v11.0.11

fix(build): add debug logging to build script to list dist_ts and dist_ts_interfaces before and after bundling
2026-03-05 11:49:24 +00:00 · 2026-03-05 11:49:24 +00:00
153 changed files with 4890 additions and 18052 deletions
@@ -1,7 +1 @@
 node_modules/
-.nogit/
-.git/
-.playwright-mcp/
-.vscode/
-test/
-test_watch/
@@ -6,7 +6,7 @@ on:
      - '**'

 env:
-  IMAGE: code.foss.global/host.today/ht-docker-node:szci
+  IMAGE: registry.gitlab.com/hosttoday/ht-docker-node:npmci
  NPMCI_COMPUTED_REPOURL: https://${{gitea.repository_owner}}:${{secrets.GITEA_TOKEN}}@gitea.lossless.digital/${{gitea.repository}}.git
  NPMCI_TOKEN_NPM: ${{secrets.NPMCI_TOKEN_NPM}}
  NPMCI_TOKEN_NPM2: ${{secrets.NPMCI_TOKEN_NPM2}}
@@ -6,7 +6,7 @@ on:
      - '*'

 env:
-  IMAGE: code.foss.global/host.today/ht-docker-node:szci
+  IMAGE: registry.gitlab.com/hosttoday/ht-docker-node:npmci
  NPMCI_COMPUTED_REPOURL: https://${{gitea.repository_owner}}:${{secrets.GITEA_TOKEN}}@gitea.lossless.digital/${{gitea.repository}}.git
  NPMCI_TOKEN_NPM: ${{secrets.NPMCI_TOKEN_NPM}}
  NPMCI_TOKEN_NPM2: ${{secrets.NPMCI_TOKEN_NPM2}}
@@ -74,7 +74,7 @@ jobs:
    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
    runs-on: ubuntu-latest
    container:
-      image: code.foss.global/host.today/ht-docker-node:dbase_dind
+      image: registry.gitlab.com/hosttoday/ht-docker-dbase:npmci

    steps:
      - uses: actions/checkout@v3
@@ -82,13 +82,15 @@ jobs:
      - name: Prepare
        run: |
          pnpm install -g pnpm
-          pnpm install -g @git.zone/tsdocker
+          pnpm install -g @shipzone/npmci

      - name: Release
        run: |
-          tsdocker login
-          tsdocker build
-          tsdocker push
+          npmci docker login
+          npmci docker build
+          npmci docker test
+          # npmci docker push gitea.lossless.digital
+          npmci docker push dockerregistry.lossless.digital

  metadata:
    needs: test
@@ -1,7 +1,7 @@
 {
  "json.schemas": [
    {
-      "fileMatch": ["/.smartconfig.json"],
+      "fileMatch": ["/npmextra.json"],
      "schema": {
        "type": "object",
        "properties": {
@@ -1,34 +1,46 @@
 # gitzone dockerfile_service
 ## STAGE 1 // BUILD
-FROM code.foss.global/host.today/ht-docker-node:lts AS build
+FROM registry.gitlab.com/hosttoday/ht-docker-node:npmci as node1
 COPY ./ /app
 WORKDIR /app
+ARG NPMCI_TOKEN_NPM2
+ENV NPMCI_TOKEN_NPM2 $NPMCI_TOKEN_NPM2
+RUN npmci npm prepare
 RUN pnpm config set store-dir .pnpm-store
 RUN rm -rf node_modules && pnpm install
 RUN pnpm run build
-RUN rm -rf .pnpm-store node_modules && pnpm install --prod
-
-## STAGE 2 // PRODUCTION
-FROM code.foss.global/host.today/ht-docker-node:alpine-node AS production
-
-# gcompat + libstdc++ for glibc-linked Rust binaries (smartproxy, smartmta, remoteingress)
-RUN apk add --no-cache gcompat libstdc++

+# gitzone dockerfile_service
+## STAGE 2 // install production
+FROM registry.gitlab.com/hosttoday/ht-docker-node:npmci as node2
 WORKDIR /app
-COPY --from=build /app /app
+COPY --from=node1 /app /app
+RUN rm -rf .pnpm-store
+ARG NPMCI_TOKEN_NPM2
+ENV NPMCI_TOKEN_NPM2 $NPMCI_TOKEN_NPM2
+RUN npmci npm prepare
+RUN pnpm config set store-dir .pnpm-store
+RUN rm -rf node_modules/ && pnpm install --prod

-ENV DCROUTER_MODE=OCI_CONTAINER
-ENV DCROUTER_HEAP_SIZE=512
-ENV UV_THREADPOOL_SIZE=16

+## STAGE 3 // rebuild dependencies for alpine
+FROM registry.gitlab.com/hosttoday/ht-docker-node:alpinenpmci as node3
+WORKDIR /app
+COPY --from=node2 /app /app
+ARG NPMCI_TOKEN_NPM2
+ENV NPMCI_TOKEN_NPM2 $NPMCI_TOKEN_NPM2
+RUN npmci npm prepare
+RUN pnpm config set store-dir .pnpm-store
+RUN pnpm rebuild -r
+
+## STAGE 4 // the final production image with all dependencies in place
+FROM registry.gitlab.com/hosttoday/ht-docker-node:alpine as node4
+WORKDIR /app
+COPY --from=node3 /app /app
+
+### Healthchecks
 RUN pnpm install -g @servezone/healthy
-HEALTHCHECK --interval=30s --timeout=10s --start-period=120s --retries=3 CMD [ "healthy" ]
+HEALTHCHECK --interval=30s --timeout=30s --start-period=30s --retries=3 CMD [ "healthy" ]

-LABEL org.opencontainers.image.title="dcrouter" \
-      org.opencontainers.image.description="Multi-service datacenter gateway" \
-      org.opencontainers.image.source="https://code.foss.global/serve.zone/dcrouter"
-
-# HTTP/HTTPS, SMTP/Submission/SMTPS, DNS, RADIUS, OpsServer, RemoteIngress, dynamic range
-EXPOSE 80 443 25 587 465 53/tcp 53/udp 1812/udp 1813/udp 3000 8443 29000-30000
-
-CMD ["sh", "-c", "node --max_old_space_size=${DCROUTER_HEAP_SIZE} ./cli.js"]
+EXPOSE 80
+CMD ["npm", "start"]
@@ -1,21 +0,0 @@
-MIT License
-
-Copyright (c) 2024 Task Venture Capital GmbH
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
@@ -22,8 +22,7 @@
        "to": "./dist_serve/bundle.js",
        "outputMode": "bundle",
        "bundler": "esbuild",
-        "production": true,
-        "includeFiles": ["./html/**/*.html"]
+        "production": true
      }
    ]
  },
@@ -72,14 +71,9 @@
    "dockerRegistryRepoMap": {
      "registry.gitlab.com": "code.foss.global/serve.zone/dcrouter"
    },
-    "npmRegistryUrl": "verdaccio.lossless.digital"
-  },
-  "@git.zone/tsdocker": {
-    "registries": ["code.foss.global"],
-    "registryRepoMap": {
-      "code.foss.global": "serve.zone/dcrouter",
-      "dockerregistry.lossless.digital": "serve.zone/dcrouter"
+    "dockerBuildargEnvMap": {
+      "NPMCI_TOKEN_NPM2": "NPMCI_TOKEN_NPM2"
    },
-    "platforms": ["linux/amd64", "linux/arm64"]
+    "npmRegistryUrl": "verdaccio.lossless.digital"
  }
 }
@@ -1,74 +1,66 @@
 {
  "name": "@serve.zone/dcrouter",
  "private": false,
-  "version": "13.2.2",
+  "version": "11.0.11",
  "description": "A multifaceted routing service handling mail and SMS delivery functions.",
  "type": "module",
  "exports": {
    ".": "./dist_ts/index.js",
-    "./interfaces": "./dist_ts_interfaces/index.js",
-    "./apiclient": "./dist_ts_apiclient/index.js"
+    "./interfaces": "./dist_ts_interfaces/index.js"
  },
  "author": "Task Venture Capital GmbH",
  "license": "MIT",
  "scripts": {
    "test": "(tstest test/ --logfile --timeout 60)",
-    "start": "(node ./cli.js)",
+    "start": "(node --max_old_space_size=250 ./cli.js)",
    "startTs": "(node cli.ts.js)",
-    "build": "(tsbuild tsfolders --allowimplicitany && npm run bundle)",
-    "build:docker": "tsdocker build --verbose",
-    "release:docker": "tsdocker push --verbose",
+    "build": "(tsbuild tsfolders --allowimplicitany && echo '=== DIST_TS AFTER TSBUILD ===' && find dist_ts -maxdepth 1 -type d | sort && echo '=== DIST_TS_INTERFACES ===' && find dist_ts_interfaces -maxdepth 1 -type d | sort && npm run bundle && echo '=== DIST_TS AFTER BUNDLE ===' && find dist_ts -maxdepth 1 -type d | sort)",
    "bundle": "(tsbundle)",
    "watch": "tswatch"
  },
  "devDependencies": {
-    "@git.zone/tsbuild": "^4.4.0",
-    "@git.zone/tsbundle": "^2.10.0",
-    "@git.zone/tsrun": "^2.0.2",
-    "@git.zone/tstest": "^3.6.3",
-    "@git.zone/tswatch": "^3.3.2",
-    "@types/node": "^25.5.2"
+    "@git.zone/tsbuild": "^4.1.4",
+    "@git.zone/tsbundle": "^2.9.0",
+    "@git.zone/tsrun": "^2.0.1",
+    "@git.zone/tstest": "^3.2.0",
+    "@git.zone/tswatch": "^3.2.5",
+    "@types/node": "^25.3.3"
  },
  "dependencies": {
    "@api.global/typedrequest": "^3.3.0",
    "@api.global/typedrequest-interfaces": "^3.0.19",
-    "@api.global/typedserver": "^8.4.6",
+    "@api.global/typedserver": "^8.4.2",
    "@api.global/typedsocket": "^4.1.2",
    "@apiclient.xyz/cloudflare": "^7.1.0",
-    "@design.estate/dees-catalog": "^3.67.1",
-    "@design.estate/dees-element": "^2.2.4",
-    "@push.rocks/lik": "^6.4.0",
-    "@push.rocks/projectinfo": "^5.1.0",
+    "@design.estate/dees-catalog": "^3.43.3",
+    "@design.estate/dees-element": "^2.1.6",
+    "@push.rocks/lik": "^6.3.1",
+    "@push.rocks/projectinfo": "^5.0.2",
    "@push.rocks/qenv": "^6.1.3",
-    "@push.rocks/smartacme": "^9.5.0",
-    "@push.rocks/smartdata": "^7.1.7",
-    "@push.rocks/smartdb": "^2.6.2",
+    "@push.rocks/smartacme": "^9.1.3",
+    "@push.rocks/smartdata": "^7.1.0",
    "@push.rocks/smartdns": "^7.9.0",
-    "@push.rocks/smartfs": "^1.5.0",
+    "@push.rocks/smartfile": "^13.1.2",
    "@push.rocks/smartguard": "^3.1.0",
    "@push.rocks/smartjwt": "^2.2.1",
-    "@push.rocks/smartlog": "^3.2.2",
-    "@push.rocks/smartmetrics": "^3.0.3",
-    "@push.rocks/smartmigration": "1.1.1",
+    "@push.rocks/smartlog": "^3.2.1",
+    "@push.rocks/smartmetrics": "^3.0.2",
+    "@push.rocks/smartmongo": "^5.1.0",
    "@push.rocks/smartmta": "^5.3.1",
-    "@push.rocks/smartnetwork": "^4.5.2",
+    "@push.rocks/smartnetwork": "^4.4.0",
    "@push.rocks/smartpath": "^6.0.0",
    "@push.rocks/smartpromise": "^4.2.3",
-    "@push.rocks/smartproxy": "^27.5.0",
+    "@push.rocks/smartproxy": "^25.9.1",
    "@push.rocks/smartradius": "^1.1.1",
    "@push.rocks/smartrequest": "^5.0.1",
    "@push.rocks/smartrx": "^3.0.10",
-    "@push.rocks/smartstate": "^2.3.0",
+    "@push.rocks/smartstate": "^2.2.0",
    "@push.rocks/smartunique": "^3.0.9",
-    "@push.rocks/smartvpn": "1.19.2",
-    "@push.rocks/taskbuffer": "^8.0.2",
-    "@serve.zone/catalog": "^2.12.3",
+    "@serve.zone/catalog": "^2.5.0",
    "@serve.zone/interfaces": "^5.3.0",
-    "@serve.zone/remoteingress": "^4.15.3",
-    "@tsclass/tsclass": "^9.5.0",
-    "@types/qrcode": "^1.5.6",
-    "lru-cache": "^11.3.2",
-    "qrcode": "^1.5.4",
+    "@serve.zone/remoteingress": "^4.4.0",
+    "@tsclass/tsclass": "^9.3.0",
+    "lru-cache": "^11.2.6",
    "uuid": "^13.0.0"
  },
  "keywords": [
@@ -108,15 +100,13 @@
  "files": [
    "ts/**/*",
    "ts_web/**/*",
-    "ts_apiclient/**/*",
    "dist/**/*",
    "dist_*/**/*",
    "dist_ts/**/*",
    "dist_ts_web/**/*",
-    "dist_ts_apiclient/**/*",
    "assets/**/*",
    "cli.js",
-    ".smartconfig.json",
+    "npmextra.json",
    "readme.md"
  ]
 }
@@ -133,7 +133,7 @@ The project now uses tswatch for development:
 ```bash
 pnpm run watch
 ```
-Configuration in `.smartconfig.json`:
+Configuration in `npmextra.json`:
 ```json
 {
  "@git.zone/tswatch": {
@@ -4,7 +4,7 @@

 **dcrouter: The all-in-one gateway for your datacenter.** 🚀

-A comprehensive traffic routing solution that provides unified gateway capabilities for HTTP/HTTPS, TCP/SNI, email (SMTP), DNS, RADIUS, VPN, and remote edge ingress — all from a single process. Designed for enterprises requiring robust traffic management, automatic TLS certificate provisioning, VPN-based access control, distributed edge networking, and enterprise-grade email infrastructure.
+A comprehensive traffic routing solution that provides unified gateway capabilities for HTTP/HTTPS, TCP/SNI, email (SMTP), DNS, RADIUS, and remote edge ingress — all from a single process. Designed for enterprises requiring robust traffic management, automatic TLS certificate provisioning, distributed edge networking, and enterprise-grade email infrastructure.

 ## Issue Reporting and Security

@@ -18,28 +18,23 @@ For reporting bugs, issues, or security vulnerabilities, please visit [community
 - [Architecture](#architecture)
 - [Configuration Reference](#configuration-reference)
 - [HTTP/HTTPS & TCP/SNI Routing](#httphttps--tcpsni-routing)
- [HTTP/3 (QUIC) Support](#http3-quic-support)
 - [Email System](#email-system)
 - [DNS Server](#dns-server)
 - [RADIUS Server](#radius-server)
 - [Remote Ingress](#remote-ingress)
- [VPN Access Control](#vpn-access-control)
 - [Certificate Management](#certificate-management)
- [Storage & Database](#storage--database)
+- [Storage & Caching](#storage--caching)
 - [Security Features](#security-features)
 - [OpsServer Dashboard](#opsserver-dashboard)
- [API Client](#api-client)
 - [API Reference](#api-reference)
 - [Sub-Modules](#sub-modules)
 - [Testing](#testing)
- [Docker / OCI Container Deployment](#docker--oci-container-deployment)
 - [License and Legal Information](#license-and-legal-information)

 ## Features

 ### 🌐 Universal Traffic Router
 - **HTTP/HTTPS routing** with domain matching, path-based forwarding, and automatic TLS
- **HTTP/3 (QUIC) enabled by default** — qualifying HTTPS routes automatically get QUIC/H3 support with zero configuration
 - **TCP/SNI proxy** for any protocol with TLS termination or passthrough
 - **DNS server** (Rust-powered via [SmartDNS](https://code.foss.global/push.rocks/smartdns)) with authoritative zones, dynamic record management, and DNS-over-HTTPS
 - **Multi-protocol support** on the same infrastructure via [SmartProxy](https://code.foss.global/push.rocks/smartproxy)
@@ -74,17 +69,6 @@ For reporting bugs, issues, or security vulnerabilities, please visit [community
 - **Real-time status monitoring** — connected/disconnected state, public IP, active tunnels, heartbeat tracking
 - **OpsServer dashboard** with enable/disable, edit, secret regeneration, token copy, and delete actions

-### 🔐 VPN Access Control (powered by [smartvpn](https://code.foss.global/push.rocks/smartvpn))
- **WireGuard + native transports** — standard WireGuard clients (iOS, Android, macOS, Windows, Linux) plus custom WebSocket/QUIC tunnels
- **Route-level VPN gating** — mark any route with `vpn: { enabled: true }` to restrict access to VPN clients only, or `vpn: { enabled: true, mandatory: false }` to add VPN clients alongside existing access rules
- **Tag-based access control** — assign `serverDefinedClientTags` to clients and restrict routes with `allowedServerDefinedClientTags`
- **Constructor-defined clients** — pre-define VPN clients with tags in config for declarative, code-driven setup
- **Rootless operation** — uses userspace NAT (smoltcp) with no root required
- **Destination policy** — configurable `forceTarget`, `block`, or `allow` with allowList/blockList for granular traffic control
- **Client management** — create, enable, disable, rotate keys, export WireGuard/SmartVPN configs via OpsServer API and dashboard
- **IP-based enforcement** — VPN clients get IPs from a configurable subnet; SmartProxy enforces `ipAllowList` per route
- **PROXY protocol v2** — the NAT engine sends PP v2 on outbound connections to preserve VPN client identity
-
 ### ⚡ High Performance
 - **Rust-powered proxy engine** via SmartProxy for maximum throughput
 - **Rust-powered MTA engine** via smartmta (TypeScript + Rust hybrid) for reliable email delivery
@@ -93,29 +77,18 @@ For reporting bugs, issues, or security vulnerabilities, please visit [community
 - **Socket-handler mode** — direct socket passing eliminates internal port hops
 - **Real-time metrics** via SmartMetrics (CPU, memory, connections, throughput)

-### 💾 Unified Database
- **Two deployment modes**: embedded LocalSmartDb (zero-config) or external MongoDB
- **15 document classes** covering routes, certs, VPN, RADIUS, security profiles, network targets, and caches
+### 💾 Persistent Storage & Caching
+- **Multiple storage backends**: filesystem, custom functions, or in-memory
+- **Embedded cache database** via smartdata + LocalTsmDb (MongoDB-compatible)
 - **Automatic TTL-based cleanup** for cached emails and IP reputation data
- **Reusable references** — security profiles and network targets that propagate changes to all referencing routes

 ### 🖥️ OpsServer Dashboard
 - **Web-based management interface** with real-time monitoring
 - **JWT authentication** with session persistence
- **Live views** for connections, email queues, DNS queries, RADIUS sessions, certificates, remote ingress edges, VPN clients, and security events
+- **Live views** for connections, email queues, DNS queries, RADIUS sessions, certificates, remote ingress edges, and security events
 - **Domain-centric certificate overview** with backoff status and one-click reprovisioning
 - **Remote ingress management** with connection token generation and one-click copy
- **Security profiles & network targets** — reusable security configurations and host:port targets with propagation to referencing routes
- **Global warning banners** when database is disabled (management features unavailable)
- **Read-only configuration display** for system overview
- **Smart tab visibility handling** — auto-pauses all polling, WebSocket connections, and chart updates when the browser tab is hidden, preventing resource waste and tab freezing
-
-### 🔧 Programmatic API Client
- **Object-oriented API** — resource classes (`Route`, `Certificate`, `ApiToken`, `RemoteIngress`, `Email`) with instance methods
- **Builder pattern** — fluent `.setName().setMatch().save()` chains for creating routes, tokens, and edges
- **Auto-injected auth** — JWT identity and API tokens included automatically in every request
- **Dual auth modes** — login with credentials (JWT) or pass an API token for programmatic access
- **Full coverage** — wraps every OpsServer endpoint with typed request/response pairs
+- **Read-only configuration display** — DcRouter is configured through code

 ## Installation

@@ -263,17 +236,11 @@ const router = new DcRouter({
    hubDomain: 'hub.example.com',
  },

-  // VPN — restrict sensitive routes to VPN clients
-  vpnConfig: {
-    enabled: true,
-    serverEndpoint: 'vpn.example.com',
-    clients: [
-      { clientId: 'dev-laptop', serverDefinedClientTags: ['engineering'] },
-    ],
-  },
+  // Persistent storage
+  storage: { fsPath: '/var/lib/dcrouter/data' },

-  // Unified database (embedded LocalSmartDb or external MongoDB)
-  dbConfig: { enabled: true },
+  // Cache database
+  cacheConfig: { enabled: true, storagePath: '~/.serve.zone/dcrouter/tsmdb' },

  // TLS & ACME
  tls: { contactEmail: 'admin@example.com' },
@@ -297,7 +264,6 @@ graph TB
        DNS[DNS Queries]
        RAD[RADIUS Clients]
        EDGE[Edge Nodes]
-        VPN[VPN Clients]
    end

    subgraph "DcRouter Core"
@@ -307,11 +273,11 @@ graph TB
        DS[SmartDNS Server<br/><i>Rust-powered</i>]
        RS[SmartRadius Server]
        RI[RemoteIngress Hub<br/><i>Rust data plane</i>]
-        VS[SmartVPN Server<br/><i>Rust data plane</i>]
        CM[Certificate Manager<br/><i>smartacme v9</i>]
        OS[OpsServer Dashboard]
        MM[Metrics Manager]
-        DB2[DcRouterDb<br/><i>smartdata + smartdb</i>]
+        SM[Storage Manager]
+        CD[Cache Database]
    end

    subgraph "Backend Services"
@@ -327,18 +293,17 @@ graph TB
    DNS --> DS
    RAD --> RS
    EDGE --> RI
-    VPN --> VS

    DC --> SP
    DC --> ES
    DC --> DS
    DC --> RS
    DC --> RI
-    DC --> VS
    DC --> CM
    DC --> OS
    DC --> MM
-    DC --> DB2
+    DC --> SM
+    DC --> CD

    SP --> WEB
    SP --> API
@@ -363,14 +328,15 @@ graph TB
 | **RemoteIngress** | `@serve.zone/remoteingress` | Distributed edge tunneling with Rust data plane and TS management |
 | **OpsServer** | `@api.global/typedserver` | Web dashboard + TypedRequest API for monitoring and management |
 | **MetricsManager** | `@push.rocks/smartmetrics` | Real-time metrics collection (CPU, memory, email, DNS, security) |
-| **DcRouterDb** | `@push.rocks/smartdata` + `@push.rocks/smartdb` | Unified database — embedded LocalSmartDb or external MongoDB for all persistence |
+| **StorageManager** | built-in | Pluggable key-value storage (filesystem, custom, or in-memory) |
+| **CacheDb** | `@push.rocks/smartdata` | Embedded MongoDB-compatible database (LocalTsmDb) for persistent caching |

 ### How It Works

 DcRouter acts purely as an **orchestrator** — it doesn't implement protocols itself. Instead, it wires together best-in-class packages for each protocol:

-1. **On `start()`**: DcRouter initializes OpsServer (default port 3000, configurable via `opsServerPort`), then spins up SmartProxy, smartmta, SmartDNS, SmartRadius, RemoteIngress, and SmartVPN based on which configs are provided. Services start in dependency order via `ServiceManager`.
-2. **During operation**: Each service handles its own protocol independently. SmartProxy uses a Rust-powered engine for maximum throughput. smartmta uses a hybrid TypeScript + Rust architecture for reliable email delivery. RemoteIngress runs a Rust data plane for edge tunnel networking. SmartVPN runs a Rust data plane for WireGuard and custom transports. SmartAcme v9 handles all certificate operations with built-in concurrency control and rate limiting.
+1. **On `start()`**: DcRouter initializes OpsServer (port 3000), then spins up SmartProxy, smartmta, SmartDNS, SmartRadius, and RemoteIngress based on which configs are provided.
+2. **During operation**: Each service handles its own protocol independently. SmartProxy uses a Rust-powered engine for maximum throughput. smartmta uses a hybrid TypeScript + Rust architecture for reliable email delivery. RemoteIngress runs a Rust data plane for edge tunnel networking. SmartAcme v9 handles all certificate operations with built-in concurrency control and rate limiting.
 3. **On `stop()`**: All services are gracefully shut down in parallel, including cleanup of HTTP agents and DNS clients.

 ### Rust-Powered Architecture
@@ -383,7 +349,6 @@ DcRouter itself is a pure TypeScript orchestrator, but several of its core sub-c
 | **smartmta** | `mailer-bin` | SMTP server + client, DKIM/SPF/DMARC, content scanning, IP reputation |
 | **SmartDNS** | `smartdns-bin` | DNS server (UDP + DNS-over-HTTPS), DNSSEC, DNS client resolution |
 | **RemoteIngress** | `remoteingress-bin` | Edge tunnel data plane, multiplexed streams, heartbeat management |
-| **SmartVPN** | `smartvpn_daemon` | WireGuard (boringtun), Noise IK handshake, QUIC/WS transports, userspace NAT (smoltcp) |
 | **SmartRadius** | — | Pure TypeScript (no Rust component) |

 ## Configuration Reference
@@ -451,52 +416,6 @@ interface IDcRouterOptions {
    };
  };

-  // ── VPN ───────────────────────────────────────────────────────
-  /** VPN server for route-level access control */
-  vpnConfig?: {
-    enabled?: boolean;                   // default: false
-    subnet?: string;                     // default: '10.8.0.0/24'
-    wgListenPort?: number;               // default: 51820
-    dns?: string[];                      // DNS servers pushed to VPN clients
-    serverEndpoint?: string;             // Hostname in generated client configs
-    clients?: Array<{                    // Pre-defined VPN clients
-      clientId: string;
-      serverDefinedClientTags?: string[];
-      description?: string;
-    }>;
-    destinationPolicy?: {                // Traffic routing policy
-      default: 'forceTarget' | 'block' | 'allow';
-      target?: string;                   // IP for forceTarget (default: '127.0.0.1')
-      allowList?: string[];              // Pass through directly
-      blockList?: string[];              // Always block (overrides allowList)
-    };
-  };
-
-  // ── HTTP/3 (QUIC) ────────────────────────────────────────────
-  /** HTTP/3 config — enabled by default on qualifying HTTPS routes */
-  http3?: {
-    enabled?: boolean;                   // default: true
-    quicSettings?: {
-      maxIdleTimeout?: number;           // default: 30000ms
-      maxConcurrentBidiStreams?: number;  // default: 100
-      maxConcurrentUniStreams?: number;   // default: 100
-      initialCongestionWindow?: number;
-    };
-    altSvc?: {
-      port?: number;                     // default: listening port
-      maxAge?: number;                   // default: 86400s
-    };
-    udpSettings?: {
-      sessionTimeout?: number;           // default: 60000ms
-      maxSessionsPerIP?: number;         // default: 1000
-      maxDatagramSize?: number;          // default: 65535
-    };
-  };
-
-  // ── OpsServer ────────────────────────────────────────────────
-  /** Port for the OpsServer web dashboard (default: 3000) */
-  opsServerPort?: number;
-
  // ── TLS & Certificates ────────────────────────────────────────
  tls?: {
    contactEmail: string;
@@ -506,16 +425,24 @@ interface IDcRouterOptions {
  };
  dnsChallenge?: { cloudflareApiKey?: string };

-  // ── Database ────────────────────────────────────────────────────
-  /** Unified database for all persistence (routes, certs, VPN, RADIUS, etc.) */
-  dbConfig?: {
+  // ── Storage & Caching ─────────────────────────────────────────
+  storage?: {
+    fsPath?: string;
+    readFunction?: (key: string) => Promise<string>;
+    writeFunction?: (key: string, value: string) => Promise<void>;
+  };
+  cacheConfig?: {
    enabled?: boolean;                   // default: true
-    mongoDbUrl?: string;                 // External MongoDB URL (omit for embedded LocalSmartDb)
    storagePath?: string;                // default: '~/.serve.zone/dcrouter/tsmdb'
    dbName?: string;                     // default: 'dcrouter'
    cleanupIntervalHours?: number;       // default: 1
-    seedOnEmpty?: boolean;               // Seed default profiles/targets if DB is empty
-    seedData?: object;                   // Custom seed data
+    ttlConfig?: {
+      emails?: number;                   // default: 30 days
+      ipReputation?: number;             // default: 1 day
+      bounces?: number;                  // default: 30 days
+      dkimKeys?: number;                 // default: 90 days
+      suppression?: number;              // default: 30 days
+    };
  };
 }
 ```
@@ -576,102 +503,6 @@ DcRouter uses [SmartProxy](https://code.foss.global/push.rocks/smartproxy) for a
 }
 ```

-## HTTP/3 (QUIC) Support
-
-DcRouter ships with **HTTP/3 enabled by default** 🚀. All qualifying HTTPS routes on port 443 are automatically augmented with QUIC/H3 configuration — no extra setup needed. Under the hood, SmartProxy's native HTTP/3 support (via `IRouteQuic`) handles QUIC transport, Alt-Svc advertisement, and HTTP/3 negotiation.
-
-### How It Works
-
-When DcRouter assembles routes in `setupSmartProxy()`, it automatically augments qualifying routes with:
- `match.transport: 'all'` — listen on both TCP (HTTP/1.1 + HTTP/2) and UDP (QUIC/HTTP/3) on the same port
- `action.udp.quic` — QUIC configuration with `enableHttp3: true` and `altSvcMaxAge: 86400`
-
-Browsers that support HTTP/3 will discover it via the `Alt-Svc` header on initial TCP responses, then upgrade to QUIC for subsequent requests.
-
-### What Gets Augmented
-
-A route qualifies for HTTP/3 augmentation when **all** of these are true:
- Port includes **443** (single number, array, or range)
- Action type is **`forward`** (not `socket-handler`)
- **TLS is enabled** (passthrough, terminate, or terminate-and-reencrypt)
- Route is **not** an email route (ports 25/587/465)
- Route doesn't already have `transport: 'all'` or existing `udp.quic` config
-
-### Zero-Config (Default Behavior)
-
-```typescript
-// HTTP/3 is ON by default — this route automatically gets QUIC/H3:
-const router = new DcRouter({
-  smartProxyConfig: {
-    routes: [{
-      name: 'web-app',
-      match: { domains: ['example.com'], ports: [443] },
-      action: {
-        type: 'forward',
-        targets: [{ host: '192.168.1.10', port: 8080 }],
-        tls: { mode: 'terminate', certificate: 'auto' }
-      }
-    }]
-  }
-});
-```
-
-### Per-Route Opt-Out
-
-Disable HTTP/3 on a specific route using `action.options.http3`:
-
-```typescript
-{
-  name: 'legacy-app',
-  match: { domains: ['legacy.example.com'], ports: [443] },
-  action: {
-    type: 'forward',
-    targets: [{ host: '192.168.1.50', port: 8080 }],
-    tls: { mode: 'terminate', certificate: 'auto' },
-    options: { http3: false }  // ← This route stays TCP-only
-  }
-}
-```
-
-### Global Opt-Out
-
-Disable HTTP/3 across all routes:
-
-```typescript
-const router = new DcRouter({
-  http3: { enabled: false },
-  smartProxyConfig: { routes: [/* ... */] }
-});
-```
-
-### Custom QUIC Settings
-
-Fine-tune QUIC parameters globally:
-
-```typescript
-const router = new DcRouter({
-  http3: {
-    quicSettings: {
-      maxIdleTimeout: 60000,          // 60s idle timeout
-      maxConcurrentBidiStreams: 200,   // More parallel streams
-      maxConcurrentUniStreams: 50,
-    },
-    altSvc: {
-      maxAge: 3600,                   // 1 hour Alt-Svc cache
-    },
-    udpSettings: {
-      sessionTimeout: 120000,         // 2 min UDP session timeout
-      maxSessionsPerIP: 500,
-    }
-  },
-  smartProxyConfig: { routes: [/* ... */] }
-});
-```
-
-### Programmatic Routes
-
-Routes added at runtime via the Route Management API also get HTTP/3 augmentation automatically — the `RouteConfigManager` applies the same augmentation logic when merging programmatic routes.
-
 ## Email System

 The email system is powered by [`@push.rocks/smartmta`](https://code.foss.global/push.rocks/smartmta), a TypeScript + Rust hybrid MTA. DcRouter configures and orchestrates smartmta's **UnifiedEmailServer**, which handles SMTP sessions, route matching, delivery queuing, DKIM signing, and all email processing.
@@ -1011,129 +842,6 @@ The OpsServer Remote Ingress view provides:
 | **Copy Token** | Generate and copy a base64url connection token to clipboard |
 | **Delete** | Remove the edge registration |

-## VPN Access Control
-
-DcRouter integrates [`@push.rocks/smartvpn`](https://code.foss.global/push.rocks/smartvpn) to provide VPN-based route access control. VPN clients connect via standard WireGuard or native WebSocket/QUIC transports, receive an IP from a configurable subnet, and can then access routes that are restricted to VPN-only traffic.
-
-### How It Works
-
-1. **SmartVPN daemon** runs inside dcrouter with a Rust data plane (WireGuard via `boringtun`, custom protocol via Noise IK)
-2. Clients connect and get assigned an IP from the VPN subnet (e.g. `10.8.0.0/24`)
-3. **Smart split tunnel** — generated WireGuard configs auto-include the VPN subnet plus DNS-resolved IPs of VPN-gated domains. Domains from routes with `vpn.enabled` are resolved at config generation time, so clients route only the necessary traffic through the tunnel
-4. Routes with `vpn: { enabled: true }` get `security.ipAllowList` dynamically injected (re-computed on every client change). With `mandatory: true` (default), the allowlist is replaced; with `mandatory: false`, VPN IPs are appended to existing rules
-5. When `allowedServerDefinedClientTags` is set, only matching client IPs are injected (not the whole subnet)
-6. SmartProxy enforces the allowlist — only authorized VPN clients can access protected routes
-7. All VPN traffic is forced through SmartProxy via userspace NAT with PROXY protocol v2 — no root required
-
-### Destination Policy
-
-By default, VPN client traffic is redirected to localhost (SmartProxy) via `forceTarget`. You can customize this with a destination policy:
-
-```typescript
-// Default: all traffic → SmartProxy
-destinationPolicy: { default: 'forceTarget', target: '127.0.0.1' }
-
-// Allow direct access to a backend subnet
-destinationPolicy: {
-  default: 'forceTarget',
-  target: '127.0.0.1',
-  allowList: ['192.168.190.*'],     // direct access to this subnet
-  blockList: ['192.168.190.1'],     // except the gateway
-}
-
-// Block everything except specific IPs
-destinationPolicy: {
-  default: 'block',
-  allowList: ['10.0.0.*', '192.168.1.*'],
-}
-```
-
-### Configuration
-
-```typescript
-const router = new DcRouter({
-  vpnConfig: {
-    enabled: true,
-    subnet: '10.8.0.0/24',            // VPN client IP pool (default)
-    wgListenPort: 51820,               // WireGuard UDP port (default)
-    serverEndpoint: 'vpn.example.com', // Hostname in generated client configs
-    dns: ['1.1.1.1', '8.8.8.8'],      // DNS servers pushed to clients
-
-    // Pre-define VPN clients with server-defined tags
-    clients: [
-      { clientId: 'alice-laptop', serverDefinedClientTags: ['engineering'], description: 'Dev laptop' },
-      { clientId: 'bob-phone', serverDefinedClientTags: ['engineering', 'mobile'] },
-      { clientId: 'carol-desktop', serverDefinedClientTags: ['finance'] },
-    ],
-
-    // Optional: customize destination policy (default: forceTarget → localhost)
-    // destinationPolicy: { default: 'forceTarget', target: '127.0.0.1', allowList: ['192.168.1.*'] },
-  },
-  smartProxyConfig: {
-    routes: [
-      // 🔐 VPN-only: any VPN client can access
-      {
-        name: 'internal-app',
-        match: { domains: ['internal.example.com'], ports: [443] },
-        action: {
-          type: 'forward',
-          targets: [{ host: '192.168.1.50', port: 8080 }],
-          tls: { mode: 'terminate', certificate: 'auto' },
-        },
-        vpn: { enabled: true },
-      },
-      // 🔐 VPN + tag-restricted: only 'engineering' tagged clients
-      {
-        name: 'eng-dashboard',
-        match: { domains: ['eng.example.com'], ports: [443] },
-        action: {
-          type: 'forward',
-          targets: [{ host: '192.168.1.51', port: 8080 }],
-          tls: { mode: 'terminate', certificate: 'auto' },
-        },
-        vpn: { enabled: true, allowedServerDefinedClientTags: ['engineering'] },
-        // → alice + bob can access, carol cannot
-      },
-      // 🌐 Public: no VPN
-      {
-        name: 'public-site',
-        match: { domains: ['example.com'], ports: [443] },
-        action: {
-          type: 'forward',
-          targets: [{ host: '192.168.1.10', port: 80 }],
-          tls: { mode: 'terminate', certificate: 'auto' },
-        },
-      },
-    ],
-  },
-});
-```
-
-### Client Tags
-
-SmartVPN distinguishes between two types of client tags:
-
-| Tag Type | Set By | Purpose |
-|----------|--------|---------|
-| `serverDefinedClientTags` | Admin (via config or API) | **Trusted** — used for route access control |
-| `clientDefinedClientTags` | Connecting client | **Informational** — displayed in dashboard, never used for security |
-
-Routes with `allowedServerDefinedClientTags` only permit VPN clients whose admin-assigned tags match. Clients cannot influence their own server-defined tags.
-
-### Client Management via OpsServer
-
-The OpsServer dashboard and API provide full VPN client lifecycle management:
-
- **Create client** — generates WireGuard keypairs, assigns IP, returns a ready-to-use `.conf` file
- **QR code** — scan with the WireGuard mobile app (iOS/Android) for instant setup
- **Enable / Disable** — toggle client access without deleting
- **Rotate keys** — generate fresh keypairs (invalidates old ones)
- **Export config** — download in WireGuard (`.conf`), SmartVPN (`.json`), or scan as QR code
- **Telemetry** — per-client bytes sent/received, keepalives, rate limiting
- **Delete** — remove a client and revoke access
-
-Standard WireGuard clients on any platform (iOS, Android, macOS, Windows, Linux) can connect using the generated `.conf` file or by scanning the QR code — no custom VPN software needed.
-
 ## Certificate Management

 DcRouter uses [`@push.rocks/smartacme`](https://code.foss.global/push.rocks/smartacme) v9 for ACME certificate provisioning. smartacme v9 brings significant improvements over previous versions:
@@ -1202,55 +910,49 @@ The OpsServer includes a **Certificates** view showing:
 - One-click reprovisioning per domain
 - Certificate import and export

-## Storage & Database
+## Storage & Caching

-DcRouter uses a **unified database** (`DcRouterDb`) powered by [`@push.rocks/smartdata`](https://code.foss.global/push.rocks/smartdata) + [`@push.rocks/smartdb`](https://code.foss.global/push.rocks/smartdb) for all persistence. It supports two modes:
+### StorageManager

-### Embedded LocalSmartDb (Default)
-
-Zero-config, file-based MongoDB-compatible database — no external services needed:
+Provides a unified key-value interface with three backends:

 ```typescript
-dbConfig: { enabled: true }
-// Data stored at ~/.serve.zone/dcrouter/tsmdb by default
+// Filesystem backend
+storage: { fsPath: '/var/lib/dcrouter/data' }
+
+// Custom backend (Redis, S3, etc.)
+storage: {
+  readFunction: async (key) => await redis.get(key),
+  writeFunction: async (key, value) => await redis.set(key, value)
+}
+
+// In-memory (development only — data lost on restart)
+// Simply omit the storage config
 ```

-### External MongoDB
+Used for: TLS certificates, DKIM keys, email routes, bounce/suppression lists, IP reputation data, domain configs, cert backoff state, remote ingress edge registrations.

-Connect to an existing MongoDB instance:
+### Cache Database
+
+An embedded MongoDB-compatible database (via smartdata + LocalTsmDb) for persistent caching with automatic TTL cleanup:

 ```typescript
-dbConfig: {
+cacheConfig: {
  enabled: true,
-  mongoDbUrl: 'mongodb://localhost:27017',
+  storagePath: '~/.serve.zone/dcrouter/tsmdb',
  dbName: 'dcrouter',
+  cleanupIntervalHours: 1,
+  ttlConfig: {
+    emails: 30,         // days
+    ipReputation: 1,    // days
+    bounces: 30,        // days
+    dkimKeys: 90,       // days
+    suppression: 30     // days
+  }
 }
 ```

-### Disabling the Database
-
-For static, constructor-only deployments where no runtime management is needed:
-
-```typescript
-dbConfig: { enabled: false }
-// Routes come exclusively from constructor config — no CRUD, no persistence
-// OpsServer still runs but management features are disabled
-```
-
-### What's Stored
-
-DcRouterDb persists all runtime state across 15 document classes:
-
-| Category | Documents | Purpose |
-|----------|-----------|---------|
-| **Routes** | `StoredRouteDoc`, `RouteOverrideDoc` | Programmatic routes and hardcoded route overrides |
-| **Certificates** | `ProxyCertDoc`, `AcmeCertDoc`, `CertBackoffDoc` | TLS certs, ACME state, per-domain backoff |
-| **Auth** | `ApiTokenDoc` | API token storage |
-| **Remote Ingress** | `RemoteIngressEdgeDoc` | Edge node registrations |
-| **VPN** | `VpnServerKeysDoc`, `VpnClientDoc` | Server keys and client registrations |
-| **RADIUS** | `VlanMappingsDoc`, `AccountingSessionDoc` | VLAN mappings and accounting sessions |
-| **References** | `SecurityProfileDoc`, `NetworkTargetDoc` | Reusable security profiles and network targets |
-| **Cache** | `CachedEmailDoc`, `CachedIpReputationDoc` | TTL-based caches with automatic cleanup |
+Cached document types: `CachedEmail`, `CachedIPReputation`.

 ## Security Features

@@ -1305,7 +1007,7 @@ action: {

 ## OpsServer Dashboard

-The OpsServer provides a web-based management interface served on port 3000 by default (configurable via `opsServerPort`). It's built with modern web components using [@design.estate/dees-catalog](https://code.foss.global/design.estate/dees-catalog).
+The OpsServer provides a web-based management interface served on port 3000. It's built with modern web components using [@design.estate/dees-catalog](https://code.foss.global/design.estate/dees-catalog).

 ### Dashboard Views

@@ -1314,14 +1016,8 @@ The OpsServer provides a web-based management interface served on port 3000 by d
 | 📊 **Overview** | Real-time server stats, CPU/memory, connection counts, email throughput |
 | 🌐 **Network** | Active connections, top IPs, throughput rates, SmartProxy metrics |
 | 📧 **Email** | Queue monitoring (queued/sent/failed), bounce records, security incidents |
-| 🛣️ **Routes** | Merged route list (hardcoded + programmatic), create/edit/toggle/override routes |
-| 🔑 **API Tokens** | Token management with scopes, create/revoke/roll/toggle |
 | 🔐 **Certificates** | Domain-centric certificate overview, status, backoff info, reprovisioning, import/export |
 | 🌍 **RemoteIngress** | Edge node management, connection status, token generation, enable/disable |
-| 🔐 **VPN** | VPN client management, server status, create/toggle/export/rotate/delete clients |
-| 🛡️ **Security Profiles** | Reusable security configurations (IP allow/block lists, rate limits) |
-| 🎯 **Network Targets** | Reusable host:port destinations for route references |
-| 📡 **RADIUS** | NAS client management, VLAN mappings, session monitoring, accounting |
 | 📜 **Logs** | Real-time log viewer with level filtering and search |
 | ⚙️ **Configuration** | Read-only view of current system configuration |
 | 🛡️ **Security** | IP reputation, rate limit status, blocked connections |
@@ -1342,9 +1038,12 @@ All management is done via TypedRequest over HTTP POST to `/typedrequest`:
 'getCombinedMetrics'                   // All metrics in one call

 // Email Operations
-'getAllEmails'                          // List all emails (queued/sent/failed)
-'getEmailDetail'                       // Full detail for a specific email
+'getQueuedEmails'                      // Emails pending delivery
+'getSentEmails'                        // Successfully delivered emails
+'getFailedEmails'                      // Failed emails
 'resendEmail'                          // Re-queue a failed email
+'getBounceRecords'                     // Bounce records
+'removeFromSuppressionList'            // Unsuppress an address

 // Certificates
 'getCertificateOverview'               // Domain-centric certificate status
@@ -1363,39 +1062,11 @@ All management is done via TypedRequest over HTTP POST to `/typedrequest`:
 'getRemoteIngressStatus'               // Runtime status of all edges
 'getRemoteIngressConnectionToken'      // Generate a connection token for an edge

-// Route Management (JWT or API token auth)
-'getMergedRoutes'                      // List all routes (hardcoded + programmatic)
-'createRoute'                          // Create a new programmatic route
-'updateRoute'                          // Update a programmatic route
-'deleteRoute'                          // Delete a programmatic route
-'toggleRoute'                          // Enable/disable a programmatic route
-'setRouteOverride'                     // Override a hardcoded route
-'removeRouteOverride'                  // Remove a hardcoded route override
-
-// API Token Management (admin JWT only)
-'createApiToken'                       // Create API token → returns raw value once
-'listApiTokens'                        // List all tokens (without secrets)
-'revokeApiToken'                       // Delete an API token
-'rollApiToken'                         // Regenerate token secret
-'toggleApiToken'                       // Enable/disable a token
-
 // Configuration (read-only)
 'getConfiguration'                     // Current system config

 // Logs
-'getRecentLogs'                        // Retrieve system logs with filtering
-'getLogStream'                         // Stream live logs
-
-// VPN
-'getVpnClients'                        // List all registered VPN clients
-'getVpnStatus'                         // VPN server status (running, subnet, port, keys)
-'createVpnClient'                      // Create client → returns WireGuard config (shown once)
-'deleteVpnClient'                      // Remove a VPN client
-'enableVpnClient'                      // Enable a disabled client
-'disableVpnClient'                     // Disable a client
-'rotateVpnClientKey'                   // Generate new keys (invalidates old ones)
-'exportVpnClientConfig'                // Export WireGuard (.conf) or SmartVPN (.json) config
-'getVpnClientTelemetry'                // Per-client bytes sent/received, keepalives
+'getLogs'                              // Retrieve system logs

 // RADIUS
 'getRadiusSessions'                    // Active RADIUS sessions
@@ -1407,95 +1078,8 @@ All management is done via TypedRequest over HTTP POST to `/typedrequest`:
 'setVlanMapping'                       // Add/update VLAN mapping
 'removeVlanMapping'                    // Remove VLAN mapping
 'testVlanAssignment'                   // Test what VLAN a MAC gets
-
-// Security Profiles
-'getSecurityProfiles'                  // List all security profiles
-'getSecurityProfile'                   // Get a single profile by ID
-'createSecurityProfile'                // Create a reusable security profile
-'updateSecurityProfile'                // Update a profile (propagates to referencing routes)
-'deleteSecurityProfile'                // Delete a profile (with optional force)
-'getSecurityProfileUsage'              // Get routes referencing a profile
-
-// Network Targets
-'getNetworkTargets'                    // List all network targets
-'getNetworkTarget'                     // Get a single target by ID
-'createNetworkTarget'                  // Create a reusable host:port target
-'updateNetworkTarget'                  // Update a target (propagates to referencing routes)
-'deleteNetworkTarget'                  // Delete a target (with optional force)
-'getNetworkTargetUsage'                // Get routes referencing a target
 ```

-## API Client
-
-DcRouter ships with a typed, object-oriented API client for programmatic management of a running instance. Install it separately or import from the main package:
-
-```bash
-pnpm add @serve.zone/dcrouter-apiclient
-# or import from the main package:
-# import { DcRouterApiClient } from '@serve.zone/dcrouter/apiclient';
-```
-
-### Quick Example
-
-```typescript
-import { DcRouterApiClient } from '@serve.zone/dcrouter/apiclient';
-
-const client = new DcRouterApiClient({ baseUrl: 'https://dcrouter.example.com' });
-await client.login('admin', 'password');
-
-// OO resource instances with methods
-const { routes } = await client.routes.list();
-await routes[0].toggle(false);
-
-// Builder pattern for creation
-const newRoute = await client.routes.build()
-  .setName('api-gateway')
-  .setMatch({ ports: 443, domains: ['api.example.com'] })
-  .setAction({ type: 'forward', targets: [{ host: 'backend', port: 8080 }] })
-  .setTls({ mode: 'terminate', certificate: 'auto' })
-  .save();
-
-// Manage certificates
-const { certificates, summary } = await client.certificates.list();
-await certificates[0].reprovision();
-
-// Create API tokens with builder
-const token = await client.apiTokens.build()
-  .setName('ci-token')
-  .setScopes(['routes:read', 'routes:write'])
-  .setExpiresInDays(90)
-  .save();
-console.log(token.tokenValue); // only available at creation
-
-// Remote ingress edges
-const edge = await client.remoteIngress.build()
-  .setName('edge-nyc-01')
-  .setListenPorts([80, 443])
-  .save();
-const connToken = await edge.getConnectionToken();
-
-// Read-only managers
-const health = await client.stats.getHealth();
-const config = await client.config.get();
-const { logs } = await client.logs.getRecent({ level: 'error', limit: 50 });
-```
-
-### Resource Managers
-
-| Manager | Operations |
-|---------|-----------|
-| `client.routes` | `list()`, `create()`, `build()` → Route: `update()`, `delete()`, `toggle()`, `setOverride()`, `removeOverride()` |
-| `client.certificates` | `list()`, `import()` → Certificate: `reprovision()`, `delete()`, `export()` |
-| `client.apiTokens` | `list()`, `create()`, `build()` → ApiToken: `revoke()`, `roll()`, `toggle()` |
-| `client.remoteIngress` | `list()`, `getStatuses()`, `create()`, `build()` → RemoteIngress: `update()`, `delete()`, `regenerateSecret()`, `getConnectionToken()` |
-| `client.stats` | `getServer()`, `getEmail()`, `getDns()`, `getSecurity()`, `getConnections()`, `getQueues()`, `getHealth()`, `getNetwork()`, `getCombined()` |
-| `client.config` | `get(section?)` |
-| `client.logs` | `getRecent()`, `getStream()` |
-| `client.emails` | `list()` → Email: `getDetail()`, `resend()` |
-| `client.radius` | `.clients`, `.vlans`, `.sessions` sub-managers + `getStatistics()`, `getAccountingSummary()` |
-
-See the [full API client documentation](./ts_apiclient/readme.md) for detailed usage of every manager, builder, and resource class.
-
 ## API Reference

 ### DcRouter Class
@@ -1530,17 +1114,16 @@ const router = new DcRouter(options: IDcRouterOptions);
 | `radiusServer` | `RadiusServer` | RADIUS server instance |
 | `remoteIngressManager` | `RemoteIngressManager` | Edge registration CRUD manager |
 | `tunnelManager` | `TunnelManager` | Tunnel lifecycle and status manager |
-| `vpnManager` | `VpnManager` | VPN server lifecycle and client CRUD manager |
+| `storageManager` | `StorageManager` | Storage backend |
 | `opsServer` | `OpsServer` | OpsServer/dashboard instance |
 | `metricsManager` | `MetricsManager` | Metrics collector |
-| `dcRouterDb` | `DcRouterDb` | Unified database instance (smartdata + smartdb) |
-| `routeConfigManager` | `RouteConfigManager` | Programmatic route CRUD manager |
-| `apiTokenManager` | `ApiTokenManager` | API token management |
-| `referenceResolver` | `ReferenceResolver` | Security profile and network target resolver |
+| `cacheDb` | `CacheDb` | Cache database instance |
+| `certProvisionScheduler` | `CertProvisionScheduler` | Per-domain backoff scheduler for cert provisioning |
+| `certificateStatusMap` | `Map<string, ...>` | Domain-keyed certificate status from SmartProxy events |

 ### Re-exported Types

-DcRouter re-exports key types for convenience:
+DcRouter re-exports key types from smartmta for convenience:

 ```typescript
 import {
@@ -1550,7 +1133,6 @@ import {
  type IUnifiedEmailServerOptions,
  type IEmailRoute,
  type IEmailDomainConfig,
-  type IHttp3Config,
 } from '@serve.zone/dcrouter';
 ```

@@ -1562,14 +1144,12 @@ DcRouter is published as a monorepo with separately-installable interface and we
 |---------|-------------|---------|
 | [`@serve.zone/dcrouter`](https://www.npmjs.com/package/@serve.zone/dcrouter) | Main package — the full router | `pnpm add @serve.zone/dcrouter` |
 | [`@serve.zone/dcrouter-interfaces`](https://www.npmjs.com/package/@serve.zone/dcrouter-interfaces) | TypedRequest interfaces for the OpsServer API | `pnpm add @serve.zone/dcrouter-interfaces` |
-| [`@serve.zone/dcrouter-apiclient`](https://www.npmjs.com/package/@serve.zone/dcrouter-apiclient) | OO API client with builder pattern | `pnpm add @serve.zone/dcrouter-apiclient` |
 | [`@serve.zone/dcrouter-web`](https://www.npmjs.com/package/@serve.zone/dcrouter-web) | Web dashboard components | `pnpm add @serve.zone/dcrouter-web` |

-You can also import directly from the main package:
+You can also import interfaces directly from the main package:

 ```typescript
 import { data, requests } from '@serve.zone/dcrouter/interfaces';
-import { DcRouterApiClient } from '@serve.zone/dcrouter/apiclient';
 ```

 ## Testing
@@ -1591,88 +1171,20 @@ tstest test/test.opsserver-api.ts --verbose --timeout 60

 | Test File | Area | Tests |
 |-----------|------|-------|
-| `test.apiclient.ts` | API client instantiation, builders, resource hydration, exports | 18 |
 | `test.contentscanner.ts` | Content scanning (spam, phishing, malware, attachments) | 13 |
 | `test.dcrouter.email.ts` | Email config, domain and route setup | 4 |
 | `test.dns-server-config.ts` | DNS record parsing, grouping, extraction | 5 |
 | `test.dns-socket-handler.ts` | DNS socket handler and route generation | 6 |
 | `test.errors.ts` | Error classes, handler, retry utilities | 5 |
-| `test.http3-augmentation.ts` | HTTP/3 route augmentation, qualification, opt-in/out, QUIC settings | 20 |
 | `test.ipreputationchecker.ts` | IP reputation, DNSBL, caching, risk classification | 10 |
 | `test.jwt-auth.ts` | JWT login, verification, logout, invalid credentials | 8 |
-| `test.opsserver-api.ts` | Health, statistics, configuration, log APIs | 8 |
+| `test.opsserver-api.ts` | Health, statistics, configuration, log APIs | 6 |
 | `test.protected-endpoint.ts` | Admin auth, identity verification, public endpoints | 8 |
-| `test.reference-resolver.ts` | Security profiles, network targets, route resolution | 20 |
-| `test.security-profiles-api.ts` | Profile/target API endpoints, auth enforcement | 13 |
-
-## Docker / OCI Container Deployment
-
-DcRouter ships with a production-ready `Dockerfile` and supports environment-variable-driven configuration for OCI container deployments. The container image includes tini as PID 1 (via the base image), proper health checks, and configurable resource limits. When `DCROUTER_MODE=OCI_CONTAINER` is set, DcRouter automatically reads configuration from environment variables (and optionally from a JSON config file).
-
-### Running with Docker
-
-```bash
-docker run -d \
-  --ulimit nofile=65536:65536 \
-  -e DCROUTER_TLS_EMAIL=admin@example.com \
-  -e DCROUTER_PUBLIC_IP=203.0.113.1 \
-  -e DCROUTER_DNS_NS_DOMAINS=ns1.example.com,ns2.example.com \
-  -e DCROUTER_DNS_SCOPES=example.com \
-  -p 80:80 -p 443:443 -p 25:25 -p 587:587 -p 465:465 \
-  -p 53:53/udp -p 3000:3000 -p 8443:8443 \
-  code.foss.global/serve.zone/dcrouter:latest
-```
-
-> ⚡ **Production tip:** Always set `--ulimit nofile=65536:65536` for production deployments. DcRouter will log a warning at startup if the file descriptor limit is below 65536.
-
-### Environment Variables
-
-| Variable | Description | Default | Example |
-|----------|-------------|---------|---------|
-| `DCROUTER_MODE` | Container mode (set automatically in image) | `OCI_CONTAINER` | — |
-| `DCROUTER_CONFIG_PATH` | Path to JSON config file (env vars override) | — | `/config/dcrouter.json` |
-| `DCROUTER_BASE_DIR` | Base data directory | `~/.serve.zone/dcrouter` | `/data/dcrouter` |
-| `DCROUTER_TLS_EMAIL` | ACME contact email | — | `admin@example.com` |
-| `DCROUTER_TLS_DOMAIN` | Primary TLS domain | — | `example.com` |
-| `DCROUTER_PUBLIC_IP` | Public IP for DNS records | — | `203.0.113.1` |
-| `DCROUTER_PROXY_IPS` | Comma-separated ingress proxy IPs | — | `198.51.100.1,198.51.100.2` |
-| `DCROUTER_DNS_NS_DOMAINS` | Comma-separated nameserver domains | — | `ns1.example.com,ns2.example.com` |
-| `DCROUTER_DNS_SCOPES` | Comma-separated authoritative domains | — | `example.com,other.com` |
-| `DCROUTER_EMAIL_HOSTNAME` | SMTP server hostname | — | `mail.example.com` |
-| `DCROUTER_EMAIL_PORTS` | Comma-separated email ports | — | `25,587,465` |
-| `DCROUTER_CACHE_ENABLED` | Enable/disable cache database | `true` | `false` |
-| `DCROUTER_HEAP_SIZE` | Node.js V8 heap size in MB | `512` | `1024` |
-| `DCROUTER_MAX_CONNECTIONS` | Global max concurrent connections | `50000` | `100000` |
-| `DCROUTER_MAX_CONNECTIONS_PER_IP` | Max connections per source IP | `100` | `200` |
-| `DCROUTER_CONNECTION_RATE_LIMIT` | Max new connections/min per IP | `600` | `1200` |
-
-### Exposed Ports
-
-The container exposes all service ports:
-
-| Port(s) | Protocol | Service |
-|---------|----------|---------|
-| 80, 443 | TCP | HTTP/HTTPS (SmartProxy) |
-| 25, 587, 465 | TCP | SMTP, Submission, SMTPS |
-| 53 | TCP/UDP | DNS |
-| 1812, 1813 | UDP | RADIUS auth/acct |
-| 3000 | TCP | OpsServer dashboard |
-| 8443 | TCP | Remote ingress tunnels |
-| 51820 | UDP | WireGuard VPN |
-| 29000–30000 | TCP | Dynamic port range |
-
-### Building the Image
-
-```bash
-pnpm run build:docker    # Build the container image
-pnpm run release:docker  # Push to registry
-```
-
-The Docker build supports multi-platform (`linux/amd64`, `linux/arm64`) via [tsdocker](https://code.foss.global/git.zone/tsdocker).
+| `test.storagemanager.ts` | Memory, filesystem, custom backends, concurrency | 8 |

 ## License and Legal Information

-This repository contains open-source code licensed under the MIT License. A copy of the license can be found in the [license](./license) file.
+This repository contains open-source code licensed under the MIT License. A copy of the license can be found in the [LICENSE](./LICENSE) file.

 **Please note:** The MIT License does not grant permission to use the trade names, trademarks, service marks, or product names of the project, except as required for reasonable and customary use in describing the origin of the work and reproducing the content of the NOTICE file.

@@ -1684,7 +1196,7 @@ Use of these trademarks must comply with Task Venture Capital GmbH's Trademark G

 ### Company Information

-Task Venture Capital GmbH  
+Task Venture Capital GmbH
 Registered at District Court Bremen HRB 35230 HB, Germany

 For any legal inquiries or further information, please contact us via email at hello@task.vc.
@@ -1,84 +0,0 @@
-# DCRouter Storage Overview
-
-DCRouter uses a **unified database layer** backed by `@push.rocks/smartdata` for all persistent data. All data is stored as typed document classes in a single database.
-
-## Database Modes
-
-### Embedded Mode (default)
-When no external MongoDB URL is provided, DCRouter starts an embedded `LocalSmartDb` (Rust-based MongoDB-compatible engine) via `@push.rocks/smartdb`.
-
-```
-~/.serve.zone/dcrouter/tsmdb/
-```
-
-### External Mode
-Connect to any MongoDB-compatible database by providing a connection URL.
-
-```typescript
-dbConfig: {
-  mongoDbUrl: 'mongodb://host:27017',
-  dbName: 'dcrouter',
-}
-```
-
-## Configuration
-
-```typescript
-dbConfig: {
-  enabled: true,                                    // default: true
-  mongoDbUrl: undefined,                            // default: embedded LocalSmartDb
-  storagePath: '~/.serve.zone/dcrouter/tsmdb',     // default (embedded mode only)
-  dbName: 'dcrouter',                               // default
-  cleanupIntervalHours: 1,                          // TTL cleanup interval
-}
-```
-
-## Document Classes
-
-All data is stored as smartdata document classes in `ts/db/documents/`.
-
-| Document Class | Collection | Unique Key | Purpose |
-|---|---|---|---|
-| `StoredRouteDoc` | storedRoutes | `id` | Programmatic routes (created via API) |
-| `RouteOverrideDoc` | routeOverrides | `routeName` | Hardcoded route enable/disable overrides |
-| `ApiTokenDoc` | apiTokens | `id` | API tokens (hashed secrets, scopes, expiry) |
-| `VpnServerKeysDoc` | vpnServerKeys | `configId` (singleton) | VPN server Noise + WireGuard keypairs |
-| `VpnClientDoc` | vpnClients | `clientId` | VPN client registrations |
-| `AcmeCertDoc` | acmeCerts | `domainName` | ACME certificates and keys |
-| `ProxyCertDoc` | proxyCerts | `domain` | SmartProxy TLS certificates |
-| `CertBackoffDoc` | certBackoff | `domain` | Per-domain cert provision backoff state |
-| `RemoteIngressEdgeDoc` | remoteIngressEdges | `id` | Edge node registrations |
-| `VlanMappingsDoc` | vlanMappings | `configId` (singleton) | MAC-to-VLAN mapping table |
-| `AccountingSessionDoc` | accountingSessions | `sessionId` | RADIUS accounting sessions |
-| `CachedEmail` | cachedEmails | `id` | Email metadata (TTL: 30 days) |
-| `CachedIPReputation` | cachedIPReputation | `ipAddress` | IP reputation results (TTL: 24 hours) |
-
-## Architecture
-
-```
-DcRouterDb (singleton)
-  ├── LocalSmartDb (embedded, Rust) ─── or ─── External MongoDB
-  └── SmartdataDb (ORM)
-        └── @Collection(() => getDb())
-              ├── StoredRouteDoc
-              ├── RouteOverrideDoc
-              ├── ApiTokenDoc
-              ├── VpnServerKeysDoc / VpnClientDoc
-              ├── AcmeCertDoc / ProxyCertDoc / CertBackoffDoc
-              ├── RemoteIngressEdgeDoc
-              ├── VlanMappingsDoc / AccountingSessionDoc
-              ├── CachedEmail (TTL)
-              └── CachedIPReputation (TTL)
-```
-
-### TTL Cleanup
-
-`CacheCleaner` runs on a configurable interval (default: 1 hour) and removes expired documents where `expiresAt < now()`.
-
-## Disabling
-
-For tests or lightweight deployments without persistence:
-
-```typescript
-dbConfig: { enabled: false }
-```
@@ -1,376 +0,0 @@
-import { tap, expect } from '@git.zone/tstest/tapbundle';
-import {
-  DcRouterApiClient,
-  Route,
-  RouteBuilder,
-  RouteManager,
-  Certificate,
-  CertificateManager,
-  ApiToken,
-  ApiTokenBuilder,
-  ApiTokenManager,
-  RemoteIngress,
-  RemoteIngressBuilder,
-  RemoteIngressManager,
-  Email,
-  EmailManager,
-  StatsManager,
-  ConfigManager,
-  LogManager,
-  RadiusManager,
-  RadiusClientManager,
-  RadiusVlanManager,
-  RadiusSessionManager,
-} from '../ts_apiclient/index.js';
-
-// =============================================================================
-// Instantiation & Structure
-// =============================================================================
-
-tap.test('DcRouterApiClient - should instantiate with baseUrl', async () => {
-  const client = new DcRouterApiClient({ baseUrl: 'https://localhost:3000' });
-  expect(client).toBeTruthy();
-  expect(client.baseUrl).toEqual('https://localhost:3000');
-  expect(client.identity).toBeUndefined();
-});
-
-tap.test('DcRouterApiClient - should strip trailing slashes from baseUrl', async () => {
-  const client = new DcRouterApiClient({ baseUrl: 'https://localhost:3000///' });
-  expect(client.baseUrl).toEqual('https://localhost:3000');
-});
-
-tap.test('DcRouterApiClient - should accept optional apiToken', async () => {
-  const client = new DcRouterApiClient({
-    baseUrl: 'https://localhost:3000',
-    apiToken: 'dcr_test_token',
-  });
-  expect(client.apiToken).toEqual('dcr_test_token');
-});
-
-tap.test('DcRouterApiClient - should have all resource managers', async () => {
-  const client = new DcRouterApiClient({ baseUrl: 'https://localhost:3000' });
-  expect(client.routes).toBeInstanceOf(RouteManager);
-  expect(client.certificates).toBeInstanceOf(CertificateManager);
-  expect(client.apiTokens).toBeInstanceOf(ApiTokenManager);
-  expect(client.remoteIngress).toBeInstanceOf(RemoteIngressManager);
-  expect(client.stats).toBeInstanceOf(StatsManager);
-  expect(client.config).toBeInstanceOf(ConfigManager);
-  expect(client.logs).toBeInstanceOf(LogManager);
-  expect(client.emails).toBeInstanceOf(EmailManager);
-  expect(client.radius).toBeInstanceOf(RadiusManager);
-});
-
-// =============================================================================
-// buildRequestPayload
-// =============================================================================
-
-tap.test('DcRouterApiClient - buildRequestPayload includes identity when set', async () => {
-  const client = new DcRouterApiClient({ baseUrl: 'https://localhost:3000' });
-  const identity = {
-    jwt: 'test-jwt',
-    userId: 'user1',
-    name: 'Admin',
-    expiresAt: Date.now() + 3600000,
-  };
-  client.identity = identity;
-
-  const payload = client.buildRequestPayload({ extra: 'data' });
-  expect(payload.identity).toEqual(identity);
-  expect(payload.extra).toEqual('data');
-});
-
-tap.test('DcRouterApiClient - buildRequestPayload includes apiToken when set', async () => {
-  const client = new DcRouterApiClient({
-    baseUrl: 'https://localhost:3000',
-    apiToken: 'dcr_abc123',
-  });
-
-  const payload = client.buildRequestPayload();
-  expect(payload.apiToken).toEqual('dcr_abc123');
-});
-
-tap.test('DcRouterApiClient - buildRequestPayload with both identity and apiToken', async () => {
-  const client = new DcRouterApiClient({
-    baseUrl: 'https://localhost:3000',
-    apiToken: 'dcr_abc123',
-  });
-  client.identity = {
-    jwt: 'test-jwt',
-    userId: 'user1',
-    name: 'Admin',
-    expiresAt: Date.now() + 3600000,
-  };
-
-  const payload = client.buildRequestPayload({ foo: 'bar' });
-  expect(payload.identity).toBeTruthy();
-  expect(payload.apiToken).toEqual('dcr_abc123');
-  expect(payload.foo).toEqual('bar');
-});
-
-// =============================================================================
-// Route Builder
-// =============================================================================
-
-tap.test('RouteBuilder - should support fluent builder pattern', async () => {
-  const client = new DcRouterApiClient({ baseUrl: 'https://localhost:3000' });
-  const builder = client.routes.build();
-  expect(builder).toBeInstanceOf(RouteBuilder);
-
-  // Fluent methods return `this` (same reference)
-  const result = builder
-    .setName('test-route')
-    .setMatch({ ports: 443, domains: 'example.com' })
-    .setAction({ type: 'forward', targets: [{ host: 'backend', port: 8080 }] })
-    .setEnabled(true);
-
-  expect(result === builder).toBeTrue();
-});
-
-// =============================================================================
-// ApiToken Builder
-// =============================================================================
-
-tap.test('ApiTokenBuilder - should support fluent builder pattern', async () => {
-  const client = new DcRouterApiClient({ baseUrl: 'https://localhost:3000' });
-  const builder = client.apiTokens.build();
-  expect(builder).toBeInstanceOf(ApiTokenBuilder);
-
-  const result = builder
-    .setName('ci-token')
-    .setScopes(['routes:read', 'routes:write'])
-    .addScope('config:read')
-    .setExpiresInDays(30);
-
-  expect(result === builder).toBeTrue();
-});
-
-// =============================================================================
-// RemoteIngress Builder
-// =============================================================================
-
-tap.test('RemoteIngressBuilder - should support fluent builder pattern', async () => {
-  const client = new DcRouterApiClient({ baseUrl: 'https://localhost:3000' });
-  const builder = client.remoteIngress.build();
-  expect(builder).toBeInstanceOf(RemoteIngressBuilder);
-
-  const result = builder
-    .setName('edge-1')
-    .setListenPorts([80, 443])
-    .setAutoDerivePorts(true)
-    .setTags(['production']);
-
-  expect(result === builder).toBeTrue();
-});
-
-// =============================================================================
-// Route resource class
-// =============================================================================
-
-tap.test('Route - should hydrate from IMergedRoute data', async () => {
-  const client = new DcRouterApiClient({ baseUrl: 'https://localhost:3000' });
-  const route = new Route(client, {
-    route: {
-      name: 'test-route',
-      match: { ports: 443, domains: 'example.com' },
-      action: { type: 'forward', targets: [{ host: 'backend', port: 8080 }] },
-    },
-    source: 'programmatic',
-    enabled: true,
-    overridden: false,
-    storedRouteId: 'route-123',
-    createdAt: 1000,
-    updatedAt: 2000,
-  });
-
-  expect(route.name).toEqual('test-route');
-  expect(route.source).toEqual('programmatic');
-  expect(route.enabled).toEqual(true);
-  expect(route.overridden).toEqual(false);
-  expect(route.storedRouteId).toEqual('route-123');
-  expect(route.routeConfig.match.ports).toEqual(443);
-});
-
-tap.test('Route - should throw on update/delete/toggle for hardcoded routes', async () => {
-  const client = new DcRouterApiClient({ baseUrl: 'https://localhost:3000' });
-  const route = new Route(client, {
-    route: {
-      name: 'hardcoded-route',
-      match: { ports: 80 },
-      action: { type: 'forward', targets: [{ host: 'localhost', port: 8080 }] },
-    },
-    source: 'hardcoded',
-    enabled: true,
-    overridden: false,
-    // No storedRouteId for hardcoded routes
-  });
-
-  let updateError: Error | undefined;
-  try {
-    await route.update({ name: 'new-name' });
-  } catch (e) {
-    updateError = e as Error;
-  }
-  expect(updateError).toBeTruthy();
-  expect(updateError!.message).toInclude('hardcoded');
-
-  let deleteError: Error | undefined;
-  try {
-    await route.delete();
-  } catch (e) {
-    deleteError = e as Error;
-  }
-  expect(deleteError).toBeTruthy();
-
-  let toggleError: Error | undefined;
-  try {
-    await route.toggle(false);
-  } catch (e) {
-    toggleError = e as Error;
-  }
-  expect(toggleError).toBeTruthy();
-});
-
-// =============================================================================
-// Certificate resource class
-// =============================================================================
-
-tap.test('Certificate - should hydrate from ICertificateInfo data', async () => {
-  const client = new DcRouterApiClient({ baseUrl: 'https://localhost:3000' });
-  const cert = new Certificate(client, {
-    domain: 'example.com',
-    routeNames: ['main-route'],
-    status: 'valid',
-    source: 'acme',
-    tlsMode: 'terminate',
-    expiryDate: '2027-01-01T00:00:00Z',
-    issuer: "Let's Encrypt",
-    canReprovision: true,
-  });
-
-  expect(cert.domain).toEqual('example.com');
-  expect(cert.status).toEqual('valid');
-  expect(cert.source).toEqual('acme');
-  expect(cert.canReprovision).toEqual(true);
-  expect(cert.routeNames.length).toEqual(1);
-});
-
-// =============================================================================
-// ApiToken resource class
-// =============================================================================
-
-tap.test('ApiToken - should hydrate from IApiTokenInfo data', async () => {
-  const client = new DcRouterApiClient({ baseUrl: 'https://localhost:3000' });
-  const token = new ApiToken(
-    client,
-    {
-      id: 'token-1',
-      name: 'ci-token',
-      scopes: ['routes:read', 'routes:write'],
-      createdAt: Date.now(),
-      expiresAt: null,
-      lastUsedAt: null,
-      enabled: true,
-    },
-    'dcr_secret_value',
-  );
-
-  expect(token.id).toEqual('token-1');
-  expect(token.name).toEqual('ci-token');
-  expect(token.scopes.length).toEqual(2);
-  expect(token.enabled).toEqual(true);
-  expect(token.tokenValue).toEqual('dcr_secret_value');
-});
-
-// =============================================================================
-// RemoteIngress resource class
-// =============================================================================
-
-tap.test('RemoteIngress - should hydrate from IRemoteIngress data', async () => {
-  const client = new DcRouterApiClient({ baseUrl: 'https://localhost:3000' });
-  const edge = new RemoteIngress(client, {
-    id: 'edge-1',
-    name: 'test-edge',
-    secret: 'secret123',
-    listenPorts: [80, 443],
-    enabled: true,
-    autoDerivePorts: true,
-    tags: ['prod'],
-    createdAt: 1000,
-    updatedAt: 2000,
-    effectiveListenPorts: [80, 443, 8080],
-    manualPorts: [80, 443],
-    derivedPorts: [8080],
-  });
-
-  expect(edge.id).toEqual('edge-1');
-  expect(edge.name).toEqual('test-edge');
-  expect(edge.listenPorts.length).toEqual(2);
-  expect(edge.effectiveListenPorts!.length).toEqual(3);
-  expect(edge.autoDerivePorts).toEqual(true);
-});
-
-// =============================================================================
-// Email resource class
-// =============================================================================
-
-tap.test('Email - should hydrate from IEmail data', async () => {
-  const client = new DcRouterApiClient({ baseUrl: 'https://localhost:3000' });
-  const email = new Email(client, {
-    id: 'email-1',
-    direction: 'inbound',
-    status: 'delivered',
-    from: 'sender@example.com',
-    to: 'recipient@example.com',
-    subject: 'Test email',
-    timestamp: '2026-03-06T00:00:00Z',
-    messageId: '<msg-1@example.com>',
-    size: '1234',
-  });
-
-  expect(email.id).toEqual('email-1');
-  expect(email.direction).toEqual('inbound');
-  expect(email.status).toEqual('delivered');
-  expect(email.from).toEqual('sender@example.com');
-  expect(email.subject).toEqual('Test email');
-});
-
-// =============================================================================
-// RadiusManager structure
-// =============================================================================
-
-tap.test('RadiusManager - should have sub-managers', async () => {
-  const client = new DcRouterApiClient({ baseUrl: 'https://localhost:3000' });
-  expect(client.radius.clients).toBeInstanceOf(RadiusClientManager);
-  expect(client.radius.vlans).toBeInstanceOf(RadiusVlanManager);
-  expect(client.radius.sessions).toBeInstanceOf(RadiusSessionManager);
-});
-
-// =============================================================================
-// Exports verification
-// =============================================================================
-
-tap.test('Exports - all expected classes should be importable', async () => {
-  expect(DcRouterApiClient).toBeTruthy();
-  expect(Route).toBeTruthy();
-  expect(RouteBuilder).toBeTruthy();
-  expect(RouteManager).toBeTruthy();
-  expect(Certificate).toBeTruthy();
-  expect(CertificateManager).toBeTruthy();
-  expect(ApiToken).toBeTruthy();
-  expect(ApiTokenBuilder).toBeTruthy();
-  expect(ApiTokenManager).toBeTruthy();
-  expect(RemoteIngress).toBeTruthy();
-  expect(RemoteIngressBuilder).toBeTruthy();
-  expect(RemoteIngressManager).toBeTruthy();
-  expect(Email).toBeTruthy();
-  expect(EmailManager).toBeTruthy();
-  expect(StatsManager).toBeTruthy();
-  expect(ConfigManager).toBeTruthy();
-  expect(LogManager).toBeTruthy();
-  expect(RadiusManager).toBeTruthy();
-  expect(RadiusClientManager).toBeTruthy();
-  expect(RadiusVlanManager).toBeTruthy();
-  expect(RadiusSessionManager).toBeTruthy();
-});
-
-export default tap.start();
@@ -1,196 +0,0 @@
-import { tap, expect } from '@git.zone/tstest/tapbundle';
-import { deriveCertDomainName } from '../ts/opsserver/handlers/certificate.handler.js';
-
-// ──────────────────────────────────────────────────────────────────────────────
-// deriveCertDomainName — pure helper that mirrors smartacme's certmatcher.
-// Used by the force-renew sibling-propagation logic to identify which routes
-// share a single underlying ACME certificate.
-// ──────────────────────────────────────────────────────────────────────────────
-
-tap.test('deriveCertDomainName collapses 3-level subdomain to base', async () => {
-  expect(deriveCertDomainName('outline.task.vc')).toEqual('task.vc');
-  expect(deriveCertDomainName('pr.task.vc')).toEqual('task.vc');
-  expect(deriveCertDomainName('mtd.task.vc')).toEqual('task.vc');
-});
-
-tap.test('deriveCertDomainName returns base domain unchanged for 2-level domain', async () => {
-  expect(deriveCertDomainName('task.vc')).toEqual('task.vc');
-  expect(deriveCertDomainName('example.com')).toEqual('example.com');
-});
-
-tap.test('deriveCertDomainName strips wildcard prefix', async () => {
-  expect(deriveCertDomainName('*.task.vc')).toEqual('task.vc');
-  expect(deriveCertDomainName('*.example.com')).toEqual('example.com');
-});
-
-tap.test('deriveCertDomainName collapses subdomain and wildcard to same identity', async () => {
-  // This is the core property: outline.task.vc and *.task.vc must yield
-  // the same cert identity, otherwise sibling propagation cannot work.
-  const subdomain = deriveCertDomainName('outline.task.vc');
-  const wildcard = deriveCertDomainName('*.task.vc');
-  expect(subdomain).toEqual(wildcard);
-});
-
-tap.test('deriveCertDomainName returns undefined for 4+ level domains', async () => {
-  // Matches smartacme's "deeper domains not supported" behavior.
-  expect(deriveCertDomainName('a.b.task.vc')).toBeUndefined();
-  expect(deriveCertDomainName('one.two.three.example.com')).toBeUndefined();
-});
-
-tap.test('deriveCertDomainName returns undefined for malformed inputs', async () => {
-  expect(deriveCertDomainName('vc')).toBeUndefined();
-  expect(deriveCertDomainName('')).toBeUndefined();
-});
-
-// ──────────────────────────────────────────────────────────────────────────────
-// CertificateHandler.reprovisionCertificateDomain — verify the includeWildcard
-// option is forwarded to smartAcme.getCertificateForDomain on force renew.
-//
-// This is the regression test for Bug 1: previously the call passed only
-// `{ forceRenew: true }`, causing the re-issued cert to drop the wildcard SAN
-// and break every sibling subdomain.
-// ──────────────────────────────────────────────────────────────────────────────
-
-import { CertificateHandler } from '../ts/opsserver/handlers/certificate.handler.js';
-
-// Build a minimal stub of OpsServer + DcRouter that satisfies CertificateHandler.
-// We only need: viewRouter.addTypedHandler / adminRouter.addTypedHandler (no-op),
-// dcRouterRef.smartProxy.routeManager.getRoutes(), dcRouterRef.smartAcme,
-// dcRouterRef.findRouteNamesForDomain, dcRouterRef.certificateStatusMap.
-function makeStubOpsServer(opts: {
-  routes: Array<{ name: string; domains: string[] }>;
-  smartAcmeStub: { getCertificateForDomain: (domain: string, options: any) => Promise<any> };
-}) {
-  const captured: { typedHandlers: any[] } = { typedHandlers: [] };
-  const router = {
-    addTypedHandler(handler: any) { captured.typedHandlers.push(handler); },
-  };
-
-  const routes = opts.routes.map((r) => ({
-    name: r.name,
-    match: { domains: r.domains, ports: 443 },
-    action: { type: 'forward', tls: { certificate: 'auto' } },
-  }));
-
-  const dcRouterRef: any = {
-    smartProxy: {
-      routeManager: { getRoutes: () => routes },
-    },
-    smartAcme: opts.smartAcmeStub,
-    findRouteNamesForDomain: (domain: string) =>
-      routes.filter((r) => r.match.domains.includes(domain)).map((r) => r.name),
-    certificateStatusMap: new Map<string, any>(),
-    certProvisionScheduler: null,
-    routeConfigManager: null,
-  };
-
-  const opsServerRef: any = {
-    viewRouter: router,
-    adminRouter: router,
-    dcRouterRef,
-  };
-
-  return { opsServerRef, dcRouterRef, captured };
-}
-
-tap.test('reprovisionCertificateDomain passes includeWildcard=true for non-wildcard domain', async () => {
-  const calls: Array<{ domain: string; options: any }> = [];
-
-  const { opsServerRef, dcRouterRef } = makeStubOpsServer({
-    routes: [
-      { name: 'outline-route', domains: ['outline.task.vc'] },
-      { name: 'pr-route', domains: ['pr.task.vc'] },
-      { name: 'mtd-route', domains: ['mtd.task.vc'] },
-    ],
-    smartAcmeStub: {
-      getCertificateForDomain: async (domain: string, options: any) => {
-        calls.push({ domain, options });
-        // Return a cert object shaped like SmartacmeCert
-        return {
-          id: 'test-id',
-          domainName: 'task.vc',
-          created: Date.now(),
-          validUntil: Date.now() + 90 * 24 * 60 * 60 * 1000,
-          privateKey: '-----BEGIN PRIVATE KEY-----\nfake\n-----END PRIVATE KEY-----',
-          publicKey: '-----BEGIN CERTIFICATE-----\nfake\n-----END CERTIFICATE-----',
-          csr: '',
-        };
-      },
-    },
-  });
-
-  // Override updateRoutes/applyRoutes to no-op so the test doesn't try to talk to a real proxy
-  dcRouterRef.smartProxy.updateRoutes = async () => {};
-
-  // Construct handler — registerHandlers will run and register typed handlers on our stub router.
-  const handler = new CertificateHandler(opsServerRef);
-
-  // Invoke the private reprovision method directly. The Bug 1 fix is verified
-  // by inspecting the captured smartAcme call options regardless of whether
-  // sibling propagation succeeds (it relies on a real DB for ProxyCertDoc).
-  await (handler as any).reprovisionCertificateDomain('outline.task.vc', true);
-
-  // Sibling propagation may fail because ProxyCertDoc.findByDomain needs a real DB.
-  // The Bug 1 fix is verified by the captured smartAcme call regardless.
-  expect(calls.length).toBeGreaterThanOrEqual(1);
-  expect(calls[0].domain).toEqual('outline.task.vc');
-  expect(calls[0].options).toEqual({ forceRenew: true, includeWildcard: true });
-});
-
-tap.test('reprovisionCertificateDomain passes includeWildcard=false for wildcard domain', async () => {
-  const calls: Array<{ domain: string; options: any }> = [];
-
-  const { opsServerRef, dcRouterRef } = makeStubOpsServer({
-    routes: [
-      { name: 'wildcard-route', domains: ['*.task.vc'] },
-    ],
-    smartAcmeStub: {
-      getCertificateForDomain: async (domain: string, options: any) => {
-        calls.push({ domain, options });
-        return {
-          id: 'test-id',
-          domainName: 'task.vc',
-          created: Date.now(),
-          validUntil: Date.now() + 90 * 24 * 60 * 60 * 1000,
-          privateKey: '-----BEGIN PRIVATE KEY-----\nfake\n-----END PRIVATE KEY-----',
-          publicKey: '-----BEGIN CERTIFICATE-----\nfake\n-----END CERTIFICATE-----',
-          csr: '',
-        };
-      },
-    },
-  });
-
-  dcRouterRef.smartProxy.updateRoutes = async () => {};
-
-  const handler = new CertificateHandler(opsServerRef);
-  await (handler as any).reprovisionCertificateDomain('*.task.vc', true);
-
-  expect(calls.length).toBeGreaterThanOrEqual(1);
-  expect(calls[0].domain).toEqual('*.task.vc');
-  expect(calls[0].options).toEqual({ forceRenew: true, includeWildcard: false });
-});
-
-tap.test('reprovisionCertificateDomain does not call smartAcme when forceRenew is false', async () => {
-  const calls: Array<{ domain: string; options: any }> = [];
-
-  const { opsServerRef, dcRouterRef } = makeStubOpsServer({
-    routes: [{ name: 'outline-route', domains: ['outline.task.vc'] }],
-    smartAcmeStub: {
-      getCertificateForDomain: async (domain: string, options: any) => {
-        calls.push({ domain, options });
-        return {} as any;
-      },
-    },
-  });
-
-  dcRouterRef.smartProxy.updateRoutes = async () => {};
-
-  const handler = new CertificateHandler(opsServerRef);
-  await (handler as any).reprovisionCertificateDomain('outline.task.vc', false);
-
-  // forceRenew=false should NOT call getCertificateForDomain — it just triggers
-  // applyRoutes and lets the cert provisioning pipeline handle it.
-  expect(calls.length).toEqual(0);
-});
-
-export default tap.start();
@@ -129,8 +129,7 @@ tap.test('DcRouter class - Email config with domains and routes', async () => {
    tls: {
      contactEmail: 'test@example.com'
    },
-    opsServerPort: 3104,
-    dbConfig: {
+    cacheConfig: {
      enabled: false,
    }
  };
@@ -9,8 +9,7 @@ tap.test('should NOT instantiate DNS server when dnsNsDomains is not set', async
    smartProxyConfig: {
      routes: []
    },
-    opsServerPort: 3100,
-    dbConfig: { enabled: false }
+    cacheConfig: { enabled: false }
  });

  await dcRouter.start();
@@ -1,304 +0,0 @@
-import { tap, expect } from '@git.zone/tstest/tapbundle';
-import {
-  routeQualifiesForHttp3,
-  augmentRouteWithHttp3,
-  augmentRoutesWithHttp3,
-  type IHttp3Config,
-} from '../ts/http3/index.js';
-import type * as plugins from '../ts/plugins.js';
-
-// Helper to create a basic HTTPS forward route on port 443
-function makeRoute(
-  overrides: Partial<plugins.smartproxy.IRouteConfig> = {},
-): plugins.smartproxy.IRouteConfig {
-  return {
-    match: { ports: 443, ...overrides.match },
-    action: {
-      type: 'forward',
-      targets: [{ host: 'localhost', port: 8080 }],
-      tls: { mode: 'terminate', certificate: 'auto' },
-      ...overrides.action,
-    },
-    name: overrides.name ?? 'test-https-route',
-    ...Object.fromEntries(
-      Object.entries(overrides).filter(([k]) => !['match', 'action', 'name'].includes(k)),
-    ),
-  } as plugins.smartproxy.IRouteConfig;
-}
-
-const defaultConfig: IHttp3Config = { enabled: true };
-
-// ──────────────────────────────────────────────────────────────────────────────
-// Qualification tests
-// ──────────────────────────────────────────────────────────────────────────────
-
-tap.test('should augment qualifying HTTPS route on port 443', async () => {
-  const route = makeRoute();
-  const result = augmentRouteWithHttp3(route, defaultConfig);
-
-  expect(result.match.transport).toEqual('all');
-  expect(result.action.udp).toBeTruthy();
-  expect(result.action.udp!.quic).toBeTruthy();
-  expect(result.action.udp!.quic!.enableHttp3).toBeTrue();
-  expect(result.action.udp!.quic!.altSvcMaxAge).toEqual(86400);
-});
-
-tap.test('should NOT augment route on non-443 port', async () => {
-  const route = makeRoute({ match: { ports: 8080 } });
-  const result = augmentRouteWithHttp3(route, defaultConfig);
-
-  expect(result.match.transport).toBeUndefined();
-  expect(result.action.udp).toBeUndefined();
-});
-
-tap.test('should NOT augment socket-handler type route', async () => {
-  const route = makeRoute({
-    action: {
-      type: 'socket-handler' as any,
-      socketHandler: (() => {}) as any,
-    },
-  });
-  const result = augmentRouteWithHttp3(route, defaultConfig);
-
-  expect(result.match.transport).toBeUndefined();
-});
-
-tap.test('should NOT augment route without TLS', async () => {
-  const route: plugins.smartproxy.IRouteConfig = {
-    match: { ports: 443 },
-    action: {
-      type: 'forward',
-      targets: [{ host: 'localhost', port: 8080 }],
-    },
-    name: 'no-tls-route',
-  };
-  const result = augmentRouteWithHttp3(route, defaultConfig);
-
-  expect(result.match.transport).toBeUndefined();
-});
-
-tap.test('should NOT augment email routes', async () => {
-  const emailNames = ['smtp-route', 'submission-route', 'smtps-route', 'email-port-2525-route'];
-  for (const name of emailNames) {
-    const route = makeRoute({ name });
-    const result = augmentRouteWithHttp3(route, defaultConfig);
-    expect(result.match.transport).toBeUndefined();
-  }
-});
-
-tap.test('should respect per-route opt-out (options.http3 = false)', async () => {
-  const route = makeRoute({
-    action: {
-      type: 'forward',
-      targets: [{ host: 'localhost', port: 8080 }],
-      tls: { mode: 'terminate', certificate: 'auto' },
-      options: { http3: false },
-    },
-  });
-  const result = augmentRouteWithHttp3(route, defaultConfig);
-
-  expect(result.match.transport).toBeUndefined();
-  expect(result.action.udp).toBeUndefined();
-});
-
-tap.test('should respect per-route opt-in when global is disabled', async () => {
-  const route = makeRoute({
-    action: {
-      type: 'forward',
-      targets: [{ host: 'localhost', port: 8080 }],
-      tls: { mode: 'terminate', certificate: 'auto' },
-      options: { http3: true },
-    },
-  });
-  const result = augmentRouteWithHttp3(route, { enabled: false });
-
-  expect(result.match.transport).toEqual('all');
-  expect(result.action.udp!.quic!.enableHttp3).toBeTrue();
-});
-
-tap.test('should NOT double-augment routes with transport: all', async () => {
-  const route = makeRoute({
-    match: { ports: 443, transport: 'all' as any },
-  });
-  const result = augmentRouteWithHttp3(route, defaultConfig);
-
-  // Should be the exact same object (no augmentation)
-  expect(result).toEqual(route);
-});
-
-tap.test('should NOT double-augment routes with existing udp.quic', async () => {
-  const route = makeRoute({
-    action: {
-      type: 'forward',
-      targets: [{ host: 'localhost', port: 8080 }],
-      tls: { mode: 'terminate', certificate: 'auto' },
-      udp: { quic: { enableHttp3: true } },
-    },
-  });
-  const result = augmentRouteWithHttp3(route, defaultConfig);
-
-  expect(result).toEqual(route);
-});
-
-tap.test('should augment route with port range including 443', async () => {
-  const route = makeRoute({
-    match: { ports: [{ from: 400, to: 500 }] },
-  });
-  const result = augmentRouteWithHttp3(route, defaultConfig);
-
-  expect(result.match.transport).toEqual('all');
-  expect(result.action.udp!.quic!.enableHttp3).toBeTrue();
-});
-
-tap.test('should augment route with port array including 443', async () => {
-  const route = makeRoute({
-    match: { ports: [80, 443] },
-  });
-  const result = augmentRouteWithHttp3(route, defaultConfig);
-
-  expect(result.match.transport).toEqual('all');
-  expect(result.action.udp!.quic!.enableHttp3).toBeTrue();
-});
-
-tap.test('should NOT augment route with port range NOT including 443', async () => {
-  const route = makeRoute({
-    match: { ports: [{ from: 8000, to: 9000 }] },
-  });
-  const result = augmentRouteWithHttp3(route, defaultConfig);
-
-  expect(result.match.transport).toBeUndefined();
-});
-
-tap.test('should augment TLS passthrough routes', async () => {
-  const route = makeRoute({
-    action: {
-      type: 'forward',
-      targets: [{ host: 'localhost', port: 8080 }],
-      tls: { mode: 'passthrough' },
-    },
-  });
-  const result = augmentRouteWithHttp3(route, defaultConfig);
-
-  expect(result.match.transport).toEqual('all');
-  expect(result.action.udp!.quic!.enableHttp3).toBeTrue();
-});
-
-tap.test('should augment terminate-and-reencrypt routes', async () => {
-  const route = makeRoute({
-    action: {
-      type: 'forward',
-      targets: [{ host: 'localhost', port: 8080 }],
-      tls: { mode: 'terminate-and-reencrypt', certificate: 'auto' },
-    },
-  });
-  const result = augmentRouteWithHttp3(route, defaultConfig);
-
-  expect(result.match.transport).toEqual('all');
-  expect(result.action.udp!.quic!.enableHttp3).toBeTrue();
-});
-
-// ──────────────────────────────────────────────────────────────────────────────
-// Configuration tests
-// ──────────────────────────────────────────────────────────────────────────────
-
-tap.test('should apply default QUIC settings when none provided', async () => {
-  const route = makeRoute();
-  const result = augmentRouteWithHttp3(route, defaultConfig);
-
-  expect(result.action.udp!.quic!.altSvcMaxAge).toEqual(86400);
-  // Undefined means SmartProxy will use its own defaults
-  expect(result.action.udp!.quic!.maxIdleTimeout).toBeUndefined();
-  expect(result.action.udp!.quic!.altSvcPort).toBeUndefined();
-});
-
-tap.test('should apply custom QUIC settings', async () => {
-  const route = makeRoute();
-  const config: IHttp3Config = {
-    enabled: true,
-    quicSettings: {
-      maxIdleTimeout: 60000,
-      maxConcurrentBidiStreams: 200,
-      maxConcurrentUniStreams: 50,
-      initialCongestionWindow: 65536,
-    },
-    altSvc: {
-      port: 8443,
-      maxAge: 3600,
-    },
-    udpSettings: {
-      sessionTimeout: 120000,
-      maxSessionsPerIP: 500,
-      maxDatagramSize: 32768,
-    },
-  };
-  const result = augmentRouteWithHttp3(route, config);
-
-  expect(result.action.udp!.quic!.maxIdleTimeout).toEqual(60000);
-  expect(result.action.udp!.quic!.maxConcurrentBidiStreams).toEqual(200);
-  expect(result.action.udp!.quic!.maxConcurrentUniStreams).toEqual(50);
-  expect(result.action.udp!.quic!.initialCongestionWindow).toEqual(65536);
-  expect(result.action.udp!.quic!.altSvcPort).toEqual(8443);
-  expect(result.action.udp!.quic!.altSvcMaxAge).toEqual(3600);
-  expect(result.action.udp!.sessionTimeout).toEqual(120000);
-  expect(result.action.udp!.maxSessionsPerIP).toEqual(500);
-  expect(result.action.udp!.maxDatagramSize).toEqual(32768);
-});
-
-tap.test('should not mutate the original route', async () => {
-  const route = makeRoute();
-  const originalTransport = route.match.transport;
-  const originalUdp = route.action.udp;
-
-  augmentRouteWithHttp3(route, defaultConfig);
-
-  expect(route.match.transport).toEqual(originalTransport);
-  expect(route.action.udp).toEqual(originalUdp);
-});
-
-// ──────────────────────────────────────────────────────────────────────────────
-// Batch augmentation
-// ──────────────────────────────────────────────────────────────────────────────
-
-tap.test('should augment multiple routes in a batch', async () => {
-  const routes = [
-    makeRoute({ name: 'web-app' }),
-    makeRoute({ name: 'smtp-route', match: { ports: 25 } }),
-    makeRoute({ name: 'api-gateway' }),
-    makeRoute({
-      name: 'dns-query',
-      action: { type: 'socket-handler' as any, socketHandler: (() => {}) as any },
-    }),
-  ];
-
-  const results = augmentRoutesWithHttp3(routes, defaultConfig);
-
-  // web-app and api-gateway should be augmented
-  expect(results[0].match.transport).toEqual('all');
-  expect(results[2].match.transport).toEqual('all');
-
-  // smtp and dns should NOT be augmented
-  expect(results[1].match.transport).toBeUndefined();
-  expect(results[3].match.transport).toBeUndefined();
-});
-
-// ──────────────────────────────────────────────────────────────────────────────
-// Default enabled behavior
-// ──────────────────────────────────────────────────────────────────────────────
-
-tap.test('should treat undefined enabled as true (default on)', async () => {
-  const route = makeRoute();
-  const result = augmentRouteWithHttp3(route, {}); // no enabled field at all
-
-  expect(result.match.transport).toEqual('all');
-  expect(result.action.udp!.quic!.enableHttp3).toBeTrue();
-});
-
-tap.test('should disable when enabled is explicitly false', async () => {
-  const route = makeRoute();
-  const result = augmentRouteWithHttp3(route, { enabled: false });
-
-  expect(result.match.transport).toBeUndefined();
-  expect(result.action.udp).toBeUndefined();
-});
-
-export default tap.start();
@@ -9,8 +9,7 @@ let identity: interfaces.data.IIdentity;
 tap.test('should start DCRouter with OpsServer', async () => {
  testDcRouter = new DcRouter({
    // Minimal config for testing
-    opsServerPort: 3102,
-    dbConfig: { enabled: false },
+    cacheConfig: { enabled: false },
  });
  
  await testDcRouter.start();
@@ -19,7 +18,7 @@ tap.test('should start DCRouter with OpsServer', async () => {

 tap.test('should login with admin credentials and receive JWT', async () => {
  const loginRequest = new TypedRequest<interfaces.requests.IReq_AdminLoginWithUsernameAndPassword>(
-    'http://localhost:3102/typedrequest',
+    'http://localhost:3000/typedrequest',
    'adminLoginWithUsernameAndPassword'
  );
  
@@ -42,7 +41,7 @@ tap.test('should login with admin credentials and receive JWT', async () => {

 tap.test('should verify valid JWT identity', async () => {
  const verifyRequest = new TypedRequest<interfaces.requests.IReq_VerifyIdentity>(
-    'http://localhost:3102/typedrequest',
+    'http://localhost:3000/typedrequest',
    'verifyIdentity'
  );
  
@@ -58,7 +57,7 @@ tap.test('should verify valid JWT identity', async () => {

 tap.test('should reject invalid JWT', async () => {
  const verifyRequest = new TypedRequest<interfaces.requests.IReq_VerifyIdentity>(
-    'http://localhost:3102/typedrequest',
+    'http://localhost:3000/typedrequest',
    'verifyIdentity'
  );
  
@@ -75,7 +74,7 @@ tap.test('should reject invalid JWT', async () => {

 tap.test('should verify JWT matches identity data', async () => {
  const verifyRequest = new TypedRequest<interfaces.requests.IReq_VerifyIdentity>(
-    'http://localhost:3102/typedrequest',
+    'http://localhost:3000/typedrequest',
    'verifyIdentity'
  );
  
@@ -92,7 +91,7 @@ tap.test('should verify JWT matches identity data', async () => {

 tap.test('should handle logout', async () => {
  const logoutRequest = new TypedRequest<interfaces.requests.IReq_AdminLogout>(
-    'http://localhost:3102/typedrequest',
+    'http://localhost:3000/typedrequest',
    'adminLogout'
  );
  
@@ -106,7 +105,7 @@ tap.test('should handle logout', async () => {

 tap.test('should reject wrong credentials', async () => {
  const loginRequest = new TypedRequest<interfaces.requests.IReq_AdminLoginWithUsernameAndPassword>(
-    'http://localhost:3102/typedrequest',
+    'http://localhost:3000/typedrequest',
    'adminLoginWithUsernameAndPassword'
  );
  
@@ -9,8 +9,7 @@ let adminIdentity: interfaces.data.IIdentity;
 tap.test('should start DCRouter with OpsServer', async () => {
  testDcRouter = new DcRouter({
    // Minimal config for testing
-    opsServerPort: 3101,
-    dbConfig: { enabled: false },
+    cacheConfig: { enabled: false },
  });

  await testDcRouter.start();
@@ -19,7 +18,7 @@ tap.test('should start DCRouter with OpsServer', async () => {

 tap.test('should login as admin', async () => {
  const loginRequest = new TypedRequest<interfaces.requests.IReq_AdminLoginWithUsernameAndPassword>(
-    'http://localhost:3101/typedrequest',
+    'http://localhost:3000/typedrequest',
    'adminLoginWithUsernameAndPassword'
  );

@@ -34,7 +33,7 @@ tap.test('should login as admin', async () => {

 tap.test('should respond to health status request', async () => {
  const healthRequest = new TypedRequest<interfaces.requests.IReq_GetHealthStatus>(
-    'http://localhost:3101/typedrequest',
+    'http://localhost:3000/typedrequest',
    'getHealthStatus'
  );

@@ -50,7 +49,7 @@ tap.test('should respond to health status request', async () => {

 tap.test('should respond to server statistics request', async () => {
  const statsRequest = new TypedRequest<interfaces.requests.IReq_GetServerStatistics>(
-    'http://localhost:3101/typedrequest',
+    'http://localhost:3000/typedrequest',
    'getServerStatistics'
  );

@@ -67,7 +66,7 @@ tap.test('should respond to server statistics request', async () => {

 tap.test('should respond to configuration request', async () => {
  const configRequest = new TypedRequest<interfaces.requests.IReq_GetConfiguration>(
-    'http://localhost:3101/typedrequest',
+    'http://localhost:3000/typedrequest',
    'getConfiguration'
  );

@@ -88,7 +87,7 @@ tap.test('should respond to configuration request', async () => {

 tap.test('should handle log retrieval request', async () => {
  const logsRequest = new TypedRequest<interfaces.requests.IReq_GetRecentLogs>(
-    'http://localhost:3101/typedrequest',
+    'http://localhost:3000/typedrequest',
    'getRecentLogs'
  );

@@ -105,7 +104,7 @@ tap.test('should handle log retrieval request', async () => {

 tap.test('should reject unauthenticated requests', async () => {
  const healthRequest = new TypedRequest<interfaces.requests.IReq_GetHealthStatus>(
-    'http://localhost:3101/typedrequest',
+    'http://localhost:3000/typedrequest',
    'getHealthStatus'
  );

@@ -9,8 +9,7 @@ let adminIdentity: interfaces.data.IIdentity;
 tap.test('should start DCRouter with OpsServer', async () => {
  testDcRouter = new DcRouter({
    // Minimal config for testing
-    opsServerPort: 3103,
-    dbConfig: { enabled: false },
+    cacheConfig: { enabled: false },
  });

  await testDcRouter.start();
@@ -19,7 +18,7 @@ tap.test('should start DCRouter with OpsServer', async () => {

 tap.test('should login as admin', async () => {
  const loginRequest = new TypedRequest<interfaces.requests.IReq_AdminLoginWithUsernameAndPassword>(
-    'http://localhost:3103/typedrequest',
+    'http://localhost:3000/typedrequest',
    'adminLoginWithUsernameAndPassword'
  );

@@ -35,7 +34,7 @@ tap.test('should login as admin', async () => {

 tap.test('should allow admin to verify identity', async () => {
  const verifyRequest = new TypedRequest<interfaces.requests.IReq_VerifyIdentity>(
-    'http://localhost:3103/typedrequest',
+    'http://localhost:3000/typedrequest',
    'verifyIdentity'
  );

@@ -50,7 +49,7 @@ tap.test('should allow admin to verify identity', async () => {

 tap.test('should reject verify identity without identity', async () => {
  const verifyRequest = new TypedRequest<interfaces.requests.IReq_VerifyIdentity>(
-    'http://localhost:3103/typedrequest',
+    'http://localhost:3000/typedrequest',
    'verifyIdentity'
  );

@@ -65,7 +64,7 @@ tap.test('should reject verify identity without identity', async () => {

 tap.test('should reject verify identity with invalid JWT', async () => {
  const verifyRequest = new TypedRequest<interfaces.requests.IReq_VerifyIdentity>(
-    'http://localhost:3103/typedrequest',
+    'http://localhost:3000/typedrequest',
    'verifyIdentity'
  );

@@ -85,7 +84,7 @@ tap.test('should reject verify identity with invalid JWT', async () => {

 tap.test('should reject protected endpoints without auth', async () => {
  const healthRequest = new TypedRequest<interfaces.requests.IReq_GetHealthStatus>(
-    'http://localhost:3103/typedrequest',
+    'http://localhost:3000/typedrequest',
    'getHealthStatus'
  );

@@ -101,7 +100,7 @@ tap.test('should reject protected endpoints without auth', async () => {

 tap.test('should allow authenticated access to protected endpoints', async () => {
  const configRequest = new TypedRequest<interfaces.requests.IReq_GetConfiguration>(
-    'http://localhost:3103/typedrequest',
+    'http://localhost:3000/typedrequest',
    'getConfiguration'
  );

@@ -1,371 +0,0 @@
-import { expect, tap } from '@git.zone/tstest/tapbundle';
-import { ReferenceResolver } from '../ts/config/classes.reference-resolver.js';
-import type { ISourceProfile, INetworkTarget, IRouteMetadata } from '../ts_interfaces/data/route-management.js';
-import type { IRouteConfig } from '@push.rocks/smartproxy';
-
-// ============================================================================
-// Helpers: access private maps for direct unit testing without DB
-// ============================================================================
-
-function injectProfile(resolver: ReferenceResolver, profile: ISourceProfile): void {
-  (resolver as any).profiles.set(profile.id, profile);
-}
-
-function injectTarget(resolver: ReferenceResolver, target: INetworkTarget): void {
-  (resolver as any).targets.set(target.id, target);
-}
-
-function makeProfile(overrides: Partial<ISourceProfile> = {}): ISourceProfile {
-  return {
-    id: 'profile-1',
-    name: 'STANDARD',
-    description: 'Test profile',
-    security: {
-      ipAllowList: ['192.168.0.0/16', '10.0.0.0/8'],
-      maxConnections: 1000,
-    },
-    createdAt: Date.now(),
-    updatedAt: Date.now(),
-    createdBy: 'test',
-    ...overrides,
-  };
-}
-
-function makeTarget(overrides: Partial<INetworkTarget> = {}): INetworkTarget {
-  return {
-    id: 'target-1',
-    name: 'INFRA',
-    description: 'Test target',
-    host: '192.168.5.247',
-    port: 443,
-    createdAt: Date.now(),
-    updatedAt: Date.now(),
-    createdBy: 'test',
-    ...overrides,
-  };
-}
-
-function makeRoute(overrides: Partial<IRouteConfig> = {}): IRouteConfig {
-  return {
-    name: 'test-route',
-    match: { ports: 443, domains: 'test.example.com' },
-    action: { type: 'forward', targets: [{ host: 'placeholder', port: 80 }] },
-    ...overrides,
-  } as IRouteConfig;
-}
-
-// ============================================================================
-// Resolution tests
-// ============================================================================
-
-let resolver: ReferenceResolver;
-
-tap.test('should create ReferenceResolver instance', async () => {
-  resolver = new ReferenceResolver();
-  expect(resolver).toBeTruthy();
-});
-
-tap.test('should list empty profiles and targets initially', async () => {
-  expect(resolver.listProfiles()).toBeArray();
-  expect(resolver.listProfiles().length).toEqual(0);
-  expect(resolver.listTargets()).toBeArray();
-  expect(resolver.listTargets().length).toEqual(0);
-});
-
-// ---- Source profile resolution ----
-
-tap.test('should resolve source profile onto a route', async () => {
-  const profile = makeProfile();
-  injectProfile(resolver, profile);
-
-  const route = makeRoute();
-  const metadata: IRouteMetadata = { sourceProfileRef: 'profile-1' };
-
-  const result = resolver.resolveRoute(route, metadata);
-
-  expect(result.route.security).toBeTruthy();
-  expect(result.route.security!.ipAllowList).toContain('192.168.0.0/16');
-  expect(result.route.security!.ipAllowList).toContain('10.0.0.0/8');
-  expect(result.route.security!.maxConnections).toEqual(1000);
-  expect(result.metadata.sourceProfileName).toEqual('STANDARD');
-  expect(result.metadata.lastResolvedAt).toBeTruthy();
-});
-
-tap.test('should merge inline route security with profile security', async () => {
-  const route = makeRoute({
-    security: {
-      ipAllowList: ['127.0.0.1'],
-      maxConnections: 5000,
-    },
-  });
-  const metadata: IRouteMetadata = { sourceProfileRef: 'profile-1' };
-
-  const result = resolver.resolveRoute(route, metadata);
-
-  // IP lists are unioned
-  expect(result.route.security!.ipAllowList).toContain('192.168.0.0/16');
-  expect(result.route.security!.ipAllowList).toContain('10.0.0.0/8');
-  expect(result.route.security!.ipAllowList).toContain('127.0.0.1');
-
-  // Inline maxConnections overrides profile
-  expect(result.route.security!.maxConnections).toEqual(5000);
-});
-
-tap.test('should deduplicate IP lists during merge', async () => {
-  const route = makeRoute({
-    security: {
-      ipAllowList: ['192.168.0.0/16', '127.0.0.1'],
-    },
-  });
-  const metadata: IRouteMetadata = { sourceProfileRef: 'profile-1' };
-
-  const result = resolver.resolveRoute(route, metadata);
-
-  // 192.168.0.0/16 appears in both profile and route, should be deduplicated
-  const count = result.route.security!.ipAllowList!.filter(ip => ip === '192.168.0.0/16').length;
-  expect(count).toEqual(1);
-});
-
-tap.test('should handle missing profile gracefully', async () => {
-  const route = makeRoute();
-  const metadata: IRouteMetadata = { sourceProfileRef: 'nonexistent-profile' };
-
-  const result = resolver.resolveRoute(route, metadata);
-
-  // Route should be unchanged
-  expect(result.route.security).toBeUndefined();
-  expect(result.metadata.sourceProfileName).toBeUndefined();
-});
-
-// ---- Profile inheritance ----
-
-tap.test('should resolve profile inheritance (extendsProfiles)', async () => {
-  const baseProfile = makeProfile({
-    id: 'base-profile',
-    name: 'BASE',
-    security: {
-      ipAllowList: ['10.0.0.0/8'],
-      maxConnections: 500,
-    },
-  });
-  injectProfile(resolver, baseProfile);
-
-  const extendedProfile = makeProfile({
-    id: 'extended-profile',
-    name: 'EXTENDED',
-    security: {
-      ipAllowList: ['160.79.104.0/21'],
-    },
-    extendsProfiles: ['base-profile'],
-  });
-  injectProfile(resolver, extendedProfile);
-
-  const route = makeRoute();
-  const metadata: IRouteMetadata = { sourceProfileRef: 'extended-profile' };
-
-  const result = resolver.resolveRoute(route, metadata);
-
-  // Should have IPs from both base and extended profiles
-  expect(result.route.security!.ipAllowList).toContain('10.0.0.0/8');
-  expect(result.route.security!.ipAllowList).toContain('160.79.104.0/21');
-  // maxConnections from base (extended doesn't override)
-  expect(result.route.security!.maxConnections).toEqual(500);
-  expect(result.metadata.sourceProfileName).toEqual('EXTENDED');
-});
-
-tap.test('should detect circular profile inheritance', async () => {
-  const profileA = makeProfile({
-    id: 'circular-a',
-    name: 'A',
-    security: { ipAllowList: ['1.1.1.1'] },
-    extendsProfiles: ['circular-b'],
-  });
-  const profileB = makeProfile({
-    id: 'circular-b',
-    name: 'B',
-    security: { ipAllowList: ['2.2.2.2'] },
-    extendsProfiles: ['circular-a'],
-  });
-  injectProfile(resolver, profileA);
-  injectProfile(resolver, profileB);
-
-  const route = makeRoute();
-  const metadata: IRouteMetadata = { sourceProfileRef: 'circular-a' };
-
-  // Should not infinite loop — resolves what it can
-  const result = resolver.resolveRoute(route, metadata);
-  expect(result.route.security).toBeTruthy();
-  expect(result.route.security!.ipAllowList).toContain('1.1.1.1');
-});
-
-// ---- Network target resolution ----
-
-tap.test('should resolve network target onto a route', async () => {
-  const target = makeTarget();
-  injectTarget(resolver, target);
-
-  const route = makeRoute();
-  const metadata: IRouteMetadata = { networkTargetRef: 'target-1' };
-
-  const result = resolver.resolveRoute(route, metadata);
-
-  expect(result.route.action.targets).toBeTruthy();
-  expect(result.route.action.targets![0].host).toEqual('192.168.5.247');
-  expect(result.route.action.targets![0].port).toEqual(443);
-  expect(result.metadata.networkTargetName).toEqual('INFRA');
-  expect(result.metadata.lastResolvedAt).toBeTruthy();
-});
-
-tap.test('should handle missing target gracefully', async () => {
-  const route = makeRoute();
-  const metadata: IRouteMetadata = { networkTargetRef: 'nonexistent-target' };
-
-  const result = resolver.resolveRoute(route, metadata);
-
-  // Route targets should be unchanged (still the placeholder)
-  expect(result.route.action.targets![0].host).toEqual('placeholder');
-  expect(result.metadata.networkTargetName).toBeUndefined();
-});
-
-// ---- Combined resolution ----
-
-tap.test('should resolve both profile and target simultaneously', async () => {
-  const route = makeRoute();
-  const metadata: IRouteMetadata = {
-    sourceProfileRef: 'profile-1',
-    networkTargetRef: 'target-1',
-  };
-
-  const result = resolver.resolveRoute(route, metadata);
-
-  // Security from profile
-  expect(result.route.security!.ipAllowList).toContain('192.168.0.0/16');
-  expect(result.route.security!.maxConnections).toEqual(1000);
-
-  // Target from network target
-  expect(result.route.action.targets![0].host).toEqual('192.168.5.247');
-  expect(result.route.action.targets![0].port).toEqual(443);
-
-  // Both names recorded
-  expect(result.metadata.sourceProfileName).toEqual('STANDARD');
-  expect(result.metadata.networkTargetName).toEqual('INFRA');
-});
-
-tap.test('should skip resolution when no metadata refs', async () => {
-  const route = makeRoute({
-    security: { ipAllowList: ['1.2.3.4'] },
-  });
-  const metadata: IRouteMetadata = {};
-
-  const result = resolver.resolveRoute(route, metadata);
-
-  // Route should be completely unchanged
-  expect(result.route.security!.ipAllowList).toContain('1.2.3.4');
-  expect(result.route.security!.ipAllowList!.length).toEqual(1);
-  expect(result.route.action.targets![0].host).toEqual('placeholder');
-});
-
-tap.test('should be idempotent — resolving twice gives same result', async () => {
-  const route = makeRoute();
-  const metadata: IRouteMetadata = {
-    sourceProfileRef: 'profile-1',
-    networkTargetRef: 'target-1',
-  };
-
-  const first = resolver.resolveRoute(route, metadata);
-  const second = resolver.resolveRoute(first.route, first.metadata);
-
-  expect(second.route.security!.ipAllowList!.length).toEqual(first.route.security!.ipAllowList!.length);
-  expect(second.route.action.targets![0].host).toEqual(first.route.action.targets![0].host);
-  expect(second.route.action.targets![0].port).toEqual(first.route.action.targets![0].port);
-});
-
-// ---- Lookup helpers ----
-
-tap.test('should find routes by profile ref (sync)', async () => {
-  const storedRoutes = new Map<string, any>();
-  storedRoutes.set('route-a', {
-    id: 'route-a',
-    route: makeRoute({ name: 'route-a' }),
-    enabled: true,
-    metadata: { sourceProfileRef: 'profile-1' },
-  });
-  storedRoutes.set('route-b', {
-    id: 'route-b',
-    route: makeRoute({ name: 'route-b' }),
-    enabled: true,
-    metadata: { networkTargetRef: 'target-1' },
-  });
-  storedRoutes.set('route-c', {
-    id: 'route-c',
-    route: makeRoute({ name: 'route-c' }),
-    enabled: true,
-    metadata: { sourceProfileRef: 'profile-1', networkTargetRef: 'target-1' },
-  });
-
-  const profileRefs = resolver.findRoutesByProfileRefSync('profile-1', storedRoutes);
-  expect(profileRefs.length).toEqual(2);
-  expect(profileRefs).toContain('route-a');
-  expect(profileRefs).toContain('route-c');
-
-  const targetRefs = resolver.findRoutesByTargetRefSync('target-1', storedRoutes);
-  expect(targetRefs.length).toEqual(2);
-  expect(targetRefs).toContain('route-b');
-  expect(targetRefs).toContain('route-c');
-});
-
-tap.test('should get profile usage for a specific profile ID', async () => {
-  const storedRoutes = new Map<string, any>();
-  storedRoutes.set('route-x', {
-    id: 'route-x',
-    route: makeRoute({ name: 'my-route' }),
-    enabled: true,
-    metadata: { sourceProfileRef: 'profile-1' },
-  });
-
-  const usage = resolver.getProfileUsageForId('profile-1', storedRoutes);
-  expect(usage.length).toEqual(1);
-  expect(usage[0].id).toEqual('route-x');
-  expect(usage[0].routeName).toEqual('my-route');
-});
-
-tap.test('should get target usage for a specific target ID', async () => {
-  const storedRoutes = new Map<string, any>();
-  storedRoutes.set('route-y', {
-    id: 'route-y',
-    route: makeRoute({ name: 'other-route' }),
-    enabled: true,
-    metadata: { networkTargetRef: 'target-1' },
-  });
-
-  const usage = resolver.getTargetUsageForId('target-1', storedRoutes);
-  expect(usage.length).toEqual(1);
-  expect(usage[0].id).toEqual('route-y');
-  expect(usage[0].routeName).toEqual('other-route');
-});
-
-// ---- Profile/target getters ----
-
-tap.test('should get profile by name', async () => {
-  const profile = resolver.getProfileByName('STANDARD');
-  expect(profile).toBeTruthy();
-  expect(profile!.id).toEqual('profile-1');
-});
-
-tap.test('should get target by name', async () => {
-  const target = resolver.getTargetByName('INFRA');
-  expect(target).toBeTruthy();
-  expect(target!.id).toEqual('target-1');
-});
-
-tap.test('should return undefined for nonexistent profile name', async () => {
-  const profile = resolver.getProfileByName('NONEXISTENT');
-  expect(profile).toBeUndefined();
-});
-
-tap.test('should return undefined for nonexistent target name', async () => {
-  const target = resolver.getTargetByName('NONEXISTENT');
-  expect(target).toBeUndefined();
-});
-
-export default tap.start();
@@ -1,208 +0,0 @@
-import { expect, tap } from '@git.zone/tstest/tapbundle';
-import { DcRouter } from '../ts/index.js';
-import { TypedRequest } from '@api.global/typedrequest';
-import * as interfaces from '../ts_interfaces/index.js';
-
-const TEST_PORT = 3200;
-const TEST_URL = `http://localhost:${TEST_PORT}/typedrequest`;
-
-let testDcRouter: DcRouter;
-let adminIdentity: interfaces.data.IIdentity;
-
-// ============================================================================
-// Setup — db disabled, handlers return graceful fallbacks
-// ============================================================================
-
-tap.test('should start DCRouter with OpsServer', async () => {
-  testDcRouter = new DcRouter({
-    opsServerPort: TEST_PORT,
-    dbConfig: { enabled: false },
-  });
-
-  await testDcRouter.start();
-  expect(testDcRouter.opsServer).toBeInstanceOf(Object);
-});
-
-tap.test('should login as admin', async () => {
-  const loginRequest = new TypedRequest<interfaces.requests.IReq_AdminLoginWithUsernameAndPassword>(
-    TEST_URL,
-    'adminLoginWithUsernameAndPassword'
-  );
-
-  const response = await loginRequest.fire({
-    username: 'admin',
-    password: 'admin',
-  });
-
-  expect(response).toHaveProperty('identity');
-  adminIdentity = response.identity;
-});
-
-// ============================================================================
-// Source Profile endpoints (graceful fallbacks when resolver unavailable)
-// ============================================================================
-
-tap.test('should return empty profiles list when resolver not initialized', async () => {
-  const req = new TypedRequest<interfaces.requests.IReq_GetSourceProfiles>(
-    TEST_URL,
-    'getSourceProfiles'
-  );
-
-  const response = await req.fire({
-    identity: adminIdentity,
-  });
-
-  expect(response.profiles).toBeArray();
-  expect(response.profiles.length).toEqual(0);
-});
-
-tap.test('should return null for single profile when resolver not initialized', async () => {
-  const req = new TypedRequest<interfaces.requests.IReq_GetSourceProfile>(
-    TEST_URL,
-    'getSourceProfile'
-  );
-
-  const response = await req.fire({
-    identity: adminIdentity,
-    id: 'nonexistent',
-  });
-
-  expect(response.profile).toEqual(null);
-});
-
-tap.test('should return failure for create profile when resolver not initialized', async () => {
-  const req = new TypedRequest<interfaces.requests.IReq_CreateSourceProfile>(
-    TEST_URL,
-    'createSourceProfile'
-  );
-
-  const response = await req.fire({
-    identity: adminIdentity,
-    name: 'TEST',
-    security: { ipAllowList: ['*'] },
-  });
-
-  expect(response.success).toBeFalse();
-  expect(response.message).toBeTruthy();
-});
-
-tap.test('should return empty profile usage when resolver not initialized', async () => {
-  const req = new TypedRequest<interfaces.requests.IReq_GetSourceProfileUsage>(
-    TEST_URL,
-    'getSourceProfileUsage'
-  );
-
-  const response = await req.fire({
-    identity: adminIdentity,
-    id: 'nonexistent',
-  });
-
-  expect(response.routes).toBeArray();
-  expect(response.routes.length).toEqual(0);
-});
-
-// ============================================================================
-// Network Target endpoints (graceful fallbacks when resolver unavailable)
-// ============================================================================
-
-tap.test('should return empty targets list when resolver not initialized', async () => {
-  const req = new TypedRequest<interfaces.requests.IReq_GetNetworkTargets>(
-    TEST_URL,
-    'getNetworkTargets'
-  );
-
-  const response = await req.fire({
-    identity: adminIdentity,
-  });
-
-  expect(response.targets).toBeArray();
-  expect(response.targets.length).toEqual(0);
-});
-
-tap.test('should return null for single target when resolver not initialized', async () => {
-  const req = new TypedRequest<interfaces.requests.IReq_GetNetworkTarget>(
-    TEST_URL,
-    'getNetworkTarget'
-  );
-
-  const response = await req.fire({
-    identity: adminIdentity,
-    id: 'nonexistent',
-  });
-
-  expect(response.target).toEqual(null);
-});
-
-tap.test('should return failure for create target when resolver not initialized', async () => {
-  const req = new TypedRequest<interfaces.requests.IReq_CreateNetworkTarget>(
-    TEST_URL,
-    'createNetworkTarget'
-  );
-
-  const response = await req.fire({
-    identity: adminIdentity,
-    name: 'TEST',
-    host: '127.0.0.1',
-    port: 443,
-  });
-
-  expect(response.success).toBeFalse();
-  expect(response.message).toBeTruthy();
-});
-
-tap.test('should return empty target usage when resolver not initialized', async () => {
-  const req = new TypedRequest<interfaces.requests.IReq_GetNetworkTargetUsage>(
-    TEST_URL,
-    'getNetworkTargetUsage'
-  );
-
-  const response = await req.fire({
-    identity: adminIdentity,
-    id: 'nonexistent',
-  });
-
-  expect(response.routes).toBeArray();
-  expect(response.routes.length).toEqual(0);
-});
-
-// ============================================================================
-// Auth rejection
-// ============================================================================
-
-tap.test('should reject unauthenticated profile requests', async () => {
-  const req = new TypedRequest<interfaces.requests.IReq_GetSourceProfiles>(
-    TEST_URL,
-    'getSourceProfiles'
-  );
-
-  try {
-    await req.fire({} as any);
-    expect(true).toBeFalse();
-  } catch (error) {
-    expect(error).toBeTruthy();
-  }
-});
-
-tap.test('should reject unauthenticated target requests', async () => {
-  const req = new TypedRequest<interfaces.requests.IReq_GetNetworkTargets>(
-    TEST_URL,
-    'getNetworkTargets'
-  );
-
-  try {
-    await req.fire({} as any);
-    expect(true).toBeFalse();
-  } catch (error) {
-    expect(error).toBeTruthy();
-  }
-});
-
-// ============================================================================
-// Cleanup
-// ============================================================================
-
-tap.test('should stop DCRouter', async () => {
-  await testDcRouter.stop();
-});
-
-export default tap.start();
@@ -0,0 +1,289 @@
+import { tap, expect } from '@git.zone/tstest/tapbundle';
+import * as plugins from '../ts/plugins.js';
+import * as paths from '../ts/paths.js';
+import { StorageManager } from '../ts/storage/classes.storagemanager.js';
+import { promises as fs } from 'fs';
+import * as path from 'path';
+
+// Test data
+const testData = {
+  string: 'Hello, World!',
+  json: { name: 'test', value: 42, nested: { data: true } },
+  largeString: 'x'.repeat(10000)
+};
+
+tap.test('Storage Manager - Memory Backend', async () => {
+  // Create StorageManager without config (defaults to memory)
+  const storage = new StorageManager();
+  
+  // Test basic get/set
+  await storage.set('/test/key', testData.string);
+  const value = await storage.get('/test/key');
+  expect(value).toEqual(testData.string);
+  
+  // Test JSON helpers
+  await storage.setJSON('/test/json', testData.json);
+  const jsonValue = await storage.getJSON('/test/json');
+  expect(jsonValue).toEqual(testData.json);
+  
+  // Test exists
+  expect(await storage.exists('/test/key')).toEqual(true);
+  expect(await storage.exists('/nonexistent')).toEqual(false);
+  
+  // Test delete
+  await storage.delete('/test/key');
+  expect(await storage.exists('/test/key')).toEqual(false);
+  
+  // Test list
+  await storage.set('/items/1', 'one');
+  await storage.set('/items/2', 'two');
+  await storage.set('/other/3', 'three');
+  
+  const items = await storage.list('/items');
+  expect(items.length).toEqual(2);
+  expect(items).toContain('/items/1');
+  expect(items).toContain('/items/2');
+  
+  // Verify memory backend
+  expect(storage.getBackend()).toEqual('memory');
+});
+
+tap.test('Storage Manager - Filesystem Backend', async () => {
+  const testDir = path.join(paths.dataDir, '.test-storage');
+  
+  // Clean up test directory if it exists
+  try {
+    await fs.rm(testDir, { recursive: true, force: true });
+  } catch {}
+  
+  // Create StorageManager with filesystem path
+  const storage = new StorageManager({ fsPath: testDir });
+  
+  // Test basic operations
+  await storage.set('/test/file', testData.string);
+  const value = await storage.get('/test/file');
+  expect(value).toEqual(testData.string);
+  
+  // Verify file exists on disk
+  const filePath = path.join(testDir, 'test', 'file');
+  const fileExists = await fs.access(filePath).then(() => true).catch(() => false);
+  expect(fileExists).toEqual(true);
+  
+  // Test atomic writes (temp file should not exist)
+  const tempPath = filePath + '.tmp';
+  const tempExists = await fs.access(tempPath).then(() => true).catch(() => false);
+  expect(tempExists).toEqual(false);
+  
+  // Test nested paths
+  await storage.set('/deeply/nested/path/to/file', testData.largeString);
+  const nestedValue = await storage.get('/deeply/nested/path/to/file');
+  expect(nestedValue).toEqual(testData.largeString);
+  
+  // Test list with filesystem
+  await storage.set('/fs/items/a', 'alpha');
+  await storage.set('/fs/items/b', 'beta');
+  await storage.set('/fs/other/c', 'gamma');
+  
+  // Filesystem backend now properly supports list
+  const fsItems = await storage.list('/fs/items');
+  expect(fsItems.length).toEqual(2); // Should find both items
+  
+  // Clean up
+  await fs.rm(testDir, { recursive: true, force: true });
+});
+
+tap.test('Storage Manager - Custom Function Backend', async () => {
+  // Create in-memory storage for custom functions
+  const customStore = new Map<string, string>();
+  
+  const storage = new StorageManager({
+    readFunction: async (key: string) => {
+      return customStore.get(key) || null;
+    },
+    writeFunction: async (key: string, value: string) => {
+      customStore.set(key, value);
+    }
+  });
+  
+  // Test basic operations
+  await storage.set('/custom/key', testData.string);
+  expect(customStore.has('/custom/key')).toEqual(true);
+  
+  const value = await storage.get('/custom/key');
+  expect(value).toEqual(testData.string);
+  
+  // Test that delete sets empty value (as per implementation)
+  await storage.delete('/custom/key');
+  expect(customStore.get('/custom/key')).toEqual('');
+  
+  // Verify custom backend (filesystem is implemented as custom backend internally)
+  expect(storage.getBackend()).toEqual('custom');
+});
+
+tap.test('Storage Manager - Key Validation', async () => {
+  const storage = new StorageManager();
+  
+  // Test key normalization
+  await storage.set('test/key', 'value1'); // Missing leading slash
+  const value1 = await storage.get('/test/key');
+  expect(value1).toEqual('value1');
+  
+  // Test dangerous path elements are removed
+  await storage.set('/test/../danger/key', 'value2');
+  const value2 = await storage.get('/test/danger/key'); // .. is removed, not the whole path segment
+  expect(value2).toEqual('value2');
+  
+  // Test multiple slashes are normalized
+  await storage.set('/test///multiple////slashes', 'value3');
+  const value3 = await storage.get('/test/multiple/slashes');
+  expect(value3).toEqual('value3');
+  
+  // Test invalid keys throw errors
+  let emptyKeyError: Error | null = null;
+  try {
+    await storage.set('', 'value');
+  } catch (error) {
+    emptyKeyError = error as Error;
+  }
+  expect(emptyKeyError).toBeTruthy();
+  expect(emptyKeyError?.message).toEqual('Storage key must be a non-empty string');
+  
+  let nullKeyError: Error | null = null;
+  try {
+    await storage.set(null as any, 'value');
+  } catch (error) {
+    nullKeyError = error as Error;
+  }
+  expect(nullKeyError).toBeTruthy();
+  expect(nullKeyError?.message).toEqual('Storage key must be a non-empty string');
+});
+
+tap.test('Storage Manager - Concurrent Access', async () => {
+  const storage = new StorageManager();
+  const promises: Promise<void>[] = [];
+  
+  // Simulate concurrent writes
+  for (let i = 0; i < 100; i++) {
+    promises.push(storage.set(`/concurrent/key${i}`, `value${i}`));
+  }
+  
+  await Promise.all(promises);
+  
+  // Verify all writes succeeded
+  for (let i = 0; i < 100; i++) {
+    const value = await storage.get(`/concurrent/key${i}`);
+    expect(value).toEqual(`value${i}`);
+  }
+  
+  // Test concurrent reads
+  const readPromises: Promise<string | null>[] = [];
+  for (let i = 0; i < 100; i++) {
+    readPromises.push(storage.get(`/concurrent/key${i}`));
+  }
+  
+  const results = await Promise.all(readPromises);
+  for (let i = 0; i < 100; i++) {
+    expect(results[i]).toEqual(`value${i}`);
+  }
+});
+
+tap.test('Storage Manager - Backend Priority', async () => {
+  const testDir = path.join(paths.dataDir, '.test-storage-priority');
+  
+  // Test that custom functions take priority over fsPath
+  let warningLogged = false;
+  const originalWarn = console.warn;
+  console.warn = (message: string) => {
+    if (message.includes('Using custom read/write functions')) {
+      warningLogged = true;
+    }
+  };
+  
+  const storage = new StorageManager({
+    fsPath: testDir,
+    readFunction: async () => 'custom-value',
+    writeFunction: async () => {}
+  });
+  
+  console.warn = originalWarn;
+  
+  expect(warningLogged).toEqual(true);
+  expect(storage.getBackend()).toEqual('custom'); // Custom functions take priority
+  
+  // Clean up
+  try {
+    await fs.rm(testDir, { recursive: true, force: true });
+  } catch {}
+});
+
+tap.test('Storage Manager - Error Handling', async () => {
+  // Test filesystem errors
+  const storage = new StorageManager({
+    readFunction: async () => {
+      throw new Error('Read error');
+    },
+    writeFunction: async () => {
+      throw new Error('Write error');
+    }
+  });
+  
+  // Read errors should return null
+  const value = await storage.get('/error/key');
+  expect(value).toEqual(null);
+  
+  // Write errors should propagate
+  let writeError: Error | null = null;
+  try {
+    await storage.set('/error/key', 'value');
+  } catch (error) {
+    writeError = error as Error;
+  }
+  expect(writeError).toBeTruthy();
+  expect(writeError?.message).toEqual('Write error');
+  
+  // Test JSON parse errors
+  const jsonStorage = new StorageManager({
+    readFunction: async () => 'invalid json',
+    writeFunction: async () => {}
+  });
+  
+  // Test JSON parse errors
+  let jsonError: Error | null = null;
+  try {
+    await jsonStorage.getJSON('/invalid/json');
+  } catch (error) {
+    jsonError = error as Error;
+  }
+  expect(jsonError).toBeTruthy();
+  expect(jsonError?.message).toContain('JSON');
+});
+
+tap.test('Storage Manager - List Operations', async () => {
+  const storage = new StorageManager();
+  
+  // Populate storage with hierarchical data
+  await storage.set('/app/config/database', 'db-config');
+  await storage.set('/app/config/cache', 'cache-config');
+  await storage.set('/app/data/users/1', 'user1');
+  await storage.set('/app/data/users/2', 'user2');
+  await storage.set('/app/logs/error.log', 'errors');
+  
+  // List root
+  const rootItems = await storage.list('/');
+  expect(rootItems.length).toBeGreaterThanOrEqual(5);
+  
+  // List specific paths
+  const configItems = await storage.list('/app/config');
+  expect(configItems.length).toEqual(2);
+  expect(configItems).toContain('/app/config/database');
+  expect(configItems).toContain('/app/config/cache');
+  
+  const userItems = await storage.list('/app/data/users');
+  expect(userItems.length).toEqual(2);
+  
+  // List non-existent path
+  const emptyList = await storage.list('/nonexistent/path');
+  expect(emptyList.length).toEqual(0);
+});
+
+export default tap.start();
@@ -1,8 +1,6 @@
 import { DcRouter } from '../ts/index.js';

 const devRouter = new DcRouter({
-  // Server public IP (used for VPN AllowedIPs)
-  publicIp: '203.0.113.1',
  // SmartProxy routes for development/demo
  smartProxyConfig: {
    routes: [
@@ -25,31 +23,10 @@ const devRouter = new DcRouter({
          tls: { mode: 'passthrough' },
        },
      },
-      {
-        name: 'vpn-internal-app',
-        match: { ports: [18080], domains: ['internal.example.com'] },
-        action: { type: 'forward', targets: [{ host: 'localhost', port: 5000 }] },
-        vpnOnly: true,
-      },
-      {
-        name: 'vpn-eng-dashboard',
-        match: { ports: [18080], domains: ['eng.example.com'] },
-        action: { type: 'forward', targets: [{ host: 'localhost', port: 5001 }] },
-        vpnOnly: true,
-      },
-    ] as any[],
-  },
-  // VPN with pre-defined clients
-  vpnConfig: {
-    enabled: true,
-    serverEndpoint: 'vpn.dev.local',
-    clients: [
-      { clientId: 'dev-laptop', description: 'Developer laptop' },
-      { clientId: 'ci-runner', description: 'CI/CD pipeline' },
-      { clientId: 'admin-desktop', description: 'Admin workstation' },
    ],
  },
-  dbConfig: { enabled: true },
+  // Disable cache/mongo for dev
+  cacheConfig: { enabled: false },
 });

 console.log('Starting DcRouter in development mode...');
@@ -3,6 +3,6 @@
 */
 export const commitinfo = {
  name: '@serve.zone/dcrouter',
-  version: '13.2.2',
+  version: '11.0.11',
  description: 'A multifaceted routing service handling mail and SMS delivery functions.'
 }
@@ -1,6 +1,6 @@
 import * as plugins from '../plugins.js';
 import { logger } from '../logger.js';
-import { DcRouterDb } from './classes.dcrouter-db.js';
+import { CacheDb } from './classes.cachedb.js';

 // Import document classes for cleanup
 import { CachedEmail } from './documents/classes.cached.email.js';
@@ -26,10 +26,10 @@ export class CacheCleaner {
  private cleanupInterval: ReturnType<typeof setInterval> | null = null;
  private isRunning: boolean = false;
  private options: Required<ICacheCleanerOptions>;
-  private dcRouterDb: DcRouterDb;
+  private cacheDb: CacheDb;

-  constructor(dcRouterDb: DcRouterDb, options: ICacheCleanerOptions = {}) {
-    this.dcRouterDb = dcRouterDb;
+  constructor(cacheDb: CacheDb, options: ICacheCleanerOptions = {}) {
+    this.cacheDb = cacheDb;
    this.options = {
      intervalMs: options.intervalMs || 60 * 60 * 1000, // 1 hour default
      verbose: options.verbose || false,
@@ -48,14 +48,14 @@ export class CacheCleaner {
    this.isRunning = true;

    // Run cleanup immediately on start
-    this.runCleanup().catch((error: unknown) => {
-      logger.log('error', `Initial cache cleanup failed: ${(error as Error).message}`);
+    this.runCleanup().catch((error) => {
+      logger.log('error', `Initial cache cleanup failed: ${error.message}`);
    });

    // Schedule periodic cleanup
    this.cleanupInterval = setInterval(() => {
-      this.runCleanup().catch((error: unknown) => {
-        logger.log('error', `Cache cleanup failed: ${(error as Error).message}`);
+      this.runCleanup().catch((error) => {
+        logger.log('error', `Cache cleanup failed: ${error.message}`);
      });
    }, this.options.intervalMs);

@@ -86,8 +86,8 @@ export class CacheCleaner {
   * Run a single cleanup cycle
   */
  public async runCleanup(): Promise<void> {
-    if (!this.dcRouterDb.isReady()) {
-      logger.log('warn', 'DcRouterDb not ready, skipping cleanup');
+    if (!this.cacheDb.isReady()) {
+      logger.log('warn', 'CacheDb not ready, skipping cleanup');
      return;
    }

@@ -113,8 +113,8 @@ export class CacheCleaner {
          `Cache cleanup completed. Deleted ${totalDeleted} expired documents. ${summary || 'No deletions.'}`
        );
      }
-    } catch (error: unknown) {
-      logger.log('error', `Cache cleanup error: ${(error as Error).message}`);
+    } catch (error) {
+      logger.log('error', `Cache cleanup error: ${error.message}`);
      throw error;
    }
  }
@@ -138,14 +138,14 @@ export class CacheCleaner {
        try {
          await doc.delete();
          deletedCount++;
-        } catch (deleteError: unknown) {
-          logger.log('warn', `Failed to delete expired document: ${(deleteError as Error).message}`);
+        } catch (deleteError) {
+          logger.log('warn', `Failed to delete expired document: ${deleteError.message}`);
        }
      }

      return deletedCount;
-    } catch (error: unknown) {
-      logger.log('error', `Error cleaning collection: ${(error as Error).message}`);
+    } catch (error) {
+      logger.log('error', `Error cleaning collection: ${error.message}`);
      return 0;
    }
  }
@@ -22,7 +22,7 @@ export abstract class CachedDocument<T extends CachedDocument<T>> extends plugin
   * Timestamp when the document expires and should be cleaned up
   * NOTE: Subclasses must add @svDb() decorator
   */
-  public expiresAt!: Date;
+  public expiresAt: Date;

  /**
   * Timestamp of last access (for LRU-style eviction if needed)
@@ -0,0 +1,155 @@
+import * as plugins from '../plugins.js';
+import { logger } from '../logger.js';
+import { defaultTsmDbPath } from '../paths.js';
+
+/**
+ * Configuration options for CacheDb
+ */
+export interface ICacheDbOptions {
+  /** Base storage path for TsmDB data (default: ~/.serve.zone/dcrouter/tsmdb) */
+  storagePath?: string;
+  /** Database name (default: dcrouter) */
+  dbName?: string;
+  /** Enable debug logging */
+  debug?: boolean;
+}
+
+/**
+ * CacheDb - Wrapper around LocalTsmDb and smartdata
+ *
+ * Provides persistent caching using smartdata as the ORM layer
+ * and LocalTsmDb as the embedded database engine.
+ */
+export class CacheDb {
+  private static instance: CacheDb | null = null;
+
+  private localTsmDb: plugins.smartmongo.LocalTsmDb;
+  private smartdataDb: plugins.smartdata.SmartdataDb;
+  private options: Required<ICacheDbOptions>;
+  private isStarted: boolean = false;
+
+  constructor(options: ICacheDbOptions = {}) {
+    this.options = {
+      storagePath: options.storagePath || defaultTsmDbPath,
+      dbName: options.dbName || 'dcrouter',
+      debug: options.debug || false,
+    };
+  }
+
+  /**
+   * Get or create the singleton instance
+   */
+  public static getInstance(options?: ICacheDbOptions): CacheDb {
+    if (!CacheDb.instance) {
+      CacheDb.instance = new CacheDb(options);
+    }
+    return CacheDb.instance;
+  }
+
+  /**
+   * Reset the singleton instance (useful for testing)
+   */
+  public static resetInstance(): void {
+    CacheDb.instance = null;
+  }
+
+  /**
+   * Start the cache database
+   * - Initializes LocalTsmDb with file persistence
+   * - Connects smartdata to the LocalTsmDb via Unix socket
+   */
+  public async start(): Promise<void> {
+    if (this.isStarted) {
+      logger.log('warn', 'CacheDb already started');
+      return;
+    }
+
+    try {
+      // Ensure storage directory exists
+      await plugins.fsUtils.ensureDir(this.options.storagePath);
+
+      // Create LocalTsmDb instance
+      this.localTsmDb = new plugins.smartmongo.LocalTsmDb({
+        folderPath: this.options.storagePath,
+      });
+
+      // Start LocalTsmDb and get connection info
+      const connectionInfo = await this.localTsmDb.start();
+
+      if (this.options.debug) {
+        logger.log('debug', `LocalTsmDb started with URI: ${connectionInfo.connectionUri}`);
+      }
+
+      // Initialize smartdata with the connection URI
+      this.smartdataDb = new plugins.smartdata.SmartdataDb({
+        mongoDbUrl: connectionInfo.connectionUri,
+        mongoDbName: this.options.dbName,
+      });
+      await this.smartdataDb.init();
+
+      this.isStarted = true;
+      logger.log('info', `CacheDb started at ${this.options.storagePath}`);
+    } catch (error) {
+      logger.log('error', `Failed to start CacheDb: ${error.message}`);
+      throw error;
+    }
+  }
+
+  /**
+   * Stop the cache database
+   */
+  public async stop(): Promise<void> {
+    if (!this.isStarted) {
+      return;
+    }
+
+    try {
+      // Close smartdata connection
+      if (this.smartdataDb) {
+        await this.smartdataDb.close();
+      }
+
+      // Stop LocalTsmDb
+      if (this.localTsmDb) {
+        await this.localTsmDb.stop();
+      }
+
+      this.isStarted = false;
+      logger.log('info', 'CacheDb stopped');
+    } catch (error) {
+      logger.log('error', `Error stopping CacheDb: ${error.message}`);
+      throw error;
+    }
+  }
+
+  /**
+   * Get the smartdata database instance
+   */
+  public getDb(): plugins.smartdata.SmartdataDb {
+    if (!this.isStarted) {
+      throw new Error('CacheDb not started. Call start() first.');
+    }
+    return this.smartdataDb;
+  }
+
+  /**
+   * Check if the database is ready
+   */
+  public isReady(): boolean {
+    return this.isStarted;
+  }
+
+  /**
+   * Get the storage path
+   */
+  public getStoragePath(): string {
+    return this.options.storagePath;
+  }
+
+  /**
+   * Get the database name
+   */
+  public getDbName(): string {
+    return this.options.dbName;
+  }
+}
@@ -1,6 +1,6 @@
 import * as plugins from '../../plugins.js';
 import { CachedDocument, TTL } from '../classes.cached.document.js';
-import { DcRouterDb } from '../classes.dcrouter-db.js';
+import { CacheDb } from '../classes.cachedb.js';

 /**
 * Email status in the cache
@@ -10,7 +10,7 @@ export type TCachedEmailStatus = 'pending' | 'processing' | 'delivered' | 'faile
 /**
 * Helper to get the smartdata database instance
 */
-const getDb = () => DcRouterDb.getInstance().getDb();
+const getDb = () => CacheDb.getInstance().getDb();

 /**
 * CachedEmail - Stores email queue items in the cache
@@ -35,55 +35,55 @@ export class CachedEmail extends CachedDocument<CachedEmail> {
   */
  @plugins.smartdata.unI()
  @plugins.smartdata.svDb()
-  public id!: string;
+  public id: string;

  /**
   * Email message ID (RFC 822 Message-ID header)
   */
  @plugins.smartdata.svDb()
-  public messageId!: string;
+  public messageId: string;

  /**
   * Sender email address (envelope from)
   */
  @plugins.smartdata.svDb()
-  public from!: string;
+  public from: string;

  /**
   * Recipient email addresses
   */
  @plugins.smartdata.svDb()
-  public to!: string[];
+  public to: string[];

  /**
   * CC recipients
   */
  @plugins.smartdata.svDb()
-  public cc!: string[];
+  public cc: string[];

  /**
   * BCC recipients
   */
  @plugins.smartdata.svDb()
-  public bcc!: string[];
+  public bcc: string[];

  /**
   * Email subject
   */
  @plugins.smartdata.svDb()
-  public subject!: string;
+  public subject: string;

  /**
   * Raw RFC822 email content
   */
  @plugins.smartdata.svDb()
-  public rawContent!: string;
+  public rawContent: string;

  /**
   * Current status of the email
   */
  @plugins.smartdata.svDb()
-  public status!: TCachedEmailStatus;
+  public status: TCachedEmailStatus;

  /**
   * Number of delivery attempts
@@ -101,25 +101,25 @@ export class CachedEmail extends CachedDocument<CachedEmail> {
   * Timestamp for next delivery attempt
   */
  @plugins.smartdata.svDb()
-  public nextAttempt!: Date;
+  public nextAttempt: Date;

  /**
   * Last error message if delivery failed
   */
  @plugins.smartdata.svDb()
-  public lastError!: string;
+  public lastError: string;

  /**
   * Timestamp when the email was successfully delivered
   */
  @plugins.smartdata.svDb()
-  public deliveredAt!: Date;
+  public deliveredAt: Date;

  /**
   * Sender domain (for querying/filtering)
   */
  @plugins.smartdata.svDb()
-  public senderDomain!: string;
+  public senderDomain: string;

  /**
   * Priority level (higher = more important)
@@ -131,7 +131,7 @@ export class CachedEmail extends CachedDocument<CachedEmail> {
   * JSON-serialized route data
   */
  @plugins.smartdata.svDb()
-  public routeData!: string;
+  public routeData: string;

  /**
   * DKIM signature status
@@ -1,11 +1,11 @@
 import * as plugins from '../../plugins.js';
 import { CachedDocument, TTL } from '../classes.cached.document.js';
-import { DcRouterDb } from '../classes.dcrouter-db.js';
+import { CacheDb } from '../classes.cachedb.js';

 /**
 * Helper to get the smartdata database instance
 */
-const getDb = () => DcRouterDb.getInstance().getDb();
+const getDb = () => CacheDb.getInstance().getDb();

 /**
 * IP reputation result data
@@ -45,61 +45,61 @@ export class CachedIPReputation extends CachedDocument<CachedIPReputation> {
   */
  @plugins.smartdata.unI()
  @plugins.smartdata.svDb()
-  public ipAddress!: string;
+  public ipAddress: string;

  /**
   * Reputation score (0-100, higher = better)
   */
  @plugins.smartdata.svDb()
-  public score!: number;
+  public score: number;

  /**
   * Whether the IP is flagged as spam source
   */
  @plugins.smartdata.svDb()
-  public isSpam!: boolean;
+  public isSpam: boolean;

  /**
   * Whether the IP is a known proxy
   */
  @plugins.smartdata.svDb()
-  public isProxy!: boolean;
+  public isProxy: boolean;

  /**
   * Whether the IP is a Tor exit node
   */
  @plugins.smartdata.svDb()
-  public isTor!: boolean;
+  public isTor: boolean;

  /**
   * Whether the IP is a VPN endpoint
   */
  @plugins.smartdata.svDb()
-  public isVPN!: boolean;
+  public isVPN: boolean;

  /**
   * Country code (ISO 3166-1 alpha-2)
   */
  @plugins.smartdata.svDb()
-  public country!: string;
+  public country: string;

  /**
   * Autonomous System Number
   */
  @plugins.smartdata.svDb()
-  public asn!: string;
+  public asn: string;

  /**
   * Organization name
   */
  @plugins.smartdata.svDb()
-  public org!: string;
+  public org: string;

  /**
   * List of blacklists the IP appears on
   */
  @plugins.smartdata.svDb()
-  public blacklists!: string[];
+  public blacklists: string[];

  /**
   * Number of times this IP has been checked
@@ -0,0 +1,2 @@
+export * from './classes.cached.email.js';
+export * from './classes.cached.ip.reputation.js';
@@ -1,10 +1,6 @@
-// Unified database manager
-export * from './classes.dcrouter-db.js';
-
-// TTL base class and constants
+// Core cache infrastructure
+export * from './classes.cachedb.js';
 export * from './classes.cached.document.js';
-
-// Cache cleaner
 export * from './classes.cache.cleaner.js';

 // Document classes
@@ -1,5 +1,5 @@
 import { logger } from './logger.js';
-import { CertBackoffDoc } from './db/index.js';
+import type { StorageManager } from './storage/index.js';

 interface IBackoffEntry {
  failures: number;
@@ -10,86 +10,65 @@ interface IBackoffEntry {

 /**
 * Manages certificate provisioning scheduling with:
- * - Per-domain exponential backoff persisted via CertBackoffDoc
+ * - Per-domain exponential backoff persisted in StorageManager
 *
 * Note: Serial stagger queue was removed — smartacme v9 handles
 * concurrency, per-domain dedup, and rate limiting internally.
 */
 export class CertProvisionScheduler {
+  private storageManager: StorageManager;
  private maxBackoffHours: number;

  // In-memory backoff cache (mirrors storage for fast lookups)
  private backoffCache = new Map<string, IBackoffEntry>();

  constructor(
+    storageManager: StorageManager,
    options?: { maxBackoffHours?: number }
  ) {
+    this.storageManager = storageManager;
    this.maxBackoffHours = options?.maxBackoffHours ?? 24;
  }

  /**
-   * Sanitized domain key for storage lookups
+   * Storage key for a domain's backoff entry
   */
-  private sanitizeDomain(domain: string): string {
-    return domain.replace(/\*/g, '_wildcard_').replace(/[^a-zA-Z0-9._-]/g, '_');
+  private backoffKey(domain: string): string {
+    const clean = domain.replace(/\*/g, '_wildcard_').replace(/[^a-zA-Z0-9._-]/g, '_');
+    return `/cert-backoff/${clean}`;
  }

  /**
-   * Load backoff entry from database (with in-memory cache)
+   * Load backoff entry from storage (with in-memory cache)
   */
  private async loadBackoff(domain: string): Promise<IBackoffEntry | null> {
    const cached = this.backoffCache.get(domain);
    if (cached) return cached;

-    const sanitized = this.sanitizeDomain(domain);
-    const doc = await CertBackoffDoc.findByDomain(sanitized);
-    if (doc) {
-      const entry: IBackoffEntry = {
-        failures: doc.failures,
-        lastFailure: doc.lastFailure,
-        retryAfter: doc.retryAfter,
-        lastError: doc.lastError,
-      };
+    const entry = await this.storageManager.getJSON<IBackoffEntry>(this.backoffKey(domain));
+    if (entry) {
      this.backoffCache.set(domain, entry);
-      return entry;
    }
-    return null;
+    return entry;
  }

  /**
-   * Save backoff entry to both cache and database
+   * Save backoff entry to both cache and storage
   */
  private async saveBackoff(domain: string, entry: IBackoffEntry): Promise<void> {
    this.backoffCache.set(domain, entry);
-    const sanitized = this.sanitizeDomain(domain);
-    let doc = await CertBackoffDoc.findByDomain(sanitized);
-    if (!doc) {
-      doc = new CertBackoffDoc();
-      doc.domain = sanitized;
-    }
-    doc.failures = entry.failures;
-    doc.lastFailure = entry.lastFailure;
-    doc.retryAfter = entry.retryAfter;
-    doc.lastError = entry.lastError || '';
-    await doc.save();
+    await this.storageManager.setJSON(this.backoffKey(domain), entry);
  }

  /**
-   * Check if a domain is currently in backoff.
-   * Expired entries are pruned from the cache to prevent unbounded growth.
+   * Check if a domain is currently in backoff
   */
  async isInBackoff(domain: string): Promise<boolean> {
    const entry = await this.loadBackoff(domain);
    if (!entry) return false;

    const retryAfter = new Date(entry.retryAfter);
-    if (retryAfter.getTime() > Date.now()) {
-      return true;
-    }
-
-    // Backoff has expired — prune the stale entry
-    this.backoffCache.delete(domain);
-    return false;
+    return retryAfter.getTime() > Date.now();
  }

  /**
@@ -121,13 +100,9 @@ export class CertProvisionScheduler {
  async clearBackoff(domain: string): Promise<void> {
    this.backoffCache.delete(domain);
    try {
-      const sanitized = this.sanitizeDomain(domain);
-      const doc = await CertBackoffDoc.findByDomain(sanitized);
-      if (doc) {
-        await doc.delete();
-      }
+      await this.storageManager.delete(this.backoffKey(domain));
    } catch {
-      // Ignore delete errors (doc may not exist)
+      // Ignore delete errors (key may not exist)
    }
  }

@@ -149,12 +124,9 @@ export class CertProvisionScheduler {
    const entry = await this.loadBackoff(domain);
    if (!entry) return null;

-    // Only return if still in backoff — prune expired entries
+    // Only return if still in backoff
    const retryAfter = new Date(entry.retryAfter);
-    if (retryAfter.getTime() <= Date.now()) {
-      this.backoffCache.delete(domain);
-      return null;
-    }
+    if (retryAfter.getTime() <= Date.now()) return null;

    return {
      failures: entry.failures,
@@ -1,58 +1,46 @@
 import * as plugins from './plugins.js';
-import { AcmeCertDoc } from './db/index.js';
+import { StorageManager } from './storage/index.js';

 /**
- * ICertManager implementation backed by smartdata document classes.
- * Persists SmartAcme certificates via AcmeCertDoc so they
+ * ICertManager implementation backed by StorageManager.
+ * Persists SmartAcme certificates under a /certs/ key prefix so they
 * survive process restarts without re-hitting ACME.
 */
 export class StorageBackedCertManager implements plugins.smartacme.ICertManager {
-  constructor() {}
+  private keyPrefix = '/certs/';
+
+  constructor(private storageManager: StorageManager) {}

  async init(): Promise<void> {}

  async retrieveCertificate(domainName: string): Promise<plugins.smartacme.Cert | null> {
-    const doc = await AcmeCertDoc.findByDomain(domainName);
-    if (!doc) return null;
-    return new plugins.smartacme.Cert({
-      id: doc.id,
-      domainName: doc.domainName,
-      created: doc.created,
-      privateKey: doc.privateKey,
-      publicKey: doc.publicKey,
-      csr: doc.csr,
-      validUntil: doc.validUntil,
-    });
+    const data = await this.storageManager.getJSON(this.keyPrefix + domainName);
+    if (!data) return null;
+    return new plugins.smartacme.Cert(data);
  }

  async storeCertificate(cert: plugins.smartacme.Cert): Promise<void> {
-    let doc = await AcmeCertDoc.findByDomain(cert.domainName);
-    if (!doc) {
-      doc = new AcmeCertDoc();
-      doc.id = cert.id;
-      doc.domainName = cert.domainName;
-    }
-    doc.created = cert.created;
-    doc.privateKey = cert.privateKey;
-    doc.publicKey = cert.publicKey;
-    doc.csr = cert.csr;
-    doc.validUntil = cert.validUntil;
-    await doc.save();
+    await this.storageManager.setJSON(this.keyPrefix + cert.domainName, {
+      id: cert.id,
+      domainName: cert.domainName,
+      created: cert.created,
+      privateKey: cert.privateKey,
+      publicKey: cert.publicKey,
+      csr: cert.csr,
+      validUntil: cert.validUntil,
+    });
  }

  async deleteCertificate(domainName: string): Promise<void> {
-    const doc = await AcmeCertDoc.findByDomain(domainName);
-    if (doc) {
-      await doc.delete();
-    }
+    await this.storageManager.delete(this.keyPrefix + domainName);
  }

  async close(): Promise<void> {}

  async wipe(): Promise<void> {
-    const docs = await AcmeCertDoc.findAll();
-    for (const doc of docs) {
-      await doc.delete();
+    const keys = await this.storageManager.list(this.keyPrefix);
+    for (const key of keys) {
+      await this.storageManager.delete(key);
    }
  }
 }
@@ -1,18 +1,19 @@
 import * as plugins from '../plugins.js';
 import { logger } from '../logger.js';
-import { ApiTokenDoc } from '../db/index.js';
+import type { StorageManager } from '../storage/index.js';
 import type {
  IStoredApiToken,
  IApiTokenInfo,
  TApiTokenScope,
 } from '../../ts_interfaces/data/route-management.js';

+const TOKENS_PREFIX = '/config-api/tokens/';
 const TOKEN_PREFIX_STR = 'dcr_';

 export class ApiTokenManager {
  private tokens = new Map<string, IStoredApiToken>();

-  constructor() {}
+  constructor(private storageManager: StorageManager) {}

  public async initialize(): Promise<void> {
    await this.loadTokens();
@@ -116,8 +117,7 @@ export class ApiTokenManager {
    if (!this.tokens.has(id)) return false;
    const token = this.tokens.get(id)!;
    this.tokens.delete(id);
-    const doc = await ApiTokenDoc.findById(id);
-    if (doc) await doc.delete();
+    await this.storageManager.delete(`${TOKENS_PREFIX}${id}.json`);
    logger.log('info', `API token '${token.name}' revoked (id: ${id})`);
    return true;
  }
@@ -157,48 +157,17 @@ export class ApiTokenManager {
  // =========================================================================

  private async loadTokens(): Promise<void> {
-    const docs = await ApiTokenDoc.findAll();
-    for (const doc of docs) {
-      if (doc.id) {
-        this.tokens.set(doc.id, {
-          id: doc.id,
-          name: doc.name,
-          tokenHash: doc.tokenHash,
-          scopes: doc.scopes,
-          createdAt: doc.createdAt,
-          expiresAt: doc.expiresAt,
-          lastUsedAt: doc.lastUsedAt,
-          createdBy: doc.createdBy,
-          enabled: doc.enabled,
-        });
+    const keys = await this.storageManager.list(TOKENS_PREFIX);
+    for (const key of keys) {
+      if (!key.endsWith('.json')) continue;
+      const stored = await this.storageManager.getJSON<IStoredApiToken>(key);
+      if (stored?.id) {
+        this.tokens.set(stored.id, stored);
      }
    }
  }

  private async persistToken(stored: IStoredApiToken): Promise<void> {
-    const existing = await ApiTokenDoc.findById(stored.id);
-    if (existing) {
-      existing.name = stored.name;
-      existing.tokenHash = stored.tokenHash;
-      existing.scopes = stored.scopes;
-      existing.createdAt = stored.createdAt;
-      existing.expiresAt = stored.expiresAt;
-      existing.lastUsedAt = stored.lastUsedAt;
-      existing.createdBy = stored.createdBy;
-      existing.enabled = stored.enabled;
-      await existing.save();
-    } else {
-      const doc = new ApiTokenDoc();
-      doc.id = stored.id;
-      doc.name = stored.name;
-      doc.tokenHash = stored.tokenHash;
-      doc.scopes = stored.scopes;
-      doc.createdAt = stored.createdAt;
-      doc.expiresAt = stored.expiresAt;
-      doc.lastUsedAt = stored.lastUsedAt;
-      doc.createdBy = stored.createdBy;
-      doc.enabled = stored.enabled;
-      await doc.save();
-    }
+    await this.storageManager.setJSON(`${TOKENS_PREFIX}${stored.id}.json`, stored);
  }
 }
@@ -1,95 +0,0 @@
-import { logger } from '../logger.js';
-import type { ReferenceResolver } from './classes.reference-resolver.js';
-import type { IRouteSecurity } from '../../ts_interfaces/data/route-management.js';
-
-export interface ISeedData {
-  profiles?: Array<{
-    name: string;
-    description?: string;
-    security: IRouteSecurity;
-    extendsProfiles?: string[];
-  }>;
-  targets?: Array<{
-    name: string;
-    description?: string;
-    host: string | string[];
-    port: number;
-  }>;
-}
-
-export class DbSeeder {
-  constructor(private referenceResolver: ReferenceResolver) {}
-
-  /**
-   * Check if DB is empty and seed if configured.
-   * Called once during ConfigManagers service startup, after initialize().
-   */
-  public async seedIfEmpty(
-    seedOnEmpty?: boolean,
-    seedData?: ISeedData,
-  ): Promise<void> {
-    if (!seedOnEmpty) return;
-
-    const existingProfiles = this.referenceResolver.listProfiles();
-    const existingTargets = this.referenceResolver.listTargets();
-
-    if (existingProfiles.length > 0 || existingTargets.length > 0) {
-      logger.log('info', 'DB already contains profiles/targets, skipping seed');
-      return;
-    }
-
-    logger.log('info', 'Seeding database with initial profiles and targets...');
-
-    const profilesToSeed: NonNullable<ISeedData['profiles']> = seedData?.profiles ?? DEFAULT_PROFILES;
-    const targetsToSeed: NonNullable<ISeedData['targets']> = seedData?.targets ?? DEFAULT_TARGETS;
-
-    for (const p of profilesToSeed) {
-      await this.referenceResolver.createProfile({
-        name: p.name,
-        description: p.description,
-        security: p.security,
-        extendsProfiles: p.extendsProfiles,
-        createdBy: 'system-seed',
-      });
-    }
-
-    for (const t of targetsToSeed) {
-      await this.referenceResolver.createTarget({
-        name: t.name,
-        description: t.description,
-        host: t.host,
-        port: t.port,
-        createdBy: 'system-seed',
-      });
-    }
-
-    logger.log('info', `Seeded ${profilesToSeed.length} profile(s) and ${targetsToSeed.length} target(s)`);
-  }
-}
-
-const DEFAULT_PROFILES: Array<NonNullable<ISeedData['profiles']>[number]> = [
-  {
-    name: 'PUBLIC',
-    description: 'Allow all traffic — no IP restrictions',
-    security: {
-      ipAllowList: ['*'],
-    },
-  },
-  {
-    name: 'STANDARD',
-    description: 'Standard internal access with common private subnets',
-    security: {
-      ipAllowList: ['192.168.0.0/16', '10.0.0.0/8', '127.0.0.1', '::1'],
-      maxConnections: 1000,
-    },
-  },
-];
-
-const DEFAULT_TARGETS: Array<NonNullable<ISeedData['targets']>[number]> = [
-  {
-    name: 'LOCALHOST',
-    description: 'Local machine on port 443',
-    host: '127.0.0.1',
-    port: 443,
-  },
-];
@@ -1,577 +0,0 @@
-import * as plugins from '../plugins.js';
-import { logger } from '../logger.js';
-import { SourceProfileDoc, NetworkTargetDoc, StoredRouteDoc } from '../db/index.js';
-import type {
-  ISourceProfile,
-  INetworkTarget,
-  IRouteMetadata,
-  IStoredRoute,
-  IRouteSecurity,
-} from '../../ts_interfaces/data/route-management.js';
-
-const MAX_INHERITANCE_DEPTH = 5;
-
-export class ReferenceResolver {
-  private profiles = new Map<string, ISourceProfile>();
-  private targets = new Map<string, INetworkTarget>();
-
-  // =========================================================================
-  // Lifecycle
-  // =========================================================================
-
-  public async initialize(): Promise<void> {
-    await this.loadProfiles();
-    await this.loadTargets();
-  }
-
-  // =========================================================================
-  // Profile CRUD
-  // =========================================================================
-
-  public async createProfile(data: {
-    name: string;
-    description?: string;
-    security: IRouteSecurity;
-    extendsProfiles?: string[];
-    createdBy: string;
-  }): Promise<string> {
-    const id = plugins.uuid.v4();
-    const now = Date.now();
-
-    const profile: ISourceProfile = {
-      id,
-      name: data.name,
-      description: data.description,
-      security: data.security,
-      extendsProfiles: data.extendsProfiles,
-      createdAt: now,
-      updatedAt: now,
-      createdBy: data.createdBy,
-    };
-
-    this.profiles.set(id, profile);
-    await this.persistProfile(profile);
-    logger.log('info', `Created source profile '${profile.name}' (${id})`);
-    return id;
-  }
-
-  public async updateProfile(
-    id: string,
-    patch: Partial<Omit<ISourceProfile, 'id' | 'createdAt' | 'createdBy'>>,
-  ): Promise<{ affectedRouteIds: string[] }> {
-    const profile = this.profiles.get(id);
-    if (!profile) {
-      throw new Error(`Source profile '${id}' not found`);
-    }
-
-    if (patch.name !== undefined) profile.name = patch.name;
-    if (patch.description !== undefined) profile.description = patch.description;
-    if (patch.security !== undefined) profile.security = patch.security;
-    if (patch.extendsProfiles !== undefined) profile.extendsProfiles = patch.extendsProfiles;
-    profile.updatedAt = Date.now();
-
-    await this.persistProfile(profile);
-    logger.log('info', `Updated source profile '${profile.name}' (${id})`);
-
-    // Find routes referencing this profile
-    const affectedRouteIds = await this.findRoutesByProfileRef(id);
-    return { affectedRouteIds };
-  }
-
-  public async deleteProfile(
-    id: string,
-    force: boolean,
-    storedRoutes?: Map<string, IStoredRoute>,
-  ): Promise<{ success: boolean; message?: string }> {
-    const profile = this.profiles.get(id);
-    if (!profile) {
-      return { success: false, message: `Source profile '${id}' not found` };
-    }
-
-    // Check usage
-    const affectedIds = storedRoutes
-      ? this.findRoutesByProfileRefSync(id, storedRoutes)
-      : await this.findRoutesByProfileRef(id);
-
-    if (affectedIds.length > 0 && !force) {
-      return {
-        success: false,
-        message: `Profile '${profile.name}' is in use by ${affectedIds.length} route(s). Use force=true to delete.`,
-      };
-    }
-
-    // Delete from DB
-    const doc = await SourceProfileDoc.findById(id);
-    if (doc) await doc.delete();
-    this.profiles.delete(id);
-
-    // If force-deleting with referencing routes, clear refs but keep resolved values
-    if (affectedIds.length > 0) {
-      await this.clearProfileRefsOnRoutes(affectedIds);
-      logger.log('warn', `Force-deleted profile '${profile.name}'; cleared refs on ${affectedIds.length} route(s)`);
-    } else {
-      logger.log('info', `Deleted source profile '${profile.name}' (${id})`);
-    }
-
-    return { success: true };
-  }
-
-  public getProfile(id: string): ISourceProfile | undefined {
-    return this.profiles.get(id);
-  }
-
-  public getProfileByName(name: string): ISourceProfile | undefined {
-    for (const profile of this.profiles.values()) {
-      if (profile.name === name) return profile;
-    }
-    return undefined;
-  }
-
-  public listProfiles(): ISourceProfile[] {
-    return [...this.profiles.values()];
-  }
-
-  public getProfileUsage(storedRoutes: Map<string, IStoredRoute>): Map<string, Array<{ id: string; routeName: string }>> {
-    const usage = new Map<string, Array<{ id: string; routeName: string }>>();
-    for (const profile of this.profiles.values()) {
-      usage.set(profile.id, []);
-    }
-    for (const [routeId, stored] of storedRoutes) {
-      const ref = stored.metadata?.sourceProfileRef;
-      if (ref && usage.has(ref)) {
-        usage.get(ref)!.push({ id: routeId, routeName: stored.route.name || routeId });
-      }
-    }
-    return usage;
-  }
-
-  public getProfileUsageForId(
-    profileId: string,
-    storedRoutes: Map<string, IStoredRoute>,
-  ): Array<{ id: string; routeName: string }> {
-    const routes: Array<{ id: string; routeName: string }> = [];
-    for (const [routeId, stored] of storedRoutes) {
-      if (stored.metadata?.sourceProfileRef === profileId) {
-        routes.push({ id: routeId, routeName: stored.route.name || routeId });
-      }
-    }
-    return routes;
-  }
-
-  // =========================================================================
-  // Target CRUD
-  // =========================================================================
-
-  public async createTarget(data: {
-    name: string;
-    description?: string;
-    host: string | string[];
-    port: number;
-    createdBy: string;
-  }): Promise<string> {
-    const id = plugins.uuid.v4();
-    const now = Date.now();
-
-    const target: INetworkTarget = {
-      id,
-      name: data.name,
-      description: data.description,
-      host: data.host,
-      port: data.port,
-      createdAt: now,
-      updatedAt: now,
-      createdBy: data.createdBy,
-    };
-
-    this.targets.set(id, target);
-    await this.persistTarget(target);
-    logger.log('info', `Created network target '${target.name}' (${id})`);
-    return id;
-  }
-
-  public async updateTarget(
-    id: string,
-    patch: Partial<Omit<INetworkTarget, 'id' | 'createdAt' | 'createdBy'>>,
-  ): Promise<{ affectedRouteIds: string[] }> {
-    const target = this.targets.get(id);
-    if (!target) {
-      throw new Error(`Network target '${id}' not found`);
-    }
-
-    if (patch.name !== undefined) target.name = patch.name;
-    if (patch.description !== undefined) target.description = patch.description;
-    if (patch.host !== undefined) target.host = patch.host;
-    if (patch.port !== undefined) target.port = patch.port;
-    target.updatedAt = Date.now();
-
-    await this.persistTarget(target);
-    logger.log('info', `Updated network target '${target.name}' (${id})`);
-
-    const affectedRouteIds = await this.findRoutesByTargetRef(id);
-    return { affectedRouteIds };
-  }
-
-  public async deleteTarget(
-    id: string,
-    force: boolean,
-    storedRoutes?: Map<string, IStoredRoute>,
-  ): Promise<{ success: boolean; message?: string }> {
-    const target = this.targets.get(id);
-    if (!target) {
-      return { success: false, message: `Network target '${id}' not found` };
-    }
-
-    const affectedIds = storedRoutes
-      ? this.findRoutesByTargetRefSync(id, storedRoutes)
-      : await this.findRoutesByTargetRef(id);
-
-    if (affectedIds.length > 0 && !force) {
-      return {
-        success: false,
-        message: `Target '${target.name}' is in use by ${affectedIds.length} route(s). Use force=true to delete.`,
-      };
-    }
-
-    const doc = await NetworkTargetDoc.findById(id);
-    if (doc) await doc.delete();
-    this.targets.delete(id);
-
-    if (affectedIds.length > 0) {
-      await this.clearTargetRefsOnRoutes(affectedIds);
-      logger.log('warn', `Force-deleted target '${target.name}'; cleared refs on ${affectedIds.length} route(s)`);
-    } else {
-      logger.log('info', `Deleted network target '${target.name}' (${id})`);
-    }
-
-    return { success: true };
-  }
-
-  public getTarget(id: string): INetworkTarget | undefined {
-    return this.targets.get(id);
-  }
-
-  public getTargetByName(name: string): INetworkTarget | undefined {
-    for (const target of this.targets.values()) {
-      if (target.name === name) return target;
-    }
-    return undefined;
-  }
-
-  public listTargets(): INetworkTarget[] {
-    return [...this.targets.values()];
-  }
-
-  public getTargetUsageForId(
-    targetId: string,
-    storedRoutes: Map<string, IStoredRoute>,
-  ): Array<{ id: string; routeName: string }> {
-    const routes: Array<{ id: string; routeName: string }> = [];
-    for (const [routeId, stored] of storedRoutes) {
-      if (stored.metadata?.networkTargetRef === targetId) {
-        routes.push({ id: routeId, routeName: stored.route.name || routeId });
-      }
-    }
-    return routes;
-  }
-
-  // =========================================================================
-  // Resolution
-  // =========================================================================
-
-  /**
-   * Resolve references for a single route.
-   * Materializes source profile and/or network target into the route's fields.
-   * Returns the resolved route and updated metadata.
-   */
-  public resolveRoute(
-    route: plugins.smartproxy.IRouteConfig,
-    metadata?: IRouteMetadata,
-  ): { route: plugins.smartproxy.IRouteConfig; metadata: IRouteMetadata } {
-    const resolvedMetadata: IRouteMetadata = { ...metadata };
-
-    if (resolvedMetadata.sourceProfileRef) {
-      const resolvedSecurity = this.resolveSourceProfile(resolvedMetadata.sourceProfileRef);
-      if (resolvedSecurity) {
-        const profile = this.profiles.get(resolvedMetadata.sourceProfileRef);
-        // Merge: profile provides base, route's inline values override
-        route = {
-          ...route,
-          security: this.mergeSecurityFields(resolvedSecurity, route.security),
-        };
-        resolvedMetadata.sourceProfileName = profile?.name;
-        resolvedMetadata.lastResolvedAt = Date.now();
-      } else {
-        logger.log('warn', `Source profile '${resolvedMetadata.sourceProfileRef}' not found during resolution`);
-      }
-    }
-
-    if (resolvedMetadata.networkTargetRef) {
-      const target = this.targets.get(resolvedMetadata.networkTargetRef);
-      if (target) {
-        const hosts = Array.isArray(target.host) ? target.host : [target.host];
-        route = {
-          ...route,
-          action: {
-            ...route.action,
-            targets: hosts.map((h) => ({
-              host: h,
-              port: target.port,
-            })),
-          },
-        };
-        resolvedMetadata.networkTargetName = target.name;
-        resolvedMetadata.lastResolvedAt = Date.now();
-      } else {
-        logger.log('warn', `Network target '${resolvedMetadata.networkTargetRef}' not found during resolution`);
-      }
-    }
-
-    return { route, metadata: resolvedMetadata };
-  }
-
-  // =========================================================================
-  // Reference lookup helpers
-  // =========================================================================
-
-  public async findRoutesByProfileRef(profileId: string): Promise<string[]> {
-    const docs = await StoredRouteDoc.findAll();
-    return docs
-      .filter((doc) => doc.metadata?.sourceProfileRef === profileId)
-      .map((doc) => doc.id);
-  }
-
-  public async findRoutesByTargetRef(targetId: string): Promise<string[]> {
-    const docs = await StoredRouteDoc.findAll();
-    return docs
-      .filter((doc) => doc.metadata?.networkTargetRef === targetId)
-      .map((doc) => doc.id);
-  }
-
-  public findRoutesByProfileRefSync(profileId: string, storedRoutes: Map<string, IStoredRoute>): string[] {
-    const ids: string[] = [];
-    for (const [routeId, stored] of storedRoutes) {
-      if (stored.metadata?.sourceProfileRef === profileId) {
-        ids.push(routeId);
-      }
-    }
-    return ids;
-  }
-
-  public findRoutesByTargetRefSync(targetId: string, storedRoutes: Map<string, IStoredRoute>): string[] {
-    const ids: string[] = [];
-    for (const [routeId, stored] of storedRoutes) {
-      if (stored.metadata?.networkTargetRef === targetId) {
-        ids.push(routeId);
-      }
-    }
-    return ids;
-  }
-
-  // =========================================================================
-  // Private: source profile resolution with inheritance
-  // =========================================================================
-
-  private resolveSourceProfile(
-    profileId: string,
-    visited: Set<string> = new Set(),
-    depth: number = 0,
-  ): IRouteSecurity | null {
-    if (depth > MAX_INHERITANCE_DEPTH) {
-      logger.log('warn', `Max inheritance depth (${MAX_INHERITANCE_DEPTH}) exceeded resolving profile '${profileId}'`);
-      return null;
-    }
-
-    if (visited.has(profileId)) {
-      logger.log('warn', `Circular inheritance detected for profile '${profileId}'`);
-      return null;
-    }
-
-    const profile = this.profiles.get(profileId);
-    if (!profile) return null;
-
-    visited.add(profileId);
-
-    // Start with an empty base
-    let baseSecurity: IRouteSecurity = {};
-
-    // Resolve parent profiles first (top-down, later overrides earlier)
-    if (profile.extendsProfiles?.length) {
-      for (const parentId of profile.extendsProfiles) {
-        const parentSecurity = this.resolveSourceProfile(parentId, new Set(visited), depth + 1);
-        if (parentSecurity) {
-          baseSecurity = this.mergeSecurityFields(baseSecurity, parentSecurity);
-        }
-      }
-    }
-
-    // Apply this profile's security on top
-    return this.mergeSecurityFields(baseSecurity, profile.security);
-  }
-
-  /**
-   * Merge two IRouteSecurity objects.
-   * `override` values take precedence over `base` values.
-   * For ipAllowList/ipBlockList: union arrays and deduplicate.
-   * For scalar/object fields: override wins if present.
-   */
-  private mergeSecurityFields(
-    base: IRouteSecurity | undefined,
-    override: IRouteSecurity | undefined,
-  ): IRouteSecurity {
-    if (!base && !override) return {};
-    if (!base) return { ...override };
-    if (!override) return { ...base };
-
-    const merged: IRouteSecurity = { ...base };
-
-    // IP lists: union
-    if (override.ipAllowList || base.ipAllowList) {
-      merged.ipAllowList = [...new Set([
-        ...(base.ipAllowList || []),
-        ...(override.ipAllowList || []),
-      ])];
-    }
-
-    if (override.ipBlockList || base.ipBlockList) {
-      merged.ipBlockList = [...new Set([
-        ...(base.ipBlockList || []),
-        ...(override.ipBlockList || []),
-      ])];
-    }
-
-    // Scalar/object fields: override wins
-    if (override.maxConnections !== undefined) merged.maxConnections = override.maxConnections;
-    if (override.rateLimit !== undefined) merged.rateLimit = override.rateLimit;
-    if (override.authentication !== undefined) merged.authentication = override.authentication;
-    if (override.basicAuth !== undefined) merged.basicAuth = override.basicAuth;
-    if (override.jwtAuth !== undefined) merged.jwtAuth = override.jwtAuth;
-
-    return merged;
-  }
-
-  // =========================================================================
-  // Private: persistence
-  // =========================================================================
-
-  private async loadProfiles(): Promise<void> {
-    const docs = await SourceProfileDoc.findAll();
-    for (const doc of docs) {
-      if (doc.id) {
-        this.profiles.set(doc.id, {
-          id: doc.id,
-          name: doc.name,
-          description: doc.description,
-          security: doc.security,
-          extendsProfiles: doc.extendsProfiles,
-          createdAt: doc.createdAt,
-          updatedAt: doc.updatedAt,
-          createdBy: doc.createdBy,
-        });
-      }
-    }
-    if (this.profiles.size > 0) {
-      logger.log('info', `Loaded ${this.profiles.size} source profile(s) from storage`);
-    }
-  }
-
-  private async loadTargets(): Promise<void> {
-    const docs = await NetworkTargetDoc.findAll();
-    for (const doc of docs) {
-      if (doc.id) {
-        this.targets.set(doc.id, {
-          id: doc.id,
-          name: doc.name,
-          description: doc.description,
-          host: doc.host,
-          port: doc.port,
-          createdAt: doc.createdAt,
-          updatedAt: doc.updatedAt,
-          createdBy: doc.createdBy,
-        });
-      }
-    }
-    if (this.targets.size > 0) {
-      logger.log('info', `Loaded ${this.targets.size} network target(s) from storage`);
-    }
-  }
-
-  private async persistProfile(profile: ISourceProfile): Promise<void> {
-    const existingDoc = await SourceProfileDoc.findById(profile.id);
-    if (existingDoc) {
-      existingDoc.name = profile.name;
-      existingDoc.description = profile.description;
-      existingDoc.security = profile.security;
-      existingDoc.extendsProfiles = profile.extendsProfiles;
-      existingDoc.updatedAt = profile.updatedAt;
-      await existingDoc.save();
-    } else {
-      const doc = new SourceProfileDoc();
-      doc.id = profile.id;
-      doc.name = profile.name;
-      doc.description = profile.description;
-      doc.security = profile.security;
-      doc.extendsProfiles = profile.extendsProfiles;
-      doc.createdAt = profile.createdAt;
-      doc.updatedAt = profile.updatedAt;
-      doc.createdBy = profile.createdBy;
-      await doc.save();
-    }
-  }
-
-  private async persistTarget(target: INetworkTarget): Promise<void> {
-    const existingDoc = await NetworkTargetDoc.findById(target.id);
-    if (existingDoc) {
-      existingDoc.name = target.name;
-      existingDoc.description = target.description;
-      existingDoc.host = target.host;
-      existingDoc.port = target.port;
-      existingDoc.updatedAt = target.updatedAt;
-      await existingDoc.save();
-    } else {
-      const doc = new NetworkTargetDoc();
-      doc.id = target.id;
-      doc.name = target.name;
-      doc.description = target.description;
-      doc.host = target.host;
-      doc.port = target.port;
-      doc.createdAt = target.createdAt;
-      doc.updatedAt = target.updatedAt;
-      doc.createdBy = target.createdBy;
-      await doc.save();
-    }
-  }
-
-  // =========================================================================
-  // Private: ref cleanup on force-delete
-  // =========================================================================
-
-  private async clearProfileRefsOnRoutes(routeIds: string[]): Promise<void> {
-    for (const routeId of routeIds) {
-      const doc = await StoredRouteDoc.findById(routeId);
-      if (doc?.metadata) {
-        doc.metadata = {
-          ...doc.metadata,
-          sourceProfileRef: undefined,
-          sourceProfileName: undefined,
-        };
-        doc.updatedAt = Date.now();
-        await doc.save();
-      }
-    }
-  }
-
-  private async clearTargetRefsOnRoutes(routeIds: string[]): Promise<void> {
-    for (const routeId of routeIds) {
-      const doc = await StoredRouteDoc.findById(routeId);
-      if (doc?.metadata) {
-        doc.metadata = {
-          ...doc.metadata,
-          networkTargetRef: undefined,
-          networkTargetName: undefined,
-        };
-        doc.updatedAt = Date.now();
-        await doc.save();
-      }
-    }
-  }
-}
@@ -1,70 +1,27 @@
 import * as plugins from '../plugins.js';
 import { logger } from '../logger.js';
-import { StoredRouteDoc, RouteOverrideDoc } from '../db/index.js';
+import type { StorageManager } from '../storage/index.js';
 import type {
  IStoredRoute,
  IRouteOverride,
  IMergedRoute,
  IRouteWarning,
-  IRouteMetadata,
 } from '../../ts_interfaces/data/route-management.js';
-import type { IDcRouterRouteConfig } from '../../ts_interfaces/data/remoteingress.js';
-import { type IHttp3Config, augmentRouteWithHttp3 } from '../http3/index.js';
-import type { ReferenceResolver } from './classes.reference-resolver.js';

-/** An IP allow entry: plain IP/CIDR or domain-scoped. */
-export type TIpAllowEntry = string | { ip: string; domains: string[] };
-
-/**
- * Simple async mutex — serializes concurrent applyRoutes() calls so the Rust engine
- * never receives rapid overlapping route updates that can churn UDP/QUIC listeners.
- */
-class RouteUpdateMutex {
-  private locked = false;
-  private queue: Array<() => void> = [];
-
-  async runExclusive<T>(fn: () => Promise<T>): Promise<T> {
-    await new Promise<void>((resolve) => {
-      if (!this.locked) {
-        this.locked = true;
-        resolve();
-      } else {
-        this.queue.push(resolve);
-      }
-    });
-    try {
-      return await fn();
-    } finally {
-      this.locked = false;
-      const next = this.queue.shift();
-      if (next) {
-        this.locked = true;
-        next();
-      }
-    }
-  }
-}
+const ROUTES_PREFIX = '/config-api/routes/';
+const OVERRIDES_PREFIX = '/config-api/overrides/';

 export class RouteConfigManager {
  private storedRoutes = new Map<string, IStoredRoute>();
  private overrides = new Map<string, IRouteOverride>();
  private warnings: IRouteWarning[] = [];
-  private routeUpdateMutex = new RouteUpdateMutex();

  constructor(
+    private storageManager: StorageManager,
    private getHardcodedRoutes: () => plugins.smartproxy.IRouteConfig[],
    private getSmartProxy: () => plugins.smartproxy.SmartProxy | undefined,
-    private getHttp3Config?: () => IHttp3Config | undefined,
-    private getVpnClientIpsForRoute?: (route: IDcRouterRouteConfig, routeId?: string) => TIpAllowEntry[],
-    private referenceResolver?: ReferenceResolver,
-    private onRoutesApplied?: (routes: plugins.smartproxy.IRouteConfig[]) => void,
  ) {}

-  /** Expose stored routes map for reference resolution lookups. */
-  public getStoredRoutes(): Map<string, IStoredRoute> {
-    return this.storedRoutes;
-  }
-
  /**
   * Load persisted routes and overrides, compute warnings, apply to SmartProxy.
   */
@@ -105,7 +62,6 @@ export class RouteConfigManager {
        storedRouteId: stored.id,
        createdAt: stored.createdAt,
        updatedAt: stored.updatedAt,
-        metadata: stored.metadata,
      });
    }

@@ -117,10 +73,9 @@ export class RouteConfigManager {
  // =========================================================================

  public async createRoute(
-    route: IDcRouterRouteConfig,
+    route: plugins.smartproxy.IRouteConfig,
    createdBy: string,
    enabled = true,
-    metadata?: IRouteMetadata,
  ): Promise<string> {
    const id = plugins.uuid.v4();
    const now = Date.now();
@@ -130,14 +85,6 @@ export class RouteConfigManager {
      route.name = `programmatic-${id.slice(0, 8)}`;
    }

-    // Resolve references if metadata has refs and resolver is available
-    let resolvedMetadata = metadata;
-    if (metadata && this.referenceResolver) {
-      const resolved = this.referenceResolver.resolveRoute(route, metadata);
-      route = resolved.route;
-      resolvedMetadata = resolved.metadata;
-    }
-
    const stored: IStoredRoute = {
      id,
      route,
@@ -145,7 +92,6 @@ export class RouteConfigManager {
      createdAt: now,
      updatedAt: now,
      createdBy,
-      metadata: resolvedMetadata,
    };

    this.storedRoutes.set(id, stored);
@@ -156,43 +102,17 @@ export class RouteConfigManager {

  public async updateRoute(
    id: string,
-    patch: {
-      route?: Partial<IDcRouterRouteConfig>;
-      enabled?: boolean;
-      metadata?: Partial<IRouteMetadata>;
-    },
+    patch: { route?: Partial<plugins.smartproxy.IRouteConfig>; enabled?: boolean },
  ): Promise<boolean> {
    const stored = this.storedRoutes.get(id);
    if (!stored) return false;

    if (patch.route) {
-      const mergedAction = patch.route.action
-        ? { ...stored.route.action, ...patch.route.action }
-        : stored.route.action;
-      // Handle explicit null to remove nested action properties (e.g., tls: null)
-      if (patch.route.action) {
-        for (const [key, val] of Object.entries(patch.route.action)) {
-          if (val === null) {
-            delete (mergedAction as any)[key];
-          }
-        }
-      }
-      stored.route = { ...stored.route, ...patch.route, action: mergedAction } as IDcRouterRouteConfig;
+      stored.route = { ...stored.route, ...patch.route } as plugins.smartproxy.IRouteConfig;
    }
    if (patch.enabled !== undefined) {
      stored.enabled = patch.enabled;
    }
-    if (patch.metadata !== undefined) {
-      stored.metadata = { ...stored.metadata, ...patch.metadata };
-    }
-
-    // Re-resolve if metadata refs exist and resolver is available
-    if (stored.metadata && this.referenceResolver) {
-      const resolved = this.referenceResolver.resolveRoute(stored.route, stored.metadata);
-      stored.route = resolved.route;
-      stored.metadata = resolved.metadata;
-    }
-
    stored.updatedAt = Date.now();

    await this.persistRoute(stored);
@@ -203,8 +123,7 @@ export class RouteConfigManager {
  public async deleteRoute(id: string): Promise<boolean> {
    if (!this.storedRoutes.has(id)) return false;
    this.storedRoutes.delete(id);
-    const doc = await StoredRouteDoc.findById(id);
-    if (doc) await doc.delete();
+    await this.storageManager.delete(`${ROUTES_PREFIX}${id}.json`);
    await this.applyRoutes();
    return true;
  }
@@ -225,20 +144,7 @@ export class RouteConfigManager {
      updatedBy,
    };
    this.overrides.set(routeName, override);
-    const existingDoc = await RouteOverrideDoc.findByRouteName(routeName);
-    if (existingDoc) {
-      existingDoc.enabled = override.enabled;
-      existingDoc.updatedAt = override.updatedAt;
-      existingDoc.updatedBy = override.updatedBy;
-      await existingDoc.save();
-    } else {
-      const doc = new RouteOverrideDoc();
-      doc.routeName = override.routeName;
-      doc.enabled = override.enabled;
-      doc.updatedAt = override.updatedAt;
-      doc.updatedBy = override.updatedBy;
-      await doc.save();
-    }
+    await this.storageManager.setJSON(`${OVERRIDES_PREFIX}${routeName}.json`, override);
    this.computeWarnings();
    await this.applyRoutes();
  }
@@ -246,8 +152,7 @@ export class RouteConfigManager {
  public async removeOverride(routeName: string): Promise<boolean> {
    if (!this.overrides.has(routeName)) return false;
    this.overrides.delete(routeName);
-    const doc = await RouteOverrideDoc.findByRouteName(routeName);
-    if (doc) await doc.delete();
+    await this.storageManager.delete(`${OVERRIDES_PREFIX}${routeName}.json`);
    this.computeWarnings();
    await this.applyRoutes();
    return true;
@@ -258,18 +163,12 @@ export class RouteConfigManager {
  // =========================================================================

  private async loadStoredRoutes(): Promise<void> {
-    const docs = await StoredRouteDoc.findAll();
-    for (const doc of docs) {
-      if (doc.id) {
-        this.storedRoutes.set(doc.id, {
-          id: doc.id,
-          route: doc.route,
-          enabled: doc.enabled,
-          createdAt: doc.createdAt,
-          updatedAt: doc.updatedAt,
-          createdBy: doc.createdBy,
-          metadata: doc.metadata,
-        });
+    const keys = await this.storageManager.list(ROUTES_PREFIX);
+    for (const key of keys) {
+      if (!key.endsWith('.json')) continue;
+      const stored = await this.storageManager.getJSON<IStoredRoute>(key);
+      if (stored?.id) {
+        this.storedRoutes.set(stored.id, stored);
      }
    }
    if (this.storedRoutes.size > 0) {
@@ -278,15 +177,12 @@ export class RouteConfigManager {
  }

  private async loadOverrides(): Promise<void> {
-    const docs = await RouteOverrideDoc.findAll();
-    for (const doc of docs) {
-      if (doc.routeName) {
-        this.overrides.set(doc.routeName, {
-          routeName: doc.routeName,
-          enabled: doc.enabled,
-          updatedAt: doc.updatedAt,
-          updatedBy: doc.updatedBy,
-        });
+    const keys = await this.storageManager.list(OVERRIDES_PREFIX);
+    for (const key of keys) {
+      if (!key.endsWith('.json')) continue;
+      const override = await this.storageManager.getJSON<IRouteOverride>(key);
+      if (override?.routeName) {
+        this.overrides.set(override.routeName, override);
      }
    }
    if (this.overrides.size > 0) {
@@ -295,25 +191,7 @@ export class RouteConfigManager {
  }

  private async persistRoute(stored: IStoredRoute): Promise<void> {
-    const existingDoc = await StoredRouteDoc.findById(stored.id);
-    if (existingDoc) {
-      existingDoc.route = stored.route;
-      existingDoc.enabled = stored.enabled;
-      existingDoc.updatedAt = stored.updatedAt;
-      existingDoc.createdBy = stored.createdBy;
-      existingDoc.metadata = stored.metadata;
-      await existingDoc.save();
-    } else {
-      const doc = new StoredRouteDoc();
-      doc.id = stored.id;
-      doc.route = stored.route;
-      doc.enabled = stored.enabled;
-      doc.createdAt = stored.createdAt;
-      doc.updatedAt = stored.updatedAt;
-      doc.createdBy = stored.createdBy;
-      doc.metadata = stored.metadata;
-      await doc.save();
-    }
+    await this.storageManager.setJSON(`${ROUTES_PREFIX}${stored.id}.json`, stored);
  }

  // =========================================================================
@@ -360,91 +238,34 @@ export class RouteConfigManager {
    }
  }

-  // =========================================================================
-  // Re-resolve routes after profile/target changes
-  // =========================================================================
-
-  /**
-   * Re-resolve specific routes by ID (after a profile or target is updated).
-   * Persists each route and calls applyRoutes() once at the end.
-   */
-  public async reResolveRoutes(routeIds: string[]): Promise<void> {
-    if (!this.referenceResolver || routeIds.length === 0) return;
-
-    for (const routeId of routeIds) {
-      const stored = this.storedRoutes.get(routeId);
-      if (!stored?.metadata) continue;
-
-      const resolved = this.referenceResolver.resolveRoute(stored.route, stored.metadata);
-      stored.route = resolved.route;
-      stored.metadata = resolved.metadata;
-      stored.updatedAt = Date.now();
-      await this.persistRoute(stored);
-    }
-
-    await this.applyRoutes();
-    logger.log('info', `Re-resolved ${routeIds.length} route(s) after profile/target change`);
-  }
-
  // =========================================================================
  // Private: apply merged routes to SmartProxy
  // =========================================================================

-  public async applyRoutes(): Promise<void> {
-    await this.routeUpdateMutex.runExclusive(async () => {
-      const smartProxy = this.getSmartProxy();
-      if (!smartProxy) return;
+  private async applyRoutes(): Promise<void> {
+    const smartProxy = this.getSmartProxy();
+    if (!smartProxy) return;

-      const enabledRoutes: plugins.smartproxy.IRouteConfig[] = [];
+    const enabledRoutes: plugins.smartproxy.IRouteConfig[] = [];

-      const http3Config = this.getHttp3Config?.();
-      const vpnCallback = this.getVpnClientIpsForRoute;
-
-      // Helper: inject VPN security into a vpnOnly route
-      const injectVpn = (route: plugins.smartproxy.IRouteConfig, routeId?: string): plugins.smartproxy.IRouteConfig => {
-        if (!vpnCallback) return route;
-        const dcRoute = route as IDcRouterRouteConfig;
-        if (!dcRoute.vpnOnly) return route;
-        const vpnEntries = vpnCallback(dcRoute, routeId);
-        const existingEntries = route.security?.ipAllowList || [];
-        return {
-          ...route,
-          security: {
-            ...route.security,
-            ipAllowList: [...existingEntries, ...vpnEntries],
-          },
-        };
-      };
-
-      // Add enabled hardcoded routes (respecting overrides, with fresh VPN injection)
-      for (const route of this.getHardcodedRoutes()) {
-        const name = route.name || '';
-        const override = this.overrides.get(name);
-        if (override && !override.enabled) {
-          continue; // Skip disabled hardcoded route
-        }
-        enabledRoutes.push(injectVpn(route));
+    // Add enabled hardcoded routes (respecting overrides)
+    for (const route of this.getHardcodedRoutes()) {
+      const name = route.name || '';
+      const override = this.overrides.get(name);
+      if (override && !override.enabled) {
+        continue; // Skip disabled hardcoded route
      }
+      enabledRoutes.push(route);
+    }

-      // Add enabled programmatic routes (with HTTP/3 and VPN augmentation)
-      for (const stored of this.storedRoutes.values()) {
-        if (stored.enabled) {
-          let route = stored.route;
-          if (http3Config?.enabled !== false) {
-            route = augmentRouteWithHttp3(route, { enabled: true, ...http3Config });
-          }
-          enabledRoutes.push(injectVpn(route, stored.id));
-        }
+    // Add enabled programmatic routes
+    for (const stored of this.storedRoutes.values()) {
+      if (stored.enabled) {
+        enabledRoutes.push(stored.route);
      }
+    }

-      await smartProxy.updateRoutes(enabledRoutes);
-
-      // Notify listeners (e.g. RemoteIngressManager) of the merged route set
-      if (this.onRoutesApplied) {
-        this.onRoutesApplied(enabledRoutes);
-      }
-
-      logger.log('info', `Applied ${enabledRoutes.length} routes to SmartProxy (${this.storedRoutes.size} programmatic, ${this.overrides.size} overrides)`);
-    });
+    await smartProxy.updateRoutes(enabledRoutes);
+    logger.log('info', `Applied ${enabledRoutes.length} routes to SmartProxy (${this.storedRoutes.size} programmatic, ${this.overrides.size} overrides)`);
  }
 }
@@ -1,428 +0,0 @@
-import * as plugins from '../plugins.js';
-import { logger } from '../logger.js';
-import { TargetProfileDoc, VpnClientDoc } from '../db/index.js';
-import type { ITargetProfile, ITargetProfileTarget } from '../../ts_interfaces/data/target-profile.js';
-import type { IDcRouterRouteConfig } from '../../ts_interfaces/data/remoteingress.js';
-import type { IStoredRoute } from '../../ts_interfaces/data/route-management.js';
-
-/**
- * Manages TargetProfiles (target-side: what can be accessed).
- * TargetProfiles define what resources a VPN client can reach:
- * domains, specific IP:port targets, and/or direct route references.
- */
-export class TargetProfileManager {
-  private profiles = new Map<string, ITargetProfile>();
-
-  // =========================================================================
-  // Lifecycle
-  // =========================================================================
-
-  public async initialize(): Promise<void> {
-    await this.loadProfiles();
-  }
-
-  // =========================================================================
-  // CRUD
-  // =========================================================================
-
-  public async createProfile(data: {
-    name: string;
-    description?: string;
-    domains?: string[];
-    targets?: ITargetProfileTarget[];
-    routeRefs?: string[];
-    createdBy: string;
-  }): Promise<string> {
-    // Enforce unique profile names
-    for (const existing of this.profiles.values()) {
-      if (existing.name === data.name) {
-        throw new Error(`Target profile with name '${data.name}' already exists (id: ${existing.id})`);
-      }
-    }
-
-    const id = plugins.uuid.v4();
-    const now = Date.now();
-
-    const profile: ITargetProfile = {
-      id,
-      name: data.name,
-      description: data.description,
-      domains: data.domains,
-      targets: data.targets,
-      routeRefs: data.routeRefs,
-      createdAt: now,
-      updatedAt: now,
-      createdBy: data.createdBy,
-    };
-
-    this.profiles.set(id, profile);
-    await this.persistProfile(profile);
-    logger.log('info', `Created target profile '${profile.name}' (${id})`);
-    return id;
-  }
-
-  public async updateProfile(
-    id: string,
-    patch: Partial<Omit<ITargetProfile, 'id' | 'createdAt' | 'createdBy'>>,
-  ): Promise<void> {
-    const profile = this.profiles.get(id);
-    if (!profile) {
-      throw new Error(`Target profile '${id}' not found`);
-    }
-
-    if (patch.name !== undefined) profile.name = patch.name;
-    if (patch.description !== undefined) profile.description = patch.description;
-    if (patch.domains !== undefined) profile.domains = patch.domains;
-    if (patch.targets !== undefined) profile.targets = patch.targets;
-    if (patch.routeRefs !== undefined) profile.routeRefs = patch.routeRefs;
-    profile.updatedAt = Date.now();
-
-    await this.persistProfile(profile);
-    logger.log('info', `Updated target profile '${profile.name}' (${id})`);
-  }
-
-  public async deleteProfile(
-    id: string,
-    force?: boolean,
-  ): Promise<{ success: boolean; message?: string }> {
-    const profile = this.profiles.get(id);
-    if (!profile) {
-      return { success: false, message: `Target profile '${id}' not found` };
-    }
-
-    // Check if any VPN clients reference this profile
-    const clients = await VpnClientDoc.findAll();
-    const referencingClients = clients.filter(
-      (c) => c.targetProfileIds?.includes(id),
-    );
-
-    if (referencingClients.length > 0 && !force) {
-      return {
-        success: false,
-        message: `Profile '${profile.name}' is in use by ${referencingClients.length} VPN client(s). Use force=true to delete.`,
-      };
-    }
-
-    // Delete from DB
-    const doc = await TargetProfileDoc.findById(id);
-    if (doc) await doc.delete();
-    this.profiles.delete(id);
-
-    if (referencingClients.length > 0) {
-      // Remove profile ref from clients
-      for (const client of referencingClients) {
-        client.targetProfileIds = client.targetProfileIds?.filter((pid) => pid !== id);
-        client.updatedAt = Date.now();
-        await client.save();
-      }
-      logger.log('warn', `Force-deleted target profile '${profile.name}'; removed refs from ${referencingClients.length} client(s)`);
-    } else {
-      logger.log('info', `Deleted target profile '${profile.name}' (${id})`);
-    }
-
-    return { success: true };
-  }
-
-  public getProfile(id: string): ITargetProfile | undefined {
-    return this.profiles.get(id);
-  }
-
-  public listProfiles(): ITargetProfile[] {
-    return [...this.profiles.values()];
-  }
-
-  /**
-   * Get which VPN clients reference a target profile.
-   */
-  public async getProfileUsage(profileId: string): Promise<Array<{ clientId: string; description?: string }>> {
-    const clients = await VpnClientDoc.findAll();
-    return clients
-      .filter((c) => c.targetProfileIds?.includes(profileId))
-      .map((c) => ({ clientId: c.clientId, description: c.description }));
-  }
-
-  // =========================================================================
-  // Direct target IPs (bypass SmartProxy)
-  // =========================================================================
-
-  /**
-   * For a set of target profile IDs, collect all explicit target IPs.
-   * These IPs bypass the SmartProxy forceTarget rewrite — VPN clients can
-   * connect to them directly through the tunnel.
-   */
-  public getDirectTargetIps(targetProfileIds: string[]): string[] {
-    const ips = new Set<string>();
-    for (const profileId of targetProfileIds) {
-      const profile = this.profiles.get(profileId);
-      if (!profile?.targets?.length) continue;
-      for (const t of profile.targets) {
-        ips.add(t.ip);
-      }
-    }
-    return [...ips];
-  }
-
-  // =========================================================================
-  // Core matching: route → client IPs
-  // =========================================================================
-
-  /**
-   * For a vpnOnly route, find all enabled VPN clients whose assigned TargetProfile
-   * matches the route. Returns IP allow entries for injection into ipAllowList.
-   *
-   * Entries are domain-scoped when a profile matches via specific domains that are
-   * a subset of the route's wildcard. Plain IPs are returned for routeRef/target matches
-   * or when profile domains exactly equal the route's domains.
-   */
-  public getMatchingClientIps(
-    route: IDcRouterRouteConfig,
-    routeId: string | undefined,
-    clients: VpnClientDoc[],
-  ): Array<string | { ip: string; domains: string[] }> {
-    const entries: Array<string | { ip: string; domains: string[] }> = [];
-    const routeDomains: string[] = (route.match as any)?.domains || [];
-
-    for (const client of clients) {
-      if (!client.enabled || !client.assignedIp) continue;
-      if (!client.targetProfileIds?.length) continue;
-
-      // Collect scoped domains from all matching profiles for this client
-      let fullAccess = false;
-      const scopedDomains = new Set<string>();
-
-      for (const profileId of client.targetProfileIds) {
-        const profile = this.profiles.get(profileId);
-        if (!profile) continue;
-
-        const matchResult = this.routeMatchesProfileDetailed(route, routeId, profile, routeDomains);
-        if (matchResult === 'full') {
-          fullAccess = true;
-          break; // No need to check more profiles
-        }
-        if (matchResult !== 'none') {
-          for (const d of matchResult.domains) scopedDomains.add(d);
-        }
-      }
-
-      if (fullAccess) {
-        entries.push(client.assignedIp);
-      } else if (scopedDomains.size > 0) {
-        entries.push({ ip: client.assignedIp, domains: [...scopedDomains] });
-      }
-    }
-
-    return entries;
-  }
-
-  /**
-   * For a given client (by its targetProfileIds), compute the set of
-   * domains and target IPs it can access. Used for WireGuard AllowedIPs.
-   */
-  public getClientAccessSpec(
-    targetProfileIds: string[],
-    allRoutes: IDcRouterRouteConfig[],
-    storedRoutes: Map<string, IStoredRoute>,
-  ): { domains: string[]; targetIps: string[] } {
-    const domains = new Set<string>();
-    const targetIps = new Set<string>();
-
-    // Collect all access specifiers from assigned profiles
-    for (const profileId of targetProfileIds) {
-      const profile = this.profiles.get(profileId);
-      if (!profile) continue;
-
-      // Direct domain entries
-      if (profile.domains?.length) {
-        for (const d of profile.domains) {
-          domains.add(d);
-        }
-      }
-
-      // Direct target IP entries
-      if (profile.targets?.length) {
-        for (const t of profile.targets) {
-          targetIps.add(t.ip);
-        }
-      }
-
-      // Route references: scan constructor routes
-      for (const route of allRoutes) {
-        if (this.routeMatchesProfile(route as IDcRouterRouteConfig, undefined, profile)) {
-          const routeDomains = (route.match as any)?.domains;
-          if (Array.isArray(routeDomains)) {
-            for (const d of routeDomains) {
-              domains.add(d);
-            }
-          }
-        }
-      }
-
-      // Route references: scan stored routes
-      for (const [storedId, stored] of storedRoutes) {
-        if (!stored.enabled) continue;
-        if (this.routeMatchesProfile(stored.route as IDcRouterRouteConfig, storedId, profile)) {
-          const routeDomains = (stored.route.match as any)?.domains;
-          if (Array.isArray(routeDomains)) {
-            for (const d of routeDomains) {
-              domains.add(d);
-            }
-          }
-        }
-      }
-    }
-
-    return {
-      domains: [...domains],
-      targetIps: [...targetIps],
-    };
-  }
-
-  // =========================================================================
-  // Private: matching logic
-  // =========================================================================
-
-  /**
-   * Check if a route matches a profile (boolean convenience wrapper).
-   */
-  private routeMatchesProfile(
-    route: IDcRouterRouteConfig,
-    routeId: string | undefined,
-    profile: ITargetProfile,
-  ): boolean {
-    const routeDomains: string[] = (route.match as any)?.domains || [];
-    const result = this.routeMatchesProfileDetailed(route, routeId, profile, routeDomains);
-    return result !== 'none';
-  }
-
-  /**
-   * Detailed match: returns 'full' (plain IP, entire route), 'scoped' (domain-limited),
-   * or 'none' (no match).
-   *
-   * - routeRefs / target matches → 'full' (explicit reference = full access)
-   * - domain match where profile domains are a subset of route wildcard → 'scoped'
-   * - domain match where domains are identical or profile is a wildcard → 'full'
-   */
-  private routeMatchesProfileDetailed(
-    route: IDcRouterRouteConfig,
-    routeId: string | undefined,
-    profile: ITargetProfile,
-    routeDomains: string[],
-  ): 'full' | { type: 'scoped'; domains: string[] } | 'none' {
-    // 1. Route reference match → full access
-    if (profile.routeRefs?.length) {
-      if (routeId && profile.routeRefs.includes(routeId)) return 'full';
-      if (route.name && profile.routeRefs.includes(route.name)) return 'full';
-    }
-
-    // 2. Domain match
-    if (profile.domains?.length && routeDomains.length) {
-      const matchedProfileDomains: string[] = [];
-
-      for (const profileDomain of profile.domains) {
-        for (const routeDomain of routeDomains) {
-          if (this.domainMatchesPattern(routeDomain, profileDomain) ||
-              this.domainMatchesPattern(profileDomain, routeDomain)) {
-            matchedProfileDomains.push(profileDomain);
-            break; // This profileDomain matched, move to the next
-          }
-        }
-      }
-
-      if (matchedProfileDomains.length > 0) {
-        // Check if profile domains cover the route entirely (same wildcards = full access)
-        const isFullCoverage = routeDomains.every((rd) =>
-          matchedProfileDomains.some((pd) =>
-            rd === pd || this.domainMatchesPattern(rd, pd),
-          ),
-        );
-        if (isFullCoverage) return 'full';
-
-        // Profile domains are a subset → scoped access to those specific domains
-        return { type: 'scoped', domains: matchedProfileDomains };
-      }
-    }
-
-    // 3. Target match (host + port) → full access (precise by nature)
-    if (profile.targets?.length) {
-      const routeTargets = (route.action as any)?.targets;
-      if (Array.isArray(routeTargets)) {
-        for (const profileTarget of profile.targets) {
-          for (const routeTarget of routeTargets) {
-            const routeHost = routeTarget.host;
-            const routePort = routeTarget.port;
-            if (routeHost === profileTarget.ip && routePort === profileTarget.port) {
-              return 'full';
-            }
-          }
-        }
-      }
-    }
-
-    return 'none';
-  }
-
-  /**
-   * Check if a domain matches a pattern.
-   * - '*.example.com' matches 'sub.example.com', 'a.b.example.com'
-   * - 'example.com' matches only 'example.com'
-   */
-  private domainMatchesPattern(domain: string, pattern: string): boolean {
-    if (pattern === domain) return true;
-    if (pattern.startsWith('*.')) {
-      const suffix = pattern.slice(1); // '.example.com'
-      return domain.endsWith(suffix) && domain.length > suffix.length;
-    }
-    return false;
-  }
-
-  // =========================================================================
-  // Private: persistence
-  // =========================================================================
-
-  private async loadProfiles(): Promise<void> {
-    const docs = await TargetProfileDoc.findAll();
-    for (const doc of docs) {
-      if (doc.id) {
-        this.profiles.set(doc.id, {
-          id: doc.id,
-          name: doc.name,
-          description: doc.description,
-          domains: doc.domains,
-          targets: doc.targets,
-          routeRefs: doc.routeRefs,
-          createdAt: doc.createdAt,
-          updatedAt: doc.updatedAt,
-          createdBy: doc.createdBy,
-        });
-      }
-    }
-    if (this.profiles.size > 0) {
-      logger.log('info', `Loaded ${this.profiles.size} target profile(s) from storage`);
-    }
-  }
-
-  private async persistProfile(profile: ITargetProfile): Promise<void> {
-    const existingDoc = await TargetProfileDoc.findById(profile.id);
-    if (existingDoc) {
-      existingDoc.name = profile.name;
-      existingDoc.description = profile.description;
-      existingDoc.domains = profile.domains;
-      existingDoc.targets = profile.targets;
-      existingDoc.routeRefs = profile.routeRefs;
-      existingDoc.updatedAt = profile.updatedAt;
-      await existingDoc.save();
-    } else {
-      const doc = new TargetProfileDoc();
-      doc.id = profile.id;
-      doc.name = profile.name;
-      doc.description = profile.description;
-      doc.domains = profile.domains;
-      doc.targets = profile.targets;
-      doc.routeRefs = profile.routeRefs;
-      doc.createdAt = profile.createdAt;
-      doc.updatedAt = profile.updatedAt;
-      doc.createdBy = profile.createdBy;
-      await doc.save();
-    }
-  }
-}
@@ -1,7 +1,4 @@
 // Export validation tools only
 export * from './validator.js';
 export { RouteConfigManager } from './classes.route-config-manager.js';
-export { ApiTokenManager } from './classes.api-token-manager.js';
-export { ReferenceResolver } from './classes.reference-resolver.js';
-export { DbSeeder } from './classes.db-seeder.js';
-export { TargetProfileManager } from './classes.target-profile-manager.js';
+export { ApiTokenManager } from './classes.api-token-manager.js';
@@ -170,7 +170,7 @@ export class ConfigValidator {
                } else if (rules.items.schema && itemType === 'object') {
                  const itemResult = this.validate(value[i], rules.items.schema);
                  if (!itemResult.valid) {
-                    errors.push(...itemResult.errors!.map(err => `${key}[${i}].${err}`));
+                    errors.push(...itemResult.errors.map(err => `${key}[${i}].${err}`));
                  }
                }
              }
@@ -181,7 +181,7 @@ export class ConfigValidator {
            if (rules.schema) {
              const nestedResult = this.validate(value, rules.schema);
              if (!nestedResult.valid) {
-                errors.push(...nestedResult.errors!.map(err => `${key}.${err}`));
+                errors.push(...nestedResult.errors.map(err => `${key}.${err}`));
              }
              validatedConfig[key] = nestedResult.config;
            }
@@ -233,8 +233,8 @@ export class ConfigValidator {

      // Apply defaults to array items
      if (result[key] && rules.type === 'array' && rules.items && rules.items.schema) {
-        result[key] = result[key].map(item =>
-          typeof item === 'object' ? this.applyDefaults(item, rules.items!.schema!) : item
+        result[key] = result[key].map(item => 
+          typeof item === 'object' ? this.applyDefaults(item, rules.items.schema) : item
        );
      }
    }
@@ -255,7 +255,7 @@ export class ConfigValidator {
    
    if (!result.valid) {
      throw new ValidationError(
-        `Configuration validation failed: ${result.errors!.join(', ')}`,
+        `Configuration validation failed: ${result.errors.join(', ')}`,
        'CONFIG_VALIDATION_ERROR',
        { data: { errors: result.errors } }
      );
@@ -1,179 +0,0 @@
-import * as plugins from '../plugins.js';
-import { logger } from '../logger.js';
-import { defaultTsmDbPath } from '../paths.js';
-
-/**
- * Configuration options for the unified DCRouter database
- */
-export interface IDcRouterDbConfig {
-  /** External MongoDB connection URL. If absent, uses embedded LocalSmartDb. */
-  mongoDbUrl?: string;
-  /** Storage path for embedded LocalSmartDb data (default: ~/.serve.zone/dcrouter/tsmdb) */
-  storagePath?: string;
-  /** Database name (default: dcrouter) */
-  dbName?: string;
-  /** Enable debug logging */
-  debug?: boolean;
-}
-
-/**
- * DcRouterDb - Unified database layer for DCRouter
- *
- * Replaces both StorageManager (flat-file key-value) and CacheDb (embedded MongoDB).
- * All data is stored as smartdata document classes in a single database.
- *
- * Two modes:
- * - **Embedded** (default): Spawns a LocalSmartDb (Rust-based MongoDB-compatible engine)
- * - **External**: Connects to a provided MongoDB URL
- */
-export class DcRouterDb {
-  private static instance: DcRouterDb | null = null;
-
-  private localSmartDb: plugins.smartdb.LocalSmartDb | null = null;
-  private smartdataDb!: plugins.smartdata.SmartdataDb;
-  private options: Required<IDcRouterDbConfig>;
-  private isStarted: boolean = false;
-
-  constructor(options: IDcRouterDbConfig = {}) {
-    this.options = {
-      mongoDbUrl: options.mongoDbUrl || '',
-      storagePath: options.storagePath || defaultTsmDbPath,
-      dbName: options.dbName || 'dcrouter',
-      debug: options.debug || false,
-    };
-  }
-
-  /**
-   * Get or create the singleton instance
-   */
-  public static getInstance(options?: IDcRouterDbConfig): DcRouterDb {
-    if (!DcRouterDb.instance) {
-      DcRouterDb.instance = new DcRouterDb(options);
-    }
-    return DcRouterDb.instance;
-  }
-
-  /**
-   * Reset the singleton instance (useful for testing)
-   */
-  public static resetInstance(): void {
-    DcRouterDb.instance = null;
-  }
-
-  /**
-   * Start the database
-   * - If mongoDbUrl is provided, connects directly to external MongoDB
-   * - Otherwise, starts an embedded LocalSmartDb instance
-   */
-  public async start(): Promise<void> {
-    if (this.isStarted) {
-      logger.log('warn', 'DcRouterDb already started');
-      return;
-    }
-
-    try {
-      let connectionUri: string;
-
-      if (this.options.mongoDbUrl) {
-        // External MongoDB mode
-        connectionUri = this.options.mongoDbUrl;
-        logger.log('info', `DcRouterDb connecting to external MongoDB`);
-      } else {
-        // Embedded LocalSmartDb mode
-        await plugins.fsUtils.ensureDir(this.options.storagePath);
-
-        this.localSmartDb = new plugins.smartdb.LocalSmartDb({
-          folderPath: this.options.storagePath,
-        });
-
-        const connectionInfo = await this.localSmartDb.start();
-        connectionUri = connectionInfo.connectionUri;
-
-        if (this.options.debug) {
-          logger.log('debug', `LocalSmartDb started with URI: ${connectionUri}`);
-        }
-
-        logger.log('info', `DcRouterDb started embedded instance at ${this.options.storagePath}`);
-      }
-
-      // Initialize smartdata ORM
-      this.smartdataDb = new plugins.smartdata.SmartdataDb({
-        mongoDbUrl: connectionUri,
-        mongoDbName: this.options.dbName,
-      });
-      await this.smartdataDb.init();
-
-      this.isStarted = true;
-      logger.log('info', `DcRouterDb ready (db: ${this.options.dbName})`);
-    } catch (error: unknown) {
-      logger.log('error', `Failed to start DcRouterDb: ${(error as Error).message}`);
-      throw error;
-    }
-  }
-
-  /**
-   * Stop the database
-   */
-  public async stop(): Promise<void> {
-    if (!this.isStarted) {
-      return;
-    }
-
-    try {
-      // Close smartdata connection
-      if (this.smartdataDb) {
-        await this.smartdataDb.close();
-      }
-
-      // Stop embedded LocalSmartDb if running
-      if (this.localSmartDb) {
-        await this.localSmartDb.stop();
-        this.localSmartDb = null;
-      }
-
-      this.isStarted = false;
-      logger.log('info', 'DcRouterDb stopped');
-    } catch (error: unknown) {
-      logger.log('error', `Error stopping DcRouterDb: ${(error as Error).message}`);
-      throw error;
-    }
-  }
-
-  /**
-   * Get the smartdata database instance for @Collection decorators
-   */
-  public getDb(): plugins.smartdata.SmartdataDb {
-    if (!this.isStarted) {
-      throw new Error('DcRouterDb not started. Call start() first.');
-    }
-    return this.smartdataDb;
-  }
-
-  /**
-   * Check if the database is ready
-   */
-  public isReady(): boolean {
-    return this.isStarted;
-  }
-
-  /**
-   * Whether running in embedded mode (LocalSmartDb) vs external MongoDB
-   */
-  public isEmbedded(): boolean {
-    return !this.options.mongoDbUrl;
-  }
-
-  /**
-   * Get the storage path (only relevant for embedded mode)
-   */
-  public getStoragePath(): string {
-    return this.options.storagePath;
-  }
-
-  /**
-   * Get the database name
-   */
-  public getDbName(): string {
-    return this.options.dbName;
-  }
-}
@@ -1,106 +0,0 @@
-import * as plugins from '../../plugins.js';
-import { DcRouterDb } from '../classes.dcrouter-db.js';
-
-const getDb = () => DcRouterDb.getInstance().getDb();
-
-@plugins.smartdata.Collection(() => getDb())
-export class AccountingSessionDoc extends plugins.smartdata.SmartDataDbDoc<AccountingSessionDoc, AccountingSessionDoc> {
-  @plugins.smartdata.unI()
-  @plugins.smartdata.svDb()
-  public sessionId!: string;
-
-  @plugins.smartdata.svDb()
-  public username!: string;
-
-  @plugins.smartdata.svDb()
-  public macAddress!: string;
-
-  @plugins.smartdata.svDb()
-  public nasIpAddress!: string;
-
-  @plugins.smartdata.svDb()
-  public nasPort!: number;
-
-  @plugins.smartdata.svDb()
-  public nasPortType!: string;
-
-  @plugins.smartdata.svDb()
-  public nasIdentifier!: string;
-
-  @plugins.smartdata.svDb()
-  public vlanId!: number;
-
-  @plugins.smartdata.svDb()
-  public framedIpAddress!: string;
-
-  @plugins.smartdata.svDb()
-  public calledStationId!: string;
-
-  @plugins.smartdata.svDb()
-  public callingStationId!: string;
-
-  @plugins.smartdata.svDb()
-  public startTime!: number;
-
-  @plugins.smartdata.svDb()
-  public endTime!: number;
-
-  @plugins.smartdata.svDb()
-  public lastUpdateTime!: number;
-
-  @plugins.smartdata.index()
-  @plugins.smartdata.svDb()
-  public status!: 'active' | 'stopped' | 'terminated';
-
-  @plugins.smartdata.svDb()
-  public terminateCause!: string;
-
-  @plugins.smartdata.svDb()
-  public inputOctets!: number;
-
-  @plugins.smartdata.svDb()
-  public outputOctets!: number;
-
-  @plugins.smartdata.svDb()
-  public inputPackets!: number;
-
-  @plugins.smartdata.svDb()
-  public outputPackets!: number;
-
-  @plugins.smartdata.svDb()
-  public sessionTime!: number;
-
-  @plugins.smartdata.svDb()
-  public serviceType!: string;
-
-  constructor() {
-    super();
-  }
-
-  public static async findBySessionId(sessionId: string): Promise<AccountingSessionDoc | null> {
-    return await AccountingSessionDoc.getInstance({ sessionId });
-  }
-
-  public static async findActive(): Promise<AccountingSessionDoc[]> {
-    return await AccountingSessionDoc.getInstances({ status: 'active' });
-  }
-
-  public static async findByUsername(username: string): Promise<AccountingSessionDoc[]> {
-    return await AccountingSessionDoc.getInstances({ username });
-  }
-
-  public static async findByNas(nasIpAddress: string): Promise<AccountingSessionDoc[]> {
-    return await AccountingSessionDoc.getInstances({ nasIpAddress });
-  }
-
-  public static async findByVlan(vlanId: number): Promise<AccountingSessionDoc[]> {
-    return await AccountingSessionDoc.getInstances({ vlanId });
-  }
-
-  public static async findStoppedBefore(cutoffTime: number): Promise<AccountingSessionDoc[]> {
-    return await AccountingSessionDoc.getInstances({
-      status: { $in: ['stopped', 'terminated'] } as any,
-      endTime: { $lt: cutoffTime, $gt: 0 } as any,
-    });
-  }
-}
@@ -1,41 +0,0 @@
-import * as plugins from '../../plugins.js';
-import { DcRouterDb } from '../classes.dcrouter-db.js';
-
-const getDb = () => DcRouterDb.getInstance().getDb();
-
-@plugins.smartdata.Collection(() => getDb())
-export class AcmeCertDoc extends plugins.smartdata.SmartDataDbDoc<AcmeCertDoc, AcmeCertDoc> {
-  @plugins.smartdata.unI()
-  @plugins.smartdata.svDb()
-  public domainName!: string;
-
-  @plugins.smartdata.svDb()
-  public id!: string;
-
-  @plugins.smartdata.svDb()
-  public created!: number;
-
-  @plugins.smartdata.svDb()
-  public privateKey!: string;
-
-  @plugins.smartdata.svDb()
-  public publicKey!: string;
-
-  @plugins.smartdata.svDb()
-  public csr!: string;
-
-  @plugins.smartdata.svDb()
-  public validUntil!: number;
-
-  constructor() {
-    super();
-  }
-
-  public static async findByDomain(domainName: string): Promise<AcmeCertDoc | null> {
-    return await AcmeCertDoc.getInstance({ domainName });
-  }
-
-  public static async findAll(): Promise<AcmeCertDoc[]> {
-    return await AcmeCertDoc.getInstances({});
-  }
-}
@@ -1,56 +0,0 @@
-import * as plugins from '../../plugins.js';
-import { DcRouterDb } from '../classes.dcrouter-db.js';
-import type { TApiTokenScope } from '../../../ts_interfaces/data/route-management.js';
-
-const getDb = () => DcRouterDb.getInstance().getDb();
-
-@plugins.smartdata.Collection(() => getDb())
-export class ApiTokenDoc extends plugins.smartdata.SmartDataDbDoc<ApiTokenDoc, ApiTokenDoc> {
-  @plugins.smartdata.unI()
-  @plugins.smartdata.svDb()
-  public id!: string;
-
-  @plugins.smartdata.svDb()
-  public name: string = '';
-
-  @plugins.smartdata.svDb()
-  public tokenHash!: string;
-
-  @plugins.smartdata.svDb()
-  public scopes!: TApiTokenScope[];
-
-  @plugins.smartdata.svDb()
-  public createdAt!: number;
-
-  @plugins.smartdata.svDb()
-  public expiresAt!: number | null;
-
-  @plugins.smartdata.svDb()
-  public lastUsedAt!: number | null;
-
-  @plugins.smartdata.svDb()
-  public createdBy!: string;
-
-  @plugins.smartdata.svDb()
-  public enabled!: boolean;
-
-  constructor() {
-    super();
-  }
-
-  public static async findById(id: string): Promise<ApiTokenDoc | null> {
-    return await ApiTokenDoc.getInstance({ id });
-  }
-
-  public static async findByTokenHash(tokenHash: string): Promise<ApiTokenDoc | null> {
-    return await ApiTokenDoc.getInstance({ tokenHash });
-  }
-
-  public static async findAll(): Promise<ApiTokenDoc[]> {
-    return await ApiTokenDoc.getInstances({});
-  }
-
-  public static async findEnabled(): Promise<ApiTokenDoc[]> {
-    return await ApiTokenDoc.getInstances({ enabled: true });
-  }
-}
@@ -1,35 +0,0 @@
-import * as plugins from '../../plugins.js';
-import { DcRouterDb } from '../classes.dcrouter-db.js';
-
-const getDb = () => DcRouterDb.getInstance().getDb();
-
-@plugins.smartdata.Collection(() => getDb())
-export class CertBackoffDoc extends plugins.smartdata.SmartDataDbDoc<CertBackoffDoc, CertBackoffDoc> {
-  @plugins.smartdata.unI()
-  @plugins.smartdata.svDb()
-  public domain!: string;
-
-  @plugins.smartdata.svDb()
-  public failures!: number;
-
-  @plugins.smartdata.svDb()
-  public lastFailure!: string;
-
-  @plugins.smartdata.svDb()
-  public retryAfter!: string;
-
-  @plugins.smartdata.svDb()
-  public lastError!: string;
-
-  constructor() {
-    super();
-  }
-
-  public static async findByDomain(domain: string): Promise<CertBackoffDoc | null> {
-    return await CertBackoffDoc.getInstance({ domain });
-  }
-
-  public static async findAll(): Promise<CertBackoffDoc[]> {
-    return await CertBackoffDoc.getInstances({});
-  }
-}
@@ -1,48 +0,0 @@
-import * as plugins from '../../plugins.js';
-import { DcRouterDb } from '../classes.dcrouter-db.js';
-
-const getDb = () => DcRouterDb.getInstance().getDb();
-
-@plugins.smartdata.Collection(() => getDb())
-export class NetworkTargetDoc extends plugins.smartdata.SmartDataDbDoc<NetworkTargetDoc, NetworkTargetDoc> {
-  @plugins.smartdata.unI()
-  @plugins.smartdata.svDb()
-  public id!: string;
-
-  @plugins.smartdata.svDb()
-  public name: string = '';
-
-  @plugins.smartdata.svDb()
-  public description?: string;
-
-  @plugins.smartdata.svDb()
-  public host!: string | string[];
-
-  @plugins.smartdata.svDb()
-  public port!: number;
-
-  @plugins.smartdata.svDb()
-  public createdAt!: number;
-
-  @plugins.smartdata.svDb()
-  public updatedAt!: number;
-
-  @plugins.smartdata.svDb()
-  public createdBy!: string;
-
-  constructor() {
-    super();
-  }
-
-  public static async findById(id: string): Promise<NetworkTargetDoc | null> {
-    return await NetworkTargetDoc.getInstance({ id });
-  }
-
-  public static async findByName(name: string): Promise<NetworkTargetDoc | null> {
-    return await NetworkTargetDoc.getInstance({ name });
-  }
-
-  public static async findAll(): Promise<NetworkTargetDoc[]> {
-    return await NetworkTargetDoc.getInstances({});
-  }
-}
@@ -1,38 +0,0 @@
-import * as plugins from '../../plugins.js';
-import { DcRouterDb } from '../classes.dcrouter-db.js';
-
-const getDb = () => DcRouterDb.getInstance().getDb();
-
-@plugins.smartdata.Collection(() => getDb())
-export class ProxyCertDoc extends plugins.smartdata.SmartDataDbDoc<ProxyCertDoc, ProxyCertDoc> {
-  @plugins.smartdata.unI()
-  @plugins.smartdata.svDb()
-  public domain!: string;
-
-  @plugins.smartdata.svDb()
-  public publicKey!: string;
-
-  @plugins.smartdata.svDb()
-  public privateKey!: string;
-
-  @plugins.smartdata.svDb()
-  public ca!: string;
-
-  @plugins.smartdata.svDb()
-  public validUntil!: number;
-
-  @plugins.smartdata.svDb()
-  public validFrom!: number;
-
-  constructor() {
-    super();
-  }
-
-  public static async findByDomain(domain: string): Promise<ProxyCertDoc | null> {
-    return await ProxyCertDoc.getInstance({ domain });
-  }
-
-  public static async findAll(): Promise<ProxyCertDoc[]> {
-    return await ProxyCertDoc.getInstances({});
-  }
-}
@@ -1,54 +0,0 @@
-import * as plugins from '../../plugins.js';
-import { DcRouterDb } from '../classes.dcrouter-db.js';
-
-const getDb = () => DcRouterDb.getInstance().getDb();
-
-@plugins.smartdata.Collection(() => getDb())
-export class RemoteIngressEdgeDoc extends plugins.smartdata.SmartDataDbDoc<RemoteIngressEdgeDoc, RemoteIngressEdgeDoc> {
-  @plugins.smartdata.unI()
-  @plugins.smartdata.svDb()
-  public id!: string;
-
-  @plugins.smartdata.svDb()
-  public name: string = '';
-
-  @plugins.smartdata.svDb()
-  public secret!: string;
-
-  @plugins.smartdata.svDb()
-  public listenPorts!: number[];
-
-  @plugins.smartdata.svDb()
-  public listenPortsUdp!: number[];
-
-  @plugins.smartdata.svDb()
-  public enabled!: boolean;
-
-  @plugins.smartdata.svDb()
-  public autoDerivePorts!: boolean;
-
-  @plugins.smartdata.svDb()
-  public tags!: string[];
-
-  @plugins.smartdata.svDb()
-  public createdAt!: number;
-
-  @plugins.smartdata.svDb()
-  public updatedAt!: number;
-
-  constructor() {
-    super();
-  }
-
-  public static async findById(id: string): Promise<RemoteIngressEdgeDoc | null> {
-    return await RemoteIngressEdgeDoc.getInstance({ id });
-  }
-
-  public static async findAll(): Promise<RemoteIngressEdgeDoc[]> {
-    return await RemoteIngressEdgeDoc.getInstances({});
-  }
-
-  public static async findEnabled(): Promise<RemoteIngressEdgeDoc[]> {
-    return await RemoteIngressEdgeDoc.getInstances({ enabled: true });
-  }
-}
@@ -1,32 +0,0 @@
-import * as plugins from '../../plugins.js';
-import { DcRouterDb } from '../classes.dcrouter-db.js';
-
-const getDb = () => DcRouterDb.getInstance().getDb();
-
-@plugins.smartdata.Collection(() => getDb())
-export class RouteOverrideDoc extends plugins.smartdata.SmartDataDbDoc<RouteOverrideDoc, RouteOverrideDoc> {
-  @plugins.smartdata.unI()
-  @plugins.smartdata.svDb()
-  public routeName!: string;
-
-  @plugins.smartdata.svDb()
-  public enabled!: boolean;
-
-  @plugins.smartdata.svDb()
-  public updatedAt!: number;
-
-  @plugins.smartdata.svDb()
-  public updatedBy!: string;
-
-  constructor() {
-    super();
-  }
-
-  public static async findByRouteName(routeName: string): Promise<RouteOverrideDoc | null> {
-    return await RouteOverrideDoc.getInstance({ routeName });
-  }
-
-  public static async findAll(): Promise<RouteOverrideDoc[]> {
-    return await RouteOverrideDoc.getInstances({});
-  }
-}
@@ -1,45 +0,0 @@
-import * as plugins from '../../plugins.js';
-import { DcRouterDb } from '../classes.dcrouter-db.js';
-import type { IRouteSecurity } from '../../../ts_interfaces/data/route-management.js';
-
-const getDb = () => DcRouterDb.getInstance().getDb();
-
-@plugins.smartdata.Collection(() => getDb())
-export class SourceProfileDoc extends plugins.smartdata.SmartDataDbDoc<SourceProfileDoc, SourceProfileDoc> {
-  @plugins.smartdata.unI()
-  @plugins.smartdata.svDb()
-  public id!: string;
-
-  @plugins.smartdata.svDb()
-  public name: string = '';
-
-  @plugins.smartdata.svDb()
-  public description?: string;
-
-  @plugins.smartdata.svDb()
-  public security!: IRouteSecurity;
-
-  @plugins.smartdata.svDb()
-  public extendsProfiles?: string[];
-
-  @plugins.smartdata.svDb()
-  public createdAt!: number;
-
-  @plugins.smartdata.svDb()
-  public updatedAt!: number;
-
-  @plugins.smartdata.svDb()
-  public createdBy!: string;
-
-  constructor() {
-    super();
-  }
-
-  public static async findById(id: string): Promise<SourceProfileDoc | null> {
-    return await SourceProfileDoc.getInstance({ id });
-  }
-
-  public static async findAll(): Promise<SourceProfileDoc[]> {
-    return await SourceProfileDoc.getInstances({});
-  }
-}
@@ -1,43 +0,0 @@
-import * as plugins from '../../plugins.js';
-import { DcRouterDb } from '../classes.dcrouter-db.js';
-import type { IRouteMetadata } from '../../../ts_interfaces/data/route-management.js';
-import type { IDcRouterRouteConfig } from '../../../ts_interfaces/data/remoteingress.js';
-
-const getDb = () => DcRouterDb.getInstance().getDb();
-
-@plugins.smartdata.Collection(() => getDb())
-export class StoredRouteDoc extends plugins.smartdata.SmartDataDbDoc<StoredRouteDoc, StoredRouteDoc> {
-  @plugins.smartdata.unI()
-  @plugins.smartdata.svDb()
-  public id!: string;
-
-  @plugins.smartdata.svDb()
-  public route!: IDcRouterRouteConfig;
-
-  @plugins.smartdata.svDb()
-  public enabled!: boolean;
-
-  @plugins.smartdata.svDb()
-  public createdAt!: number;
-
-  @plugins.smartdata.svDb()
-  public updatedAt!: number;
-
-  @plugins.smartdata.svDb()
-  public createdBy!: string;
-
-  @plugins.smartdata.svDb()
-  public metadata?: IRouteMetadata;
-
-  constructor() {
-    super();
-  }
-
-  public static async findById(id: string): Promise<StoredRouteDoc | null> {
-    return await StoredRouteDoc.getInstance({ id });
-  }
-
-  public static async findAll(): Promise<StoredRouteDoc[]> {
-    return await StoredRouteDoc.getInstances({});
-  }
-}
@@ -1,48 +0,0 @@
-import * as plugins from '../../plugins.js';
-import { DcRouterDb } from '../classes.dcrouter-db.js';
-import type { ITargetProfileTarget } from '../../../ts_interfaces/data/target-profile.js';
-
-const getDb = () => DcRouterDb.getInstance().getDb();
-
-@plugins.smartdata.Collection(() => getDb())
-export class TargetProfileDoc extends plugins.smartdata.SmartDataDbDoc<TargetProfileDoc, TargetProfileDoc> {
-  @plugins.smartdata.unI()
-  @plugins.smartdata.svDb()
-  public id!: string;
-
-  @plugins.smartdata.svDb()
-  public name: string = '';
-
-  @plugins.smartdata.svDb()
-  public description?: string;
-
-  @plugins.smartdata.svDb()
-  public domains?: string[];
-
-  @plugins.smartdata.svDb()
-  public targets?: ITargetProfileTarget[];
-
-  @plugins.smartdata.svDb()
-  public routeRefs?: string[];
-
-  @plugins.smartdata.svDb()
-  public createdAt!: number;
-
-  @plugins.smartdata.svDb()
-  public updatedAt!: number;
-
-  @plugins.smartdata.svDb()
-  public createdBy!: string;
-
-  constructor() {
-    super();
-  }
-
-  public static async findById(id: string): Promise<TargetProfileDoc | null> {
-    return await TargetProfileDoc.getInstance({ id });
-  }
-
-  public static async findAll(): Promise<TargetProfileDoc[]> {
-    return await TargetProfileDoc.getInstances({});
-  }
-}
@@ -1,32 +0,0 @@
-import * as plugins from '../../plugins.js';
-import { DcRouterDb } from '../classes.dcrouter-db.js';
-
-const getDb = () => DcRouterDb.getInstance().getDb();
-
-export interface IMacVlanMapping {
-  mac: string;
-  vlan: number;
-  description?: string;
-  enabled: boolean;
-  createdAt: number;
-  updatedAt: number;
-}
-
-@plugins.smartdata.Collection(() => getDb())
-export class VlanMappingsDoc extends plugins.smartdata.SmartDataDbDoc<VlanMappingsDoc, VlanMappingsDoc> {
-  @plugins.smartdata.unI()
-  @plugins.smartdata.svDb()
-  public configId: string = 'vlan-mappings';
-
-  @plugins.smartdata.svDb()
-  public mappings!: IMacVlanMapping[];
-
-  constructor() {
-    super();
-    this.mappings = [];
-  }
-
-  public static async load(): Promise<VlanMappingsDoc | null> {
-    return await VlanMappingsDoc.getInstance({ configId: 'vlan-mappings' });
-  }
-}
@@ -1,70 +0,0 @@
-import * as plugins from '../../plugins.js';
-import { DcRouterDb } from '../classes.dcrouter-db.js';
-
-const getDb = () => DcRouterDb.getInstance().getDb();
-
-@plugins.smartdata.Collection(() => getDb())
-export class VpnClientDoc extends plugins.smartdata.SmartDataDbDoc<VpnClientDoc, VpnClientDoc> {
-  @plugins.smartdata.unI()
-  @plugins.smartdata.svDb()
-  public clientId!: string;
-
-  @plugins.smartdata.svDb()
-  public enabled!: boolean;
-
-  @plugins.smartdata.svDb()
-  public targetProfileIds?: string[];
-
-  @plugins.smartdata.svDb()
-  public description?: string;
-
-  @plugins.smartdata.svDb()
-  public assignedIp?: string;
-
-  @plugins.smartdata.svDb()
-  public noisePublicKey!: string;
-
-  @plugins.smartdata.svDb()
-  public wgPublicKey!: string;
-
-  @plugins.smartdata.svDb()
-  public wgPrivateKey?: string;
-
-  @plugins.smartdata.svDb()
-  public createdAt!: number;
-
-  @plugins.smartdata.svDb()
-  public updatedAt!: number;
-
-  @plugins.smartdata.svDb()
-  public expiresAt?: string;
-
-  @plugins.smartdata.svDb()
-  public destinationAllowList?: string[];
-
-  @plugins.smartdata.svDb()
-  public destinationBlockList?: string[];
-
-  @plugins.smartdata.svDb()
-  public useHostIp?: boolean;
-
-  @plugins.smartdata.svDb()
-  public useDhcp?: boolean;
-
-  @plugins.smartdata.svDb()
-  public staticIp?: string;
-
-  @plugins.smartdata.svDb()
-  public forceVlan?: boolean;
-
-  @plugins.smartdata.svDb()
-  public vlanId?: number;
-
-  constructor() {
-    super();
-  }
-
-  public static async findAll(): Promise<VpnClientDoc[]> {
-    return await VpnClientDoc.getInstances({});
-  }
-}
@@ -1,31 +0,0 @@
-import * as plugins from '../../plugins.js';
-import { DcRouterDb } from '../classes.dcrouter-db.js';
-
-const getDb = () => DcRouterDb.getInstance().getDb();
-
-@plugins.smartdata.Collection(() => getDb())
-export class VpnServerKeysDoc extends plugins.smartdata.SmartDataDbDoc<VpnServerKeysDoc, VpnServerKeysDoc> {
-  @plugins.smartdata.unI()
-  @plugins.smartdata.svDb()
-  public configId: string = 'vpn-server-keys';
-
-  @plugins.smartdata.svDb()
-  public noisePrivateKey!: string;
-
-  @plugins.smartdata.svDb()
-  public noisePublicKey!: string;
-
-  @plugins.smartdata.svDb()
-  public wgPrivateKey!: string;
-
-  @plugins.smartdata.svDb()
-  public wgPublicKey!: string;
-
-  constructor() {
-    super();
-  }
-
-  public static async load(): Promise<VpnServerKeysDoc | null> {
-    return await VpnServerKeysDoc.getInstance({ configId: 'vpn-server-keys' });
-  }
-}
@@ -1,27 +0,0 @@
-// Cached/TTL document classes
-export * from './classes.cached.email.js';
-export * from './classes.cached.ip.reputation.js';
-
-// Config document classes
-export * from './classes.stored-route.doc.js';
-export * from './classes.route-override.doc.js';
-export * from './classes.api-token.doc.js';
-export * from './classes.source-profile.doc.js';
-export * from './classes.target-profile.doc.js';
-export * from './classes.network-target.doc.js';
-
-// VPN document classes
-export * from './classes.vpn-server-keys.doc.js';
-export * from './classes.vpn-client.doc.js';
-
-// Certificate document classes
-export * from './classes.acme-cert.doc.js';
-export * from './classes.proxy-cert.doc.js';
-export * from './classes.cert-backoff.doc.js';
-
-// Remote ingress document classes
-export * from './classes.remote-ingress-edge.doc.js';
-
-// RADIUS document classes
-export * from './classes.vlan-mappings.doc.js';
-export * from './classes.accounting-session.doc.js';
@@ -227,7 +227,7 @@ export class PlatformError extends Error {
    const { retry } = this.context;
    if (!retry) return false;
    
-    return (retry.currentRetry ?? 0) < (retry.maxRetries ?? 0);
+    return retry.currentRetry < retry.maxRetries;
  }

  /**
@@ -1,153 +0,0 @@
-import type * as plugins from '../plugins.js';
-
-/**
- * Configuration for HTTP/3 (QUIC) route augmentation.
- * HTTP/3 is enabled by default on all qualifying HTTPS routes.
- */
-export interface IHttp3Config {
-  /** Enable HTTP/3 augmentation on qualifying routes (default: true) */
-  enabled?: boolean;
-  /** QUIC-specific settings applied to all augmented routes */
-  quicSettings?: {
-    /** QUIC connection idle timeout in ms (default: 30000) */
-    maxIdleTimeout?: number;
-    /** Max concurrent bidirectional streams per connection (default: 100) */
-    maxConcurrentBidiStreams?: number;
-    /** Max concurrent unidirectional streams per connection (default: 100) */
-    maxConcurrentUniStreams?: number;
-    /** Initial congestion window size in bytes */
-    initialCongestionWindow?: number;
-  };
-  /** Alt-Svc header settings */
-  altSvc?: {
-    /** Port advertised in Alt-Svc header (default: same as listening port) */
-    port?: number;
-    /** Max age for Alt-Svc advertisement in seconds (default: 86400) */
-    maxAge?: number;
-  };
-  /** UDP session settings */
-  udpSettings?: {
-    /** Idle timeout for UDP sessions in ms (default: 60000) */
-    sessionTimeout?: number;
-    /** Max concurrent UDP sessions per source IP (default: 1000) */
-    maxSessionsPerIP?: number;
-    /** Max accepted datagram size in bytes (default: 65535) */
-    maxDatagramSize?: number;
-  };
-}
-
-type TPortRange = plugins.smartproxy.IRouteConfig['match']['ports'];
-
-/**
- * Check whether a TPortRange includes port 443.
- */
-function portRangeIncludes443(ports: TPortRange): boolean {
-  if (typeof ports === 'number') return ports === 443;
-  if (Array.isArray(ports)) {
-    return ports.some((p) => {
-      if (typeof p === 'number') return p === 443;
-      return p.from <= 443 && p.to >= 443;
-    });
-  }
-  return false;
-}
-
-/**
- * Check if a route name indicates an email route that should not get HTTP/3.
- */
-function isEmailRoute(route: plugins.smartproxy.IRouteConfig): boolean {
-  const name = route.name?.toLowerCase() || '';
-  return (
-    name.startsWith('smtp-') ||
-    name.startsWith('submission-') ||
-    name.startsWith('smtps-') ||
-    name.startsWith('email-')
-  );
-}
-
-/**
- * Determine if a route qualifies for HTTP/3 augmentation.
- */
-export function routeQualifiesForHttp3(
-  route: plugins.smartproxy.IRouteConfig,
-  globalConfig: IHttp3Config,
-): boolean {
-  // Check global enable + per-route override
-  const globalEnabled = globalConfig.enabled !== false; // default true
-  const perRouteOverride = route.action.options?.http3;
-
-  // If per-route explicitly set, use that; otherwise use global
-  const shouldAugment =
-    perRouteOverride !== undefined ? perRouteOverride : globalEnabled;
-  if (!shouldAugment) return false;
-
-  // Must be forward type
-  if (route.action.type !== 'forward') return false;
-
-  // Must include port 443
-  if (!portRangeIncludes443(route.match.ports)) return false;
-
-  // Must have TLS
-  if (!route.action.tls) return false;
-
-  // Skip email routes
-  if (isEmailRoute(route)) return false;
-
-  // Skip if already configured with transport 'all' or 'udp'
-  if (route.match.transport === 'all' || route.match.transport === 'udp') return false;
-
-  // Skip if already has QUIC config
-  if (route.action.udp?.quic) return false;
-
-  return true;
-}
-
-/**
- * Augment a single route with HTTP/3 fields.
- * Returns a new route object (does not mutate the original).
- */
-export function augmentRouteWithHttp3(
-  route: plugins.smartproxy.IRouteConfig,
-  config: IHttp3Config,
-): plugins.smartproxy.IRouteConfig {
-  if (!routeQualifiesForHttp3(route, config)) {
-    return route;
-  }
-
-  return {
-    ...route,
-    match: {
-      ...route.match,
-      transport: 'all' as const,
-    },
-    action: {
-      ...route.action,
-      udp: {
-        ...(route.action.udp || {}),
-        sessionTimeout: config.udpSettings?.sessionTimeout,
-        maxSessionsPerIP: config.udpSettings?.maxSessionsPerIP,
-        maxDatagramSize: config.udpSettings?.maxDatagramSize,
-        quic: {
-          enableHttp3: true,
-          maxIdleTimeout: config.quicSettings?.maxIdleTimeout,
-          maxConcurrentBidiStreams: config.quicSettings?.maxConcurrentBidiStreams,
-          maxConcurrentUniStreams: config.quicSettings?.maxConcurrentUniStreams,
-          altSvcPort: config.altSvc?.port,
-          altSvcMaxAge: config.altSvc?.maxAge ?? 86400,
-          initialCongestionWindow: config.quicSettings?.initialCongestionWindow,
-        },
-      },
-    },
-  };
-}
-
-/**
- * Augment all qualifying routes in an array.
- * Returns a new array (does not mutate originals).
- */
-export function augmentRoutesWithHttp3(
-  routes: plugins.smartproxy.IRouteConfig[],
-  config: IHttp3Config,
-): plugins.smartproxy.IRouteConfig[] {
-  return routes.map((route) => augmentRouteWithHttp3(route, config));
-}
@@ -1 +0,0 @@
-export * from './http3-route-augmentation.js';
@@ -5,7 +5,6 @@ export { UnifiedEmailServer } from '@push.rocks/smartmta';
 export type { IUnifiedEmailServerOptions, IEmailRoute, IEmailDomainConfig } from '@push.rocks/smartmta';

 // DcRouter
-import { DcRouter } from './classes.dcrouter.js';
 export * from './classes.dcrouter.js';

 // RADIUS module
@@ -14,27 +13,4 @@ export * from './radius/index.js';
 // Remote Ingress module
 export * from './remoteingress/index.js';

-// HTTP/3 module
-export type { IHttp3Config } from './http3/index.js';
-
-export const runCli = async () => {
-  let options: import('./classes.dcrouter.js').IDcRouterOptions = {};
-
-  if (process.env.DCROUTER_MODE === 'OCI_CONTAINER') {
-    const { getOciContainerConfig } = await import('../ts_oci_container/index.js');
-    options = getOciContainerConfig();
-    console.log('[DCRouter] Starting in OCI Container mode...');
-  }
-
-  const dcRouter = new DcRouter(options);
-  await dcRouter.start();
-  console.log('[DCRouter] Running. Send SIGTERM or SIGINT to stop.');
-
-  const shutdown = async () => {
-    console.log('[DCRouter] Shutting down...');
-    await dcRouter.stop();
-    process.exit(0);
-  };
-  process.once('SIGINT', shutdown);
-  process.once('SIGTERM', shutdown);
-};
+export const runCli = async () => {};
@@ -296,11 +296,11 @@ export class MetricsManager {
      const proxyMetrics = this.dcRouter.smartProxy ? this.dcRouter.smartProxy.getMetrics() : null;
      
      if (!proxyMetrics) {
-        return [] as Array<{ type: string; count: number; source: string; lastActivity: Date }>;
+        return [];
      }
-
+      
      const connectionsByRoute = proxyMetrics.connections.byRoute();
-      const connectionInfo: Array<{ type: string; count: number; source: string; lastActivity: Date }> = [];
+      const connectionInfo = [];
      
      for (const [routeName, count] of connectionsByRoute) {
        connectionInfo.push({
@@ -558,7 +558,6 @@ export class MetricsManager {
          throughputByIP: new Map<string, { in: number; out: number }>(),
          requestsPerSecond: 0,
          requestsTotal: 0,
-          backends: [] as Array<any>,
        };
      }

@@ -591,114 +590,6 @@ export class MetricsManager {
      const requestsPerSecond = proxyMetrics.requests.perSecond();
      const requestsTotal = proxyMetrics.requests.total();

-      // Get frontend/backend protocol distribution
-      const frontendProtocols = proxyMetrics.connections.frontendProtocols() ?? null;
-      const backendProtocols = proxyMetrics.connections.backendProtocols() ?? null;
-
-      // Collect backend protocol data
-      const backendMetrics = proxyMetrics.backends.byBackend();
-      const protocolCache = proxyMetrics.backends.detectedProtocols();
-
-      // Group protocol cache entries by host:port so we can match them to backend metrics.
-      // The protocol cache is keyed by (host, port, domain) in Rust, so the same host:port
-      // can have multiple entries for different domains.
-      const cacheByBackend = new Map<string, (typeof protocolCache)[number][]>();
-      for (const entry of protocolCache) {
-        const backendKey = `${entry.host}:${entry.port}`;
-        let entries = cacheByBackend.get(backendKey);
-        if (!entries) {
-          entries = [];
-          cacheByBackend.set(backendKey, entries);
-        }
-        entries.push(entry);
-      }
-
-      const backends: Array<any> = [];
-      const seenCacheKeys = new Set<string>();
-
-      for (const [key, bm] of backendMetrics) {
-        const cacheEntries = cacheByBackend.get(key);
-        if (!cacheEntries || cacheEntries.length === 0) {
-          // No protocol cache entry — emit one row with backend metrics only
-          backends.push({
-            backend: key,
-            domain: null,
-            protocol: bm.protocol,
-            activeConnections: bm.activeConnections,
-            totalConnections: bm.totalConnections,
-            connectErrors: bm.connectErrors,
-            handshakeErrors: bm.handshakeErrors,
-            requestErrors: bm.requestErrors,
-            avgConnectTimeMs: Math.round(bm.avgConnectTimeMs * 10) / 10,
-            poolHitRate: Math.round(bm.poolHitRate * 1000) / 1000,
-            h2Failures: bm.h2Failures,
-            h2Suppressed: false,
-            h3Suppressed: false,
-            h2CooldownRemainingSecs: null,
-            h3CooldownRemainingSecs: null,
-            h2ConsecutiveFailures: null,
-            h3ConsecutiveFailures: null,
-            h3Port: null,
-            cacheAgeSecs: null,
-          });
-        } else {
-          // One row per domain, each enriched with the shared backend metrics
-          for (const cache of cacheEntries) {
-            const compositeKey = `${cache.host}:${cache.port}:${cache.domain ?? ''}`;
-            seenCacheKeys.add(compositeKey);
-            backends.push({
-              backend: key,
-              domain: cache.domain ?? null,
-              protocol: cache.protocol ?? bm.protocol,
-              activeConnections: bm.activeConnections,
-              totalConnections: bm.totalConnections,
-              connectErrors: bm.connectErrors,
-              handshakeErrors: bm.handshakeErrors,
-              requestErrors: bm.requestErrors,
-              avgConnectTimeMs: Math.round(bm.avgConnectTimeMs * 10) / 10,
-              poolHitRate: Math.round(bm.poolHitRate * 1000) / 1000,
-              h2Failures: bm.h2Failures,
-              h2Suppressed: cache.h2Suppressed,
-              h3Suppressed: cache.h3Suppressed,
-              h2CooldownRemainingSecs: cache.h2CooldownRemainingSecs,
-              h3CooldownRemainingSecs: cache.h3CooldownRemainingSecs,
-              h2ConsecutiveFailures: cache.h2ConsecutiveFailures,
-              h3ConsecutiveFailures: cache.h3ConsecutiveFailures,
-              h3Port: cache.h3Port,
-              cacheAgeSecs: cache.ageSecs,
-            });
-          }
-        }
-      }
-
-      // Include protocol cache entries with no matching backend metric
-      for (const entry of protocolCache) {
-        const compositeKey = `${entry.host}:${entry.port}:${entry.domain ?? ''}`;
-        if (!seenCacheKeys.has(compositeKey)) {
-          backends.push({
-            backend: `${entry.host}:${entry.port}`,
-            domain: entry.domain,
-            protocol: entry.protocol,
-            activeConnections: 0,
-            totalConnections: 0,
-            connectErrors: 0,
-            handshakeErrors: 0,
-            requestErrors: 0,
-            avgConnectTimeMs: 0,
-            poolHitRate: 0,
-            h2Failures: 0,
-            h2Suppressed: entry.h2Suppressed,
-            h3Suppressed: entry.h3Suppressed,
-            h2CooldownRemainingSecs: entry.h2CooldownRemainingSecs,
-            h3CooldownRemainingSecs: entry.h3CooldownRemainingSecs,
-            h2ConsecutiveFailures: entry.h2ConsecutiveFailures,
-            h3ConsecutiveFailures: entry.h3ConsecutiveFailures,
-            h3Port: entry.h3Port,
-            cacheAgeSecs: entry.ageSecs,
-          });
-        }
-      }
-
      return {
        connectionsByIP,
        throughputRate,
@@ -708,9 +599,6 @@ export class MetricsManager {
        throughputByIP,
        requestsPerSecond,
        requestsTotal,
-        backends,
-        frontendProtocols,
-        backendProtocols,
      };
    }, 1000); // 1s cache — matches typical dashboard poll interval
  }
@@ -7,7 +7,7 @@ import { requireValidIdentity, requireAdminIdentity } from './helpers/guards.js'

 export class OpsServer {
  public dcRouterRef: DcRouter;
-  public server!: plugins.typedserver.utilityservers.UtilityWebsiteServer;
+  public server: plugins.typedserver.utilityservers.UtilityWebsiteServer;

  // Main TypedRouter — unauthenticated endpoints (login/logout/verify) and own-auth handlers
  public typedrouter = new plugins.typedrequest.TypedRouter();
@@ -17,21 +17,17 @@ export class OpsServer {
  public adminRouter = new plugins.typedrequest.TypedRouter<{ request: { identity: interfaces.data.IIdentity } }>();

  // Handler instances
-  public adminHandler!: handlers.AdminHandler;
-  private configHandler!: handlers.ConfigHandler;
-  private logsHandler!: handlers.LogsHandler;
-  private securityHandler!: handlers.SecurityHandler;
-  private statsHandler!: handlers.StatsHandler;
-  private radiusHandler!: handlers.RadiusHandler;
-  private emailOpsHandler!: handlers.EmailOpsHandler;
-  private certificateHandler!: handlers.CertificateHandler;
-  private remoteIngressHandler!: handlers.RemoteIngressHandler;
-  private routeManagementHandler!: handlers.RouteManagementHandler;
-  private apiTokenHandler!: handlers.ApiTokenHandler;
-  private vpnHandler!: handlers.VpnHandler;
-  private sourceProfileHandler!: handlers.SourceProfileHandler;
-  private targetProfileHandler!: handlers.TargetProfileHandler;
-  private networkTargetHandler!: handlers.NetworkTargetHandler;
+  public adminHandler: handlers.AdminHandler;
+  private configHandler: handlers.ConfigHandler;
+  private logsHandler: handlers.LogsHandler;
+  private securityHandler: handlers.SecurityHandler;
+  private statsHandler: handlers.StatsHandler;
+  private radiusHandler: handlers.RadiusHandler;
+  private emailOpsHandler: handlers.EmailOpsHandler;
+  private certificateHandler: handlers.CertificateHandler;
+  private remoteIngressHandler: handlers.RemoteIngressHandler;
+  private routeManagementHandler: handlers.RouteManagementHandler;
+  private apiTokenHandler: handlers.ApiTokenHandler;

  constructor(dcRouterRefArg: DcRouter) {
    this.dcRouterRef = dcRouterRefArg;
@@ -43,7 +39,7 @@ export class OpsServer {
  public async start() {
    this.server = new plugins.typedserver.utilityservers.UtilityWebsiteServer({
      domain: 'localhost',
-      feedMetadata: undefined,
+      feedMetadata: null,
      serveDir: paths.distServe,
    });
    
@@ -54,7 +50,7 @@ export class OpsServer {
    // Set up handlers
    await this.setupHandlers();

-    await this.server.start(this.dcRouterRef.options.opsServerPort ?? 3000);
+    await this.server.start(3000);
  }
  
  /**
@@ -90,10 +86,6 @@ export class OpsServer {
    this.remoteIngressHandler = new handlers.RemoteIngressHandler(this);
    this.routeManagementHandler = new handlers.RouteManagementHandler(this);
    this.apiTokenHandler = new handlers.ApiTokenHandler(this);
-    this.vpnHandler = new handlers.VpnHandler(this);
-    this.sourceProfileHandler = new handlers.SourceProfileHandler(this);
-    this.targetProfileHandler = new handlers.TargetProfileHandler(this);
-    this.networkTargetHandler = new handlers.NetworkTargetHandler(this);

    console.log('✅ OpsServer TypedRequest handlers initialized');
  }
@@ -12,7 +12,7 @@ export class AdminHandler {
  public typedrouter = new plugins.typedrequest.TypedRouter();
  
  // JWT instance
-  public smartjwtInstance!: plugins.smartjwt.SmartJwt<IJwtData>;
+  public smartjwtInstance: plugins.smartjwt.SmartJwt<IJwtData>;
  
  // Simple in-memory user storage (in production, use proper database)
  private users = new Map<string, {
@@ -1,29 +1,6 @@
 import * as plugins from '../../plugins.js';
 import type { OpsServer } from '../classes.opsserver.js';
 import * as interfaces from '../../../ts_interfaces/index.js';
-import { AcmeCertDoc, ProxyCertDoc } from '../../db/index.js';
-import { logger } from '../../logger.js';
-
-/**
- * Mirrors `SmartacmeCertMatcher.getCertificateDomainNameByDomainName` from
- * @push.rocks/smartacme. Inlined here because the original is `private` on
- * SmartAcme. The cert identity ('task.vc' for both 'outline.task.vc' and
- * '*.task.vc') is what AcmeCertDoc is keyed by, so two route domains with
- * the same identity share the same underlying ACME cert.
- *
- * Returns undefined for domains with 4+ levels (matching smartacme's
- * "deeper domains not supported" behavior) and for malformed inputs.
- *
- * Exported for unit testing.
- */
-export function deriveCertDomainName(domain: string): string | undefined {
-  if (domain.startsWith('*.')) {
-    return domain.slice(2);
-  }
-  const parts = domain.split('.');
-  if (parts.length < 2 || parts.length > 3) return undefined;
-  return parts.slice(-2).join('.');
-}

 export class CertificateHandler {
  constructor(private opsServerRef: OpsServer) {
@@ -65,7 +42,7 @@ export class CertificateHandler {
      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_ReprovisionCertificateDomain>(
        'reprovisionCertificateDomain',
        async (dataArg) => {
-          return this.reprovisionCertificateDomain(dataArg.domain, dataArg.forceRenew);
+          return this.reprovisionCertificateDomain(dataArg.domain);
        }
      )
    );
@@ -210,32 +187,30 @@ export class CertificateHandler {
        }
      }

-      // Check persisted cert data from smartdata document classes
+      // Check persisted cert data from StorageManager
      if (status === 'unknown') {
        const cleanDomain = domain.replace(/^\*\.?/, '');
-        // SmartAcme stores certs under the base domain (e.g. example.com for api.example.com)
-        const parts = cleanDomain.split('.');
-        const baseDomain = parts.length > 2 ? parts.slice(-2).join('.') : cleanDomain;
-        const acmeDoc = await AcmeCertDoc.findByDomain(baseDomain)
-          || (baseDomain !== cleanDomain ? await AcmeCertDoc.findByDomain(cleanDomain) : null);
-        const proxyDoc = !acmeDoc ? await ProxyCertDoc.findByDomain(domain) : null;
-
-        if (acmeDoc?.validUntil) {
-          expiryDate = new Date(acmeDoc.validUntil).toISOString();
-          if (acmeDoc.created) {
-            issuedAt = new Date(acmeDoc.created).toISOString();
+        let certData = await dcRouter.storageManager.getJSON(`/certs/${cleanDomain}`);
+        if (!certData) {
+          // Also check certStore path (proxy-certs)
+          certData = await dcRouter.storageManager.getJSON(`/proxy-certs/${domain}`);
+        }
+        if (certData?.validUntil) {
+          expiryDate = new Date(certData.validUntil).toISOString();
+          if (certData.created) {
+            issuedAt = new Date(certData.created).toISOString();
          }
          issuer = 'smartacme-dns-01';
-        } else if (proxyDoc?.publicKey) {
+        } else if (certData?.publicKey) {
          // certStore has the cert — parse PEM for expiry
          try {
-            const x509 = new plugins.crypto.X509Certificate(proxyDoc.publicKey);
+            const x509 = new plugins.crypto.X509Certificate(certData.publicKey);
            expiryDate = new Date(x509.validTo).toISOString();
            issuedAt = new Date(x509.validFrom).toISOString();
          } catch { /* PEM parsing failed */ }
          status = 'valid';
          issuer = 'cert-store';
-        } else if (acmeDoc || proxyDoc) {
+        } else if (certData) {
          status = 'valid';
          issuer = 'cert-store';
        }
@@ -317,12 +292,7 @@ export class CertificateHandler {
  }

  /**
-   * Legacy route-based reprovisioning. Kept for backward compatibility with
-   * older clients that send `reprovisionCertificate` typed-requests.
-   *
-   * Like reprovisionCertificateDomain, this triggers the full route apply
-   * pipeline rather than smartProxy.provisionCertificate(routeName) — which
-   * is a no-op when certProvisionFunction is set (Rust ACME disabled).
+   * Legacy route-based reprovisioning
   */
  private async reprovisionCertificateByRoute(routeName: string): Promise<{ success: boolean; message?: string }> {
    const dcRouter = this.opsServerRef.dcRouterRef;
@@ -332,39 +302,24 @@ export class CertificateHandler {
      return { success: false, message: 'SmartProxy is not running' };
    }

-    // Clear event-based status for domains in this route so the
-    // certificate-issued event can refresh them
-    for (const [domain, entry] of dcRouter.certificateStatusMap) {
-      if (entry.routeNames.includes(routeName)) {
-        dcRouter.certificateStatusMap.delete(domain);
-      }
-    }
-
    try {
-      if (dcRouter.routeConfigManager) {
-        await dcRouter.routeConfigManager.applyRoutes();
-      } else {
-        await smartProxy.updateRoutes(smartProxy.routeManager.getRoutes());
+      await smartProxy.provisionCertificate(routeName);
+      // Clear event-based status for domains in this route
+      for (const [domain, entry] of dcRouter.certificateStatusMap) {
+        if (entry.routeNames.includes(routeName)) {
+          dcRouter.certificateStatusMap.delete(domain);
+        }
      }
      return { success: true, message: `Certificate reprovisioning triggered for route '${routeName}'` };
-    } catch (err: unknown) {
-      return { success: false, message: (err as Error).message || 'Failed to reprovision certificate' };
+    } catch (err) {
+      return { success: false, message: err.message || 'Failed to reprovision certificate' };
    }
  }

  /**
-   * Domain-based reprovisioning — clears backoff first, refreshes the smartacme
-   * cert (when forceRenew is set), then re-applies routes so the running Rust
-   * proxy actually picks up the new cert.
-   *
-   * Why applyRoutes (not smartProxy.provisionCertificate)?
-   *   smartProxy.provisionCertificate(routeName) routes through the Rust ACME
-   *   path, which is forcibly disabled whenever certProvisionFunction is set
-   *   (smart-proxy.ts:168-171). The only path that re-invokes
-   *   certProvisionFunction → bridge.loadCertificate is updateRoutes(), which
-   *   we trigger via routeConfigManager.applyRoutes().
+   * Domain-based reprovisioning — clears backoff first, then triggers provision
   */
-  private async reprovisionCertificateDomain(domain: string, forceRenew?: boolean): Promise<{ success: boolean; message?: string }> {
+  private async reprovisionCertificateDomain(domain: string): Promise<{ success: boolean; message?: string }> {
    const dcRouter = this.opsServerRef.dcRouterRef;
    const smartProxy = dcRouter.smartProxy;

@@ -377,143 +332,31 @@ export class CertificateHandler {
      await dcRouter.certProvisionScheduler.clearBackoff(domain);
    }

-    // Find routes matching this domain — fail early if none exist
-    const routeNames = dcRouter.findRouteNamesForDomain(domain);
-    if (routeNames.length === 0) {
-      return { success: false, message: `No routes found for domain '${domain}'` };
-    }
-
-    // If forceRenew, order a fresh cert from ACME now so it's already in
-    // AcmeCertDoc by the time certProvisionFunction is invoked below.
-    //
-    // includeWildcard: when forcing a non-wildcard subdomain renewal, we still
-    // want the wildcard SAN in the order so the new cert keeps covering every
-    // sibling. Without this, smartacme defaults to includeWildcard: false and
-    // the re-issued cert would have only the base domain as SAN, breaking every
-    // sibling subdomain that was previously covered by the same wildcard cert.
-    if (forceRenew && dcRouter.smartAcme) {
-      let newCert: plugins.smartacme.Cert;
-      try {
-        newCert = await dcRouter.smartAcme.getCertificateForDomain(domain, {
-          forceRenew: true,
-          includeWildcard: !domain.startsWith('*.'),
-        });
-      } catch (err: unknown) {
-        return { success: false, message: `Failed to renew certificate for ${domain}: ${(err as Error).message}` };
-      }
-
-      // Propagate the freshly-issued cert PEM to every sibling route domain that
-      // shares the same cert identity. Without this, the rust hot-swap (keyed by
-      // exact domain in `loaded_certs`) only fires for the clicked route via the
-      // fire-and-forget cert provisioning path, leaving siblings serving the
-      // stale in-memory cert until the next background reload completes.
-      try {
-        await this.propagateCertToSiblings(domain, newCert);
-      } catch (err: unknown) {
-        // Best-effort: failure here doesn't undo the cert issuance, just log.
-        logger.log('warn', `Failed to propagate force-renewed cert to siblings of ${domain}: ${(err as Error).message}`);
-      }
-    }
-
-    // Clear status map entry so it gets refreshed by the certificate-issued event
+    // Clear status map entry so it gets refreshed
    dcRouter.certificateStatusMap.delete(domain);

-    // Trigger the full route apply pipeline:
-    //   applyRoutes → updateRoutes → provisionCertificatesViaCallback →
-    //   certProvisionFunction(domain) → smartAcme.getCertificateForDomain →
-    //   bridge.loadCertificate → Rust hot-swaps `loaded_certs` →
-    //   certificate-issued event → certificateStatusMap updated
-    try {
-      if (dcRouter.routeConfigManager) {
-        await dcRouter.routeConfigManager.applyRoutes();
-      } else {
-        // Fallback when DB is disabled and there is no RouteConfigManager
-        await smartProxy.updateRoutes(smartProxy.routeManager.getRoutes());
-      }
-      return { success: true, message: forceRenew ? `Certificate force-renewed for domain '${domain}'` : `Certificate reprovisioning triggered for domain '${domain}'` };
-    } catch (err: unknown) {
-      return { success: false, message: (err as Error).message || `Failed to reprovision certificate for ${domain}` };
-    }
-  }
-
-  /**
-   * After a force-renew, walk every route in the smartproxy that resolves to
-   * the same cert identity as `forcedDomain` and write the freshly-issued cert
-   * PEM into ProxyCertDoc for each. This guarantees that the next applyRoutes
-   * → provisionCertificatesViaCallback iteration will hot-swap every sibling's
-   * rust loaded_certs entry with the new (correct) PEM, rather than relying on
-   * the in-memory cert returned by smartacme's per-domain cache.
-   *
-   * Why this is necessary:
-   *   Rust's `loaded_certs` is a HashMap<domain, TlsCertConfig>. Each
-   *   bridge.loadCertificate(domain, ...) only swaps that one entry. The
-   *   fire-and-forget cert provisioning path triggered by updateRoutes does
-   *   eventually iterate every auto-cert route, but it returns the cached
-   *   (broken pre-fix) cert from smartacme's per-domain mutex. With this
-   *   helper, ProxyCertDoc is updated synchronously to the correct PEM before
-   *   applyRoutes runs, so even the transient window stays consistent.
-   */
-  private async propagateCertToSiblings(
-    forcedDomain: string,
-    newCert: plugins.smartacme.Cert,
-  ): Promise<void> {
-    const dcRouter = this.opsServerRef.dcRouterRef;
-    const smartProxy = dcRouter.smartProxy;
-    if (!smartProxy) return;
-
-    const certIdentity = deriveCertDomainName(forcedDomain);
-    if (!certIdentity) return;
-
-    // Collect every route domain whose cert identity matches.
-    const affected = new Set<string>();
-    for (const route of smartProxy.routeManager.getRoutes()) {
-      if (!route.match.domains) continue;
-      const routeDomains = Array.isArray(route.match.domains)
-        ? route.match.domains
-        : [route.match.domains];
-      for (const routeDomain of routeDomains) {
-        if (deriveCertDomainName(routeDomain) === certIdentity) {
-          affected.add(routeDomain);
-        }
-      }
-    }
-
-    if (affected.size === 0) return;
-
-    // Parse expiry from PEM (defense-in-depth — same pattern as
-    // ts/classes.dcrouter.ts:988-995 and the existing certStore.save callback).
-    let validUntil = newCert.validUntil;
-    let validFrom: number | undefined;
-    if (newCert.publicKey) {
+    // Try to provision via SmartAcme directly
+    if (dcRouter.smartAcme) {
      try {
-        const x509 = new plugins.crypto.X509Certificate(newCert.publicKey);
-        validUntil = new Date(x509.validTo).getTime();
-        validFrom = new Date(x509.validFrom).getTime();
-      } catch { /* fall back to smartacme's value */ }
-    }
-
-    // Persist new cert PEM under each affected route domain
-    for (const routeDomain of affected) {
-      let doc = await ProxyCertDoc.findByDomain(routeDomain);
-      if (!doc) {
-        doc = new ProxyCertDoc();
-        doc.domain = routeDomain;
+        await dcRouter.smartAcme.getCertificateForDomain(domain);
+        return { success: true, message: `Certificate reprovisioning triggered for domain '${domain}'` };
+      } catch (err) {
+        return { success: false, message: err.message || `Failed to reprovision certificate for ${domain}` };
      }
-      doc.publicKey = newCert.publicKey;
-      doc.privateKey = newCert.privateKey;
-      doc.ca = '';
-      doc.validUntil = validUntil || 0;
-      doc.validFrom = validFrom || 0;
-      await doc.save();
-
-      // Clear status so the next event refresh shows the new cert
-      dcRouter.certificateStatusMap.delete(routeDomain);
    }

-    logger.log(
-      'info',
-      `Propagated force-renewed cert for ${forcedDomain} (cert identity '${certIdentity}') to ${affected.size} sibling route domain(s): ${[...affected].join(', ')}`,
-    );
+    // Fallback: try provisioning via the first matching route
+    const routeNames = dcRouter.findRouteNamesForDomain(domain);
+    if (routeNames.length > 0) {
+      try {
+        await smartProxy.provisionCertificate(routeNames[0]);
+        return { success: true, message: `Certificate reprovisioning triggered for domain '${domain}' via route '${routeNames[0]}'` };
+      } catch (err) {
+        return { success: false, message: err.message || `Failed to reprovision certificate for ${domain}` };
+      }
+    }
+
+    return { success: false, message: `No routes found for domain '${domain}'` };
  }

  /**
@@ -522,21 +365,19 @@ export class CertificateHandler {
  private async deleteCertificate(domain: string): Promise<{ success: boolean; message?: string }> {
    const dcRouter = this.opsServerRef.dcRouterRef;
    const cleanDomain = domain.replace(/^\*\.?/, '');
-    const parts = cleanDomain.split('.');
-    const baseDomain = parts.length > 2 ? parts.slice(-2).join('.') : cleanDomain;

-    // Delete from smartdata document classes (try base domain first, then exact)
-    const acmeDoc = await AcmeCertDoc.findByDomain(baseDomain)
-      || (baseDomain !== cleanDomain ? await AcmeCertDoc.findByDomain(cleanDomain) : null);
-    if (acmeDoc) {
-      await acmeDoc.delete();
-    }
+    // Delete from all known storage paths
+    const paths = [
+      `/proxy-certs/${domain}`,
+      `/proxy-certs/${cleanDomain}`,
+      `/certs/${cleanDomain}`,
+    ];

-    // Try both original domain and clean domain for proxy certs
-    for (const d of [domain, cleanDomain]) {
-      const proxyDoc = await ProxyCertDoc.findByDomain(d);
-      if (proxyDoc) {
-        await proxyDoc.delete();
+    for (const path of paths) {
+      try {
+        await dcRouter.storageManager.delete(path);
+      } catch {
+        // Path may not exist — ignore
      }
    }

@@ -567,41 +408,43 @@ export class CertificateHandler {
    };
    message?: string;
  }> {
+    const dcRouter = this.opsServerRef.dcRouterRef;
    const cleanDomain = domain.replace(/^\*\.?/, '');

-    // Try AcmeCertDoc first (has full ICert fields)
-    const acmeDoc = await AcmeCertDoc.findByDomain(cleanDomain);
-    if (acmeDoc && acmeDoc.publicKey && acmeDoc.privateKey) {
+    // Try SmartAcme /certs/ path first (has full ICert fields)
+    let certData = await dcRouter.storageManager.getJSON(`/certs/${cleanDomain}`);
+    if (certData && certData.publicKey && certData.privateKey) {
      return {
        success: true,
        cert: {
-          id: acmeDoc.id || plugins.crypto.randomUUID(),
-          domainName: acmeDoc.domainName || domain,
-          created: acmeDoc.created || Date.now(),
-          validUntil: acmeDoc.validUntil || 0,
-          privateKey: acmeDoc.privateKey,
-          publicKey: acmeDoc.publicKey,
-          csr: acmeDoc.csr || '',
+          id: certData.id || plugins.crypto.randomUUID(),
+          domainName: certData.domainName || domain,
+          created: certData.created || Date.now(),
+          validUntil: certData.validUntil || 0,
+          privateKey: certData.privateKey,
+          publicKey: certData.publicKey,
+          csr: certData.csr || '',
        },
      };
    }

-    // Fallback: try ProxyCertDoc with original domain, then clean domain
-    let proxyDoc = await ProxyCertDoc.findByDomain(domain);
-    if (!proxyDoc || !proxyDoc.publicKey) {
-      proxyDoc = await ProxyCertDoc.findByDomain(cleanDomain);
+    // Fallback: try /proxy-certs/ with original domain
+    certData = await dcRouter.storageManager.getJSON(`/proxy-certs/${domain}`);
+    if (!certData || !certData.publicKey) {
+      // Try with clean domain
+      certData = await dcRouter.storageManager.getJSON(`/proxy-certs/${cleanDomain}`);
    }

-    if (proxyDoc && proxyDoc.publicKey && proxyDoc.privateKey) {
+    if (certData && certData.publicKey && certData.privateKey) {
      return {
        success: true,
        cert: {
          id: plugins.crypto.randomUUID(),
          domainName: domain,
-          created: proxyDoc.validFrom || Date.now(),
-          validUntil: proxyDoc.validUntil || 0,
-          privateKey: proxyDoc.privateKey,
-          publicKey: proxyDoc.publicKey,
+          created: certData.validFrom || Date.now(),
+          validUntil: certData.validUntil || 0,
+          privateKey: certData.privateKey,
+          publicKey: certData.publicKey,
          csr: '',
        },
      };
@@ -633,32 +476,26 @@ export class CertificateHandler {
    const dcRouter = this.opsServerRef.dcRouterRef;
    const cleanDomain = cert.domainName.replace(/^\*\.?/, '');

-    // Save to AcmeCertDoc (SmartAcme-compatible)
-    let acmeDoc = await AcmeCertDoc.findByDomain(cleanDomain);
-    if (!acmeDoc) {
-      acmeDoc = new AcmeCertDoc();
-      acmeDoc.domainName = cleanDomain;
-    }
-    acmeDoc.id = cert.id;
-    acmeDoc.created = cert.created;
-    acmeDoc.validUntil = cert.validUntil;
-    acmeDoc.privateKey = cert.privateKey;
-    acmeDoc.publicKey = cert.publicKey;
-    acmeDoc.csr = cert.csr || '';
-    await acmeDoc.save();
+    // Save to /certs/ (SmartAcme-compatible path)
+    await dcRouter.storageManager.setJSON(`/certs/${cleanDomain}`, {
+      id: cert.id,
+      domainName: cert.domainName,
+      created: cert.created,
+      validUntil: cert.validUntil,
+      privateKey: cert.privateKey,
+      publicKey: cert.publicKey,
+      csr: cert.csr || '',
+    });

-    // Also save to ProxyCertDoc (proxy-cert format)
-    let proxyDoc = await ProxyCertDoc.findByDomain(cert.domainName);
-    if (!proxyDoc) {
-      proxyDoc = new ProxyCertDoc();
-      proxyDoc.domain = cert.domainName;
-    }
-    proxyDoc.publicKey = cert.publicKey;
-    proxyDoc.privateKey = cert.privateKey;
-    proxyDoc.ca = '';
-    proxyDoc.validUntil = cert.validUntil;
-    proxyDoc.validFrom = cert.created;
-    await proxyDoc.save();
+    // Also save to /proxy-certs/ (proxy-cert format)
+    await dcRouter.storageManager.setJSON(`/proxy-certs/${cert.domainName}`, {
+      domain: cert.domainName,
+      publicKey: cert.publicKey,
+      privateKey: cert.privateKey,
+      ca: undefined,
+      validUntil: cert.validUntil,
+      validFrom: cert.created,
+    });

    // Update in-memory status map
    dcRouter.certificateStatusMap.set(cert.domainName, {
@@ -33,9 +33,11 @@ export class ConfigHandler {
    const resolvedPaths = dcRouter.resolvedPaths;

    // --- System ---
-    const storageBackend: 'filesystem' | 'custom' | 'memory' = opts.dbConfig?.mongoDbUrl
+    const storageBackend: 'filesystem' | 'custom' | 'memory' = opts.storage?.readFunction
      ? 'custom'
-      : 'filesystem';
+      : opts.storage?.fsPath
+        ? 'filesystem'
+        : 'memory';

    // Resolve proxy IPs: fall back to SmartProxy's runtime proxyIPs if not in opts
    let proxyIps = opts.proxyIps || [];
@@ -53,7 +55,7 @@ export class ConfigHandler {
      proxyIps,
      uptime: Math.floor(process.uptime()),
      storageBackend,
-      storagePath: opts.dbConfig?.storagePath || resolvedPaths.defaultTsmDbPath,
+      storagePath: opts.storage?.fsPath || null,
    };

    // --- SmartProxy ---
@@ -149,15 +151,15 @@ export class ConfigHandler {
      keyPath: opts.tls?.keyPath || null,
    };

-    // --- Database ---
-    const dbConfig = opts.dbConfig;
+    // --- Cache ---
+    const cacheConfig = opts.cacheConfig;
    const cache: interfaces.requests.IConfigData['cache'] = {
-      enabled: dbConfig?.enabled !== false,
-      storagePath: dbConfig?.storagePath || resolvedPaths.defaultTsmDbPath,
-      dbName: dbConfig?.dbName || 'dcrouter',
-      defaultTTLDays: 30,
-      cleanupIntervalHours: dbConfig?.cleanupIntervalHours || 1,
-      ttlConfig: {},
+      enabled: cacheConfig?.enabled !== false,
+      storagePath: cacheConfig?.storagePath || resolvedPaths.defaultTsmDbPath,
+      dbName: cacheConfig?.dbName || 'dcrouter',
+      defaultTTLDays: cacheConfig?.defaultTTLDays || 30,
+      cleanupIntervalHours: cacheConfig?.cleanupIntervalHours || 1,
+      ttlConfig: cacheConfig?.ttlConfig ? { ...cacheConfig.ttlConfig } as Record<string, number> : {},
    };

    // --- RADIUS ---
@@ -183,8 +185,7 @@ export class ConfigHandler {
      tlsMode = 'custom';
    } else if (riCfg?.hubDomain) {
      try {
-        const { ProxyCertDoc } = await import('../../db/index.js');
-        const stored = await ProxyCertDoc.findByDomain(riCfg.hubDomain);
+        const stored = await dcRouter.storageManager.getJSON(`/proxy-certs/${riCfg.hubDomain}`);
        if (stored?.publicKey && stored?.privateKey) {
          tlsMode = 'acme';
        }
@@ -8,8 +8,4 @@ export * from './email-ops.handler.js';
 export * from './certificate.handler.js';
 export * from './remoteingress.handler.js';
 export * from './route-management.handler.js';
-export * from './api-token.handler.js';
-export * from './vpn.handler.js';
-export * from './source-profile.handler.js';
-export * from './target-profile.handler.js';
-export * from './network-target.handler.js';
+export * from './api-token.handler.js';
@@ -255,7 +255,7 @@ export class LogsHandler {
  } {
    let intervalId: NodeJS.Timeout | null = null;
    let stopped = false;
-    let lastTimestamp = Date.now();
+    let logIndex = 0;

    const stop = () => {
      stopped = true;
@@ -284,65 +284,53 @@ export class LogsHandler {
        return;
      }

-      // For follow mode, tail real log entries from the in-memory buffer
+      // For follow mode, simulate real-time log streaming
      intervalId = setInterval(async () => {
        if (stopped) {
+          // Guard: clear interval if stop() was called between ticks
          clearInterval(intervalId!);
          intervalId = null;
          return;
        }

-        // Fetch new entries since last poll
-        const rawEntries = logBuffer.getEntries({
-          since: lastTimestamp,
-          limit: 50,
-        });
+        const categories: Array<'smtp' | 'dns' | 'security' | 'system' | 'email'> = ['smtp', 'dns', 'security', 'system', 'email'];
+        const levels: Array<'debug' | 'info' | 'warn' | 'error'> = ['info', 'warn', 'error', 'debug'];

-        if (rawEntries.length === 0) return;
+        const mockCategory = categories[Math.floor(Math.random() * categories.length)];
+        const mockLevel = levels[Math.floor(Math.random() * levels.length)];

-        for (const raw of rawEntries) {
-          const mappedLevel = LogsHandler.mapLogLevel(raw.level);
-          const mappedCategory = LogsHandler.deriveCategory(
-            (raw as any).context?.zone,
-            raw.message,
-          );
+        // Filter by requested criteria
+        if (levelFilter && !levelFilter.includes(mockLevel)) return;
+        if (categoryFilter && !categoryFilter.includes(mockCategory)) return;

-          // Apply filters
-          if (levelFilter && !levelFilter.includes(mappedLevel)) continue;
-          if (categoryFilter && !categoryFilter.includes(mappedCategory)) continue;
+        const logEntry = {
+          timestamp: Date.now(),
+          level: mockLevel,
+          category: mockCategory,
+          message: `Real-time log ${logIndex++} from ${mockCategory}`,
+          metadata: {
+            requestId: plugins.uuid.v4(),
+          },
+        };

-          const logEntry = {
-            timestamp: raw.timestamp || Date.now(),
-            level: mappedLevel,
-            category: mappedCategory,
-            message: raw.message,
-            metadata: (raw as any).data,
-          };
-
-          const logData = JSON.stringify(logEntry);
-          const encoder = new TextEncoder();
-          try {
-            let timeoutHandle: ReturnType<typeof setTimeout>;
-            await Promise.race([
-              virtualStream.sendData(encoder.encode(logData)).then((result) => {
-                clearTimeout(timeoutHandle);
-                return result;
-              }),
-              new Promise<never>((_, reject) => {
-                timeoutHandle = setTimeout(() => reject(new Error('stream send timeout')), 10_000);
-              }),
-            ]);
-          } catch {
-            // Stream closed, errored, or timed out — clean up
-            stop();
-            return;
-          }
-        }
-
-        // Advance the watermark past all entries we just processed
-        const newest = rawEntries[rawEntries.length - 1];
-        if (newest.timestamp && newest.timestamp >= lastTimestamp) {
-          lastTimestamp = newest.timestamp + 1;
+        const logData = JSON.stringify(logEntry);
+        const encoder = new TextEncoder();
+        try {
+          // Use a timeout to detect hung streams (sendData can hang if the
+          // VirtualStream's keepAlive loop has ended)
+          let timeoutHandle: ReturnType<typeof setTimeout>;
+          await Promise.race([
+            virtualStream.sendData(encoder.encode(logData)).then((result) => {
+              clearTimeout(timeoutHandle);
+              return result;
+            }),
+            new Promise<never>((_, reject) => {
+              timeoutHandle = setTimeout(() => reject(new Error('stream send timeout')), 10_000);
+            }),
+          ]);
+        } catch {
+          // Stream closed, errored, or timed out — clean up
+          stop();
        }
      }, 2000);
    };
@@ -1,167 +0,0 @@
-import * as plugins from '../../plugins.js';
-import type { OpsServer } from '../classes.opsserver.js';
-import * as interfaces from '../../../ts_interfaces/index.js';
-
-export class NetworkTargetHandler {
-  public typedrouter = new plugins.typedrequest.TypedRouter();
-
-  constructor(private opsServerRef: OpsServer) {
-    this.opsServerRef.typedrouter.addTypedRouter(this.typedrouter);
-    this.registerHandlers();
-  }
-
-  private async requireAuth(
-    request: { identity?: interfaces.data.IIdentity; apiToken?: string },
-    requiredScope?: interfaces.data.TApiTokenScope,
-  ): Promise<string> {
-    if (request.identity?.jwt) {
-      try {
-        const isAdmin = await this.opsServerRef.adminHandler.adminIdentityGuard.exec({
-          identity: request.identity,
-        });
-        if (isAdmin) return request.identity.userId;
-      } catch { /* fall through */ }
-    }
-
-    if (request.apiToken) {
-      const tokenManager = this.opsServerRef.dcRouterRef.apiTokenManager;
-      if (tokenManager) {
-        const token = await tokenManager.validateToken(request.apiToken);
-        if (token) {
-          if (!requiredScope || tokenManager.hasScope(token, requiredScope)) {
-            return token.createdBy;
-          }
-          throw new plugins.typedrequest.TypedResponseError('insufficient scope');
-        }
-      }
-    }
-
-    throw new plugins.typedrequest.TypedResponseError('unauthorized');
-  }
-
-  private registerHandlers(): void {
-    // Get all network targets
-    this.typedrouter.addTypedHandler(
-      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetNetworkTargets>(
-        'getNetworkTargets',
-        async (dataArg) => {
-          await this.requireAuth(dataArg, 'targets:read');
-          const resolver = this.opsServerRef.dcRouterRef.referenceResolver;
-          if (!resolver) {
-            return { targets: [] };
-          }
-          return { targets: resolver.listTargets() };
-        },
-      ),
-    );
-
-    // Get a single network target
-    this.typedrouter.addTypedHandler(
-      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetNetworkTarget>(
-        'getNetworkTarget',
-        async (dataArg) => {
-          await this.requireAuth(dataArg, 'targets:read');
-          const resolver = this.opsServerRef.dcRouterRef.referenceResolver;
-          if (!resolver) {
-            return { target: null };
-          }
-          return { target: resolver.getTarget(dataArg.id) || null };
-        },
-      ),
-    );
-
-    // Create a network target
-    this.typedrouter.addTypedHandler(
-      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_CreateNetworkTarget>(
-        'createNetworkTarget',
-        async (dataArg) => {
-          const userId = await this.requireAuth(dataArg, 'targets:write');
-          const resolver = this.opsServerRef.dcRouterRef.referenceResolver;
-          if (!resolver) {
-            return { success: false, message: 'Reference resolver not initialized' };
-          }
-          const id = await resolver.createTarget({
-            name: dataArg.name,
-            description: dataArg.description,
-            host: dataArg.host,
-            port: dataArg.port,
-            createdBy: userId,
-          });
-          return { success: true, id };
-        },
-      ),
-    );
-
-    // Update a network target
-    this.typedrouter.addTypedHandler(
-      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_UpdateNetworkTarget>(
-        'updateNetworkTarget',
-        async (dataArg) => {
-          await this.requireAuth(dataArg, 'targets:write');
-          const resolver = this.opsServerRef.dcRouterRef.referenceResolver;
-          const manager = this.opsServerRef.dcRouterRef.routeConfigManager;
-          if (!resolver || !manager) {
-            return { success: false, message: 'Not initialized' };
-          }
-
-          const { affectedRouteIds } = await resolver.updateTarget(dataArg.id, {
-            name: dataArg.name,
-            description: dataArg.description,
-            host: dataArg.host,
-            port: dataArg.port,
-          });
-
-          if (affectedRouteIds.length > 0) {
-            await manager.reResolveRoutes(affectedRouteIds);
-          }
-
-          return { success: true, affectedRouteCount: affectedRouteIds.length };
-        },
-      ),
-    );
-
-    // Delete a network target
-    this.typedrouter.addTypedHandler(
-      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_DeleteNetworkTarget>(
-        'deleteNetworkTarget',
-        async (dataArg) => {
-          await this.requireAuth(dataArg, 'targets:write');
-          const resolver = this.opsServerRef.dcRouterRef.referenceResolver;
-          const manager = this.opsServerRef.dcRouterRef.routeConfigManager;
-          if (!resolver || !manager) {
-            return { success: false, message: 'Not initialized' };
-          }
-
-          const result = await resolver.deleteTarget(
-            dataArg.id,
-            dataArg.force ?? false,
-            manager.getStoredRoutes(),
-          );
-
-          if (result.success && dataArg.force) {
-            await manager.applyRoutes();
-          }
-
-          return result;
-        },
-      ),
-    );
-
-    // Get routes using a network target
-    this.typedrouter.addTypedHandler(
-      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetNetworkTargetUsage>(
-        'getNetworkTargetUsage',
-        async (dataArg) => {
-          await this.requireAuth(dataArg, 'targets:read');
-          const resolver = this.opsServerRef.dcRouterRef.referenceResolver;
-          const manager = this.opsServerRef.dcRouterRef.routeConfigManager;
-          if (!resolver || !manager) {
-            return { routes: [] };
-          }
-          const usage = resolver.getTargetUsageForId(dataArg.id, manager.getStoredRoutes());
-          return { routes: usage.map((u) => ({ id: u.id, name: u.routeName })) };
-        },
-      ),
-    );
-  }
-}
@@ -52,8 +52,8 @@ export class RadiusHandler {
          try {
            await radiusServer.addClient(dataArg.client);
            return { success: true };
-          } catch (error: unknown) {
-            return { success: false, message: (error as Error).message };
+          } catch (error) {
+            return { success: false, message: error.message };
          }
        }
      )
@@ -144,8 +144,8 @@ export class RadiusHandler {
                updatedAt: mapping.updatedAt,
              },
            };
-          } catch (error: unknown) {
-            return { success: false, message: (error as Error).message };
+          } catch (error) {
+            return { success: false, message: error.message };
          }
        }
      )
@@ -71,7 +71,7 @@ export class RouteManagementHandler {
          if (!manager) {
            return { success: false, message: 'Route management not initialized' };
          }
-          const id = await manager.createRoute(dataArg.route, userId, dataArg.enabled ?? true, dataArg.metadata);
+          const id = await manager.createRoute(dataArg.route, userId, dataArg.enabled ?? true);
          return { success: true, storedRouteId: id };
        },
      ),
@@ -90,7 +90,6 @@ export class RouteManagementHandler {
          const ok = await manager.updateRoute(dataArg.id, {
            route: dataArg.route as any,
            enabled: dataArg.enabled,
-            metadata: dataArg.metadata,
          });
          return { success: ok, message: ok ? undefined : 'Route not found' };
        },
@@ -101,7 +101,6 @@ export class SecurityHandler {
              throughputByIP,
              requestsPerSecond: networkStats.requestsPerSecond || 0,
              requestsTotal: networkStats.requestsTotal || 0,
-              backends: networkStats.backends || [],
            };
          }

@@ -115,7 +114,6 @@ export class SecurityHandler {
            throughputByIP: [],
            requestsPerSecond: 0,
            requestsTotal: 0,
-            backends: [],
          };
        }
      )
@@ -1,169 +0,0 @@
-import * as plugins from '../../plugins.js';
-import type { OpsServer } from '../classes.opsserver.js';
-import * as interfaces from '../../../ts_interfaces/index.js';
-
-export class SourceProfileHandler {
-  public typedrouter = new plugins.typedrequest.TypedRouter();
-
-  constructor(private opsServerRef: OpsServer) {
-    this.opsServerRef.typedrouter.addTypedRouter(this.typedrouter);
-    this.registerHandlers();
-  }
-
-  private async requireAuth(
-    request: { identity?: interfaces.data.IIdentity; apiToken?: string },
-    requiredScope?: interfaces.data.TApiTokenScope,
-  ): Promise<string> {
-    if (request.identity?.jwt) {
-      try {
-        const isAdmin = await this.opsServerRef.adminHandler.adminIdentityGuard.exec({
-          identity: request.identity,
-        });
-        if (isAdmin) return request.identity.userId;
-      } catch { /* fall through */ }
-    }
-
-    if (request.apiToken) {
-      const tokenManager = this.opsServerRef.dcRouterRef.apiTokenManager;
-      if (tokenManager) {
-        const token = await tokenManager.validateToken(request.apiToken);
-        if (token) {
-          if (!requiredScope || tokenManager.hasScope(token, requiredScope)) {
-            return token.createdBy;
-          }
-          throw new plugins.typedrequest.TypedResponseError('insufficient scope');
-        }
-      }
-    }
-
-    throw new plugins.typedrequest.TypedResponseError('unauthorized');
-  }
-
-  private registerHandlers(): void {
-    // Get all source profiles
-    this.typedrouter.addTypedHandler(
-      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetSourceProfiles>(
-        'getSourceProfiles',
-        async (dataArg) => {
-          await this.requireAuth(dataArg, 'source-profiles:read');
-          const resolver = this.opsServerRef.dcRouterRef.referenceResolver;
-          if (!resolver) {
-            return { profiles: [] };
-          }
-          return { profiles: resolver.listProfiles() };
-        },
-      ),
-    );
-
-    // Get a single source profile
-    this.typedrouter.addTypedHandler(
-      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetSourceProfile>(
-        'getSourceProfile',
-        async (dataArg) => {
-          await this.requireAuth(dataArg, 'source-profiles:read');
-          const resolver = this.opsServerRef.dcRouterRef.referenceResolver;
-          if (!resolver) {
-            return { profile: null };
-          }
-          return { profile: resolver.getProfile(dataArg.id) || null };
-        },
-      ),
-    );
-
-    // Create a source profile
-    this.typedrouter.addTypedHandler(
-      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_CreateSourceProfile>(
-        'createSourceProfile',
-        async (dataArg) => {
-          const userId = await this.requireAuth(dataArg, 'source-profiles:write');
-          const resolver = this.opsServerRef.dcRouterRef.referenceResolver;
-          if (!resolver) {
-            return { success: false, message: 'Reference resolver not initialized' };
-          }
-          const id = await resolver.createProfile({
-            name: dataArg.name,
-            description: dataArg.description,
-            security: dataArg.security,
-            extendsProfiles: dataArg.extendsProfiles,
-            createdBy: userId,
-          });
-          return { success: true, id };
-        },
-      ),
-    );
-
-    // Update a source profile
-    this.typedrouter.addTypedHandler(
-      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_UpdateSourceProfile>(
-        'updateSourceProfile',
-        async (dataArg) => {
-          await this.requireAuth(dataArg, 'source-profiles:write');
-          const resolver = this.opsServerRef.dcRouterRef.referenceResolver;
-          const manager = this.opsServerRef.dcRouterRef.routeConfigManager;
-          if (!resolver || !manager) {
-            return { success: false, message: 'Not initialized' };
-          }
-
-          const { affectedRouteIds } = await resolver.updateProfile(dataArg.id, {
-            name: dataArg.name,
-            description: dataArg.description,
-            security: dataArg.security,
-            extendsProfiles: dataArg.extendsProfiles,
-          });
-
-          // Propagate to affected routes
-          if (affectedRouteIds.length > 0) {
-            await manager.reResolveRoutes(affectedRouteIds);
-          }
-
-          return { success: true, affectedRouteCount: affectedRouteIds.length };
-        },
-      ),
-    );
-
-    // Delete a source profile
-    this.typedrouter.addTypedHandler(
-      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_DeleteSourceProfile>(
-        'deleteSourceProfile',
-        async (dataArg) => {
-          await this.requireAuth(dataArg, 'source-profiles:write');
-          const resolver = this.opsServerRef.dcRouterRef.referenceResolver;
-          const manager = this.opsServerRef.dcRouterRef.routeConfigManager;
-          if (!resolver || !manager) {
-            return { success: false, message: 'Not initialized' };
-          }
-
-          const result = await resolver.deleteProfile(
-            dataArg.id,
-            dataArg.force ?? false,
-            manager.getStoredRoutes(),
-          );
-
-          // If force-deleted with affected routes, re-apply
-          if (result.success && dataArg.force) {
-            await manager.applyRoutes();
-          }
-
-          return result;
-        },
-      ),
-    );
-
-    // Get routes using a source profile
-    this.typedrouter.addTypedHandler(
-      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetSourceProfileUsage>(
-        'getSourceProfileUsage',
-        async (dataArg) => {
-          await this.requireAuth(dataArg, 'source-profiles:read');
-          const resolver = this.opsServerRef.dcRouterRef.referenceResolver;
-          const manager = this.opsServerRef.dcRouterRef.routeConfigManager;
-          if (!resolver || !manager) {
-            return { routes: [] };
-          }
-          const usage = resolver.getProfileUsageForId(dataArg.id, manager.getStoredRoutes());
-          return { routes: usage.map((u) => ({ id: u.id, name: u.routeName })) };
-        },
-      ),
-    );
-  }
-}
@@ -3,7 +3,6 @@ import type { OpsServer } from '../classes.opsserver.js';
 import * as interfaces from '../../../ts_interfaces/index.js';
 import { MetricsManager } from '../../monitoring/index.js';
 import { SecurityLogger } from '../../security/classes.securitylogger.js';
-import { commitinfo } from '../../00_commitinfo_data.js';

 export class StatsHandler {
  constructor(private opsServerRef: OpsServer) {
@@ -159,7 +158,7 @@ export class StatsHandler {
                };
                return acc;
              }, {} as any),
-              version: commitinfo.version,
+              version: '2.12.0', // TODO: Get from package.json
            },
          };
        }
@@ -280,7 +279,7 @@ export class StatsHandler {
          if (sections.network && this.opsServerRef.dcRouterRef.metricsManager) {
            promises.push(
              (async () => {
-                const stats = await this.opsServerRef.dcRouterRef.metricsManager!.getNetworkStats();
+                const stats = await this.opsServerRef.dcRouterRef.metricsManager.getNetworkStats();
                const serverStats = await this.collectServerStats();

                // Build per-IP bandwidth lookup from throughputByIP
@@ -310,54 +309,11 @@ export class StatsHandler {
                  throughputHistory: stats.throughputHistory || [],
                  requestsPerSecond: stats.requestsPerSecond || 0,
                  requestsTotal: stats.requestsTotal || 0,
-                  backends: stats.backends || [],
-                  frontendProtocols: stats.frontendProtocols || null,
-                  backendProtocols: stats.backendProtocols || null,
                };
              })()
            );
          }
-
-          if (sections.radius) {
-            promises.push(
-              (async () => {
-                const radiusServer = this.opsServerRef.dcRouterRef.radiusServer;
-                if (!radiusServer) return;
-                const stats = radiusServer.getStats();
-                const accountingStats = radiusServer.getAccountingManager().getStats();
-                metrics.radius = {
-                  running: stats.running,
-                  uptime: stats.uptime,
-                  authRequests: stats.authRequests,
-                  authAccepts: stats.authAccepts,
-                  authRejects: stats.authRejects,
-                  accountingRequests: stats.accountingRequests,
-                  activeSessions: stats.activeSessions,
-                  totalInputBytes: accountingStats.totalInputBytes,
-                  totalOutputBytes: accountingStats.totalOutputBytes,
-                };
-              })()
-            );
-          }
-
-          if (sections.vpn) {
-            promises.push(
-              (async () => {
-                const vpnManager = this.opsServerRef.dcRouterRef.vpnManager;
-                const vpnConfig = this.opsServerRef.dcRouterRef.options.vpnConfig;
-                if (!vpnManager) return;
-                const connected = await vpnManager.getConnectedClients();
-                metrics.vpn = {
-                  running: vpnManager.running,
-                  subnet: vpnManager.getSubnet(),
-                  registeredClients: vpnManager.listClients().length,
-                  connectedClients: connected.length,
-                  wgListenPort: vpnConfig?.wgListenPort ?? 51820,
-                };
-              })()
-            );
-          }
-
+          
          await Promise.all(promises);
          
          return {
@@ -533,41 +489,44 @@ export class StatsHandler {
      message?: string;
    }>;
  }> {
-    const dcRouter = this.opsServerRef.dcRouterRef;
-    const health = dcRouter.serviceManager.getHealth();
-
-    const services = health.services.map((svc) => {
-      let status: 'healthy' | 'degraded' | 'unhealthy';
-      switch (svc.state) {
-        case 'running':
-          status = 'healthy';
-          break;
-        case 'starting':
-        case 'degraded':
-          status = 'degraded';
-          break;
-        case 'failed':
-          status = svc.criticality === 'critical' ? 'unhealthy' : 'degraded';
-          break;
-        case 'stopped':
-        case 'stopping':
-        default:
-          status = 'degraded';
-          break;
-      }
-
-      let message: string | undefined;
-      if (svc.state === 'failed' && svc.lastError) {
-        message = svc.lastError;
-      } else if (svc.retryCount > 0 && svc.state !== 'running') {
-        message = `Retry attempt ${svc.retryCount}`;
-      }
-
-      return { name: svc.name, status, message };
+    const services: Array<{
+      name: string;
+      status: 'healthy' | 'degraded' | 'unhealthy';
+      message?: string;
+    }> = [];
+    
+    // Check HTTP Proxy
+    if (this.opsServerRef.dcRouterRef.smartProxy) {
+      services.push({
+        name: 'HTTP/HTTPS Proxy',
+        status: 'healthy',
+      });
+    }
+    
+    // Check Email Server
+    if (this.opsServerRef.dcRouterRef.emailServer) {
+      services.push({
+        name: 'Email Server',
+        status: 'healthy',
+      });
+    }
+    
+    // Check DNS Server
+    if (this.opsServerRef.dcRouterRef.dnsServer) {
+      services.push({
+        name: 'DNS Server',
+        status: 'healthy',
+      });
+    }
+    
+    // Check OpsServer
+    services.push({
+      name: 'OpsServer',
+      status: 'healthy',
    });
-
-    const healthy = health.overall === 'healthy';
-
+    
+    const healthy = services.every(s => s.status === 'healthy');
+    
    return {
      healthy,
      services,
@@ -1,157 +0,0 @@
-import * as plugins from '../../plugins.js';
-import type { OpsServer } from '../classes.opsserver.js';
-import * as interfaces from '../../../ts_interfaces/index.js';
-
-export class TargetProfileHandler {
-  public typedrouter = new plugins.typedrequest.TypedRouter();
-
-  constructor(private opsServerRef: OpsServer) {
-    this.opsServerRef.typedrouter.addTypedRouter(this.typedrouter);
-    this.registerHandlers();
-  }
-
-  private async requireAuth(
-    request: { identity?: interfaces.data.IIdentity; apiToken?: string },
-    requiredScope?: interfaces.data.TApiTokenScope,
-  ): Promise<string> {
-    if (request.identity?.jwt) {
-      try {
-        const isAdmin = await this.opsServerRef.adminHandler.adminIdentityGuard.exec({
-          identity: request.identity,
-        });
-        if (isAdmin) return request.identity.userId;
-      } catch { /* fall through */ }
-    }
-
-    if (request.apiToken) {
-      const tokenManager = this.opsServerRef.dcRouterRef.apiTokenManager;
-      if (tokenManager) {
-        const token = await tokenManager.validateToken(request.apiToken);
-        if (token) {
-          if (!requiredScope || tokenManager.hasScope(token, requiredScope)) {
-            return token.createdBy;
-          }
-          throw new plugins.typedrequest.TypedResponseError('insufficient scope');
-        }
-      }
-    }
-
-    throw new plugins.typedrequest.TypedResponseError('unauthorized');
-  }
-
-  private registerHandlers(): void {
-    // Get all target profiles
-    this.typedrouter.addTypedHandler(
-      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetTargetProfiles>(
-        'getTargetProfiles',
-        async (dataArg) => {
-          await this.requireAuth(dataArg, 'target-profiles:read');
-          const manager = this.opsServerRef.dcRouterRef.targetProfileManager;
-          if (!manager) {
-            return { profiles: [] };
-          }
-          return { profiles: manager.listProfiles() };
-        },
-      ),
-    );
-
-    // Get a single target profile
-    this.typedrouter.addTypedHandler(
-      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetTargetProfile>(
-        'getTargetProfile',
-        async (dataArg) => {
-          await this.requireAuth(dataArg, 'target-profiles:read');
-          const manager = this.opsServerRef.dcRouterRef.targetProfileManager;
-          if (!manager) {
-            return { profile: null };
-          }
-          return { profile: manager.getProfile(dataArg.id) || null };
-        },
-      ),
-    );
-
-    // Create a target profile
-    this.typedrouter.addTypedHandler(
-      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_CreateTargetProfile>(
-        'createTargetProfile',
-        async (dataArg) => {
-          const userId = await this.requireAuth(dataArg, 'target-profiles:write');
-          const manager = this.opsServerRef.dcRouterRef.targetProfileManager;
-          if (!manager) {
-            return { success: false, message: 'Target profile manager not initialized' };
-          }
-          const id = await manager.createProfile({
-            name: dataArg.name,
-            description: dataArg.description,
-            domains: dataArg.domains,
-            targets: dataArg.targets,
-            routeRefs: dataArg.routeRefs,
-            createdBy: userId,
-          });
-          return { success: true, id };
-        },
-      ),
-    );
-
-    // Update a target profile
-    this.typedrouter.addTypedHandler(
-      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_UpdateTargetProfile>(
-        'updateTargetProfile',
-        async (dataArg) => {
-          await this.requireAuth(dataArg, 'target-profiles:write');
-          const manager = this.opsServerRef.dcRouterRef.targetProfileManager;
-          if (!manager) {
-            return { success: false, message: 'Not initialized' };
-          }
-          await manager.updateProfile(dataArg.id, {
-            name: dataArg.name,
-            description: dataArg.description,
-            domains: dataArg.domains,
-            targets: dataArg.targets,
-            routeRefs: dataArg.routeRefs,
-          });
-          // Re-apply routes and refresh VPN client security to update access
-          await this.opsServerRef.dcRouterRef.routeConfigManager?.applyRoutes();
-          await this.opsServerRef.dcRouterRef.vpnManager?.refreshAllClientSecurity();
-          return { success: true };
-        },
-      ),
-    );
-
-    // Delete a target profile
-    this.typedrouter.addTypedHandler(
-      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_DeleteTargetProfile>(
-        'deleteTargetProfile',
-        async (dataArg) => {
-          await this.requireAuth(dataArg, 'target-profiles:write');
-          const manager = this.opsServerRef.dcRouterRef.targetProfileManager;
-          if (!manager) {
-            return { success: false, message: 'Not initialized' };
-          }
-          const result = await manager.deleteProfile(dataArg.id, dataArg.force);
-          if (result.success) {
-            // Re-apply routes and refresh VPN client security to update access
-            await this.opsServerRef.dcRouterRef.routeConfigManager?.applyRoutes();
-            await this.opsServerRef.dcRouterRef.vpnManager?.refreshAllClientSecurity();
-          }
-          return result;
-        },
-      ),
-    );
-
-    // Get VPN clients using a target profile
-    this.typedrouter.addTypedHandler(
-      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetTargetProfileUsage>(
-        'getTargetProfileUsage',
-        async (dataArg) => {
-          await this.requireAuth(dataArg, 'target-profiles:read');
-          const manager = this.opsServerRef.dcRouterRef.targetProfileManager;
-          if (!manager) {
-            return { clients: [] };
-          }
-          return { clients: await manager.getProfileUsage(dataArg.id) };
-        },
-      ),
-    );
-  }
-}
@@ -1,336 +0,0 @@
-import * as plugins from '../../plugins.js';
-import type { OpsServer } from '../classes.opsserver.js';
-import * as interfaces from '../../../ts_interfaces/index.js';
-
-export class VpnHandler {
-  constructor(private opsServerRef: OpsServer) {
-    this.registerHandlers();
-  }
-
-  private registerHandlers(): void {
-    const viewRouter = this.opsServerRef.viewRouter;
-    const adminRouter = this.opsServerRef.adminRouter;
-
-    // ---- Read endpoints (viewRouter — valid identity required via middleware) ----
-
-    // Get all registered VPN clients
-    viewRouter.addTypedHandler(
-      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetVpnClients>(
-        'getVpnClients',
-        async (dataArg, toolsArg) => {
-          const manager = this.opsServerRef.dcRouterRef.vpnManager;
-          if (!manager) {
-            return { clients: [] };
-          }
-          const clients = manager.listClients().map((c) => ({
-            clientId: c.clientId,
-            enabled: c.enabled,
-            targetProfileIds: c.targetProfileIds,
-            description: c.description,
-            assignedIp: c.assignedIp,
-            createdAt: c.createdAt,
-            updatedAt: c.updatedAt,
-            expiresAt: c.expiresAt,
-            destinationAllowList: c.destinationAllowList,
-            destinationBlockList: c.destinationBlockList,
-            useHostIp: c.useHostIp,
-            useDhcp: c.useDhcp,
-            staticIp: c.staticIp,
-            forceVlan: c.forceVlan,
-            vlanId: c.vlanId,
-          }));
-          return { clients };
-        },
-      ),
-    );
-
-    // Get VPN server status
-    viewRouter.addTypedHandler(
-      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetVpnStatus>(
-        'getVpnStatus',
-        async (dataArg, toolsArg) => {
-          const manager = this.opsServerRef.dcRouterRef.vpnManager;
-          const vpnConfig = this.opsServerRef.dcRouterRef.options.vpnConfig;
-          if (!manager) {
-            return {
-              status: {
-                running: false,
-                subnet: vpnConfig?.subnet || '10.8.0.0/24',
-                wgListenPort: vpnConfig?.wgListenPort ?? 51820,
-                serverPublicKeys: null,
-                registeredClients: 0,
-                connectedClients: 0,
-              },
-            };
-          }
-
-          const connected = await manager.getConnectedClients();
-          return {
-            status: {
-              running: manager.running,
-              subnet: manager.getSubnet(),
-              wgListenPort: vpnConfig?.wgListenPort ?? 51820,
-              serverPublicKeys: manager.getServerPublicKeys(),
-              registeredClients: manager.listClients().length,
-              connectedClients: connected.length,
-            },
-          };
-        },
-      ),
-    );
-
-    // Get currently connected VPN clients
-    viewRouter.addTypedHandler(
-      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetVpnConnectedClients>(
-        'getVpnConnectedClients',
-        async (dataArg, toolsArg) => {
-          const manager = this.opsServerRef.dcRouterRef.vpnManager;
-          if (!manager) {
-            return { connectedClients: [] };
-          }
-
-          const connected = await manager.getConnectedClients();
-          return {
-            connectedClients: connected.map((c) => ({
-              clientId: c.registeredClientId || c.clientId,
-              assignedIp: c.assignedIp,
-              connectedSince: c.connectedSince,
-              bytesSent: c.bytesSent,
-              bytesReceived: c.bytesReceived,
-              transport: c.transportType,
-            })),
-          };
-        },
-      ),
-    );
-
-    // ---- Write endpoints (adminRouter — admin identity required via middleware) ----
-
-    // Create a new VPN client
-    adminRouter.addTypedHandler(
-      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_CreateVpnClient>(
-        'createVpnClient',
-        async (dataArg, toolsArg) => {
-          const manager = this.opsServerRef.dcRouterRef.vpnManager;
-          if (!manager) {
-            return { success: false, message: 'VPN not configured' };
-          }
-
-          try {
-            const bundle = await manager.createClient({
-              clientId: dataArg.clientId,
-              targetProfileIds: dataArg.targetProfileIds,
-              description: dataArg.description,
-              destinationAllowList: dataArg.destinationAllowList,
-              destinationBlockList: dataArg.destinationBlockList,
-              useHostIp: dataArg.useHostIp,
-              useDhcp: dataArg.useDhcp,
-              staticIp: dataArg.staticIp,
-              forceVlan: dataArg.forceVlan,
-              vlanId: dataArg.vlanId,
-            });
-
-            // Retrieve the persisted doc to get dcrouter-level fields
-            const persistedClient = manager.listClients().find(
-              (c) => c.clientId === bundle.entry.clientId,
-            );
-
-            return {
-              success: true,
-              client: {
-                clientId: bundle.entry.clientId,
-                enabled: bundle.entry.enabled ?? true,
-                targetProfileIds: persistedClient?.targetProfileIds,
-                description: bundle.entry.description,
-                assignedIp: bundle.entry.assignedIp,
-                createdAt: Date.now(),
-                updatedAt: Date.now(),
-                expiresAt: bundle.entry.expiresAt,
-                destinationAllowList: persistedClient?.destinationAllowList,
-                destinationBlockList: persistedClient?.destinationBlockList,
-                useHostIp: persistedClient?.useHostIp,
-                useDhcp: persistedClient?.useDhcp,
-                staticIp: persistedClient?.staticIp,
-                forceVlan: persistedClient?.forceVlan,
-                vlanId: persistedClient?.vlanId,
-              },
-              wireguardConfig: bundle.wireguardConfig,
-            };
-          } catch (err: unknown) {
-            return { success: false, message: (err as Error).message };
-          }
-        },
-      ),
-    );
-
-    // Update a VPN client's metadata
-    adminRouter.addTypedHandler(
-      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_UpdateVpnClient>(
-        'updateVpnClient',
-        async (dataArg, toolsArg) => {
-          const manager = this.opsServerRef.dcRouterRef.vpnManager;
-          if (!manager) {
-            return { success: false, message: 'VPN not configured' };
-          }
-
-          try {
-            await manager.updateClient(dataArg.clientId, {
-              description: dataArg.description,
-              targetProfileIds: dataArg.targetProfileIds,
-              destinationAllowList: dataArg.destinationAllowList,
-              destinationBlockList: dataArg.destinationBlockList,
-              useHostIp: dataArg.useHostIp,
-              useDhcp: dataArg.useDhcp,
-              staticIp: dataArg.staticIp,
-              forceVlan: dataArg.forceVlan,
-              vlanId: dataArg.vlanId,
-            });
-            return { success: true };
-          } catch (err: unknown) {
-            return { success: false, message: (err as Error).message };
-          }
-        },
-      ),
-    );
-
-    // Delete a VPN client
-    adminRouter.addTypedHandler(
-      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_DeleteVpnClient>(
-        'deleteVpnClient',
-        async (dataArg, toolsArg) => {
-          const manager = this.opsServerRef.dcRouterRef.vpnManager;
-          if (!manager) {
-            return { success: false, message: 'VPN not configured' };
-          }
-
-          try {
-            await manager.removeClient(dataArg.clientId);
-            return { success: true };
-          } catch (err: unknown) {
-            return { success: false, message: (err as Error).message };
-          }
-        },
-      ),
-    );
-
-    // Enable a VPN client
-    adminRouter.addTypedHandler(
-      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_EnableVpnClient>(
-        'enableVpnClient',
-        async (dataArg, toolsArg) => {
-          const manager = this.opsServerRef.dcRouterRef.vpnManager;
-          if (!manager) {
-            return { success: false, message: 'VPN not configured' };
-          }
-
-          try {
-            await manager.enableClient(dataArg.clientId);
-            return { success: true };
-          } catch (err: unknown) {
-            return { success: false, message: (err as Error).message };
-          }
-        },
-      ),
-    );
-
-    // Disable a VPN client
-    adminRouter.addTypedHandler(
-      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_DisableVpnClient>(
-        'disableVpnClient',
-        async (dataArg, toolsArg) => {
-          const manager = this.opsServerRef.dcRouterRef.vpnManager;
-          if (!manager) {
-            return { success: false, message: 'VPN not configured' };
-          }
-
-          try {
-            await manager.disableClient(dataArg.clientId);
-            return { success: true };
-          } catch (err: unknown) {
-            return { success: false, message: (err as Error).message };
-          }
-        },
-      ),
-    );
-
-    // Rotate a VPN client's keys
-    adminRouter.addTypedHandler(
-      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_RotateVpnClientKey>(
-        'rotateVpnClientKey',
-        async (dataArg, toolsArg) => {
-          const manager = this.opsServerRef.dcRouterRef.vpnManager;
-          if (!manager) {
-            return { success: false, message: 'VPN not configured' };
-          }
-
-          try {
-            const bundle = await manager.rotateClientKey(dataArg.clientId);
-            return {
-              success: true,
-              wireguardConfig: bundle.wireguardConfig,
-            };
-          } catch (err: unknown) {
-            return { success: false, message: (err as Error).message };
-          }
-        },
-      ),
-    );
-
-    // Export a VPN client config
-    adminRouter.addTypedHandler(
-      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_ExportVpnClientConfig>(
-        'exportVpnClientConfig',
-        async (dataArg, toolsArg) => {
-          const manager = this.opsServerRef.dcRouterRef.vpnManager;
-          if (!manager) {
-            return { success: false, message: 'VPN not configured' };
-          }
-
-          try {
-            const config = await manager.exportClientConfig(dataArg.clientId, dataArg.format);
-            return { success: true, config };
-          } catch (err: unknown) {
-            return { success: false, message: (err as Error).message };
-          }
-        },
-      ),
-    );
-
-    // Get telemetry for a specific VPN client
-    viewRouter.addTypedHandler(
-      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetVpnClientTelemetry>(
-        'getVpnClientTelemetry',
-        async (dataArg, toolsArg) => {
-          const manager = this.opsServerRef.dcRouterRef.vpnManager;
-          if (!manager) {
-            return { success: false, message: 'VPN not configured' };
-          }
-
-          try {
-            const telemetry = await manager.getClientTelemetry(dataArg.clientId);
-            if (!telemetry) {
-              return { success: false, message: 'Client not found or not connected' };
-            }
-            return {
-              success: true,
-              telemetry: {
-                clientId: telemetry.clientId,
-                assignedIp: telemetry.assignedIp,
-                bytesSent: telemetry.bytesSent,
-                bytesReceived: telemetry.bytesReceived,
-                packetsDropped: telemetry.packetsDropped,
-                bytesDropped: telemetry.bytesDropped,
-                lastKeepaliveAt: telemetry.lastKeepaliveAt,
-                keepalivesReceived: telemetry.keepalivesReceived,
-                rateLimitBytesPerSec: telemetry.rateLimitBytesPerSec,
-                burstBytes: telemetry.burstBytes,
-              },
-            };
-          } catch (err: unknown) {
-            return { success: false, message: (err as Error).message };
-          }
-        },
-      ),
-    );
-  }
-}
@@ -34,6 +34,7 @@ export function resolvePaths(baseDir?: string) {
    dcrouterHomeDir: root,
    dataDir: resolvedDataDir,
    defaultTsmDbPath: plugins.path.join(root, 'tsmdb'),
+    defaultStoragePath: plugins.path.join(root, 'storage'),
    dnsRecordsDir: plugins.path.join(resolvedDataDir, 'dns'),
  };
 }
@@ -47,25 +47,23 @@ import * as qenv from '@push.rocks/qenv';
 import * as smartacme from '@push.rocks/smartacme';
 import * as smartdata from '@push.rocks/smartdata';
 import * as smartdns from '@push.rocks/smartdns';
-import * as smartfs from '@push.rocks/smartfs';
+import * as smartfile from '@push.rocks/smartfile';
 import * as smartguard from '@push.rocks/smartguard';
 import * as smartjwt from '@push.rocks/smartjwt';
 import * as smartlog from '@push.rocks/smartlog';
 import * as smartmetrics from '@push.rocks/smartmetrics';
 import * as smartmta from '@push.rocks/smartmta';
-import * as smartdb from '@push.rocks/smartdb';
+import * as smartmongo from '@push.rocks/smartmongo';
 import * as smartnetwork from '@push.rocks/smartnetwork';
 import * as smartpath from '@push.rocks/smartpath';
 import * as smartproxy from '@push.rocks/smartproxy';
 import * as smartpromise from '@push.rocks/smartpromise';
-import * as smartvpn from '@push.rocks/smartvpn';
 import * as smartradius from '@push.rocks/smartradius';
 import * as smartrequest from '@push.rocks/smartrequest';
 import * as smartrx from '@push.rocks/smartrx';
 import * as smartunique from '@push.rocks/smartunique';
-import * as taskbuffer from '@push.rocks/taskbuffer';

-export { projectinfo, qenv, smartacme, smartdata, smartdns, smartfs, smartguard, smartjwt, smartlog, smartmetrics, smartdb, smartmta, smartnetwork, smartpath, smartproxy, smartpromise, smartradius, smartrequest, smartrx, smartunique, smartvpn, taskbuffer };
+export { projectinfo, qenv, smartacme, smartdata, smartdns, smartfile, smartguard, smartjwt, smartlog, smartmetrics, smartmongo, smartmta, smartnetwork, smartpath, smartproxy, smartpromise, smartradius, smartrequest, smartrx, smartunique };

 // Define SmartLog types for use in error handling
 export type TLogLevel = 'error' | 'warn' | 'info' | 'success' | 'debug';
@@ -91,7 +89,7 @@ export {
  uuid,
 }

-// Filesystem utilities
+// Filesystem utilities (compatibility helpers for smartfile v13+)
 export const fsUtils = {
  /**
   * Ensure a directory exists, creating it recursively if needed (sync)
@@ -1,6 +1,6 @@
 import * as plugins from '../plugins.js';
 import { logger } from '../logger.js';
-import { AccountingSessionDoc } from '../db/index.js';
+import type { StorageManager } from '../storage/index.js';

 /**
 * RADIUS accounting session
@@ -84,14 +84,14 @@ export interface IAccountingSummary {
 * Accounting manager configuration
 */
 export interface IAccountingManagerConfig {
+  /** Storage key prefix */
+  storagePrefix?: string;
  /** Session retention period in days (default: 30) */
  retentionDays?: number;
  /** Enable detailed session logging */
  detailedLogging?: boolean;
  /** Maximum active sessions to track in memory */
  maxActiveSessions?: number;
-  /** Stale session timeout in hours — sessions with no update for this long are evicted (default: 24) */
-  staleSessionTimeoutHours?: number;
 }

 /**
@@ -104,7 +104,7 @@ export interface IAccountingManagerConfig {
 export class AccountingManager {
  private activeSessions: Map<string, IAccountingSession> = new Map();
  private config: Required<IAccountingManagerConfig>;
-  private staleSessionSweepTimer?: ReturnType<typeof setInterval>;
+  private storageManager?: StorageManager;

  // Counters for statistics
  private stats = {
@@ -115,72 +115,26 @@ export class AccountingManager {
    interimUpdatesReceived: 0,
  };

-  constructor(config?: IAccountingManagerConfig) {
+  constructor(config?: IAccountingManagerConfig, storageManager?: StorageManager) {
    this.config = {
+      storagePrefix: config?.storagePrefix ?? '/radius/accounting',
      retentionDays: config?.retentionDays ?? 30,
      detailedLogging: config?.detailedLogging ?? false,
      maxActiveSessions: config?.maxActiveSessions ?? 10000,
-      staleSessionTimeoutHours: config?.staleSessionTimeoutHours ?? 24,
    };
+    this.storageManager = storageManager;
  }

  /**
   * Initialize the accounting manager
   */
  async initialize(): Promise<void> {
-    await this.loadActiveSessions();
-
-    // Start periodic sweep to evict stale sessions (every 15 minutes)
-    this.staleSessionSweepTimer = setInterval(() => {
-      this.sweepStaleSessions();
-    }, 15 * 60 * 1000);
-    // Allow the process to exit even if the timer is pending
-    if (this.staleSessionSweepTimer.unref) {
-      this.staleSessionSweepTimer.unref();
+    if (this.storageManager) {
+      await this.loadActiveSessions();
    }
-
    logger.log('info', `AccountingManager initialized with ${this.activeSessions.size} active sessions`);
  }

-  /**
-   * Stop the accounting manager and clean up timers
-   */
-  stop(): void {
-    if (this.staleSessionSweepTimer) {
-      clearInterval(this.staleSessionSweepTimer);
-      this.staleSessionSweepTimer = undefined;
-    }
-  }
-
-  /**
-   * Sweep stale active sessions that have not received any update
-   * within the configured timeout. These are orphaned sessions where
-   * the Stop packet was never received.
-   */
-  private sweepStaleSessions(): void {
-    const timeoutMs = this.config.staleSessionTimeoutHours * 60 * 60 * 1000;
-    const cutoff = Date.now() - timeoutMs;
-    let swept = 0;
-
-    for (const [sessionId, session] of this.activeSessions) {
-      if (session.lastUpdateTime < cutoff) {
-        session.status = 'terminated';
-        session.terminateCause = 'StaleSessionTimeout';
-        session.endTime = Date.now();
-        session.sessionTime = Math.floor((session.endTime - session.startTime) / 1000);
-
-        this.persistSession(session).catch(() => {});
-
-        this.activeSessions.delete(sessionId);
-        swept++;
-      }
-    }
-
-    if (swept > 0) {
-      logger.log('info', `Swept ${swept} stale RADIUS sessions (no update for ${this.config.staleSessionTimeoutHours}h)`);
-    }
-  }
-
  /**
   * Handle accounting start request
   */
@@ -241,7 +195,9 @@ export class AccountingManager {
    }

    // Persist session
-    await this.persistSession(session);
+    if (this.storageManager) {
+      await this.persistSession(session);
+    }
  }

  /**
@@ -287,7 +243,9 @@ export class AccountingManager {
    }

    // Update persisted session
-    await this.persistSession(session);
+    if (this.storageManager) {
+      await this.persistSession(session);
+    }
  }

  /**
@@ -340,8 +298,10 @@ export class AccountingManager {
      logger.log('info', `Accounting Stop: session=${data.sessionId}, duration=${session.sessionTime}s, in=${session.inputOctets}, out=${session.outputOctets}`);
    }

-    // Update status in the database (single collection, no active->archive move needed)
-    await this.persistSession(session);
+    // Archive the session
+    if (this.storageManager) {
+      await this.archiveSession(session);
+    }

    // Remove from active sessions
    this.activeSessions.delete(data.sessionId);
@@ -478,16 +438,23 @@ export class AccountingManager {
   * Clean up old archived sessions based on retention policy
   */
  async cleanupOldSessions(): Promise<number> {
+    if (!this.storageManager) {
+      return 0;
+    }
+
    const cutoffTime = Date.now() - this.config.retentionDays * 24 * 60 * 60 * 1000;
    let deletedCount = 0;

    try {
-      const oldDocs = await AccountingSessionDoc.findStoppedBefore(cutoffTime);
+      const keys = await this.storageManager.list(`${this.config.storagePrefix}/archive/`);

-      for (const doc of oldDocs) {
+      for (const key of keys) {
        try {
-          await doc.delete();
-          deletedCount++;
+          const session = await this.storageManager.getJSON<IAccountingSession>(key);
+          if (session && session.endTime > 0 && session.endTime < cutoffTime) {
+            await this.storageManager.delete(key);
+            deletedCount++;
+          }
        } catch (error) {
          // Ignore individual errors
        }
@@ -496,8 +463,8 @@ export class AccountingManager {
      if (deletedCount > 0) {
        logger.log('info', `Cleaned up ${deletedCount} old accounting sessions`);
      }
-    } catch (error: unknown) {
-      logger.log('error', `Failed to cleanup old sessions: ${(error as Error).message}`);
+    } catch (error) {
+      logger.log('error', `Failed to cleanup old sessions: ${error.message}`);
    }

    return deletedCount;
@@ -530,7 +497,9 @@ export class AccountingManager {
      session.terminateCause = 'SessionEvicted';
      session.endTime = Date.now();

-      await this.persistSession(session);
+      if (this.storageManager) {
+        await this.archiveSession(session);
+      }

      this.activeSessions.delete(sessionId);
      logger.log('warn', `Evicted session ${sessionId} due to capacity limit`);
@@ -538,101 +507,99 @@ export class AccountingManager {
  }

  /**
-   * Load active sessions from database
+   * Load active sessions from storage
   */
  private async loadActiveSessions(): Promise<void> {
-    try {
-      const docs = await AccountingSessionDoc.findActive();
+    if (!this.storageManager) {
+      return;
+    }

-      for (const doc of docs) {
-        const session: IAccountingSession = {
-          sessionId: doc.sessionId,
-          username: doc.username,
-          macAddress: doc.macAddress,
-          nasIpAddress: doc.nasIpAddress,
-          nasPort: doc.nasPort,
-          nasPortType: doc.nasPortType,
-          nasIdentifier: doc.nasIdentifier,
-          vlanId: doc.vlanId,
-          framedIpAddress: doc.framedIpAddress,
-          calledStationId: doc.calledStationId,
-          callingStationId: doc.callingStationId,
-          startTime: doc.startTime,
-          endTime: doc.endTime,
-          lastUpdateTime: doc.lastUpdateTime,
-          status: doc.status,
-          terminateCause: doc.terminateCause,
-          inputOctets: doc.inputOctets,
-          outputOctets: doc.outputOctets,
-          inputPackets: doc.inputPackets,
-          outputPackets: doc.outputPackets,
-          sessionTime: doc.sessionTime,
-          serviceType: doc.serviceType,
-        };
-        this.activeSessions.set(session.sessionId, session);
+    try {
+      const keys = await this.storageManager.list(`${this.config.storagePrefix}/active/`);
+
+      for (const key of keys) {
+        try {
+          const session = await this.storageManager.getJSON<IAccountingSession>(key);
+          if (session && session.status === 'active') {
+            this.activeSessions.set(session.sessionId, session);
+          }
+        } catch (error) {
+          // Ignore individual errors
+        }
      }
-    } catch (error: unknown) {
-      logger.log('warn', `Failed to load active sessions: ${(error as Error).message}`);
+    } catch (error) {
+      logger.log('warn', `Failed to load active sessions: ${error.message}`);
    }
  }

  /**
-   * Persist a session to the database (create or update)
+   * Persist a session to storage
   */
  private async persistSession(session: IAccountingSession): Promise<void> {
+    if (!this.storageManager) {
+      return;
+    }
+
+    const key = `${this.config.storagePrefix}/active/${session.sessionId}.json`;
    try {
-      let doc = await AccountingSessionDoc.findBySessionId(session.sessionId);
-      if (!doc) {
-        doc = new AccountingSessionDoc();
-      }
-      Object.assign(doc, session);
-      await doc.save();
-    } catch (error: unknown) {
-      logger.log('error', `Failed to persist session ${session.sessionId}: ${(error as Error).message}`);
+      await this.storageManager.setJSON(key, session);
+    } catch (error) {
+      logger.log('error', `Failed to persist session ${session.sessionId}: ${error.message}`);
    }
  }

  /**
-   * Get archived (stopped/terminated) sessions for a time period
+   * Archive a completed session
+   */
+  private async archiveSession(session: IAccountingSession): Promise<void> {
+    if (!this.storageManager) {
+      return;
+    }
+
+    try {
+      // Remove from active
+      const activeKey = `${this.config.storagePrefix}/active/${session.sessionId}.json`;
+      await this.storageManager.delete(activeKey);
+
+      // Add to archive with date-based path
+      const date = new Date(session.endTime);
+      const archiveKey = `${this.config.storagePrefix}/archive/${date.getFullYear()}/${String(date.getMonth() + 1).padStart(2, '0')}/${String(date.getDate()).padStart(2, '0')}/${session.sessionId}.json`;
+      await this.storageManager.setJSON(archiveKey, session);
+    } catch (error) {
+      logger.log('error', `Failed to archive session ${session.sessionId}: ${error.message}`);
+    }
+  }
+
+  /**
+   * Get archived sessions for a time period
   */
  private async getArchivedSessions(startTime: number, endTime: number): Promise<IAccountingSession[]> {
+    if (!this.storageManager) {
+      return [];
+    }
+
    const sessions: IAccountingSession[] = [];

    try {
-      const docs = await AccountingSessionDoc.getInstances({
-        status: { $in: ['stopped', 'terminated'] } as any,
-        endTime: { $gt: 0, $gte: startTime } as any,
-        startTime: { $lte: endTime } as any,
-      });
+      const keys = await this.storageManager.list(`${this.config.storagePrefix}/archive/`);

-      for (const doc of docs) {
-        sessions.push({
-          sessionId: doc.sessionId,
-          username: doc.username,
-          macAddress: doc.macAddress,
-          nasIpAddress: doc.nasIpAddress,
-          nasPort: doc.nasPort,
-          nasPortType: doc.nasPortType,
-          nasIdentifier: doc.nasIdentifier,
-          vlanId: doc.vlanId,
-          framedIpAddress: doc.framedIpAddress,
-          calledStationId: doc.calledStationId,
-          callingStationId: doc.callingStationId,
-          startTime: doc.startTime,
-          endTime: doc.endTime,
-          lastUpdateTime: doc.lastUpdateTime,
-          status: doc.status,
-          terminateCause: doc.terminateCause,
-          inputOctets: doc.inputOctets,
-          outputOctets: doc.outputOctets,
-          inputPackets: doc.inputPackets,
-          outputPackets: doc.outputPackets,
-          sessionTime: doc.sessionTime,
-          serviceType: doc.serviceType,
-        });
+      for (const key of keys) {
+        try {
+          const session = await this.storageManager.getJSON<IAccountingSession>(key);
+          if (
+            session &&
+            session.endTime > 0 &&
+            session.startTime <= endTime &&
+            session.endTime >= startTime
+          ) {
+            sessions.push(session);
+          }
+        } catch (error) {
+          // Ignore individual errors
+        }
      }
-    } catch (error: unknown) {
-      logger.log('warn', `Failed to get archived sessions: ${(error as Error).message}`);
+    } catch (error) {
+      logger.log('warn', `Failed to get archived sessions: ${error.message}`);
    }

    return sessions;
@@ -1,5 +1,6 @@
 import * as plugins from '../plugins.js';
 import { logger } from '../logger.js';
+import type { StorageManager } from '../storage/index.js';
 import { VlanManager, type IMacVlanMapping, type IVlanManagerConfig } from './classes.vlan.manager.js';
 import { AccountingManager, type IAccountingSession, type IAccountingManagerConfig } from './classes.accounting.manager.js';

@@ -91,6 +92,7 @@ export class RadiusServer {
  private vlanManager: VlanManager;
  private accountingManager: AccountingManager;
  private config: IRadiusServerConfig;
+  private storageManager?: StorageManager;
  private clientSecrets: Map<string, string> = new Map();
  private running: boolean = false;

@@ -103,19 +105,20 @@ export class RadiusServer {
    startTime: 0,
  };

-  constructor(config: IRadiusServerConfig) {
+  constructor(config: IRadiusServerConfig, storageManager?: StorageManager) {
    this.config = {
      authPort: config.authPort ?? 1812,
      acctPort: config.acctPort ?? 1813,
      bindAddress: config.bindAddress ?? '0.0.0.0',
      ...config,
    };
+    this.storageManager = storageManager;

    // Initialize VLAN manager
-    this.vlanManager = new VlanManager(config.vlanAssignment);
+    this.vlanManager = new VlanManager(config.vlanAssignment, storageManager);

    // Initialize accounting manager
-    this.accountingManager = new AccountingManager(config.accounting);
+    this.accountingManager = new AccountingManager(config.accounting, storageManager);
  }

  /**
@@ -180,8 +183,6 @@ export class RadiusServer {
      this.radiusServer = undefined;
    }

-    this.accountingManager.stop();
-
    this.running = false;
    logger.log('info', 'RADIUS server stopped');
  }
@@ -307,8 +308,8 @@ export class RadiusServer {
        default:
          logger.log('debug', `RADIUS Acct Unknown status type: ${statusType}`);
      }
-    } catch (error: unknown) {
-      logger.log('error', `RADIUS accounting error: ${(error as Error).message}`);
+    } catch (error) {
+      logger.log('error', `RADIUS accounting error: ${error.message}`);
    }

    return { code: plugins.smartradius.ERadiusCode.AccountingResponse };
@@ -1,6 +1,6 @@
 import * as plugins from '../plugins.js';
 import { logger } from '../logger.js';
-import { VlanMappingsDoc } from '../db/index.js';
+import type { StorageManager } from '../storage/index.js';

 /**
 * MAC address to VLAN mapping
@@ -42,6 +42,8 @@ export interface IVlanManagerConfig {
  defaultVlan?: number;
  /** Whether to allow unknown MACs (assign default VLAN) or reject */
  allowUnknownMacs?: boolean;
+  /** Storage key prefix for persistence */
+  storagePrefix?: string;
 }

 /**
@@ -54,22 +56,27 @@ export interface IVlanManagerConfig {
 export class VlanManager {
  private mappings: Map<string, IMacVlanMapping> = new Map();
  private config: Required<IVlanManagerConfig>;
+  private storageManager?: StorageManager;

  // Cache for normalized MAC lookups
  private normalizedMacCache: Map<string, string> = new Map();

-  constructor(config?: IVlanManagerConfig) {
+  constructor(config?: IVlanManagerConfig, storageManager?: StorageManager) {
    this.config = {
      defaultVlan: config?.defaultVlan ?? 1,
      allowUnknownMacs: config?.allowUnknownMacs ?? true,
+      storagePrefix: config?.storagePrefix ?? '/radius/vlan-mappings',
    };
+    this.storageManager = storageManager;
  }

  /**
   * Initialize the VLAN manager and load persisted mappings
   */
  async initialize(): Promise<void> {
-    await this.loadMappings();
+    if (this.storageManager) {
+      await this.loadMappings();
+    }
    logger.log('info', `VlanManager initialized with ${this.mappings.size} mappings, default VLAN: ${this.config.defaultVlan}`);
  }

@@ -97,7 +104,7 @@ export class VlanManager {
    if (this.normalizedMacCache.size > 10000) {
      const iterator = this.normalizedMacCache.keys();
      for (let i = 0; i < 1000; i++) {
-        this.normalizedMacCache.delete(iterator.next().value!);
+        this.normalizedMacCache.delete(iterator.next().value);
      }
    }

@@ -150,8 +157,10 @@ export class VlanManager {

    this.mappings.set(normalizedMac, fullMapping);

-    // Persist to database
-    await this.saveMappings();
+    // Persist to storage
+    if (this.storageManager) {
+      await this.saveMappings();
+    }

    logger.log('info', `VLAN mapping ${existingMapping ? 'updated' : 'added'}: ${normalizedMac} -> VLAN ${mapping.vlan}`);
    return fullMapping;
@@ -164,7 +173,7 @@ export class VlanManager {
    const normalizedMac = this.normalizeMac(mac);
    const removed = this.mappings.delete(normalizedMac);

-    if (removed) {
+    if (removed && this.storageManager) {
      await this.saveMappings();
      logger.log('info', `VLAN mapping removed: ${normalizedMac}`);
    }
@@ -324,36 +333,39 @@ export class VlanManager {
  }

  /**
-   * Load mappings from database
+   * Load mappings from storage
   */
  private async loadMappings(): Promise<void> {
+    if (!this.storageManager) {
+      return;
+    }
+
    try {
-      const doc = await VlanMappingsDoc.load();
-      if (doc && Array.isArray(doc.mappings)) {
-        for (const mapping of doc.mappings) {
+      const data = await this.storageManager.getJSON<IMacVlanMapping[]>(this.config.storagePrefix);
+      if (data && Array.isArray(data)) {
+        for (const mapping of data) {
          this.mappings.set(this.normalizeMac(mapping.mac), mapping);
        }
-        logger.log('info', `Loaded ${doc.mappings.length} VLAN mappings from database`);
+        logger.log('info', `Loaded ${data.length} VLAN mappings from storage`);
      }
-    } catch (error: unknown) {
-      logger.log('warn', `Failed to load VLAN mappings from database: ${(error as Error).message}`);
+    } catch (error) {
+      logger.log('warn', `Failed to load VLAN mappings from storage: ${error.message}`);
    }
  }

  /**
-   * Save mappings to database
+   * Save mappings to storage
   */
  private async saveMappings(): Promise<void> {
+    if (!this.storageManager) {
+      return;
+    }
+
    try {
      const mappings = Array.from(this.mappings.values());
-      let doc = await VlanMappingsDoc.load();
-      if (!doc) {
-        doc = new VlanMappingsDoc();
-      }
-      doc.mappings = mappings;
-      await doc.save();
-    } catch (error: unknown) {
-      logger.log('error', `Failed to save VLAN mappings to database: ${(error as Error).message}`);
+      await this.storageManager.setJSON(this.config.storagePrefix, mappings);
+    } catch (error) {
+      logger.log('error', `Failed to save VLAN mappings to storage: ${error.message}`);
    }
  }
 }
@@ -6,7 +6,7 @@
 * - VLAN assignment based on MAC addresses
 * - OUI (vendor prefix) pattern matching for device categorization
 * - RADIUS accounting for session tracking and billing
- * - Integration with smartdata document classes for persistence
+ * - Integration with StorageManager for persistence
 */

 export * from './classes.radius.server.js';
@@ -37,7 +37,7 @@ const router = new DcRouter({
 });

 await router.start();
-// OpsServer dashboard at http://localhost:3000 (configurable via opsServerPort)
+// OpsServer dashboard at http://localhost:3000

 // Graceful shutdown
 await router.stop();
@@ -60,9 +60,6 @@ ts/
 │   └── documents/                  # Cached document models
 ├── config/                         # Configuration utilities
 ├── errors/                         # Error classes and retry logic
-├── http3/                          # HTTP/3 (QUIC) route augmentation
-│   ├── index.ts                    # Barrel export
-│   └── http3-route-augmentation.ts # Pure utility: augmentRoutesWithHttp3(), IHttp3Config
 ├── monitoring/                     # MetricsManager (SmartMetrics integration)
 ├── opsserver/                      # OpsServer dashboard + API handlers
 │   ├── classes.opsserver.ts        # HTTP server + TypedRouter setup
@@ -74,10 +71,7 @@ ts/
 │       ├── email.handler.ts        # Email operations
 │       ├── certificate.handler.ts  # Certificate management
 │       ├── radius.handler.ts       # RADIUS management
-│       ├── remoteingress.handler.ts # Remote ingress edge + token management
-│       ├── route-management.handler.ts # Programmatic route CRUD
-│       ├── api-token.handler.ts    # API token management
-│       └── security.handler.ts     # Security metrics + connections
+│       └── remoteingress.handler.ts # Remote ingress edge + token management
 ├── radius/                         # RADIUS server integration
 ├── remoteingress/                  # Remote ingress hub integration
 │   ├── classes.remoteingress-manager.ts  # Edge CRUD + port derivation
@@ -102,9 +96,6 @@ export { RadiusServer, IRadiusServerConfig } from './radius/index.js';

 // Remote Ingress
 export { RemoteIngressManager, TunnelManager } from './remoteingress/index.js';
-
-// HTTP/3
-export type { IHttp3Config } from './http3/index.js';
 ```

 ## Key Classes
@@ -121,7 +112,6 @@ The central orchestrator. Accepts `IDcRouterOptions` and manages the lifecycle o
 | `radiusConfig` | RadiusServer (auth + accounting) | `@push.rocks/smartradius` |
 | `remoteIngressConfig` | RemoteIngressManager + TunnelManager | `@serve.zone/remoteingress` |
 | `tls` + `dnsChallenge` | SmartAcme (ACME cert provisioning) | `@push.rocks/smartacme` |
-| `http3` | HTTP/3 route augmentation (enabled by default) | built-in |
 | `cacheConfig` | CacheDb (embedded MongoDB) | `@push.rocks/smartdata` |
 | *(always)* | OpsServer (dashboard + API) | `@api.global/typedserver` |
 | *(always)* | MetricsManager | `@push.rocks/smartmetrics` |
@@ -136,7 +126,7 @@ Manages the Rust-based RemoteIngressHub lifecycle. Syncs allowed edges, tracks c

 ## License and Legal Information

-This repository contains open-source code licensed under the MIT License. A copy of the license can be found in the [license](../license) file.
+This repository contains open-source code licensed under the MIT License. A copy of the license can be found in the [LICENSE](../LICENSE) file.

 **Please note:** The MIT License does not grant permission to use the trade names, trademarks, service marks, or product names of the project, except as required for reasonable and customary use in describing the origin of the work and reproducing the content of the NOTICE file.

@@ -1,11 +1,13 @@
 import * as plugins from '../plugins.js';
+import type { StorageManager } from '../storage/classes.storagemanager.js';
 import type { IRemoteIngress, IDcRouterRouteConfig } from '../../ts_interfaces/data/remoteingress.js';
-import { RemoteIngressEdgeDoc } from '../db/index.js';
+
+const STORAGE_PREFIX = '/remote-ingress/';

 /**
 * Flatten a port range (number | number[] | Array<{from, to}>) to a sorted unique number array.
 */
-function extractPorts(portRange: number | Array<number | { from: number; to: number }>): number[] {
+function extractPorts(portRange: number | number[] | Array<{ from: number; to: number }>): number[] {
  const ports = new Set<number>();
  if (typeof portRange === 'number') {
    ports.add(portRange);
@@ -25,40 +27,33 @@ function extractPorts(portRange: number | Array<number | { from: number; to: num

 /**
 * Manages CRUD for remote ingress edge registrations.
- * Persists edge configs via smartdata document classes and provides
+ * Persists edge configs via StorageManager and provides
 * the allowed edges list for the Rust hub.
 */
 export class RemoteIngressManager {
+  private storageManager: StorageManager;
  private edges: Map<string, IRemoteIngress> = new Map();
  private routes: IDcRouterRouteConfig[] = [];

-  constructor() {
+  constructor(storageManager: StorageManager) {
+    this.storageManager = storageManager;
  }

  /**
-   * Load all edge registrations from the database into memory.
+   * Load all edge registrations from storage into memory.
   */
  public async initialize(): Promise<void> {
-    const docs = await RemoteIngressEdgeDoc.findAll();
-    for (const doc of docs) {
-      // Migration: old edges without autoDerivePorts default to true
-      if ((doc as any).autoDerivePorts === undefined) {
-        doc.autoDerivePorts = true;
-        await doc.save();
+    const keys = await this.storageManager.list(STORAGE_PREFIX);
+    for (const key of keys) {
+      const edge = await this.storageManager.getJSON<IRemoteIngress>(key);
+      if (edge) {
+        // Migration: old edges without autoDerivePorts default to true
+        if ((edge as any).autoDerivePorts === undefined) {
+          edge.autoDerivePorts = true;
+          await this.storageManager.setJSON(key, edge);
+        }
+        this.edges.set(edge.id, edge);
      }
-      const edge: IRemoteIngress = {
-        id: doc.id,
-        name: doc.name,
-        secret: doc.secret,
-        listenPorts: doc.listenPorts,
-        listenPortsUdp: doc.listenPortsUdp,
-        enabled: doc.enabled,
-        autoDerivePorts: doc.autoDerivePorts,
-        tags: doc.tags,
-        createdAt: doc.createdAt,
-        updatedAt: doc.updatedAt,
-      };
-      this.edges.set(edge.id, edge);
    }
  }

@@ -99,38 +94,6 @@ export class RemoteIngressManager {
    return [...ports].sort((a, b) => a - b);
  }

-  /**
-   * Derive UDP listen ports for an edge from routes with transport 'udp' or 'all'.
-   * These ports need UDP listeners on the edge (e.g. for QUIC/HTTP3).
-   */
-  public deriveUdpPortsForEdge(edgeId: string, edgeTags?: string[]): number[] {
-    const ports = new Set<number>();
-
-    for (const route of this.routes) {
-      if (!route.remoteIngress?.enabled) continue;
-
-      // Apply edge filter if present
-      const filter = route.remoteIngress.edgeFilter;
-      if (filter && filter.length > 0) {
-        const idMatch = filter.includes(edgeId);
-        const tagMatch = edgeTags?.some((tag) => filter.includes(tag)) ?? false;
-        if (!idMatch && !tagMatch) continue;
-      }
-
-      // Only include ports from routes that listen on UDP
-      const transport = route.match?.transport;
-      if (transport === 'udp' || transport === 'all') {
-        if (route.match?.ports) {
-          for (const p of extractPorts(route.match.ports)) {
-            ports.add(p);
-          }
-        }
-      }
-    }
-
-    return [...ports].sort((a, b) => a - b);
-  }
-
  /**
   * Get the effective listen ports for an edge.
   * Manual ports are always included. Auto-derived ports are added (union) when autoDerivePorts is true.
@@ -143,18 +106,6 @@ export class RemoteIngressManager {
    return [...new Set([...manualPorts, ...derivedPorts])].sort((a, b) => a - b);
  }

-  /**
-   * Get the effective UDP listen ports for an edge.
-   * Manual UDP ports are always included. Auto-derived UDP ports are added when autoDerivePorts is true.
-   */
-  public getEffectiveListenPortsUdp(edge: IRemoteIngress): number[] {
-    const manualPorts = edge.listenPortsUdp || [];
-    const shouldDerive = edge.autoDerivePorts !== false;
-    if (!shouldDerive) return [...manualPorts].sort((a, b) => a - b);
-    const derivedPorts = this.deriveUdpPortsForEdge(edge.id, edge.tags);
-    return [...new Set([...manualPorts, ...derivedPorts])].sort((a, b) => a - b);
-  }
-
  /**
   * Get manual and derived port breakdown for an edge (used in API responses).
   * Derived ports exclude any ports already present in the manual list.
@@ -194,9 +145,7 @@ export class RemoteIngressManager {
      updatedAt: now,
    };

-    const doc = new RemoteIngressEdgeDoc();
-    Object.assign(doc, edge);
-    await doc.save();
+    await this.storageManager.setJSON(`${STORAGE_PREFIX}${id}`, edge);
    this.edges.set(id, edge);
    return edge;
  }
@@ -240,11 +189,7 @@ export class RemoteIngressManager {
    if (updates.tags !== undefined) edge.tags = updates.tags;
    edge.updatedAt = Date.now();

-    const doc = await RemoteIngressEdgeDoc.findById(id);
-    if (doc) {
-      Object.assign(doc, edge);
-      await doc.save();
-    }
+    await this.storageManager.setJSON(`${STORAGE_PREFIX}${id}`, edge);
    this.edges.set(id, edge);
    return edge;
  }
@@ -256,10 +201,7 @@ export class RemoteIngressManager {
    if (!this.edges.has(id)) {
      return false;
    }
-    const doc = await RemoteIngressEdgeDoc.findById(id);
-    if (doc) {
-      await doc.delete();
-    }
+    await this.storageManager.delete(`${STORAGE_PREFIX}${id}`);
    this.edges.delete(id);
    return true;
  }
@@ -276,11 +218,7 @@ export class RemoteIngressManager {
    edge.secret = plugins.crypto.randomBytes(32).toString('hex');
    edge.updatedAt = Date.now();

-    const doc = await RemoteIngressEdgeDoc.findById(id);
-    if (doc) {
-      Object.assign(doc, edge);
-      await doc.save();
-    }
+    await this.storageManager.setJSON(`${STORAGE_PREFIX}${id}`, edge);
    this.edges.set(id, edge);
    return edge.secret;
  }
@@ -303,18 +241,15 @@ export class RemoteIngressManager {

  /**
   * Get the list of allowed edges (enabled only) for the Rust hub.
-   * Includes listenPortsUdp when routes with transport 'udp' or 'all' are present.
   */
-  public getAllowedEdges(): Array<{ id: string; secret: string; listenPorts: number[]; listenPortsUdp?: number[] }> {
-    const result: Array<{ id: string; secret: string; listenPorts: number[]; listenPortsUdp?: number[] }> = [];
+  public getAllowedEdges(): Array<{ id: string; secret: string; listenPorts: number[] }> {
+    const result: Array<{ id: string; secret: string; listenPorts: number[] }> = [];
    for (const edge of this.edges.values()) {
      if (edge.enabled) {
-        const listenPortsUdp = this.getEffectiveListenPortsUdp(edge);
        result.push({
          id: edge.id,
          secret: edge.secret,
          listenPorts: this.getEffectiveListenPorts(edge),
-          ...(listenPortsUdp.length > 0 ? { listenPortsUdp } : {}),
        });
      }
    }
@@ -60,7 +60,7 @@ export enum ThreatCategory {
 * Content Scanner for detecting malicious email content
 */
 export class ContentScanner {
-  private static instance: ContentScanner | undefined;
+  private static instance: ContentScanner;
  private scanCache: LRUCache<string, IScanResult>;
  private options: Required<IContentScannerOptions>;
  
@@ -258,12 +258,12 @@ export class ContentScanner {
      }
      
      return result;
-    } catch (error: unknown) {
-      logger.log('error', `Error scanning email: ${(error as Error).message}`, {
+    } catch (error) {
+      logger.log('error', `Error scanning email: ${error.message}`, {
        messageId: email.getMessageId(),
-        error: (error as Error).stack
+        error: error.stack
      });
-
+      
      // Return a safe default with error indication
      return {
        isClean: true, // Let it pass if scanner fails (configure as desired)
@@ -271,7 +271,7 @@ export class ContentScanner {
        scannedElements: ['error'],
        timestamp: Date.now(),
        threatType: 'scan_error',
-        threatDetails: `Scan error: ${(error as Error).message}`
+        threatDetails: `Scan error: ${error.message}`
      };
    }
  }
@@ -625,8 +625,8 @@ export class ContentScanner {
      return sample.toString('utf8')
        .replace(/[\x00-\x09\x0B-\x1F\x7F-\x9F]/g, '') // Remove control chars
        .replace(/\uFFFD/g, ''); // Remove replacement char
-    } catch (error: unknown) {
-      logger.log('warn', `Error extracting text from buffer: ${(error as Error).message}`);
+    } catch (error) {
+      logger.log('warn', `Error extracting text from buffer: ${error.message}`);
      return '';
    }
  }
@@ -699,10 +699,10 @@ export class ContentScanner {
        subject: email.subject
      },
      success: false,
-      domain: email.getFromDomain() ?? undefined
+      domain: email.getFromDomain()
    });
  }
-
+  
  /**
   * Log a threat finding to the security logger
   * @param email The email containing the threat
@@ -722,10 +722,10 @@ export class ContentScanner {
        subject: email.subject
      },
      success: false,
-      domain: email.getFromDomain() ?? undefined
+      domain: email.getFromDomain()
    });
  }
-
+  
  /**
   * Get threat level description based on score
   * @param score Threat score
@@ -1,8 +1,8 @@
 import * as plugins from '../plugins.js';
+import * as paths from '../paths.js';
 import { logger } from '../logger.js';
 import { SecurityLogger, SecurityLogLevel, SecurityEventType } from './classes.securitylogger.js';
 import { LRUCache } from 'lru-cache';
-import { CachedIPReputation } from '../db/documents/classes.cached.ip.reputation.js';

 /**
 * Reputation check result information
@@ -52,7 +52,7 @@ export interface IIPReputationOptions {
  highRiskThreshold?: number; // Score below this is high risk
  mediumRiskThreshold?: number; // Score below this is medium risk
  lowRiskThreshold?: number; // Score below this is low risk
-  enableLocalCache?: boolean; // Whether to persist cache to database (default: true)
+  enableLocalCache?: boolean; // Whether to persist cache to disk (default: true)
  enableDNSBL?: boolean; // Whether to use DNSBL checks (default: true)
  enableIPInfo?: boolean; // Whether to use IP info service (default: true)
 }
@@ -61,10 +61,13 @@ export interface IIPReputationOptions {
 * Class for checking IP reputation of inbound email senders
 */
 export class IPReputationChecker {
-  private static instance: IPReputationChecker | undefined;
+  private static instance: IPReputationChecker;
  private reputationCache: LRUCache<string, IReputationResult>;
  private options: Required<IIPReputationOptions>;
-
+  private storageManager?: any; // StorageManager instance
+  private saveCacheTimer: ReturnType<typeof setTimeout> | null = null;
+  private static readonly SAVE_CACHE_DEBOUNCE_MS = 30_000;
+  
  // Default DNSBL servers
  private static readonly DEFAULT_DNSBL_SERVERS = [
    'zen.spamhaus.org',         // Spamhaus
@@ -72,13 +75,13 @@ export class IPReputationChecker {
    'b.barracudacentral.org',   // Barracuda
    'spam.dnsbl.sorbs.net',     // SORBS
    'dnsbl.sorbs.net',          // SORBS (expanded)
-    'cbl.abuseat.org',          // Composite Blocking List
+    'cbl.abuseat.org',          // Composite Blocking List 
    'xbl.spamhaus.org',         // Spamhaus XBL
    'pbl.spamhaus.org',         // Spamhaus PBL
    'dnsbl-1.uceprotect.net',   // UCEPROTECT
    'psbl.surriel.com'          // PSBL
  ];
-
+  
  // Default options
  private static readonly DEFAULT_OPTIONS: Required<IIPReputationOptions> = {
    maxCacheSize: 10000,
@@ -91,40 +94,54 @@ export class IPReputationChecker {
    enableDNSBL: true,
    enableIPInfo: true
  };
-
+  
  /**
   * Constructor for IPReputationChecker
   * @param options Configuration options
+   * @param storageManager Optional StorageManager instance for persistence
   */
-  constructor(options: IIPReputationOptions = {}) {
+  constructor(options: IIPReputationOptions = {}, storageManager?: any) {
    // Merge with default options
    this.options = {
      ...IPReputationChecker.DEFAULT_OPTIONS,
      ...options
    };
-
+    
+    this.storageManager = storageManager;
+    
+    // If no storage manager provided, log warning
+    if (!storageManager && this.options.enableLocalCache) {
+      logger.log('warn', 
+        '⚠️  WARNING: IPReputationChecker initialized without StorageManager.\n' +
+        '   IP reputation cache will only be stored to filesystem.\n' +
+        '   Consider passing a StorageManager instance for better storage flexibility.'
+      );
+    }
+    
    // Initialize reputation cache
    this.reputationCache = new LRUCache<string, IReputationResult>({
      max: this.options.maxCacheSize,
      ttl: this.options.cacheTTL, // Cache TTL
    });
-
-    // Load persisted reputations into in-memory cache
+    
+    // Load cache from disk if enabled
    if (this.options.enableLocalCache) {
-      this.loadCacheFromDb().catch((error: unknown) => {
-        logger.log('error', `Failed to load IP reputation cache during initialization: ${(error as Error).message}`);
+      // Fire and forget the load operation
+      this.loadCache().catch(error => {
+        logger.log('error', `Failed to load IP reputation cache during initialization: ${error.message}`);
      });
    }
  }
-
+  
  /**
   * Get the singleton instance of the checker
   * @param options Configuration options
+   * @param storageManager Optional StorageManager instance for persistence
   * @returns Singleton instance
   */
-  public static getInstance(options: IIPReputationOptions = {}): IPReputationChecker {
+  public static getInstance(options: IIPReputationOptions = {}, storageManager?: any): IPReputationChecker {
    if (!IPReputationChecker.instance) {
-      IPReputationChecker.instance = new IPReputationChecker(options);
+      IPReputationChecker.instance = new IPReputationChecker(options, storageManager);
    }
    return IPReputationChecker.instance;
  }
@@ -133,6 +150,12 @@ export class IPReputationChecker {
   * Reset the singleton instance (for shutdown/testing)
   */
  public static resetInstance(): void {
+    if (IPReputationChecker.instance) {
+      if (IPReputationChecker.instance.saveCacheTimer) {
+        clearTimeout(IPReputationChecker.instance.saveCacheTimer);
+        IPReputationChecker.instance.saveCacheTimer = null;
+      }
+    }
    IPReputationChecker.instance = undefined;
  }

@@ -148,8 +171,8 @@ export class IPReputationChecker {
        logger.log('warn', `Invalid IP address format: ${ip}`);
        return this.createErrorResult(ip, 'Invalid IP address format');
      }
-
-      // Check in-memory LRU cache first (fast path)
+      
+      // Check cache first
      const cachedResult = this.reputationCache.get(ip);
      if (cachedResult) {
        logger.log('info', `Using cached reputation data for IP ${ip}`, {
@@ -158,7 +181,7 @@ export class IPReputationChecker {
        });
        return cachedResult;
      }
-
+      
      // Initialize empty result
      const result: IReputationResult = {
        score: 100, // Start with perfect score
@@ -168,64 +191,62 @@ export class IPReputationChecker {
        isVPN: false,
        timestamp: Date.now()
      };
-
+      
      // Check IP against DNS blacklists if enabled
      if (this.options.enableDNSBL) {
        const dnsblResult = await this.checkDNSBL(ip);
-
+        
        // Update result with DNSBL information
        result.score -= dnsblResult.listCount * 10; // Subtract 10 points per blacklist
        result.isSpam = dnsblResult.listCount > 0;
        result.blacklists = dnsblResult.lists;
      }
-
+      
      // Get additional IP information if enabled
      if (this.options.enableIPInfo) {
        const ipInfo = await this.getIPInfo(ip);
-
+        
        // Update result with IP info
        result.country = ipInfo.country;
        result.asn = ipInfo.asn;
        result.org = ipInfo.org;
-
+        
        // Adjust score based on IP type
        if (ipInfo.type === IPType.PROXY || ipInfo.type === IPType.TOR || ipInfo.type === IPType.VPN) {
          result.score -= 30; // Subtract 30 points for proxies, Tor, VPNs
-
+          
          // Set proxy flags
          result.isProxy = ipInfo.type === IPType.PROXY;
          result.isTor = ipInfo.type === IPType.TOR;
          result.isVPN = ipInfo.type === IPType.VPN;
        }
      }
-
+      
      // Ensure score is between 0 and 100
      result.score = Math.max(0, Math.min(100, result.score));
-
-      // Update in-memory LRU cache
+      
+      // Update cache with result
      this.reputationCache.set(ip, result);
-
-      // Persist to database if enabled (fire and forget)
+      
+      // Schedule debounced cache save if enabled
      if (this.options.enableLocalCache) {
-        this.persistReputationToDb(ip, result).catch((error: unknown) => {
-          logger.log('error', `Failed to persist IP reputation for ${ip}: ${(error as Error).message}`);
-        });
+        this.debouncedSaveCache();
      }
-
+      
      // Log the reputation check
      this.logReputationCheck(ip, result);
-
+      
      return result;
-    } catch (error: unknown) {
-      logger.log('error', `Error checking IP reputation for ${ip}: ${(error as Error).message}`, {
+    } catch (error) {
+      logger.log('error', `Error checking IP reputation for ${ip}: ${error.message}`, {
        ip,
-        stack: (error as Error).stack
+        stack: error.stack
      });
-
-      return this.createErrorResult(ip, (error as Error).message);
+      
+      return this.createErrorResult(ip, error.message);
    }
  }
-
+  
  /**
   * Check an IP against DNS blacklists
   * @param ip IP address to check
@@ -238,42 +259,42 @@ export class IPReputationChecker {
    try {
      // Reverse the IP for DNSBL queries
      const reversedIP = this.reverseIP(ip);
-
+      
      const results = await Promise.allSettled(
        this.options.dnsblServers.map(async (server) => {
          try {
            const lookupDomain = `${reversedIP}.${server}`;
            await plugins.dns.promises.resolve(lookupDomain);
            return server; // IP is listed in this DNSBL
-          } catch (error: unknown) {
-            if ((error as any).code === 'ENOTFOUND') {
+          } catch (error) {
+            if (error.code === 'ENOTFOUND') {
              return null; // IP is not listed in this DNSBL
            }
            throw error; // Other error
          }
        })
      );
-
+      
      // Extract successful lookups (listed in DNSBL)
      const lists = results
-        .filter((result): result is PromiseFulfilledResult<string> =>
+        .filter((result): result is PromiseFulfilledResult<string> => 
          result.status === 'fulfilled' && result.value !== null
        )
        .map(result => result.value);
-
+      
      return {
        listCount: lists.length,
        lists
      };
-    } catch (error: unknown) {
-      logger.log('error', `Error checking DNSBL for ${ip}: ${(error as Error).message}`);
+    } catch (error) {
+      logger.log('error', `Error checking DNSBL for ${ip}: ${error.message}`);
      return {
        listCount: 0,
        lists: []
      };
    }
  }
-
+  
  /**
   * Get information about an IP address
   * @param ip IP address to check
@@ -288,16 +309,16 @@ export class IPReputationChecker {
    try {
      // In a real implementation, this would use an IP data service API
      // For this implementation, we'll use a simplified approach
-
+      
      // Check if it's a known Tor exit node (simplified)
      const isTor = ip.startsWith('171.25.') || ip.startsWith('185.220.') || ip.startsWith('95.216.');
-
+      
      // Check if it's a known VPN (simplified)
      const isVPN = ip.startsWith('185.156.') || ip.startsWith('37.120.');
-
+      
      // Check if it's a known proxy (simplified)
      const isProxy = ip.startsWith('34.92.') || ip.startsWith('34.206.');
-
+      
      // Determine IP type
      let type = IPType.UNKNOWN;
      if (isTor) {
@@ -320,7 +341,7 @@ export class IPReputationChecker {
          type = IPType.RESIDENTIAL;
        }
      }
-
+      
      // Return the information
      return {
        country: this.determineCountry(ip), // Simplified, would use geolocation service
@@ -328,14 +349,14 @@ export class IPReputationChecker {
        org: this.determineOrg(ip), // Simplified, would use real org data
        type
      };
-    } catch (error: unknown) {
-      logger.log('error', `Error getting IP info for ${ip}: ${(error as Error).message}`);
+    } catch (error) {
+      logger.log('error', `Error getting IP info for ${ip}: ${error.message}`);
      return {
        type: IPType.UNKNOWN
      };
    }
  }
-
+  
  /**
   * Simplified method to determine country from IP
   * In a real implementation, this would use a geolocation database or service
@@ -350,7 +371,7 @@ export class IPReputationChecker {
    if (ip.startsWith('171.')) return 'DE';
    return 'XX'; // Unknown
  }
-
+  
  /**
   * Simplified method to determine organization from IP
   * In a real implementation, this would use an IP-to-org database or service
@@ -366,7 +387,7 @@ export class IPReputationChecker {
    if (ip.startsWith('185.220.')) return 'Tor Exit Node';
    return 'Unknown';
  }
-
+  
  /**
   * Reverse an IP address for DNSBL lookups (e.g., 1.2.3.4 -> 4.3.2.1)
   * @param ip IP address to reverse
@@ -375,7 +396,7 @@ export class IPReputationChecker {
  private reverseIP(ip: string): string {
    return ip.split('.').reverse().join('.');
  }
-
+  
  /**
   * Create an error result for when reputation check fails
   * @param ip IP address
@@ -393,7 +414,7 @@ export class IPReputationChecker {
      error: errorMessage
    };
  }
-
+  
  /**
   * Validate IP address format
   * @param ip IP address to validate
@@ -404,7 +425,7 @@ export class IPReputationChecker {
    const ipv4Pattern = /^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$/;
    return ipv4Pattern.test(ip);
  }
-
+  
  /**
   * Log reputation check to security logger
   * @param ip IP address
@@ -418,7 +439,7 @@ export class IPReputationChecker {
    } else if (result.score < this.options.mediumRiskThreshold) {
      logLevel = SecurityLogLevel.INFO;
    }
-
+    
    // Log the check
    SecurityLogger.getInstance().logEvent({
      level: logLevel,
@@ -437,76 +458,131 @@ export class IPReputationChecker {
      success: !result.isSpam
    });
  }
+  
+  /**
+   * Schedule a debounced cache save (at most once per SAVE_CACHE_DEBOUNCE_MS)
+   */
+  private debouncedSaveCache(): void {
+    if (this.saveCacheTimer) {
+      return; // already scheduled
+    }
+    this.saveCacheTimer = setTimeout(() => {
+      this.saveCacheTimer = null;
+      this.saveCache().catch(error => {
+        logger.log('error', `Failed to save IP reputation cache: ${error.message}`);
+      });
+    }, IPReputationChecker.SAVE_CACHE_DEBOUNCE_MS);
+  }

  /**
-   * Persist a single IP reputation result to the database via CachedIPReputation
+   * Save cache to disk or storage manager
   */
-  private async persistReputationToDb(ip: string, result: IReputationResult): Promise<void> {
+  private async saveCache(): Promise<void> {
    try {
-      const data = {
-        score: result.score,
-        isSpam: result.isSpam,
-        isProxy: result.isProxy,
-        isTor: result.isTor,
-        isVPN: result.isVPN,
-        country: result.country,
-        asn: result.asn,
-        org: result.org,
-        blacklists: result.blacklists,
-      };
-
-      const existing = await CachedIPReputation.findByIP(ip);
-      if (existing) {
-        existing.updateReputation(data);
-        await existing.save();
+      // Convert cache entries to serializable array
+      const entries = Array.from(this.reputationCache.entries()).map(([ip, data]) => ({
+        ip,
+        data
+      }));
+      
+      // Only save if we have entries
+      if (entries.length === 0) {
+        return;
+      }
+      
+      const cacheData = JSON.stringify(entries);
+      
+      // Save to storage manager if available
+      if (this.storageManager) {
+        await this.storageManager.set('/security/ip-reputation-cache.json', cacheData);
+        logger.log('info', `Saved ${entries.length} IP reputation cache entries to StorageManager`);
      } else {
-        const doc = CachedIPReputation.fromReputationData(ip, data);
-        await doc.save();
+        // Fall back to filesystem
+        const cacheDir = plugins.path.join(paths.dataDir, 'security');
+        plugins.fsUtils.ensureDirSync(cacheDir);
+        
+        const cacheFile = plugins.path.join(cacheDir, 'ip_reputation_cache.json');
+        plugins.fsUtils.toFsSync(cacheData, cacheFile);
+        
+        logger.log('info', `Saved ${entries.length} IP reputation cache entries to disk`);
      }
-    } catch (error: unknown) {
-      logger.log('error', `Failed to persist IP reputation for ${ip}: ${(error as Error).message}`);
+    } catch (error) {
+      logger.log('error', `Failed to save IP reputation cache: ${error.message}`);
    }
  }
-
+  
  /**
-   * Load persisted reputations from CachedIPReputation documents into the in-memory LRU cache
+   * Load cache from disk or storage manager
   */
-  private async loadCacheFromDb(): Promise<void> {
+  private async loadCache(): Promise<void> {
    try {
-      const docs = await CachedIPReputation.getInstances({});
-      let loadedCount = 0;
-
-      for (const doc of docs) {
-        // Skip expired documents
-        if (doc.isExpired()) {
-          continue;
+      let cacheData: string | null = null;
+      let fromFilesystem = false;
+      
+      // Try to load from storage manager first
+      if (this.storageManager) {
+        try {
+          cacheData = await this.storageManager.get('/security/ip-reputation-cache.json');
+          
+          if (!cacheData) {
+            // Check if data exists in filesystem and migrate it
+            const cacheFile = plugins.path.join(paths.dataDir, 'security', 'ip_reputation_cache.json');
+            
+            if (plugins.fs.existsSync(cacheFile)) {
+              logger.log('info', 'Migrating IP reputation cache from filesystem to StorageManager');
+              cacheData = plugins.fs.readFileSync(cacheFile, 'utf8');
+              fromFilesystem = true;
+              
+              // Migrate to storage manager
+              await this.storageManager.set('/security/ip-reputation-cache.json', cacheData);
+              logger.log('info', 'IP reputation cache migrated to StorageManager successfully');
+              
+              // Optionally delete the old file after successful migration
+              try {
+                plugins.fs.unlinkSync(cacheFile);
+                logger.log('info', 'Old cache file removed after migration');
+              } catch (deleteError) {
+                logger.log('warn', `Could not delete old cache file: ${deleteError.message}`);
+              }
+            }
+          }
+        } catch (error) {
+          logger.log('error', `Error loading from StorageManager: ${error.message}`);
+        }
+      } else {
+        // No storage manager, load from filesystem
+        const cacheFile = plugins.path.join(paths.dataDir, 'security', 'ip_reputation_cache.json');
+        
+        if (plugins.fs.existsSync(cacheFile)) {
+          cacheData = plugins.fs.readFileSync(cacheFile, 'utf8');
+          fromFilesystem = true;
        }
-
-        const result: IReputationResult = {
-          score: doc.score,
-          isSpam: doc.isSpam,
-          isProxy: doc.isProxy,
-          isTor: doc.isTor,
-          isVPN: doc.isVPN,
-          country: doc.country || undefined,
-          asn: doc.asn || undefined,
-          org: doc.org || undefined,
-          blacklists: doc.blacklists || [],
-          timestamp: doc.lastAccessedAt?.getTime() ?? doc.createdAt?.getTime() ?? Date.now(),
-        };
-
-        this.reputationCache.set(doc.ipAddress, result);
-        loadedCount++;
      }
-
-      if (loadedCount > 0) {
-        logger.log('info', `Loaded ${loadedCount} IP reputation cache entries from database`);
+      
+      // Parse and restore cache if data was found
+      if (cacheData) {
+        const entries = JSON.parse(cacheData);
+        
+        // Validate and filter entries
+        const now = Date.now();
+        const validEntries = entries.filter(entry => {
+          const age = now - entry.data.timestamp;
+          return age < this.options.cacheTTL; // Only load entries that haven't expired
+        });
+        
+        // Restore cache
+        for (const entry of validEntries) {
+          this.reputationCache.set(entry.ip, entry.data);
+        }
+        
+        const source = fromFilesystem ? 'disk' : 'StorageManager';
+        logger.log('info', `Loaded ${validEntries.length} IP reputation cache entries from ${source}`);
      }
-    } catch (error: unknown) {
-      logger.log('error', `Failed to load IP reputation cache from database: ${(error as Error).message}`);
+    } catch (error) {
+      logger.log('error', `Failed to load IP reputation cache: ${error.message}`);
    }
  }
-
+  
  /**
   * Get the risk level for a reputation score
   * @param score Reputation score (0-100)
@@ -523,4 +599,21 @@ export class IPReputationChecker {
      return 'trusted';
    }
  }
-}
+  
+  /**
+   * Update the storage manager after instantiation
+   * This is useful when the storage manager is not available at construction time
+   * @param storageManager The StorageManager instance to use
+   */
+  public updateStorageManager(storageManager: any): void {
+    this.storageManager = storageManager;
+    logger.log('info', 'IPReputationChecker storage manager updated');
+    
+    // If cache is enabled and we have entries, save them to the new storage manager
+    if (this.options.enableLocalCache && this.reputationCache.size > 0) {
+      this.saveCache().catch(error => {
+        logger.log('error', `Failed to save cache to new storage manager: ${error.message}`);
+      });
+    }
+  }
+}
@@ -58,7 +58,7 @@ export interface ISecurityEvent {
 * Security logger for enhanced security monitoring
 */
 export class SecurityLogger {
-  private static instance: SecurityLogger | undefined;
+  private static instance: SecurityLogger;
  private securityEvents: ISecurityEvent[] = [];
  private maxEventHistory: number;
  private enableNotifications: boolean;
@@ -154,13 +154,11 @@ export class SecurityLogger {
      }
      
      if (filter.fromTimestamp) {
-        const fromTs = filter.fromTimestamp;
-        filteredEvents = filteredEvents.filter(event => event.timestamp >= fromTs);
+        filteredEvents = filteredEvents.filter(event => event.timestamp >= filter.fromTimestamp);
      }
-
+      
      if (filter.toTimestamp) {
-        const toTs = filter.toTimestamp;
-        filteredEvents = filteredEvents.filter(event => event.timestamp <= toTs);
+        filteredEvents = filteredEvents.filter(event => event.timestamp <= filter.toTimestamp);
      }
    }
    
@@ -7,7 +7,7 @@ import { smsConfigSchema } from './config/sms.schema.js';
 import { ConfigValidator } from '../config/validator.js';

 export class SmsService {
-  public projectinfo!: plugins.projectinfo.ProjectInfo;
+  public projectinfo: plugins.projectinfo.ProjectInfo;
  public typedrouter = new plugins.typedrequest.TypedRouter();
  public config: ISmsConfig;

@@ -16,7 +16,7 @@ export class SmsService {
    const validationResult = ConfigValidator.validate(options, smsConfigSchema);
    
    if (!validationResult.valid) {
-      logger.warn(`SMS service configuration has validation errors: ${validationResult.errors!.join(', ')}`);
+      logger.warn(`SMS service configuration has validation errors: ${validationResult.errors.join(', ')}`);
    }
    
    // Set configuration with defaults
@@ -30,7 +30,7 @@ export class SmsService {
   */
  public async start() {
    logger.log('info', `starting sms service`);
-    this.projectinfo = await plugins.projectinfo.ProjectInfo.create(paths.packageDir);
+    this.projectinfo = new plugins.projectinfo.ProjectInfo(paths.packageDir);
    this.typedrouter.addTypedHandler(
      new plugins.typedrequest.TypedHandler<plugins.servezoneInterfaces.platformservice.sms.IRequest_SendSms>(
        'sendSms',
@@ -0,0 +1,406 @@
+import * as plugins from '../plugins.js';
+import { logger } from '../logger.js';
+
+// Promisify filesystem operations
+const readFile = plugins.util.promisify(plugins.fs.readFile);
+const writeFile = plugins.util.promisify(plugins.fs.writeFile);
+const unlink = plugins.util.promisify(plugins.fs.unlink);
+const rename = plugins.util.promisify(plugins.fs.rename);
+const readdir = plugins.util.promisify(plugins.fs.readdir);
+
+/**
+ * Storage configuration interface
+ */
+export interface IStorageConfig {
+  /** Filesystem path for storage */
+  fsPath?: string;
+  /** Custom read function */
+  readFunction?: (key: string) => Promise<string>;
+  /** Custom write function */
+  writeFunction?: (key: string, value: string) => Promise<void>;
+}
+
+/**
+ * Storage backend type
+ */
+export type StorageBackend = 'filesystem' | 'custom' | 'memory';
+
+/**
+ * Central storage manager for DcRouter
+ * Provides unified key-value storage with multiple backend support
+ */
+export class StorageManager {
+  private static readonly MAX_MEMORY_ENTRIES = 10_000;
+  private backend: StorageBackend;
+  private memoryStore: Map<string, string> = new Map();
+  private config: IStorageConfig;
+  private fsBasePath?: string;
+  
+  constructor(config?: IStorageConfig) {
+    this.config = config || {};
+    
+    // Check if both fsPath and custom functions are provided
+    if (config?.fsPath && (config?.readFunction || config?.writeFunction)) {
+      console.warn(
+        '⚠️  WARNING: Both fsPath and custom read/write functions are configured.\n' +
+        '   Using custom read/write functions. fsPath will be ignored.'
+      );
+    }
+    
+    // Determine backend based on configuration
+    if (config?.readFunction && config?.writeFunction) {
+      this.backend = 'custom';
+    } else if (config?.fsPath) {
+      // Set up internal read/write functions for filesystem
+      this.backend = 'custom'; // Use custom backend with internal functions
+      this.fsBasePath = plugins.path.resolve(config.fsPath);
+      this.ensureDirectory(this.fsBasePath);
+      
+      // Set up internal filesystem read/write functions
+      this.config.readFunction = async (key: string) => {
+        return this.fsRead(key);
+      };
+      this.config.writeFunction = async (key: string, value: string) => {
+        await this.fsWrite(key, value);
+      };
+    } else {
+      this.backend = 'memory';
+      this.showMemoryWarning();
+    }
+    
+    logger.log('info', `StorageManager initialized with ${this.backend} backend`);
+  }
+  
+  /**
+   * Show warning when using memory backend
+   */
+  private showMemoryWarning(): void {
+    console.warn(
+      '⚠️  WARNING: StorageManager is using in-memory storage.\n' +
+      '   Data will be lost when the process restarts.\n' +
+      '   Configure storage.fsPath or storage functions for persistence.'
+    );
+  }
+  
+  /**
+   * Ensure directory exists for filesystem backend
+   */
+  private async ensureDirectory(dirPath: string): Promise<void> {
+    try {
+      await plugins.fsUtils.ensureDir(dirPath);
+    } catch (error) {
+      logger.log('error', `Failed to create storage directory: ${error.message}`);
+      throw error;
+    }
+  }
+  
+  /**
+   * Validate and sanitize storage key
+   */
+  private validateKey(key: string): string {
+    if (!key || typeof key !== 'string') {
+      throw new Error('Storage key must be a non-empty string');
+    }
+    
+    // Ensure key starts with /
+    if (!key.startsWith('/')) {
+      key = '/' + key;
+    }
+    
+    // Remove any dangerous path elements
+    key = key.replace(/\.\./g, '').replace(/\/+/g, '/');
+    
+    return key;
+  }
+  
+  /**
+   * Convert key to filesystem path
+   */
+  private keyToPath(key: string): string {
+    if (!this.fsBasePath) {
+      throw new Error('Filesystem base path not configured');
+    }
+    
+    // Remove leading slash and convert to path
+    const relativePath = key.substring(1);
+    return plugins.path.join(this.fsBasePath, relativePath);
+  }
+  
+  /**
+   * Internal filesystem read function
+   */
+  private async fsRead(key: string): Promise<string> {
+    const filePath = this.keyToPath(key);
+    try {
+      const content = await readFile(filePath, 'utf8');
+      return content;
+    } catch (error) {
+      if (error.code === 'ENOENT') {
+        return null;
+      }
+      throw error;
+    }
+  }
+  
+  /**
+   * Internal filesystem write function
+   */
+  private async fsWrite(key: string, value: string): Promise<void> {
+    const filePath = this.keyToPath(key);
+    const dir = plugins.path.dirname(filePath);
+    
+    // Ensure directory exists
+    await plugins.fsUtils.ensureDir(dir);
+    
+    // Write atomically with temp file
+    const tempPath = `${filePath}.tmp`;
+    await writeFile(tempPath, value, 'utf8');
+    await rename(tempPath, filePath);
+  }
+  
+  /**
+   * Get value by key
+   */
+  async get(key: string): Promise<string | null> {
+    key = this.validateKey(key);
+    
+    try {
+      switch (this.backend) {
+        
+        case 'custom': {
+          if (!this.config.readFunction) {
+            throw new Error('Read function not configured');
+          }
+          try {
+            return await this.config.readFunction(key);
+          } catch (error) {
+            // Assume null if read fails (key doesn't exist)
+            return null;
+          }
+        }
+        
+        case 'memory': {
+          return this.memoryStore.get(key) || null;
+        }
+        
+        default:
+          throw new Error(`Unknown backend: ${this.backend}`);
+      }
+    } catch (error) {
+      logger.log('error', `Storage get error for key ${key}: ${error.message}`);
+      throw error;
+    }
+  }
+  
+  /**
+   * Set value by key
+   */
+  async set(key: string, value: string): Promise<void> {
+    key = this.validateKey(key);
+    
+    if (typeof value !== 'string') {
+      throw new Error('Storage value must be a string');
+    }
+    
+    try {
+      switch (this.backend) {
+        case 'filesystem': {
+          const filePath = this.keyToPath(key);
+          const dirPath = plugins.path.dirname(filePath);
+          
+          // Ensure directory exists
+          await plugins.fsUtils.ensureDir(dirPath);
+          
+          // Write atomically
+          const tempPath = filePath + '.tmp';
+          await writeFile(tempPath, value, 'utf8');
+          await rename(tempPath, filePath);
+          break;
+        }
+        
+        case 'custom': {
+          if (!this.config.writeFunction) {
+            throw new Error('Write function not configured');
+          }
+          await this.config.writeFunction(key, value);
+          break;
+        }
+        
+        case 'memory': {
+          this.memoryStore.set(key, value);
+          // Evict oldest entries if memory store exceeds limit
+          while (this.memoryStore.size > StorageManager.MAX_MEMORY_ENTRIES) {
+            const firstKey = this.memoryStore.keys().next().value;
+            this.memoryStore.delete(firstKey);
+          }
+          break;
+        }
+        
+        default:
+          throw new Error(`Unknown backend: ${this.backend}`);
+      }
+    } catch (error) {
+      logger.log('error', `Storage set error for key ${key}: ${error.message}`);
+      throw error;
+    }
+  }
+  
+  /**
+   * Delete value by key
+   */
+  async delete(key: string): Promise<void> {
+    key = this.validateKey(key);
+    
+    try {
+      switch (this.backend) {
+        case 'filesystem': {
+          const filePath = this.keyToPath(key);
+          try {
+            await unlink(filePath);
+          } catch (error) {
+            if (error.code !== 'ENOENT') {
+              throw error;
+            }
+          }
+          break;
+        }
+        
+        case 'custom': {
+          // Try to delete by setting empty value
+          if (this.config.writeFunction) {
+            await this.config.writeFunction(key, '');
+          }
+          break;
+        }
+        
+        case 'memory': {
+          this.memoryStore.delete(key);
+          break;
+        }
+        
+        default:
+          throw new Error(`Unknown backend: ${this.backend}`);
+      }
+    } catch (error) {
+      logger.log('error', `Storage delete error for key ${key}: ${error.message}`);
+      throw error;
+    }
+  }
+  
+  /**
+   * List keys by prefix
+   */
+  async list(prefix?: string): Promise<string[]> {
+    prefix = prefix ? this.validateKey(prefix) : '/';
+    
+    try {
+      switch (this.backend) {
+        case 'custom': {
+          // If we have fsBasePath, this is actually filesystem backend
+          if (this.fsBasePath) {
+            const basePath = this.keyToPath(prefix);
+            const keys: string[] = [];
+            
+            const walkDir = async (dir: string, baseDir: string): Promise<void> => {
+              try {
+                const entries = await readdir(dir, { withFileTypes: true });
+                
+                for (const entry of entries) {
+                  const fullPath = plugins.path.join(dir, entry.name);
+                  
+                  if (entry.isDirectory()) {
+                    await walkDir(fullPath, baseDir);
+                  } else if (entry.isFile()) {
+                    // Convert path back to key
+                    const relativePath = plugins.path.relative(this.fsBasePath!, fullPath);
+                    const key = '/' + relativePath.replace(/\\/g, '/');
+                    if (key.startsWith(prefix)) {
+                      keys.push(key);
+                    }
+                  }
+                }
+              } catch (error) {
+                if (error.code !== 'ENOENT') {
+                  throw error;
+                }
+              }
+            };
+            
+            await walkDir(basePath, basePath);
+            return keys.sort();
+          } else {
+            // True custom backends need to implement their own listing
+            logger.log('warn', 'List operation not supported for custom backend');
+            return [];
+          }
+        }
+        
+        case 'memory': {
+          const keys: string[] = [];
+          for (const key of this.memoryStore.keys()) {
+            if (key.startsWith(prefix)) {
+              keys.push(key);
+            }
+          }
+          return keys.sort();
+        }
+        
+        default:
+          throw new Error(`Unknown backend: ${this.backend}`);
+      }
+    } catch (error) {
+      logger.log('error', `Storage list error for prefix ${prefix}: ${error.message}`);
+      throw error;
+    }
+  }
+  
+  /**
+   * Check if key exists
+   */
+  async exists(key: string): Promise<boolean> {
+    key = this.validateKey(key);
+    
+    try {
+      const value = await this.get(key);
+      return value !== null;
+    } catch (error) {
+      return false;
+    }
+  }
+  
+  /**
+   * Get storage backend type
+   */
+  getBackend(): StorageBackend {
+    // If we're using custom backend with fsBasePath, report it as filesystem
+    if (this.backend === 'custom' && this.fsBasePath) {
+      return 'filesystem' as StorageBackend;
+    }
+    return this.backend;
+  }
+  
+  /**
+   * JSON helper: Get and parse JSON value
+   */
+  async getJSON<T = any>(key: string): Promise<T | null> {
+    const value = await this.get(key);
+    if (value === null || value.trim() === '') {
+      return null;
+    }
+    
+    try {
+      return JSON.parse(value) as T;
+    } catch (error) {
+      logger.log('error', `Failed to parse JSON for key ${key}: ${error.message}`);
+      throw error;
+    }
+  }
+  
+  /**
+   * JSON helper: Set value as JSON
+   */
+  async setJSON(key: string, value: any): Promise<void> {
+    const jsonString = JSON.stringify(value, null, 2);
+    await this.set(key, jsonString);
+  }
+}
@@ -0,0 +1,2 @@
+// Storage module exports
+export * from './classes.storagemanager.js';
@@ -1,3 +1,3 @@
 {
-  "order": 3
+  "order": 2
 }
@@ -1,563 +0,0 @@
-import * as plugins from '../plugins.js';
-import { logger } from '../logger.js';
-import { VpnServerKeysDoc, VpnClientDoc } from '../db/index.js';
-
-export interface IVpnManagerConfig {
-  /** VPN subnet CIDR (default: '10.8.0.0/24') */
-  subnet?: string;
-  /** WireGuard UDP listen port (default: 51820) */
-  wgListenPort?: number;
-  /** DNS servers pushed to VPN clients */
-  dns?: string[];
-  /** Server endpoint hostname for client configs (e.g. 'vpn.example.com') */
-  serverEndpoint?: string;
-  /** Pre-defined VPN clients created on startup (idempotent — skips already-persisted clients) */
-  initialClients?: Array<{
-    clientId: string;
-    targetProfileIds?: string[];
-    description?: string;
-  }>;
-  /** Called when clients are created/deleted/toggled — triggers route re-application */
-  onClientChanged?: () => void;
-  /** Destination routing policy override. Default: forceTarget to 127.0.0.1 */
-  destinationPolicy?: {
-    default: 'forceTarget' | 'block' | 'allow';
-    target?: string;
-    allowList?: string[];
-    blockList?: string[];
-  };
-  /** Compute per-client AllowedIPs based on the client's target profile IDs.
-   *  Called at config generation time (create/export). Returns CIDRs for WireGuard AllowedIPs.
-   *  When not set, defaults to [subnet]. */
-  getClientAllowedIPs?: (targetProfileIds: string[]) => Promise<string[]>;
-  /** Resolve per-client destination allow-list IPs from target profile IDs.
-   *  Returns IP strings that should bypass forceTarget and go direct to the real destination. */
-  getClientDirectTargets?: (targetProfileIds: string[]) => string[];
-  /** Forwarding mode: 'socket' (default, userspace NAT), 'bridge' (L2 bridge to host LAN),
-   *  or 'hybrid' (socket default, bridge for clients with useHostIp=true) */
-  forwardingMode?: 'socket' | 'bridge' | 'hybrid';
-  /** LAN subnet CIDR for bridge mode (e.g., '192.168.1.0/24') */
-  bridgeLanSubnet?: string;
-  /** Physical network interface for bridge mode (auto-detected if omitted) */
-  bridgePhysicalInterface?: string;
-  /** Start of VPN client IP range in LAN subnet (host offset, default: 200) */
-  bridgeIpRangeStart?: number;
-  /** End of VPN client IP range in LAN subnet (host offset, default: 250) */
-  bridgeIpRangeEnd?: number;
-}
-
-/**
- * Manages the SmartVPN server lifecycle and VPN client CRUD.
- * Persists server keys and client registrations via smartdata document classes.
- */
-export class VpnManager {
-  private config: IVpnManagerConfig;
-  private vpnServer?: plugins.smartvpn.VpnServer;
-  private clients: Map<string, VpnClientDoc> = new Map();
-  private serverKeys?: VpnServerKeysDoc;
-
-  constructor(config: IVpnManagerConfig) {
-    this.config = config;
-  }
-
-  /** The VPN subnet CIDR. */
-  public getSubnet(): string {
-    return this.config.subnet || '10.8.0.0/24';
-  }
-
-  /** Whether the VPN server is running. */
-  public get running(): boolean {
-    return this.vpnServer?.running ?? false;
-  }
-
-  /**
-   * Start the VPN server.
-   * Loads or generates server keys, loads persisted clients, starts VpnServer.
-   */
-  public async start(): Promise<void> {
-    // Load or generate server keys
-    this.serverKeys = await this.loadOrGenerateServerKeys();
-
-    // Load persisted clients
-    await this.loadPersistedClients();
-
-    // Build client entries for the daemon
-    const clientEntries: plugins.smartvpn.IClientEntry[] = [];
-    let anyClientUsesHostIp = false;
-    for (const client of this.clients.values()) {
-      if (client.useHostIp) {
-        anyClientUsesHostIp = true;
-      }
-      const entry: plugins.smartvpn.IClientEntry = {
-        clientId: client.clientId,
-        publicKey: client.noisePublicKey,
-        wgPublicKey: client.wgPublicKey,
-        enabled: client.enabled,
-        description: client.description,
-        assignedIp: client.assignedIp,
-        expiresAt: client.expiresAt,
-        security: this.buildClientSecurity(client),
-      };
-      // Pass per-client bridge fields if present (for hybrid/bridge mode)
-      if (client.useHostIp !== undefined) (entry as any).useHostIp = client.useHostIp;
-      if (client.useDhcp !== undefined) (entry as any).useDhcp = client.useDhcp;
-      if (client.staticIp !== undefined) (entry as any).staticIp = client.staticIp;
-      if (client.forceVlan !== undefined) (entry as any).forceVlan = client.forceVlan;
-      if (client.vlanId !== undefined) (entry as any).vlanId = client.vlanId;
-      clientEntries.push(entry);
-    }
-
-    const subnet = this.getSubnet();
-    const wgListenPort = this.config.wgListenPort ?? 51820;
-
-    // Auto-detect hybrid mode: if any persisted client uses host IP and mode is
-    // 'socket' (or unset), upgrade to 'hybrid' so the daemon can handle both
-    let configuredMode = this.config.forwardingMode ?? 'socket';
-    if (anyClientUsesHostIp && configuredMode === 'socket') {
-      configuredMode = 'hybrid';
-      logger.log('info', 'VPN: Auto-upgrading forwarding mode to hybrid (client with useHostIp detected)');
-    }
-    const forwardingMode = configuredMode === 'hybrid' ? 'hybrid' : configuredMode;
-    const isBridge = forwardingMode === 'bridge';
-
-    // Create and start VpnServer
-    this.vpnServer = new plugins.smartvpn.VpnServer({
-      transport: { transport: 'stdio' },
-    });
-
-    // Default destination policy: bridge mode allows traffic through directly,
-    // socket mode forces traffic to SmartProxy on 127.0.0.1
-    const defaultDestinationPolicy: plugins.smartvpn.IDestinationPolicy = isBridge
-      ? { default: 'allow' as const }
-      : { default: 'forceTarget' as const, target: '127.0.0.1' };
-
-    const serverConfig: plugins.smartvpn.IVpnServerConfig = {
-      listenAddr: '0.0.0.0:0', // WS listener not strictly needed but required field
-      privateKey: this.serverKeys.noisePrivateKey,
-      publicKey: this.serverKeys.noisePublicKey,
-      subnet,
-      dns: this.config.dns,
-      forwardingMode: forwardingMode as any,
-      transportMode: 'all',
-      wgPrivateKey: this.serverKeys.wgPrivateKey,
-      wgListenPort,
-      clients: clientEntries,
-      socketForwardProxyProtocol: !isBridge,
-      destinationPolicy: this.config.destinationPolicy ?? defaultDestinationPolicy,
-      serverEndpoint: this.config.serverEndpoint
-        ? `${this.config.serverEndpoint}:${wgListenPort}`
-        : undefined,
-      clientAllowedIPs: [subnet],
-      // Bridge-specific config
-      ...(isBridge ? {
-        bridgeLanSubnet: this.config.bridgeLanSubnet,
-        bridgePhysicalInterface: this.config.bridgePhysicalInterface,
-        bridgeIpRangeStart: this.config.bridgeIpRangeStart,
-        bridgeIpRangeEnd: this.config.bridgeIpRangeEnd,
-      } : {}),
-    };
-
-    await this.vpnServer.start(serverConfig);
-
-    // Create initial clients from config (idempotent — skip already-persisted)
-    if (this.config.initialClients) {
-      for (const initial of this.config.initialClients) {
-        if (!this.clients.has(initial.clientId)) {
-          const bundle = await this.createClient({
-            clientId: initial.clientId,
-            targetProfileIds: initial.targetProfileIds,
-            description: initial.description,
-          });
-          logger.log('info', `VPN: Created initial client '${initial.clientId}' (IP: ${bundle.entry.assignedIp})`);
-        }
-      }
-    }
-
-    logger.log('info', `VPN server started: subnet=${subnet}, wg=:${wgListenPort}, clients=${this.clients.size}`);
-  }
-
-  /**
-   * Stop the VPN server.
-   */
-  public async stop(): Promise<void> {
-    if (this.vpnServer) {
-      try {
-        await this.vpnServer.stopServer();
-      } catch {
-        // Ignore stop errors
-      }
-      this.vpnServer.stop();
-      this.vpnServer = undefined;
-    }
-    logger.log('info', 'VPN server stopped');
-  }
-
-  // ── Client CRUD ────────────────────────────────────────────────────────
-
-  /**
-   * Create a new VPN client. Returns the config bundle (secrets only shown once).
-   */
-  public async createClient(opts: {
-    clientId: string;
-    targetProfileIds?: string[];
-    description?: string;
-    destinationAllowList?: string[];
-    destinationBlockList?: string[];
-    useHostIp?: boolean;
-    useDhcp?: boolean;
-    staticIp?: string;
-    forceVlan?: boolean;
-    vlanId?: number;
-  }): Promise<plugins.smartvpn.IClientConfigBundle> {
-    if (!this.vpnServer) {
-      throw new Error('VPN server not running');
-    }
-
-    const bundle = await this.vpnServer.createClient({
-      clientId: opts.clientId,
-      description: opts.description,
-    });
-
-    // Override AllowedIPs with per-client values based on target profiles
-    if (this.config.getClientAllowedIPs && bundle.wireguardConfig) {
-      const allowedIPs = await this.config.getClientAllowedIPs(opts.targetProfileIds || []);
-      bundle.wireguardConfig = bundle.wireguardConfig.replace(
-        /AllowedIPs\s*=\s*.+/,
-        `AllowedIPs = ${allowedIPs.join(', ')}`,
-      );
-    }
-
-    // Persist client entry (including WG private key for export/QR)
-    const doc = new VpnClientDoc();
-    doc.clientId = bundle.entry.clientId;
-    doc.enabled = bundle.entry.enabled ?? true;
-    doc.targetProfileIds = opts.targetProfileIds;
-    doc.description = bundle.entry.description;
-    doc.assignedIp = bundle.entry.assignedIp;
-    doc.noisePublicKey = bundle.entry.publicKey;
-    doc.wgPublicKey = bundle.entry.wgPublicKey || '';
-    doc.wgPrivateKey = bundle.secrets?.wgPrivateKey
-      || bundle.wireguardConfig?.match(/PrivateKey\s*=\s*(.+)/)?.[1]?.trim();
-    doc.createdAt = Date.now();
-    doc.updatedAt = Date.now();
-    doc.expiresAt = bundle.entry.expiresAt;
-    if (opts.destinationAllowList !== undefined) {
-      doc.destinationAllowList = opts.destinationAllowList;
-    }
-    if (opts.destinationBlockList !== undefined) {
-      doc.destinationBlockList = opts.destinationBlockList;
-    }
-    if (opts.useHostIp !== undefined) {
-      doc.useHostIp = opts.useHostIp;
-    }
-    if (opts.useDhcp !== undefined) {
-      doc.useDhcp = opts.useDhcp;
-    }
-    if (opts.staticIp !== undefined) {
-      doc.staticIp = opts.staticIp;
-    }
-    if (opts.forceVlan !== undefined) {
-      doc.forceVlan = opts.forceVlan;
-    }
-    if (opts.vlanId !== undefined) {
-      doc.vlanId = opts.vlanId;
-    }
-    this.clients.set(doc.clientId, doc);
-    try {
-      await this.persistClient(doc);
-    } catch (err) {
-      // Rollback: remove from in-memory map and daemon to stay consistent with DB
-      this.clients.delete(doc.clientId);
-      try {
-        await this.vpnServer!.removeClient(doc.clientId);
-      } catch {
-        // best-effort daemon cleanup
-      }
-      throw err;
-    }
-
-    // Sync per-client security to the running daemon
-    const security = this.buildClientSecurity(doc);
-    if (security.destinationPolicy) {
-      await this.vpnServer!.updateClient(doc.clientId, { security });
-    }
-
-    this.config.onClientChanged?.();
-    return bundle;
-  }
-
-  /**
-   * Remove a VPN client.
-   */
-  public async removeClient(clientId: string): Promise<void> {
-    if (!this.vpnServer) {
-      throw new Error('VPN server not running');
-    }
-    await this.vpnServer.removeClient(clientId);
-    const doc = this.clients.get(clientId);
-    this.clients.delete(clientId);
-    if (doc) {
-      await doc.delete();
-    }
-    this.config.onClientChanged?.();
-  }
-
-  /**
-   * List all registered clients (without secrets).
-   */
-  public listClients(): VpnClientDoc[] {
-    return [...this.clients.values()];
-  }
-
-  /**
-   * Enable a client.
-   */
-  public async enableClient(clientId: string): Promise<void> {
-    if (!this.vpnServer) throw new Error('VPN server not running');
-    await this.vpnServer.enableClient(clientId);
-    const client = this.clients.get(clientId);
-    if (client) {
-      client.enabled = true;
-      client.updatedAt = Date.now();
-      await this.persistClient(client);
-    }
-    this.config.onClientChanged?.();
-  }
-
-  /**
-   * Disable a client.
-   */
-  public async disableClient(clientId: string): Promise<void> {
-    if (!this.vpnServer) throw new Error('VPN server not running');
-    await this.vpnServer.disableClient(clientId);
-    const client = this.clients.get(clientId);
-    if (client) {
-      client.enabled = false;
-      client.updatedAt = Date.now();
-      await this.persistClient(client);
-    }
-    this.config.onClientChanged?.();
-  }
-
-  /**
-   * Update a client's metadata (description, target profiles) without rotating keys.
-   */
-  public async updateClient(clientId: string, update: {
-    description?: string;
-    targetProfileIds?: string[];
-    destinationAllowList?: string[];
-    destinationBlockList?: string[];
-    useHostIp?: boolean;
-    useDhcp?: boolean;
-    staticIp?: string;
-    forceVlan?: boolean;
-    vlanId?: number;
-  }): Promise<void> {
-    const client = this.clients.get(clientId);
-    if (!client) throw new Error(`Client not found: ${clientId}`);
-    if (update.description !== undefined) client.description = update.description;
-    if (update.targetProfileIds !== undefined) client.targetProfileIds = update.targetProfileIds;
-    if (update.destinationAllowList !== undefined) client.destinationAllowList = update.destinationAllowList;
-    if (update.destinationBlockList !== undefined) client.destinationBlockList = update.destinationBlockList;
-    if (update.useHostIp !== undefined) client.useHostIp = update.useHostIp;
-    if (update.useDhcp !== undefined) client.useDhcp = update.useDhcp;
-    if (update.staticIp !== undefined) client.staticIp = update.staticIp;
-    if (update.forceVlan !== undefined) client.forceVlan = update.forceVlan;
-    if (update.vlanId !== undefined) client.vlanId = update.vlanId;
-    client.updatedAt = Date.now();
-    await this.persistClient(client);
-
-    // Sync per-client security to the running daemon
-    if (this.vpnServer) {
-      const security = this.buildClientSecurity(client);
-      await this.vpnServer.updateClient(clientId, { security });
-    }
-
-    this.config.onClientChanged?.();
-  }
-
-  /**
-   * Rotate a client's keys. Returns the new config bundle.
-   */
-  public async rotateClientKey(clientId: string): Promise<plugins.smartvpn.IClientConfigBundle> {
-    if (!this.vpnServer) throw new Error('VPN server not running');
-    const bundle = await this.vpnServer.rotateClientKey(clientId);
-
-    // Update persisted entry with new keys (including private key for export/QR)
-    const client = this.clients.get(clientId);
-    if (client) {
-      client.noisePublicKey = bundle.entry.publicKey;
-      client.wgPublicKey = bundle.entry.wgPublicKey || '';
-      client.wgPrivateKey = bundle.secrets?.wgPrivateKey
-        || bundle.wireguardConfig?.match(/PrivateKey\s*=\s*(.+)/)?.[1]?.trim();
-      client.updatedAt = Date.now();
-      await this.persistClient(client);
-    }
-
-    return bundle;
-  }
-
-  /**
-   * Export a client config. Injects stored WG private key and per-client AllowedIPs.
-   */
-  public async exportClientConfig(clientId: string, format: 'smartvpn' | 'wireguard'): Promise<string> {
-    if (!this.vpnServer) throw new Error('VPN server not running');
-    let config = await this.vpnServer.exportClientConfig(clientId, format);
-
-    if (format === 'wireguard') {
-      const persisted = this.clients.get(clientId);
-
-      // Inject stored WG private key so exports produce valid, scannable configs
-      if (persisted?.wgPrivateKey) {
-        config = config.replace(
-          '[Interface]\n',
-          `[Interface]\nPrivateKey = ${persisted.wgPrivateKey}\n`,
-        );
-      }
-
-      // Override AllowedIPs with per-client values based on target profiles
-      if (this.config.getClientAllowedIPs) {
-        const profileIds = persisted?.targetProfileIds || [];
-        const allowedIPs = await this.config.getClientAllowedIPs(profileIds);
-        config = config.replace(
-          /AllowedIPs\s*=\s*.+/,
-          `AllowedIPs = ${allowedIPs.join(', ')}`,
-        );
-      }
-    }
-
-    return config;
-  }
-
-  // ── Status and telemetry ───────────────────────────────────────────────
-
-  /**
-   * Get server status.
-   */
-  public async getStatus(): Promise<plugins.smartvpn.IVpnStatus | null> {
-    if (!this.vpnServer) return null;
-    return this.vpnServer.getStatus();
-  }
-
-  /**
-   * Get server statistics.
-   */
-  public async getStatistics(): Promise<plugins.smartvpn.IVpnServerStatistics | null> {
-    if (!this.vpnServer) return null;
-    return this.vpnServer.getStatistics();
-  }
-
-  /**
-   * List currently connected clients.
-   */
-  public async getConnectedClients(): Promise<plugins.smartvpn.IVpnClientInfo[]> {
-    if (!this.vpnServer) return [];
-    return this.vpnServer.listClients();
-  }
-
-  /**
-   * Get telemetry for a specific client.
-   */
-  public async getClientTelemetry(clientId: string): Promise<plugins.smartvpn.IVpnClientTelemetry | null> {
-    if (!this.vpnServer) return null;
-    return this.vpnServer.getClientTelemetry(clientId);
-  }
-
-  /**
-   * Get server public keys (for display/info).
-   */
-  public getServerPublicKeys(): { noisePublicKey: string; wgPublicKey: string } | null {
-    if (!this.serverKeys) return null;
-    return {
-      noisePublicKey: this.serverKeys.noisePublicKey,
-      wgPublicKey: this.serverKeys.wgPublicKey,
-    };
-  }
-
-  // ── Per-client security ────────────────────────────────────────────────
-
-  /**
-   * Build per-client security settings for the smartvpn daemon.
-   * All VPN traffic is forced through SmartProxy (forceTarget to 127.0.0.1).
-   * TargetProfile direct IP:port targets bypass SmartProxy via allowList.
-   */
-  private buildClientSecurity(client: VpnClientDoc): plugins.smartvpn.IClientSecurity {
-    const security: plugins.smartvpn.IClientSecurity = {};
-
-    // Collect direct targets from assigned TargetProfiles (bypass forceTarget for these IPs)
-    const profileDirectTargets = this.config.getClientDirectTargets?.(client.targetProfileIds || []) || [];
-
-    // Merge with per-client explicit allow list
-    const mergedAllowList = [
-      ...(client.destinationAllowList || []),
-      ...profileDirectTargets,
-    ];
-
-    security.destinationPolicy = {
-      default: 'forceTarget' as const,
-      target: '127.0.0.1',
-      allowList: mergedAllowList.length ? mergedAllowList : undefined,
-      blockList: client.destinationBlockList,
-    };
-
-    return security;
-  }
-
-  /**
-   * Refresh all client security policies against the running daemon.
-   * Call this when TargetProfiles change so destination allow-lists stay in sync.
-   */
-  public async refreshAllClientSecurity(): Promise<void> {
-    if (!this.vpnServer) return;
-    for (const client of this.clients.values()) {
-      const security = this.buildClientSecurity(client);
-      if (security.destinationPolicy) {
-        await this.vpnServer.updateClient(client.clientId, { security });
-      }
-    }
-  }
-
-  // ── Private helpers ────────────────────────────────────────────────────
-
-  private async loadOrGenerateServerKeys(): Promise<VpnServerKeysDoc> {
-    const stored = await VpnServerKeysDoc.load();
-    if (stored?.noisePrivateKey && stored?.wgPrivateKey) {
-      logger.log('info', 'Loaded VPN server keys from storage');
-      return stored;
-    }
-
-    // Generate new keys via the daemon
-    const tempServer = new plugins.smartvpn.VpnServer({
-      transport: { transport: 'stdio' },
-    });
-    await tempServer.start();
-
-    const noiseKeys = await tempServer.generateKeypair();
-    const wgKeys = await tempServer.generateWgKeypair();
-    tempServer.stop();
-
-    const doc = stored || new VpnServerKeysDoc();
-    doc.noisePrivateKey = noiseKeys.privateKey;
-    doc.noisePublicKey = noiseKeys.publicKey;
-    doc.wgPrivateKey = wgKeys.privateKey;
-    doc.wgPublicKey = wgKeys.publicKey;
-    await doc.save();
-
-    logger.log('info', 'Generated and persisted new VPN server keys');
-    return doc;
-  }
-
-  private async loadPersistedClients(): Promise<void> {
-    const docs = await VpnClientDoc.findAll();
-    for (const doc of docs) {
-      this.clients.set(doc.clientId, doc);
-    }
-    if (this.clients.size > 0) {
-      logger.log('info', `Loaded ${this.clients.size} persisted VPN client(s)`);
-    }
-  }
-
-  private async persistClient(client: VpnClientDoc): Promise<void> {
-    await client.save();
-  }
-}
@@ -1 +0,0 @@
-export * from './classes.vpn-manager.js';
@@ -1,157 +0,0 @@
-import * as interfaces from '../ts_interfaces/index.js';
-import type { DcRouterApiClient } from './classes.dcrouterapiclient.js';
-
-export class ApiToken {
-  private clientRef: DcRouterApiClient;
-
-  // Data from IApiTokenInfo
-  public id: string;
-  public name: string;
-  public scopes: interfaces.data.TApiTokenScope[];
-  public createdAt: number;
-  public expiresAt: number | null;
-  public lastUsedAt: number | null;
-  public enabled: boolean;
-
-  /** Only set on creation or roll. Not persisted on server side. */
-  public tokenValue?: string;
-
-  constructor(clientRef: DcRouterApiClient, data: interfaces.data.IApiTokenInfo, tokenValue?: string) {
-    this.clientRef = clientRef;
-    this.id = data.id;
-    this.name = data.name;
-    this.scopes = data.scopes;
-    this.createdAt = data.createdAt;
-    this.expiresAt = data.expiresAt;
-    this.lastUsedAt = data.lastUsedAt;
-    this.enabled = data.enabled;
-    this.tokenValue = tokenValue;
-  }
-
-  public async revoke(): Promise<void> {
-    const response = await this.clientRef.request<interfaces.requests.IReq_RevokeApiToken>(
-      'revokeApiToken',
-      this.clientRef.buildRequestPayload({ id: this.id }) as any,
-    );
-    if (!response.success) {
-      throw new Error(response.message || 'Failed to revoke token');
-    }
-  }
-
-  public async roll(): Promise<string> {
-    const response = await this.clientRef.request<interfaces.requests.IReq_RollApiToken>(
-      'rollApiToken',
-      this.clientRef.buildRequestPayload({ id: this.id }) as any,
-    );
-    if (!response.success) {
-      throw new Error(response.message || 'Failed to roll token');
-    }
-    this.tokenValue = response.tokenValue;
-    return response.tokenValue!;
-  }
-
-  public async toggle(enabled: boolean): Promise<void> {
-    const response = await this.clientRef.request<interfaces.requests.IReq_ToggleApiToken>(
-      'toggleApiToken',
-      this.clientRef.buildRequestPayload({ id: this.id, enabled }) as any,
-    );
-    if (!response.success) {
-      throw new Error(response.message || 'Failed to toggle token');
-    }
-    this.enabled = enabled;
-  }
-}
-
-export class ApiTokenBuilder {
-  private clientRef: DcRouterApiClient;
-  private tokenName: string = '';
-  private tokenScopes: interfaces.data.TApiTokenScope[] = [];
-  private tokenExpiresInDays?: number | null;
-
-  constructor(clientRef: DcRouterApiClient) {
-    this.clientRef = clientRef;
-  }
-
-  public setName(name: string): this {
-    this.tokenName = name;
-    return this;
-  }
-
-  public setScopes(scopes: interfaces.data.TApiTokenScope[]): this {
-    this.tokenScopes = scopes;
-    return this;
-  }
-
-  public addScope(scope: interfaces.data.TApiTokenScope): this {
-    if (!this.tokenScopes.includes(scope)) {
-      this.tokenScopes.push(scope);
-    }
-    return this;
-  }
-
-  public setExpiresInDays(days: number | null): this {
-    this.tokenExpiresInDays = days;
-    return this;
-  }
-
-  public async save(): Promise<ApiToken> {
-    const response = await this.clientRef.request<interfaces.requests.IReq_CreateApiToken>(
-      'createApiToken',
-      this.clientRef.buildRequestPayload({
-        name: this.tokenName,
-        scopes: this.tokenScopes,
-        expiresInDays: this.tokenExpiresInDays,
-      }) as any,
-    );
-    if (!response.success) {
-      throw new Error(response.message || 'Failed to create API token');
-    }
-    return new ApiToken(
-      this.clientRef,
-      {
-        id: response.tokenId!,
-        name: this.tokenName,
-        scopes: this.tokenScopes,
-        createdAt: Date.now(),
-        expiresAt: this.tokenExpiresInDays
-          ? Date.now() + this.tokenExpiresInDays * 24 * 60 * 60 * 1000
-          : null,
-        lastUsedAt: null,
-        enabled: true,
-      },
-      response.tokenValue,
-    );
-  }
-}
-
-export class ApiTokenManager {
-  private clientRef: DcRouterApiClient;
-
-  constructor(clientRef: DcRouterApiClient) {
-    this.clientRef = clientRef;
-  }
-
-  public async list(): Promise<ApiToken[]> {
-    const response = await this.clientRef.request<interfaces.requests.IReq_ListApiTokens>(
-      'listApiTokens',
-      this.clientRef.buildRequestPayload() as any,
-    );
-    return response.tokens.map((t) => new ApiToken(this.clientRef, t));
-  }
-
-  public async create(options: {
-    name: string;
-    scopes: interfaces.data.TApiTokenScope[];
-    expiresInDays?: number | null;
-  }): Promise<ApiToken> {
-    return this.build()
-      .setName(options.name)
-      .setScopes(options.scopes)
-      .setExpiresInDays(options.expiresInDays ?? null)
-      .save();
-  }
-
-  public build(): ApiTokenBuilder {
-    return new ApiTokenBuilder(this.clientRef);
-  }
-}
@@ -1,123 +0,0 @@
-import * as interfaces from '../ts_interfaces/index.js';
-import type { DcRouterApiClient } from './classes.dcrouterapiclient.js';
-
-export class Certificate {
-  private clientRef: DcRouterApiClient;
-
-  // Data from ICertificateInfo
-  public domain: string;
-  public routeNames: string[];
-  public status: interfaces.requests.TCertificateStatus;
-  public source: interfaces.requests.TCertificateSource;
-  public tlsMode: 'terminate' | 'terminate-and-reencrypt' | 'passthrough';
-  public expiryDate?: string;
-  public issuer?: string;
-  public issuedAt?: string;
-  public error?: string;
-  public canReprovision: boolean;
-  public backoffInfo?: {
-    failures: number;
-    retryAfter?: string;
-    lastError?: string;
-  };
-
-  constructor(clientRef: DcRouterApiClient, data: interfaces.requests.ICertificateInfo) {
-    this.clientRef = clientRef;
-    this.domain = data.domain;
-    this.routeNames = data.routeNames;
-    this.status = data.status;
-    this.source = data.source;
-    this.tlsMode = data.tlsMode;
-    this.expiryDate = data.expiryDate;
-    this.issuer = data.issuer;
-    this.issuedAt = data.issuedAt;
-    this.error = data.error;
-    this.canReprovision = data.canReprovision;
-    this.backoffInfo = data.backoffInfo;
-  }
-
-  public async reprovision(): Promise<void> {
-    const response = await this.clientRef.request<interfaces.requests.IReq_ReprovisionCertificateDomain>(
-      'reprovisionCertificateDomain',
-      this.clientRef.buildRequestPayload({ domain: this.domain }) as any,
-    );
-    if (!response.success) {
-      throw new Error(response.message || 'Failed to reprovision certificate');
-    }
-  }
-
-  public async delete(): Promise<void> {
-    const response = await this.clientRef.request<interfaces.requests.IReq_DeleteCertificate>(
-      'deleteCertificate',
-      this.clientRef.buildRequestPayload({ domain: this.domain }) as any,
-    );
-    if (!response.success) {
-      throw new Error(response.message || 'Failed to delete certificate');
-    }
-  }
-
-  public async export(): Promise<{
-    id: string;
-    domainName: string;
-    created: number;
-    validUntil: number;
-    privateKey: string;
-    publicKey: string;
-    csr: string;
-  } | undefined> {
-    const response = await this.clientRef.request<interfaces.requests.IReq_ExportCertificate>(
-      'exportCertificate',
-      this.clientRef.buildRequestPayload({ domain: this.domain }) as any,
-    );
-    if (!response.success) {
-      throw new Error(response.message || 'Failed to export certificate');
-    }
-    return response.cert;
-  }
-}
-
-export interface ICertificateSummary {
-  total: number;
-  valid: number;
-  expiring: number;
-  expired: number;
-  failed: number;
-  unknown: number;
-}
-
-export class CertificateManager {
-  private clientRef: DcRouterApiClient;
-
-  constructor(clientRef: DcRouterApiClient) {
-    this.clientRef = clientRef;
-  }
-
-  public async list(): Promise<{ certificates: Certificate[]; summary: ICertificateSummary }> {
-    const response = await this.clientRef.request<interfaces.requests.IReq_GetCertificateOverview>(
-      'getCertificateOverview',
-      this.clientRef.buildRequestPayload() as any,
-    );
-    return {
-      certificates: response.certificates.map((c) => new Certificate(this.clientRef, c)),
-      summary: response.summary,
-    };
-  }
-
-  public async import(cert: {
-    id: string;
-    domainName: string;
-    created: number;
-    validUntil: number;
-    privateKey: string;
-    publicKey: string;
-    csr: string;
-  }): Promise<void> {
-    const response = await this.clientRef.request<interfaces.requests.IReq_ImportCertificate>(
-      'importCertificate',
-      this.clientRef.buildRequestPayload({ cert }) as any,
-    );
-    if (!response.success) {
-      throw new Error(response.message || 'Failed to import certificate');
-    }
-  }
-}
@@ -1,17 +0,0 @@
-import * as interfaces from '../ts_interfaces/index.js';
-import type { DcRouterApiClient } from './classes.dcrouterapiclient.js';
-
-export class ConfigManager {
-  private clientRef: DcRouterApiClient;
-
-  constructor(clientRef: DcRouterApiClient) {
-    this.clientRef = clientRef;
-  }
-
-  public async get(section?: string): Promise<interfaces.requests.IReq_GetConfiguration['response']> {
-    return this.clientRef.request<interfaces.requests.IReq_GetConfiguration>(
-      'getConfiguration',
-      this.clientRef.buildRequestPayload({ section }) as any,
-    );
-  }
-}
@@ -1,112 +0,0 @@
-import * as plugins from './plugins.js';
-import * as interfaces from '../ts_interfaces/index.js';
-
-import { RouteManager } from './classes.route.js';
-import { CertificateManager } from './classes.certificate.js';
-import { ApiTokenManager } from './classes.apitoken.js';
-import { RemoteIngressManager } from './classes.remoteingress.js';
-import { StatsManager } from './classes.stats.js';
-import { ConfigManager } from './classes.config.js';
-import { LogManager } from './classes.logs.js';
-import { EmailManager } from './classes.email.js';
-import { RadiusManager } from './classes.radius.js';
-
-export interface IDcRouterApiClientOptions {
-  baseUrl: string;
-  apiToken?: string;
-}
-
-export class DcRouterApiClient {
-  public baseUrl: string;
-  public apiToken?: string;
-  public identity?: interfaces.data.IIdentity;
-
-  // Resource managers
-  public routes: RouteManager;
-  public certificates: CertificateManager;
-  public apiTokens: ApiTokenManager;
-  public remoteIngress: RemoteIngressManager;
-  public stats: StatsManager;
-  public config: ConfigManager;
-  public logs: LogManager;
-  public emails: EmailManager;
-  public radius: RadiusManager;
-
-  constructor(options: IDcRouterApiClientOptions) {
-    this.baseUrl = options.baseUrl.replace(/\/+$/, '');
-    this.apiToken = options.apiToken;
-
-    this.routes = new RouteManager(this);
-    this.certificates = new CertificateManager(this);
-    this.apiTokens = new ApiTokenManager(this);
-    this.remoteIngress = new RemoteIngressManager(this);
-    this.stats = new StatsManager(this);
-    this.config = new ConfigManager(this);
-    this.logs = new LogManager(this);
-    this.emails = new EmailManager(this);
-    this.radius = new RadiusManager(this);
-  }
-
-  // =====================
-  // Auth
-  // =====================
-
-  public async login(username: string, password: string): Promise<interfaces.data.IIdentity> {
-    const response = await this.request<interfaces.requests.IReq_AdminLoginWithUsernameAndPassword>(
-      'adminLoginWithUsernameAndPassword',
-      { username, password },
-    );
-    if (response.identity) {
-      this.identity = response.identity;
-    }
-    return response.identity!;
-  }
-
-  public async logout(): Promise<void> {
-    await this.request<interfaces.requests.IReq_AdminLogout>(
-      'adminLogout',
-      { identity: this.identity! },
-    );
-    this.identity = undefined;
-  }
-
-  public async verifyIdentity(): Promise<{ valid: boolean; identity?: interfaces.data.IIdentity }> {
-    const response = await this.request<interfaces.requests.IReq_VerifyIdentity>(
-      'verifyIdentity',
-      { identity: this.identity! },
-    );
-    if (response.identity) {
-      this.identity = response.identity;
-    }
-    return response;
-  }
-
-  // =====================
-  // Internal request helper
-  // =====================
-
-  public async request<T extends plugins.typedrequestInterfaces.ITypedRequest>(
-    method: string,
-    requestData: T['request'],
-  ): Promise<T['response']> {
-    const typedRequest = new plugins.typedrequest.TypedRequest<T>(
-      `${this.baseUrl}/typedrequest`,
-      method,
-    );
-    return typedRequest.fire(requestData);
-  }
-
-  /**
-   * Build a request payload with identity and optional API token auto-injected.
-   */
-  public buildRequestPayload(extra: Record<string, any> = {}): Record<string, any> {
-    const payload: Record<string, any> = { ...extra };
-    if (this.identity) {
-      payload.identity = this.identity;
-    }
-    if (this.apiToken) {
-      payload.apiToken = this.apiToken;
-    }
-    return payload;
-  }
-}
@@ -1,77 +0,0 @@
-import * as interfaces from '../ts_interfaces/index.js';
-import type { DcRouterApiClient } from './classes.dcrouterapiclient.js';
-
-export class Email {
-  private clientRef: DcRouterApiClient;
-
-  // Data from IEmail
-  public id: string;
-  public direction: interfaces.requests.TEmailDirection;
-  public status: interfaces.requests.TEmailStatus;
-  public from: string;
-  public to: string;
-  public subject: string;
-  public timestamp: string;
-  public messageId: string;
-  public size: string;
-
-  constructor(clientRef: DcRouterApiClient, data: interfaces.requests.IEmail) {
-    this.clientRef = clientRef;
-    this.id = data.id;
-    this.direction = data.direction;
-    this.status = data.status;
-    this.from = data.from;
-    this.to = data.to;
-    this.subject = data.subject;
-    this.timestamp = data.timestamp;
-    this.messageId = data.messageId;
-    this.size = data.size;
-  }
-
-  public async getDetail(): Promise<interfaces.requests.IEmailDetail | null> {
-    const response = await this.clientRef.request<interfaces.requests.IReq_GetEmailDetail>(
-      'getEmailDetail',
-      this.clientRef.buildRequestPayload({ emailId: this.id }) as any,
-    );
-    return response.email;
-  }
-
-  public async resend(): Promise<{ success: boolean; newQueueId?: string }> {
-    const response = await this.clientRef.request<interfaces.requests.IReq_ResendEmail>(
-      'resendEmail',
-      this.clientRef.buildRequestPayload({ emailId: this.id }) as any,
-    );
-    return response;
-  }
-}
-
-export class EmailManager {
-  private clientRef: DcRouterApiClient;
-
-  constructor(clientRef: DcRouterApiClient) {
-    this.clientRef = clientRef;
-  }
-
-  public async list(): Promise<Email[]> {
-    const response = await this.clientRef.request<interfaces.requests.IReq_GetAllEmails>(
-      'getAllEmails',
-      this.clientRef.buildRequestPayload() as any,
-    );
-    return response.emails.map((e) => new Email(this.clientRef, e));
-  }
-
-  public async getDetail(emailId: string): Promise<interfaces.requests.IEmailDetail | null> {
-    const response = await this.clientRef.request<interfaces.requests.IReq_GetEmailDetail>(
-      'getEmailDetail',
-      this.clientRef.buildRequestPayload({ emailId }) as any,
-    );
-    return response.email;
-  }
-
-  public async resend(emailId: string): Promise<{ success: boolean; newQueueId?: string }> {
-    return this.clientRef.request<interfaces.requests.IReq_ResendEmail>(
-      'resendEmail',
-      this.clientRef.buildRequestPayload({ emailId }) as any,
-    );
-  }
-}
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
jkunz	2172f69c47	v11.0.11 Docker (tags) / security (push) Failing after 1s Details Docker (tags) / test (push) Has been skipped Details Docker (tags) / release (push) Has been skipped Details Docker (tags) / metadata (push) Has been skipped Details	2026-03-05 11:49:24 +00:00
jkunz	925b2f4518	fix(build): add debug logging to build script to list dist_ts and dist_ts_interfaces before and after bundling	2026-03-05 11:49:24 +00:00
				`@@ -1 +0,0 @@`
				`export * from './http3-route-augmentation.js';`