v11.6.0

changelog.md

@@ -1,5 +1,32 @@
 # Changelog
 
+## 2026-03-19 - 11.6.0 - feat(http3)
+add automatic HTTP/3 route augmentation for qualifying HTTPS routes
+
+- introduce configurable HTTP/3 augmentation utilities for eligible SmartProxy routes on port 443
+- apply HTTP/3 settings to both constructor-defined and stored programmatic routes, with global and per-route opt-out support
+- export the HTTP/3 config type and add test coverage for qualification, augmentation behavior, and defaults
+- bump @push.rocks/smartproxy to ^25.15.0 for HTTP/3-related support
+
+## 2026-03-19 - 11.5.1 - fix(project)
+no changes to commit
+
+
+## 2026-03-19 - 11.5.0 - feat(opsserver)
+add configurable OpsServer port and update related tests and documentation
+
+- introduces an optional `opsServerPort` configuration that overrides the default OpsServer port 3000
+- updates OpsServer startup logic to use the configured port
+- adjusts integration tests to run against dedicated OpsServer ports to avoid conflicts
+- documents the new OpsServer port option in the README and TypeScript docs
+- includes dependency updates and a remote ingress port range type refinement
+
+## 2026-03-19 - 11.4.0 - feat(docs)
+document OCI container deployment and enable verbose docker build scripts
+
+- adds a new README section covering Docker/OCI container deployment, environment variables, and image build/push commands
+- updates docker build and release npm scripts to pass the --verbose flag for more detailed output
+
 ## 2026-03-18 - 11.3.0 - feat(docker)
 add OCI container startup configuration and migrate Docker release pipeline to tsdocker
 

package.json

@@ -1,7 +1,7 @@
 {
   "name": "@serve.zone/dcrouter",
   "private": false,
-  "version": "11.3.0",
+  "version": "11.6.0",
   "description": "A multifaceted routing service handling mail and SMS delivery functions.",
   "type": "module",
   "exports": {
@@ -16,8 +16,8 @@
     "start": "(node --max_old_space_size=250 ./cli.js)",
     "startTs": "(node cli.ts.js)",
     "build": "(tsbuild tsfolders --allowimplicitany && npm run bundle)",
-    "build:docker": "tsdocker build",
-    "release:docker": "tsdocker push",
+    "build:docker": "tsdocker build --verbose",
+    "release:docker": "tsdocker push --verbose",
     "bundle": "(tsbundle)",
     "watch": "tswatch"
   },
@@ -25,7 +25,7 @@
     "@git.zone/tsbuild": "^4.3.0",
     "@git.zone/tsbundle": "^2.9.1",
     "@git.zone/tsrun": "^2.0.1",
-    "@git.zone/tstest": "^3.3.2",
+    "@git.zone/tstest": "^3.5.0",
     "@git.zone/tswatch": "^3.3.0",
     "@types/node": "^25.5.0"
   },
@@ -40,7 +40,7 @@
     "@push.rocks/lik": "^6.3.1",
     "@push.rocks/projectinfo": "^5.0.2",
     "@push.rocks/qenv": "^6.1.3",
-    "@push.rocks/smartacme": "^9.1.3",
+    "@push.rocks/smartacme": "^9.3.0",
     "@push.rocks/smartdata": "^7.1.0",
     "@push.rocks/smartdns": "^7.9.0",
     "@push.rocks/smartfile": "^13.1.2",
@@ -53,15 +53,15 @@
     "@push.rocks/smartnetwork": "^4.4.0",
     "@push.rocks/smartpath": "^6.0.0",
     "@push.rocks/smartpromise": "^4.2.3",
-    "@push.rocks/smartproxy": "^25.11.24",
+    "@push.rocks/smartproxy": "^25.15.0",
     "@push.rocks/smartradius": "^1.1.1",
     "@push.rocks/smartrequest": "^5.0.1",
     "@push.rocks/smartrx": "^3.0.10",
     "@push.rocks/smartstate": "^2.2.0",
     "@push.rocks/smartunique": "^3.0.9",
-    "@serve.zone/catalog": "^2.7.0",
+    "@serve.zone/catalog": "^2.9.0",
     "@serve.zone/interfaces": "^5.3.0",
-    "@serve.zone/remoteingress": "^4.9.0",
+    "@serve.zone/remoteingress": "^4.13.0",
     "@tsclass/tsclass": "^9.4.0",
     "lru-cache": "^11.2.7",
     "uuid": "^13.0.0"

readme.md

@@ -30,6 +30,7 @@ For reporting bugs, issues, or security vulnerabilities, please visit [community
 - [API Reference](#api-reference)
 - [Sub-Modules](#sub-modules)
 - [Testing](#testing)
+- [Docker / OCI Container Deployment](#docker--oci-container-deployment)
 - [License and Legal Information](#license-and-legal-information)
 
 ## Features
@@ -343,7 +344,7 @@ graph TB
 
 DcRouter acts purely as an **orchestrator** — it doesn't implement protocols itself. Instead, it wires together best-in-class packages for each protocol:
 
-1. **On `start()`**: DcRouter initializes OpsServer (port 3000), then spins up SmartProxy, smartmta, SmartDNS, SmartRadius, and RemoteIngress based on which configs are provided.
+1. **On `start()`**: DcRouter initializes OpsServer (default port 3000, configurable via `opsServerPort`), then spins up SmartProxy, smartmta, SmartDNS, SmartRadius, and RemoteIngress based on which configs are provided.
 2. **During operation**: Each service handles its own protocol independently. SmartProxy uses a Rust-powered engine for maximum throughput. smartmta uses a hybrid TypeScript + Rust architecture for reliable email delivery. RemoteIngress runs a Rust data plane for edge tunnel networking. SmartAcme v9 handles all certificate operations with built-in concurrency control and rate limiting.
 3. **On `stop()`**: All services are gracefully shut down in parallel, including cleanup of HTTP agents and DNS clients.
 
@@ -424,6 +425,10 @@ interface IDcRouterOptions {
     };
   };
 
+  // ── OpsServer ────────────────────────────────────────────────
+  /** Port for the OpsServer web dashboard (default: 3000) */
+  opsServerPort?: number;
+
   // ── TLS & Certificates ────────────────────────────────────────
   tls?: {
     contactEmail: string;
@@ -1015,7 +1020,7 @@ action: {
 
 ## OpsServer Dashboard
 
-The OpsServer provides a web-based management interface served on port 3000. It's built with modern web components using [@design.estate/dees-catalog](https://code.foss.global/design.estate/dees-catalog).
+The OpsServer provides a web-based management interface served on port 3000 by default (configurable via `opsServerPort`). It's built with modern web components using [@design.estate/dees-catalog](https://code.foss.global/design.estate/dees-catalog).
 
 ### Dashboard Views
 
@@ -1278,6 +1283,49 @@ tstest test/test.opsserver-api.ts --verbose --timeout 60
 | `test.protected-endpoint.ts` | Admin auth, identity verification, public endpoints | 8 |
 | `test.storagemanager.ts` | Memory, filesystem, custom backends, concurrency | 8 |
 
+## Docker / OCI Container Deployment
+
+DcRouter ships with a `Dockerfile` and supports environment-variable-driven configuration for OCI container deployments. When `DCROUTER_MODE=OCI_CONTAINER` is set, DcRouter automatically reads configuration from environment variables (and optionally from a JSON config file).
+
+### Running with Docker
+
+```bash
+docker run -d \
+  -e DCROUTER_MODE=OCI_CONTAINER \
+  -e DCROUTER_TLS_EMAIL=admin@example.com \
+  -e DCROUTER_PUBLIC_IP=203.0.113.1 \
+  -e DCROUTER_DNS_NS_DOMAINS=ns1.example.com,ns2.example.com \
+  -e DCROUTER_DNS_SCOPES=example.com \
+  -p 80:80 -p 443:443 -p 25:25 -p 53:53/udp -p 3000:3000 \
+  code.foss.global/serve.zone/dcrouter:latest
+```
+
+### Environment Variables
+
+| Variable | Description | Example |
+|----------|-------------|---------|
+| `DCROUTER_MODE` | Set to `OCI_CONTAINER` to enable container mode | `OCI_CONTAINER` |
+| `DCROUTER_CONFIG_PATH` | Path to a JSON config file (loaded as base, env vars override) | `/config/dcrouter.json` |
+| `DCROUTER_BASE_DIR` | Override base data directory | `/data/dcrouter` |
+| `DCROUTER_TLS_EMAIL` | ACME contact email | `admin@example.com` |
+| `DCROUTER_TLS_DOMAIN` | Primary TLS domain | `example.com` |
+| `DCROUTER_PUBLIC_IP` | Public IP for DNS records | `203.0.113.1` |
+| `DCROUTER_PROXY_IPS` | Comma-separated ingress proxy IPs | `198.51.100.1,198.51.100.2` |
+| `DCROUTER_DNS_NS_DOMAINS` | Comma-separated nameserver domains | `ns1.example.com,ns2.example.com` |
+| `DCROUTER_DNS_SCOPES` | Comma-separated authoritative domains | `example.com,other.com` |
+| `DCROUTER_EMAIL_HOSTNAME` | SMTP server hostname | `mail.example.com` |
+| `DCROUTER_EMAIL_PORTS` | Comma-separated email ports | `25,587,465` |
+| `DCROUTER_CACHE_ENABLED` | Enable/disable cache database | `true` |
+
+### Building the Image
+
+```bash
+pnpm run build:docker    # Build the container image
+pnpm run release:docker  # Push to registry
+```
+
+The Docker build supports multi-platform (`linux/amd64`, `linux/arm64`) via [tsdocker](https://code.foss.global/git.zone/tsdocker).
+
 ## License and Legal Information
 
 This repository contains open-source code licensed under the MIT License. A copy of the license can be found in the [LICENSE](./LICENSE) file.
@@ -1292,7 +1340,7 @@ Use of these trademarks must comply with Task Venture Capital GmbH's Trademark G
 
 ### Company Information
 
-Task Venture Capital GmbH
+Task Venture Capital GmbH  
 Registered at District Court Bremen HRB 35230 HB, Germany
 
 For any legal inquiries or further information, please contact us via email at hello@task.vc.

test/test.dcrouter.email.ts

@@ -129,6 +129,7 @@ tap.test('DcRouter class - Email config with domains and routes', async () => {
     tls: {
       contactEmail: 'test@example.com'
     },
+    opsServerPort: 3104,
     cacheConfig: {
       enabled: false,
     }

test/test.dns-socket-handler.ts

@@ -9,6 +9,7 @@ tap.test('should NOT instantiate DNS server when dnsNsDomains is not set', async
     smartProxyConfig: {
       routes: []
     },
+    opsServerPort: 3100,
     cacheConfig: { enabled: false }
   });
 

test/test.http3-augmentation.ts

@@ -0,0 +1,304 @@
+import { tap, expect } from '@git.zone/tstest/tapbundle';
+import {
+  routeQualifiesForHttp3,
+  augmentRouteWithHttp3,
+  augmentRoutesWithHttp3,
+  type IHttp3Config,
+} from '../ts/http3/index.js';
+import type * as plugins from '../ts/plugins.js';
+
+// Helper to create a basic HTTPS forward route on port 443
+function makeRoute(
+  overrides: Partial<plugins.smartproxy.IRouteConfig> = {},
+): plugins.smartproxy.IRouteConfig {
+  return {
+    match: { ports: 443, ...overrides.match },
+    action: {
+      type: 'forward',
+      targets: [{ host: 'localhost', port: 8080 }],
+      tls: { mode: 'terminate', certificate: 'auto' },
+      ...overrides.action,
+    },
+    name: overrides.name ?? 'test-https-route',
+    ...Object.fromEntries(
+      Object.entries(overrides).filter(([k]) => !['match', 'action', 'name'].includes(k)),
+    ),
+  } as plugins.smartproxy.IRouteConfig;
+}
+
+const defaultConfig: IHttp3Config = { enabled: true };
+
+// ──────────────────────────────────────────────────────────────────────────────
+// Qualification tests
+// ──────────────────────────────────────────────────────────────────────────────
+
+tap.test('should augment qualifying HTTPS route on port 443', async () => {
+  const route = makeRoute();
+  const result = augmentRouteWithHttp3(route, defaultConfig);
+
+  expect(result.match.transport).toEqual('all');
+  expect(result.action.udp).toBeTruthy();
+  expect(result.action.udp!.quic).toBeTruthy();
+  expect(result.action.udp!.quic!.enableHttp3).toBeTrue();
+  expect(result.action.udp!.quic!.altSvcMaxAge).toEqual(86400);
+});
+
+tap.test('should NOT augment route on non-443 port', async () => {
+  const route = makeRoute({ match: { ports: 8080 } });
+  const result = augmentRouteWithHttp3(route, defaultConfig);
+
+  expect(result.match.transport).toBeUndefined();
+  expect(result.action.udp).toBeUndefined();
+});
+
+tap.test('should NOT augment socket-handler type route', async () => {
+  const route = makeRoute({
+    action: {
+      type: 'socket-handler' as any,
+      socketHandler: (() => {}) as any,
+    },
+  });
+  const result = augmentRouteWithHttp3(route, defaultConfig);
+
+  expect(result.match.transport).toBeUndefined();
+});
+
+tap.test('should NOT augment route without TLS', async () => {
+  const route: plugins.smartproxy.IRouteConfig = {
+    match: { ports: 443 },
+    action: {
+      type: 'forward',
+      targets: [{ host: 'localhost', port: 8080 }],
+    },
+    name: 'no-tls-route',
+  };
+  const result = augmentRouteWithHttp3(route, defaultConfig);
+
+  expect(result.match.transport).toBeUndefined();
+});
+
+tap.test('should NOT augment email routes', async () => {
+  const emailNames = ['smtp-route', 'submission-route', 'smtps-route', 'email-port-2525-route'];
+  for (const name of emailNames) {
+    const route = makeRoute({ name });
+    const result = augmentRouteWithHttp3(route, defaultConfig);
+    expect(result.match.transport).toBeUndefined();
+  }
+});
+
+tap.test('should respect per-route opt-out (options.http3 = false)', async () => {
+  const route = makeRoute({
+    action: {
+      type: 'forward',
+      targets: [{ host: 'localhost', port: 8080 }],
+      tls: { mode: 'terminate', certificate: 'auto' },
+      options: { http3: false },
+    },
+  });
+  const result = augmentRouteWithHttp3(route, defaultConfig);
+
+  expect(result.match.transport).toBeUndefined();
+  expect(result.action.udp).toBeUndefined();
+});
+
+tap.test('should respect per-route opt-in when global is disabled', async () => {
+  const route = makeRoute({
+    action: {
+      type: 'forward',
+      targets: [{ host: 'localhost', port: 8080 }],
+      tls: { mode: 'terminate', certificate: 'auto' },
+      options: { http3: true },
+    },
+  });
+  const result = augmentRouteWithHttp3(route, { enabled: false });
+
+  expect(result.match.transport).toEqual('all');
+  expect(result.action.udp!.quic!.enableHttp3).toBeTrue();
+});
+
+tap.test('should NOT double-augment routes with transport: all', async () => {
+  const route = makeRoute({
+    match: { ports: 443, transport: 'all' as any },
+  });
+  const result = augmentRouteWithHttp3(route, defaultConfig);
+
+  // Should be the exact same object (no augmentation)
+  expect(result).toEqual(route);
+});
+
+tap.test('should NOT double-augment routes with existing udp.quic', async () => {
+  const route = makeRoute({
+    action: {
+      type: 'forward',
+      targets: [{ host: 'localhost', port: 8080 }],
+      tls: { mode: 'terminate', certificate: 'auto' },
+      udp: { quic: { enableHttp3: true } },
+    },
+  });
+  const result = augmentRouteWithHttp3(route, defaultConfig);
+
+  expect(result).toEqual(route);
+});
+
+tap.test('should augment route with port range including 443', async () => {
+  const route = makeRoute({
+    match: { ports: [{ from: 400, to: 500 }] },
+  });
+  const result = augmentRouteWithHttp3(route, defaultConfig);
+
+  expect(result.match.transport).toEqual('all');
+  expect(result.action.udp!.quic!.enableHttp3).toBeTrue();
+});
+
+tap.test('should augment route with port array including 443', async () => {
+  const route = makeRoute({
+    match: { ports: [80, 443] },
+  });
+  const result = augmentRouteWithHttp3(route, defaultConfig);
+
+  expect(result.match.transport).toEqual('all');
+  expect(result.action.udp!.quic!.enableHttp3).toBeTrue();
+});
+
+tap.test('should NOT augment route with port range NOT including 443', async () => {
+  const route = makeRoute({
+    match: { ports: [{ from: 8000, to: 9000 }] },
+  });
+  const result = augmentRouteWithHttp3(route, defaultConfig);
+
+  expect(result.match.transport).toBeUndefined();
+});
+
+tap.test('should augment TLS passthrough routes', async () => {
+  const route = makeRoute({
+    action: {
+      type: 'forward',
+      targets: [{ host: 'localhost', port: 8080 }],
+      tls: { mode: 'passthrough' },
+    },
+  });
+  const result = augmentRouteWithHttp3(route, defaultConfig);
+
+  expect(result.match.transport).toEqual('all');
+  expect(result.action.udp!.quic!.enableHttp3).toBeTrue();
+});
+
+tap.test('should augment terminate-and-reencrypt routes', async () => {
+  const route = makeRoute({
+    action: {
+      type: 'forward',
+      targets: [{ host: 'localhost', port: 8080 }],
+      tls: { mode: 'terminate-and-reencrypt', certificate: 'auto' },
+    },
+  });
+  const result = augmentRouteWithHttp3(route, defaultConfig);
+
+  expect(result.match.transport).toEqual('all');
+  expect(result.action.udp!.quic!.enableHttp3).toBeTrue();
+});
+
+// ──────────────────────────────────────────────────────────────────────────────
+// Configuration tests
+// ──────────────────────────────────────────────────────────────────────────────
+
+tap.test('should apply default QUIC settings when none provided', async () => {
+  const route = makeRoute();
+  const result = augmentRouteWithHttp3(route, defaultConfig);
+
+  expect(result.action.udp!.quic!.altSvcMaxAge).toEqual(86400);
+  // Undefined means SmartProxy will use its own defaults
+  expect(result.action.udp!.quic!.maxIdleTimeout).toBeUndefined();
+  expect(result.action.udp!.quic!.altSvcPort).toBeUndefined();
+});
+
+tap.test('should apply custom QUIC settings', async () => {
+  const route = makeRoute();
+  const config: IHttp3Config = {
+    enabled: true,
+    quicSettings: {
+      maxIdleTimeout: 60000,
+      maxConcurrentBidiStreams: 200,
+      maxConcurrentUniStreams: 50,
+      initialCongestionWindow: 65536,
+    },
+    altSvc: {
+      port: 8443,
+      maxAge: 3600,
+    },
+    udpSettings: {
+      sessionTimeout: 120000,
+      maxSessionsPerIP: 500,
+      maxDatagramSize: 32768,
+    },
+  };
+  const result = augmentRouteWithHttp3(route, config);
+
+  expect(result.action.udp!.quic!.maxIdleTimeout).toEqual(60000);
+  expect(result.action.udp!.quic!.maxConcurrentBidiStreams).toEqual(200);
+  expect(result.action.udp!.quic!.maxConcurrentUniStreams).toEqual(50);
+  expect(result.action.udp!.quic!.initialCongestionWindow).toEqual(65536);
+  expect(result.action.udp!.quic!.altSvcPort).toEqual(8443);
+  expect(result.action.udp!.quic!.altSvcMaxAge).toEqual(3600);
+  expect(result.action.udp!.sessionTimeout).toEqual(120000);
+  expect(result.action.udp!.maxSessionsPerIP).toEqual(500);
+  expect(result.action.udp!.maxDatagramSize).toEqual(32768);
+});
+
+tap.test('should not mutate the original route', async () => {
+  const route = makeRoute();
+  const originalTransport = route.match.transport;
+  const originalUdp = route.action.udp;
+
+  augmentRouteWithHttp3(route, defaultConfig);
+
+  expect(route.match.transport).toEqual(originalTransport);
+  expect(route.action.udp).toEqual(originalUdp);
+});
+
+// ──────────────────────────────────────────────────────────────────────────────
+// Batch augmentation
+// ──────────────────────────────────────────────────────────────────────────────
+
+tap.test('should augment multiple routes in a batch', async () => {
+  const routes = [
+    makeRoute({ name: 'web-app' }),
+    makeRoute({ name: 'smtp-route', match: { ports: 25 } }),
+    makeRoute({ name: 'api-gateway' }),
+    makeRoute({
+      name: 'dns-query',
+      action: { type: 'socket-handler' as any, socketHandler: (() => {}) as any },
+    }),
+  ];
+
+  const results = augmentRoutesWithHttp3(routes, defaultConfig);
+
+  // web-app and api-gateway should be augmented
+  expect(results[0].match.transport).toEqual('all');
+  expect(results[2].match.transport).toEqual('all');
+
+  // smtp and dns should NOT be augmented
+  expect(results[1].match.transport).toBeUndefined();
+  expect(results[3].match.transport).toBeUndefined();
+});
+
+// ──────────────────────────────────────────────────────────────────────────────
+// Default enabled behavior
+// ──────────────────────────────────────────────────────────────────────────────
+
+tap.test('should treat undefined enabled as true (default on)', async () => {
+  const route = makeRoute();
+  const result = augmentRouteWithHttp3(route, {}); // no enabled field at all
+
+  expect(result.match.transport).toEqual('all');
+  expect(result.action.udp!.quic!.enableHttp3).toBeTrue();
+});
+
+tap.test('should disable when enabled is explicitly false', async () => {
+  const route = makeRoute();
+  const result = augmentRouteWithHttp3(route, { enabled: false });
+
+  expect(result.match.transport).toBeUndefined();
+  expect(result.action.udp).toBeUndefined();
+});
+
+export default tap.start();

test/test.jwt-auth.ts

@@ -9,6 +9,7 @@ let identity: interfaces.data.IIdentity;
 tap.test('should start DCRouter with OpsServer', async () => {
   testDcRouter = new DcRouter({
     // Minimal config for testing
+    opsServerPort: 3102,
     cacheConfig: { enabled: false },
   });
   
@@ -18,7 +19,7 @@ tap.test('should start DCRouter with OpsServer', async () => {
 
 tap.test('should login with admin credentials and receive JWT', async () => {
   const loginRequest = new TypedRequest<interfaces.requests.IReq_AdminLoginWithUsernameAndPassword>(
-    'http://localhost:3000/typedrequest',
+    'http://localhost:3102/typedrequest',
     'adminLoginWithUsernameAndPassword'
   );
   
@@ -41,7 +42,7 @@ tap.test('should login with admin credentials and receive JWT', async () => {
 
 tap.test('should verify valid JWT identity', async () => {
   const verifyRequest = new TypedRequest<interfaces.requests.IReq_VerifyIdentity>(
-    'http://localhost:3000/typedrequest',
+    'http://localhost:3102/typedrequest',
     'verifyIdentity'
   );
   
@@ -57,7 +58,7 @@ tap.test('should verify valid JWT identity', async () => {
 
 tap.test('should reject invalid JWT', async () => {
   const verifyRequest = new TypedRequest<interfaces.requests.IReq_VerifyIdentity>(
-    'http://localhost:3000/typedrequest',
+    'http://localhost:3102/typedrequest',
     'verifyIdentity'
   );
   
@@ -74,7 +75,7 @@ tap.test('should reject invalid JWT', async () => {
 
 tap.test('should verify JWT matches identity data', async () => {
   const verifyRequest = new TypedRequest<interfaces.requests.IReq_VerifyIdentity>(
-    'http://localhost:3000/typedrequest',
+    'http://localhost:3102/typedrequest',
     'verifyIdentity'
   );
   
@@ -91,7 +92,7 @@ tap.test('should verify JWT matches identity data', async () => {
 
 tap.test('should handle logout', async () => {
   const logoutRequest = new TypedRequest<interfaces.requests.IReq_AdminLogout>(
-    'http://localhost:3000/typedrequest',
+    'http://localhost:3102/typedrequest',
     'adminLogout'
   );
   
@@ -105,7 +106,7 @@ tap.test('should handle logout', async () => {
 
 tap.test('should reject wrong credentials', async () => {
   const loginRequest = new TypedRequest<interfaces.requests.IReq_AdminLoginWithUsernameAndPassword>(
-    'http://localhost:3000/typedrequest',
+    'http://localhost:3102/typedrequest',
     'adminLoginWithUsernameAndPassword'
   );
   

test/test.opsserver-api.ts

@@ -9,6 +9,7 @@ let adminIdentity: interfaces.data.IIdentity;
 tap.test('should start DCRouter with OpsServer', async () => {
   testDcRouter = new DcRouter({
     // Minimal config for testing
+    opsServerPort: 3101,
     cacheConfig: { enabled: false },
   });
 
@@ -18,7 +19,7 @@ tap.test('should start DCRouter with OpsServer', async () => {
 
 tap.test('should login as admin', async () => {
   const loginRequest = new TypedRequest<interfaces.requests.IReq_AdminLoginWithUsernameAndPassword>(
-    'http://localhost:3000/typedrequest',
+    'http://localhost:3101/typedrequest',
     'adminLoginWithUsernameAndPassword'
   );
 
@@ -33,7 +34,7 @@ tap.test('should login as admin', async () => {
 
 tap.test('should respond to health status request', async () => {
   const healthRequest = new TypedRequest<interfaces.requests.IReq_GetHealthStatus>(
-    'http://localhost:3000/typedrequest',
+    'http://localhost:3101/typedrequest',
     'getHealthStatus'
   );
 
@@ -49,7 +50,7 @@ tap.test('should respond to health status request', async () => {
 
 tap.test('should respond to server statistics request', async () => {
   const statsRequest = new TypedRequest<interfaces.requests.IReq_GetServerStatistics>(
-    'http://localhost:3000/typedrequest',
+    'http://localhost:3101/typedrequest',
     'getServerStatistics'
   );
 
@@ -66,7 +67,7 @@ tap.test('should respond to server statistics request', async () => {
 
 tap.test('should respond to configuration request', async () => {
   const configRequest = new TypedRequest<interfaces.requests.IReq_GetConfiguration>(
-    'http://localhost:3000/typedrequest',
+    'http://localhost:3101/typedrequest',
     'getConfiguration'
   );
 
@@ -87,7 +88,7 @@ tap.test('should respond to configuration request', async () => {
 
 tap.test('should handle log retrieval request', async () => {
   const logsRequest = new TypedRequest<interfaces.requests.IReq_GetRecentLogs>(
-    'http://localhost:3000/typedrequest',
+    'http://localhost:3101/typedrequest',
     'getRecentLogs'
   );
 
@@ -104,7 +105,7 @@ tap.test('should handle log retrieval request', async () => {
 
 tap.test('should reject unauthenticated requests', async () => {
   const healthRequest = new TypedRequest<interfaces.requests.IReq_GetHealthStatus>(
-    'http://localhost:3000/typedrequest',
+    'http://localhost:3101/typedrequest',
     'getHealthStatus'
   );
 

test/test.protected-endpoint.ts

@@ -9,6 +9,7 @@ let adminIdentity: interfaces.data.IIdentity;
 tap.test('should start DCRouter with OpsServer', async () => {
   testDcRouter = new DcRouter({
     // Minimal config for testing
+    opsServerPort: 3103,
     cacheConfig: { enabled: false },
   });
 
@@ -18,7 +19,7 @@ tap.test('should start DCRouter with OpsServer', async () => {
 
 tap.test('should login as admin', async () => {
   const loginRequest = new TypedRequest<interfaces.requests.IReq_AdminLoginWithUsernameAndPassword>(
-    'http://localhost:3000/typedrequest',
+    'http://localhost:3103/typedrequest',
     'adminLoginWithUsernameAndPassword'
   );
 
@@ -34,7 +35,7 @@ tap.test('should login as admin', async () => {
 
 tap.test('should allow admin to verify identity', async () => {
   const verifyRequest = new TypedRequest<interfaces.requests.IReq_VerifyIdentity>(
-    'http://localhost:3000/typedrequest',
+    'http://localhost:3103/typedrequest',
     'verifyIdentity'
   );
 
@@ -49,7 +50,7 @@ tap.test('should allow admin to verify identity', async () => {
 
 tap.test('should reject verify identity without identity', async () => {
   const verifyRequest = new TypedRequest<interfaces.requests.IReq_VerifyIdentity>(
-    'http://localhost:3000/typedrequest',
+    'http://localhost:3103/typedrequest',
     'verifyIdentity'
   );
 
@@ -64,7 +65,7 @@ tap.test('should reject verify identity without identity', async () => {
 
 tap.test('should reject verify identity with invalid JWT', async () => {
   const verifyRequest = new TypedRequest<interfaces.requests.IReq_VerifyIdentity>(
-    'http://localhost:3000/typedrequest',
+    'http://localhost:3103/typedrequest',
     'verifyIdentity'
   );
 
@@ -84,7 +85,7 @@ tap.test('should reject verify identity with invalid JWT', async () => {
 
 tap.test('should reject protected endpoints without auth', async () => {
   const healthRequest = new TypedRequest<interfaces.requests.IReq_GetHealthStatus>(
-    'http://localhost:3000/typedrequest',
+    'http://localhost:3103/typedrequest',
     'getHealthStatus'
   );
 
@@ -100,7 +101,7 @@ tap.test('should reject protected endpoints without auth', async () => {
 
 tap.test('should allow authenticated access to protected endpoints', async () => {
   const configRequest = new TypedRequest<interfaces.requests.IReq_GetConfiguration>(
-    'http://localhost:3000/typedrequest',
+    'http://localhost:3103/typedrequest',
     'getConfiguration'
   );
 

ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@serve.zone/dcrouter',
-  version: '11.3.0',
+  version: '11.6.0',
   description: 'A multifaceted routing service handling mail and SMS delivery functions.'
 }

ts/classes.dcrouter.ts

@@ -24,6 +24,7 @@ import { RadiusServer, type IRadiusServerConfig } from './radius/index.js';
 import { RemoteIngressManager, TunnelManager } from './remoteingress/index.js';
 import { RouteConfigManager, ApiTokenManager } from './config/index.js';
 import { SecurityLogger, ContentScanner, IPReputationChecker } from './security/index.js';
+import { type IHttp3Config, augmentRoutesWithHttp3 } from './http3/index.js';
 
 export interface IDcRouterOptions {
   /** Base directory for all dcrouter data. Defaults to ~/.serve.zone/dcrouter */
@@ -163,6 +164,17 @@ export interface IDcRouterOptions {
    * Remote Ingress configuration for edge tunnel nodes
    * Enables edge nodes to accept incoming connections and tunnel them to this DcRouter
    */
+  /**
+   * HTTP/3 (QUIC) configuration for HTTPS routes.
+   * Enabled by default — qualifying HTTPS routes on port 443 are automatically
+   * augmented with QUIC/H3 fields. Set { enabled: false } to disable globally.
+   * Individual routes can opt out via action.options.http3 = false.
+   */
+  http3?: IHttp3Config;
+
+  /** Port for the OpsServer web UI (default: 3000) */
+  opsServerPort?: number;
+
   remoteIngressConfig?: {
     /** Enable remote ingress hub (default: false) */
     enabled?: boolean;
@@ -294,6 +306,7 @@ export class DcRouter {
         this.storageManager,
         () => this.getConstructorRoutes(),
         () => this.smartProxy,
+        () => this.options.http3,
       );
       this.apiTokenManager = new ApiTokenManager(this.storageManager);
       await this.apiTokenManager.initialize();
@@ -466,6 +479,13 @@ export class DcRouter {
       challengeHandlers.push(dns01Handler);
     }
     
+    // HTTP/3 augmentation (enabled by default unless explicitly disabled)
+    if (this.options.http3?.enabled !== false) {
+      const http3Config: IHttp3Config = { enabled: true, ...this.options.http3 };
+      routes = augmentRoutesWithHttp3(routes, http3Config);
+      logger.log('info', 'HTTP/3: Augmented qualifying HTTPS routes with QUIC/H3 configuration');
+    }
+
     // Cache constructor routes for RouteConfigManager
     this.constructorRoutes = [...routes];
 

ts/config/classes.route-config-manager.ts

@@ -7,6 +7,7 @@ import type {
   IMergedRoute,
   IRouteWarning,
 } from '../../ts_interfaces/data/route-management.js';
+import { type IHttp3Config, augmentRouteWithHttp3 } from '../http3/index.js';
 
 const ROUTES_PREFIX = '/config-api/routes/';
 const OVERRIDES_PREFIX = '/config-api/overrides/';
@@ -20,6 +21,7 @@ export class RouteConfigManager {
     private storageManager: StorageManager,
     private getHardcodedRoutes: () => plugins.smartproxy.IRouteConfig[],
     private getSmartProxy: () => plugins.smartproxy.SmartProxy | undefined,
+    private getHttp3Config?: () => IHttp3Config | undefined,
   ) {}
 
   /**
@@ -258,10 +260,15 @@ export class RouteConfigManager {
       enabledRoutes.push(route);
     }
 
-    // Add enabled programmatic routes
+    // Add enabled programmatic routes (with HTTP/3 augmentation if enabled)
+    const http3Config = this.getHttp3Config?.();
     for (const stored of this.storedRoutes.values()) {
       if (stored.enabled) {
-        enabledRoutes.push(stored.route);
+        if (http3Config && http3Config.enabled !== false) {
+          enabledRoutes.push(augmentRouteWithHttp3(stored.route, { enabled: true, ...http3Config }));
+        } else {
+          enabledRoutes.push(stored.route);
+        }
       }
     }
 

ts/http3/http3-route-augmentation.ts

@@ -0,0 +1,153 @@
+import type * as plugins from '../plugins.js';
+
+/**
+ * Configuration for HTTP/3 (QUIC) route augmentation.
+ * HTTP/3 is enabled by default on all qualifying HTTPS routes.
+ */
+export interface IHttp3Config {
+  /** Enable HTTP/3 augmentation on qualifying routes (default: true) */
+  enabled?: boolean;
+  /** QUIC-specific settings applied to all augmented routes */
+  quicSettings?: {
+    /** QUIC connection idle timeout in ms (default: 30000) */
+    maxIdleTimeout?: number;
+    /** Max concurrent bidirectional streams per connection (default: 100) */
+    maxConcurrentBidiStreams?: number;
+    /** Max concurrent unidirectional streams per connection (default: 100) */
+    maxConcurrentUniStreams?: number;
+    /** Initial congestion window size in bytes */
+    initialCongestionWindow?: number;
+  };
+  /** Alt-Svc header settings */
+  altSvc?: {
+    /** Port advertised in Alt-Svc header (default: same as listening port) */
+    port?: number;
+    /** Max age for Alt-Svc advertisement in seconds (default: 86400) */
+    maxAge?: number;
+  };
+  /** UDP session settings */
+  udpSettings?: {
+    /** Idle timeout for UDP sessions in ms (default: 60000) */
+    sessionTimeout?: number;
+    /** Max concurrent UDP sessions per source IP (default: 1000) */
+    maxSessionsPerIP?: number;
+    /** Max accepted datagram size in bytes (default: 65535) */
+    maxDatagramSize?: number;
+  };
+}
+
+type TPortRange = plugins.smartproxy.IRouteConfig['match']['ports'];
+
+/**
+ * Check whether a TPortRange includes port 443.
+ */
+function portRangeIncludes443(ports: TPortRange): boolean {
+  if (typeof ports === 'number') return ports === 443;
+  if (Array.isArray(ports)) {
+    return ports.some((p) => {
+      if (typeof p === 'number') return p === 443;
+      return p.from <= 443 && p.to >= 443;
+    });
+  }
+  return false;
+}
+
+/**
+ * Check if a route name indicates an email route that should not get HTTP/3.
+ */
+function isEmailRoute(route: plugins.smartproxy.IRouteConfig): boolean {
+  const name = route.name?.toLowerCase() || '';
+  return (
+    name.startsWith('smtp-') ||
+    name.startsWith('submission-') ||
+    name.startsWith('smtps-') ||
+    name.startsWith('email-')
+  );
+}
+
+/**
+ * Determine if a route qualifies for HTTP/3 augmentation.
+ */
+export function routeQualifiesForHttp3(
+  route: plugins.smartproxy.IRouteConfig,
+  globalConfig: IHttp3Config,
+): boolean {
+  // Check global enable + per-route override
+  const globalEnabled = globalConfig.enabled !== false; // default true
+  const perRouteOverride = route.action.options?.http3;
+
+  // If per-route explicitly set, use that; otherwise use global
+  const shouldAugment =
+    perRouteOverride !== undefined ? perRouteOverride : globalEnabled;
+  if (!shouldAugment) return false;
+
+  // Must be forward type
+  if (route.action.type !== 'forward') return false;
+
+  // Must include port 443
+  if (!portRangeIncludes443(route.match.ports)) return false;
+
+  // Must have TLS
+  if (!route.action.tls) return false;
+
+  // Skip email routes
+  if (isEmailRoute(route)) return false;
+
+  // Skip if already configured with transport 'all' or 'udp'
+  if (route.match.transport === 'all' || route.match.transport === 'udp') return false;
+
+  // Skip if already has QUIC config
+  if (route.action.udp?.quic) return false;
+
+  return true;
+}
+
+/**
+ * Augment a single route with HTTP/3 fields.
+ * Returns a new route object (does not mutate the original).
+ */
+export function augmentRouteWithHttp3(
+  route: plugins.smartproxy.IRouteConfig,
+  config: IHttp3Config,
+): plugins.smartproxy.IRouteConfig {
+  if (!routeQualifiesForHttp3(route, config)) {
+    return route;
+  }
+
+  return {
+    ...route,
+    match: {
+      ...route.match,
+      transport: 'all' as const,
+    },
+    action: {
+      ...route.action,
+      udp: {
+        ...(route.action.udp || {}),
+        sessionTimeout: config.udpSettings?.sessionTimeout,
+        maxSessionsPerIP: config.udpSettings?.maxSessionsPerIP,
+        maxDatagramSize: config.udpSettings?.maxDatagramSize,
+        quic: {
+          enableHttp3: true,
+          maxIdleTimeout: config.quicSettings?.maxIdleTimeout,
+          maxConcurrentBidiStreams: config.quicSettings?.maxConcurrentBidiStreams,
+          maxConcurrentUniStreams: config.quicSettings?.maxConcurrentUniStreams,
+          altSvcPort: config.altSvc?.port,
+          altSvcMaxAge: config.altSvc?.maxAge ?? 86400,
+          initialCongestionWindow: config.quicSettings?.initialCongestionWindow,
+        },
+      },
+    },
+  };
+}
+
+/**
+ * Augment all qualifying routes in an array.
+ * Returns a new array (does not mutate originals).
+ */
+export function augmentRoutesWithHttp3(
+  routes: plugins.smartproxy.IRouteConfig[],
+  config: IHttp3Config,
+): plugins.smartproxy.IRouteConfig[] {
+  return routes.map((route) => augmentRouteWithHttp3(route, config));
+}

ts/http3/index.ts

@@ -0,0 +1 @@
+export * from './http3-route-augmentation.js';

ts/index.ts

@@ -14,6 +14,9 @@ export * from './radius/index.js';
 // Remote Ingress module
 export * from './remoteingress/index.js';
 
+// HTTP/3 module
+export type { IHttp3Config } from './http3/index.js';
+
 export const runCli = async () => {
   let options: import('./classes.dcrouter.js').IDcRouterOptions = {};
 

ts/opsserver/classes.opsserver.ts

@@ -50,7 +50,7 @@ export class OpsServer {
     // Set up handlers
     await this.setupHandlers();
 
-    await this.server.start(3000);
+    await this.server.start(this.dcRouterRef.options.opsServerPort ?? 3000);
   }
   
   /**

ts/readme.md

@@ -37,7 +37,7 @@ const router = new DcRouter({
 });
 
 await router.start();
-// OpsServer dashboard at http://localhost:3000
+// OpsServer dashboard at http://localhost:3000 (configurable via opsServerPort)
 
 // Graceful shutdown
 await router.stop();
@@ -71,7 +71,10 @@ ts/
 │       ├── email.handler.ts        # Email operations
 │       ├── certificate.handler.ts  # Certificate management
 │       ├── radius.handler.ts       # RADIUS management
-│       └── remoteingress.handler.ts # Remote ingress edge + token management
+│       ├── remoteingress.handler.ts # Remote ingress edge + token management
+│       ├── route-management.handler.ts # Programmatic route CRUD
+│       ├── api-token.handler.ts    # API token management
+│       └── security.handler.ts     # Security metrics + connections
 ├── radius/                         # RADIUS server integration
 ├── remoteingress/                  # Remote ingress hub integration
 │   ├── classes.remoteingress-manager.ts  # Edge CRUD + port derivation

ts/remoteingress/classes.remoteingress-manager.ts

@@ -7,7 +7,7 @@ const STORAGE_PREFIX = '/remote-ingress/';
 /**
  * Flatten a port range (number | number[] | Array<{from, to}>) to a sorted unique number array.
  */
-function extractPorts(portRange: number | number[] | Array<{ from: number; to: number }>): number[] {
+function extractPorts(portRange: number | Array<number | { from: number; to: number }>): number[] {
   const ports = new Set<number>();
   if (typeof portRange === 'number') {
     ports.add(portRange);

ts_apiclient/readme.md

@@ -271,7 +271,7 @@ Use of these trademarks must comply with Task Venture Capital GmbH's Trademark G
 
 ### Company Information
 
-Task Venture Capital GmbH
+Task Venture Capital GmbH  
 Registered at District Court Bremen HRB 35230 HB, Germany
 
 For any legal inquiries or further information, please contact us via email at hello@task.vc.

ts_interfaces/readme.md

@@ -292,7 +292,7 @@ Use of these trademarks must comply with Task Venture Capital GmbH's Trademark G
 
 ### Company Information
 
-Task Venture Capital GmbH
+Task Venture Capital GmbH  
 Registered at District Court Bremen HRB 35230 HB, Germany
 
 For any legal inquiries or further information, please contact us via email at hello@task.vc.

ts_web/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@serve.zone/dcrouter',
-  version: '11.3.0',
+  version: '11.6.0',
   description: 'A multifaceted routing service handling mail and SMS delivery functions.'
 }

ts_web/readme.md

@@ -249,7 +249,7 @@ Use of these trademarks must comply with Task Venture Capital GmbH's Trademark G
 
 ### Company Information
 
-Task Venture Capital GmbH
+Task Venture Capital GmbH  
 Registered at District Court Bremen HRB 35230 HB, Germany
 
 For any legal inquiries or further information, please contact us via email at hello@task.vc.