: 'updateRemoteIngress';
   request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
     id: string;
     name?: string;
     listenPorts?: number[];
@@ -77,7 +77,7 @@ export interface IReq_RegenerateRemoteIngressSecret extends plugins.typedrequest
 > {
   method: 'regenerateRemoteIngressSecret';
   request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
     id: string;
   };
   response: {
@@ -95,7 +95,7 @@ export interface IReq_GetRemoteIngresses extends plugins.typedrequestInterfaces.
 > {
   method: 'getRemoteIngresses';
   request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
   };
   response: {
     edges: IRemoteIngress[];
@@ -111,7 +111,7 @@ export interface IReq_GetRemoteIngressStatus extends plugins.typedrequestInterfa
 > {
   method: 'getRemoteIngressStatus';
   request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
   };
   response: {
     statuses: IRemoteIngressStatus[];
@@ -128,7 +128,7 @@ export interface IReq_GetRemoteIngressConnectionToken extends plugins.typedreque
 > {
   method: 'getRemoteIngressConnectionToken';
   request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
     edgeId: string;
     hubHost?: string;
   };

ts_interfaces/requests/stats.ts

@@ -9,7 +9,7 @@ export interface IReq_GetServerStatistics extends plugins.typedrequestInterfaces
 > {
   method: 'getServerStatistics';
   request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
     includeHistory?: boolean;
     timeRange?: '1h' | '6h' | '24h' | '7d' | '30d';
   };
@@ -29,7 +29,7 @@ export interface IReq_GetEmailStatistics extends plugins.typedrequestInterfaces.
 > {
   method: 'getEmailStatistics';
   request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
     timeRange?: '1h' | '6h' | '24h' | '7d' | '30d';
     domain?: string;
     includeDetails?: boolean;
@@ -49,7 +49,7 @@ export interface IReq_GetDnsStatistics extends plugins.typedrequestInterfaces.im
 > {
   method: 'getDnsStatistics';
   request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
     timeRange?: '1h' | '6h' | '24h' | '7d' | '30d';
     domain?: string;
     includeQueryTypes?: boolean;
@@ -69,7 +69,7 @@ export interface IReq_GetRateLimitStatus extends plugins.typedrequestInterfaces.
 > {
   method: 'getRateLimitStatus';
   request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
     domain?: string;
     ip?: string;
     includeBlocked?: boolean;
@@ -91,7 +91,7 @@ export interface IReq_GetSecurityMetrics extends plugins.typedrequestInterfaces.
 > {
   method: 'getSecurityMetrics';
   request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
     timeRange?: '1h' | '6h' | '24h' | '7d' | '30d';
     includeDetails?: boolean;
   };
@@ -112,7 +112,7 @@ export interface IReq_GetActiveConnections extends plugins.typedrequestInterface
 > {
   method: 'getActiveConnections';
   request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
     protocol?: 'smtp' | 'smtps' | 'http' | 'https';
     state?: string;
   };
@@ -137,7 +137,7 @@ export interface IReq_GetQueueStatus extends plugins.typedrequestInterfaces.impl
 > {
   method: 'getQueueStatus';
   request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
     queueName?: string;
   };
   response: {
@@ -153,10 +153,31 @@ export interface IReq_GetHealthStatus extends plugins.typedrequestInterfaces.imp
 > {
   method: 'getHealthStatus';
   request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
     detailed?: boolean;
   };
   response: {
     health: statsInterfaces.IHealthStatus;
   };
+}
+
+// Network Stats (raw SmartProxy network data)
+export interface IReq_GetNetworkStats extends plugins.typedrequestInterfaces.implementsTR<
+  plugins.typedrequestInterfaces.ITypedRequest,
+  IReq_GetNetworkStats
+> {
+  method: 'getNetworkStats';
+  request: {
+    identity: authInterfaces.IIdentity;
+  };
+  response: {
+    connectionsByIP: Array<{ ip: string; count: number }>;
+    throughputRate: { bytesInPerSecond: number; bytesOutPerSecond: number };
+    topIPs: Array<{ ip: string; count: number }>;
+    totalDataTransferred: { bytesIn: number; bytesOut: number };
+    throughputHistory: Array<{ timestamp: number; in: number; out: number }>;
+    throughputByIP: Array<{ ip: string; in: number; out: number }>;
+    requestsPerSecond: number;
+    requestsTotal: number;
+  };
 }

ts_web/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@serve.zone/dcrouter',
-  version: '10.1.2',
+  version: '11.0.0',
   description: 'A multifaceted routing service handling mail and SMS delivery functions.'
 }

ts_web/appstate.ts

@@ -298,8 +298,8 @@ export const logoutAction = loginStatePart.createAction(async (statePartArg) =>
 // Fetch All Stats Action - Using combined endpoint for efficiency
 export const fetchAllStatsAction = statsStatePart.createAction(async (statePartArg) => {
   const context = getActionContext();
-  
   const currentState = statePartArg.getState();
+  if (!context.identity) return currentState;
 
   try {
     // Use combined metrics endpoint - single request instead of 4
@@ -340,8 +340,8 @@ export const fetchAllStatsAction = statsStatePart.createAction(async (statePartA
 // Fetch Configuration Action (read-only)
 export const fetchConfigurationAction = configStatePart.createAction(async (statePartArg) => {
   const context = getActionContext();
-
   const currentState = statePartArg.getState();
+  if (!context.identity) return currentState;
 
   try {
     const configRequest = new plugins.domtools.plugins.typedrequest.TypedRequest<
@@ -373,6 +373,7 @@ export const fetchRecentLogsAction = logStatePart.createAction<{
   category?: 'smtp' | 'dns' | 'security' | 'system' | 'email';
 }>(async (statePartArg, dataArg) => {
   const context = getActionContext();
+  if (!context.identity) return statePartArg.getState();
 
   const logsRequest = new plugins.domtools.plugins.typedrequest.TypedRequest<
     interfaces.requests.IReq_GetRecentLogs
@@ -448,8 +449,8 @@ export const setActiveViewAction = uiStatePart.createAction<string>(async (state
 // Fetch Network Stats Action
 export const fetchNetworkStatsAction = networkStatePart.createAction(async (statePartArg) => {
   const context = getActionContext();
-  
   const currentState = statePartArg.getState();
+  if (!context.identity) return currentState;
 
   try {
     // Fetch active connections using the existing endpoint
@@ -522,6 +523,7 @@ export const fetchNetworkStatsAction = networkStatePart.createAction(async (stat
 export const fetchAllEmailsAction = emailOpsStatePart.createAction(async (statePartArg) => {
   const context = getActionContext();
   const currentState = statePartArg.getState();
+  if (!context.identity) return currentState;
 
   try {
     const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
@@ -554,6 +556,7 @@ export const fetchAllEmailsAction = emailOpsStatePart.createAction(async (stateP
 export const fetchCertificateOverviewAction = certificateStatePart.createAction(async (statePartArg) => {
   const context = getActionContext();
   const currentState = statePartArg.getState();
+  if (!context.identity) return currentState;
 
   try {
     const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
@@ -581,7 +584,7 @@ export const fetchCertificateOverviewAction = certificateStatePart.createAction(
 });
 
 export const reprovisionCertificateAction = certificateStatePart.createAction<string>(
-  async (statePartArg, domain) => {
+  async (statePartArg, domain, actionContext) => {
     const context = getActionContext();
     const currentState = statePartArg.getState();
 
@@ -596,8 +599,7 @@ export const reprovisionCertificateAction = certificateStatePart.createAction<st
       });
 
       // Re-fetch overview after reprovisioning
-      await certificateStatePart.dispatchAction(fetchCertificateOverviewAction, null);
-      return statePartArg.getState();
+      return await actionContext.dispatch(fetchCertificateOverviewAction, null);
     } catch (error) {
       return {
         ...currentState,
@@ -608,7 +610,7 @@ export const reprovisionCertificateAction = certificateStatePart.createAction<st
 );
 
 export const deleteCertificateAction = certificateStatePart.createAction<string>(
-  async (statePartArg, domain) => {
+  async (statePartArg, domain, actionContext) => {
     const context = getActionContext();
     const currentState = statePartArg.getState();
 
@@ -623,8 +625,7 @@ export const deleteCertificateAction = certificateStatePart.createAction<string>
       });
 
       // Re-fetch overview after deletion
-      await certificateStatePart.dispatchAction(fetchCertificateOverviewAction, null);
-      return statePartArg.getState();
+      return await actionContext.dispatch(fetchCertificateOverviewAction, null);
     } catch (error) {
       return {
         ...currentState,
@@ -643,7 +644,7 @@ export const importCertificateAction = certificateStatePart.createAction<{
   publicKey: string;
   csr: string;
 }>(
-  async (statePartArg, cert) => {
+  async (statePartArg, cert, actionContext) => {
     const context = getActionContext();
     const currentState = statePartArg.getState();
 
@@ -658,8 +659,7 @@ export const importCertificateAction = certificateStatePart.createAction<{
       });
 
       // Re-fetch overview after import
-      await certificateStatePart.dispatchAction(fetchCertificateOverviewAction, null);
-      return statePartArg.getState();
+      return await actionContext.dispatch(fetchCertificateOverviewAction, null);
     } catch (error) {
       return {
         ...currentState,
@@ -700,6 +700,7 @@ export async function fetchConnectionToken(edgeId: string) {
 export const fetchRemoteIngressAction = remoteIngressStatePart.createAction(async (statePartArg) => {
   const context = getActionContext();
   const currentState = statePartArg.getState();
+  if (!context.identity) return currentState;
 
   try {
     const edgesRequest = new plugins.domtools.plugins.typedrequest.TypedRequest<
@@ -737,7 +738,7 @@ export const createRemoteIngressAction = remoteIngressStatePart.createAction<{
   listenPorts?: number[];
   autoDerivePorts?: boolean;
   tags?: string[];
-}>(async (statePartArg, dataArg) => {
+}>(async (statePartArg, dataArg, actionContext) => {
   const context = getActionContext();
   const currentState = statePartArg.getState();
 
@@ -756,7 +757,7 @@ export const createRemoteIngressAction = remoteIngressStatePart.createAction<{
 
     if (response.success) {
       // Refresh the list
-      await remoteIngressStatePart.dispatchAction(fetchRemoteIngressAction, null);
+      await actionContext.dispatch(fetchRemoteIngressAction, null);
 
       return {
         ...statePartArg.getState(),
@@ -774,7 +775,7 @@ export const createRemoteIngressAction = remoteIngressStatePart.createAction<{
 });
 
 export const deleteRemoteIngressAction = remoteIngressStatePart.createAction<string>(
-  async (statePartArg, edgeId) => {
+  async (statePartArg, edgeId, actionContext) => {
     const context = getActionContext();
     const currentState = statePartArg.getState();
 
@@ -788,8 +789,7 @@ export const deleteRemoteIngressAction = remoteIngressStatePart.createAction<str
         id: edgeId,
       });
 
-      await remoteIngressStatePart.dispatchAction(fetchRemoteIngressAction, null);
-      return statePartArg.getState();
+      return await actionContext.dispatch(fetchRemoteIngressAction, null);
     } catch (error) {
       return {
         ...currentState,
@@ -805,7 +805,7 @@ export const updateRemoteIngressAction = remoteIngressStatePart.createAction<{
   listenPorts?: number[];
   autoDerivePorts?: boolean;
   tags?: string[];
-}>(async (statePartArg, dataArg) => {
+}>(async (statePartArg, dataArg, actionContext) => {
   const context = getActionContext();
   const currentState = statePartArg.getState();
 
@@ -823,8 +823,7 @@ export const updateRemoteIngressAction = remoteIngressStatePart.createAction<{
       tags: dataArg.tags,
     });
 
-    await remoteIngressStatePart.dispatchAction(fetchRemoteIngressAction, null);
-    return statePartArg.getState();
+    return await actionContext.dispatch(fetchRemoteIngressAction, null);
   } catch (error) {
     return {
       ...currentState,
@@ -877,7 +876,7 @@ export const clearNewEdgeIdAction = remoteIngressStatePart.createAction(
 export const toggleRemoteIngressAction = remoteIngressStatePart.createAction<{
   id: string;
   enabled: boolean;
-}>(async (statePartArg, dataArg) => {
+}>(async (statePartArg, dataArg, actionContext) => {
   const context = getActionContext();
   const currentState = statePartArg.getState();
 
@@ -892,8 +891,7 @@ export const toggleRemoteIngressAction = remoteIngressStatePart.createAction<{
       enabled: dataArg.enabled,
     });
 
-    await remoteIngressStatePart.dispatchAction(fetchRemoteIngressAction, null);
-    return statePartArg.getState();
+    return await actionContext.dispatch(fetchRemoteIngressAction, null);
   } catch (error) {
     return {
       ...currentState,
@@ -909,6 +907,7 @@ export const toggleRemoteIngressAction = remoteIngressStatePart.createAction<{
 export const fetchMergedRoutesAction = routeManagementStatePart.createAction(async (statePartArg) => {
   const context = getActionContext();
   const currentState = statePartArg.getState();
+  if (!context.identity) return currentState;
 
   try {
     const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
@@ -939,7 +938,7 @@ export const fetchMergedRoutesAction = routeManagementStatePart.createAction(asy
 export const createRouteAction = routeManagementStatePart.createAction<{
   route: any;
   enabled?: boolean;
-}>(async (statePartArg, dataArg) => {
+}>(async (statePartArg, dataArg, actionContext) => {
   const context = getActionContext();
   const currentState = statePartArg.getState();
 
@@ -954,8 +953,7 @@ export const createRouteAction = routeManagementStatePart.createAction<{
       enabled: dataArg.enabled,
     });
 
-    await routeManagementStatePart.dispatchAction(fetchMergedRoutesAction, null);
-    return statePartArg.getState();
+    return await actionContext.dispatch(fetchMergedRoutesAction, null);
   } catch (error) {
     return {
       ...currentState,
@@ -965,7 +963,7 @@ export const createRouteAction = routeManagementStatePart.createAction<{
 });
 
 export const deleteRouteAction = routeManagementStatePart.createAction<string>(
-  async (statePartArg, routeId) => {
+  async (statePartArg, routeId, actionContext) => {
     const context = getActionContext();
     const currentState = statePartArg.getState();
 
@@ -979,8 +977,7 @@ export const deleteRouteAction = routeManagementStatePart.createAction<string>(
         id: routeId,
       });
 
-      await routeManagementStatePart.dispatchAction(fetchMergedRoutesAction, null);
-      return statePartArg.getState();
+      return await actionContext.dispatch(fetchMergedRoutesAction, null);
     } catch (error) {
       return {
         ...currentState,
@@ -993,7 +990,7 @@ export const deleteRouteAction = routeManagementStatePart.createAction<string>(
 export const toggleRouteAction = routeManagementStatePart.createAction<{
   id: string;
   enabled: boolean;
-}>(async (statePartArg, dataArg) => {
+}>(async (statePartArg, dataArg, actionContext) => {
   const context = getActionContext();
   const currentState = statePartArg.getState();
 
@@ -1008,8 +1005,7 @@ export const toggleRouteAction = routeManagementStatePart.createAction<{
       enabled: dataArg.enabled,
     });
 
-    await routeManagementStatePart.dispatchAction(fetchMergedRoutesAction, null);
-    return statePartArg.getState();
+    return await actionContext.dispatch(fetchMergedRoutesAction, null);
   } catch (error) {
     return {
       ...currentState,
@@ -1021,7 +1017,7 @@ export const toggleRouteAction = routeManagementStatePart.createAction<{
 export const setRouteOverrideAction = routeManagementStatePart.createAction<{
   routeName: string;
   enabled: boolean;
-}>(async (statePartArg, dataArg) => {
+}>(async (statePartArg, dataArg, actionContext) => {
   const context = getActionContext();
   const currentState = statePartArg.getState();
 
@@ -1036,8 +1032,7 @@ export const setRouteOverrideAction = routeManagementStatePart.createAction<{
       enabled: dataArg.enabled,
     });
 
-    await routeManagementStatePart.dispatchAction(fetchMergedRoutesAction, null);
-    return statePartArg.getState();
+    return await actionContext.dispatch(fetchMergedRoutesAction, null);
   } catch (error) {
     return {
       ...currentState,
@@ -1047,7 +1042,7 @@ export const setRouteOverrideAction = routeManagementStatePart.createAction<{
 });
 
 export const removeRouteOverrideAction = routeManagementStatePart.createAction<string>(
-  async (statePartArg, routeName) => {
+  async (statePartArg, routeName, actionContext) => {
     const context = getActionContext();
     const currentState = statePartArg.getState();
 
@@ -1061,8 +1056,7 @@ export const removeRouteOverrideAction = routeManagementStatePart.createAction<s
         routeName,
       });
 
-      await routeManagementStatePart.dispatchAction(fetchMergedRoutesAction, null);
-      return statePartArg.getState();
+      return await actionContext.dispatch(fetchMergedRoutesAction, null);
     } catch (error) {
       return {
         ...currentState,
@@ -1079,6 +1073,7 @@ export const removeRouteOverrideAction = routeManagementStatePart.createAction<s
 export const fetchApiTokensAction = routeManagementStatePart.createAction(async (statePartArg) => {
   const context = getActionContext();
   const currentState = statePartArg.getState();
+  if (!context.identity) return currentState;
 
   try {
     const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
@@ -1128,7 +1123,7 @@ export async function rollApiToken(id: string) {
 }
 
 export const revokeApiTokenAction = routeManagementStatePart.createAction<string>(
-  async (statePartArg, tokenId) => {
+  async (statePartArg, tokenId, actionContext) => {
     const context = getActionContext();
     const currentState = statePartArg.getState();
 
@@ -1142,8 +1137,7 @@ export const revokeApiTokenAction = routeManagementStatePart.createAction<string
         id: tokenId,
       });
 
-      await routeManagementStatePart.dispatchAction(fetchApiTokensAction, null);
-      return statePartArg.getState();
+      return await actionContext.dispatch(fetchApiTokensAction, null);
     } catch (error) {
       return {
         ...currentState,
@@ -1156,7 +1150,7 @@ export const revokeApiTokenAction = routeManagementStatePart.createAction<string
 export const toggleApiTokenAction = routeManagementStatePart.createAction<{
   id: string;
   enabled: boolean;
-}>(async (statePartArg, dataArg) => {
+}>(async (statePartArg, dataArg, actionContext) => {
   const context = getActionContext();
   const currentState = statePartArg.getState();
 
@@ -1171,8 +1165,7 @@ export const toggleApiTokenAction = routeManagementStatePart.createAction<{
       enabled: dataArg.enabled,
     });
 
-    await routeManagementStatePart.dispatchAction(fetchApiTokensAction, null);
-    return statePartArg.getState();
+    return await actionContext.dispatch(fetchApiTokensAction, null);
   } catch (error) {
     return {
       ...currentState,
@@ -1233,8 +1226,9 @@ async function disconnectSocket() {
 // Combined refresh action for efficient polling
 async function dispatchCombinedRefreshAction() {
   const context = getActionContext();
+  if (!context.identity) return;
   const currentView = uiStatePart.getState().activeView;
-  
+
   try {
     // Always fetch basic stats for dashboard widgets
     const combinedRequest = new plugins.domtools.plugins.typedrequest.TypedRequest<

ts_web/elements/ops-view-apitokens.ts

@@ -154,7 +154,7 @@ export class OpsViewApiTokens extends DeesElement {
             },
             {
               name: 'Roll',
-              iconName: 'lucide:rotate-cw',
+              iconName: 'lucide:rotateCw',
               type: ['inRow', 'contextmenu'] as any,
               actionFunc: async (actionData: any) => {
                 const token = actionData.item as interfaces.data.IApiTokenInfo;
@@ -306,7 +306,7 @@ export class OpsViewApiTokens extends DeesElement {
         },
         {
           name: 'Roll Token',
-          iconName: 'lucide:rotate-cw',
+          iconName: 'lucide:rotateCw',
           action: async (modalArg: any) => {
             await modalArg.destroy();
             try {