v13.29.0

.gitea/workflows/docker_nottags.yaml

@@ -1,4 +1,4 @@
-name: Docker (tags)
+name: Docker (non-tag pushes)
 
 on:
   push:
@@ -8,42 +8,10 @@ on:
 env:
   IMAGE: code.foss.global/host.today/ht-docker-node:szci
   NPMCI_COMPUTED_REPOURL: https://${{gitea.repository_owner}}:${{secrets.GITEA_TOKEN}}@gitea.lossless.digital/${{gitea.repository}}.git
-  NPMCI_TOKEN_NPM: ${{secrets.NPMCI_TOKEN_NPM}}
-  NPMCI_TOKEN_NPM2: ${{secrets.NPMCI_TOKEN_NPM2}}
-  NPMCI_GIT_GITHUBTOKEN: ${{secrets.NPMCI_GIT_GITHUBTOKEN}}
-  NPMCI_LOGIN_DOCKER_GITEA: ${{ github.server_url }}|${{ gitea.repository_owner }}|${{ secrets.GITEA_TOKEN }}
   NPMCI_LOGIN_DOCKER_DOCKERREGISTRY: ${{ secrets.NPMCI_LOGIN_DOCKER_DOCKERREGISTRY }}
 
 jobs:
-  security:
-    runs-on: ubuntu-latest
-    container:
-      image: ${{ env.IMAGE }}
-    continue-on-error: true
-
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Install pnpm and npmci
-        run: |
-          pnpm install -g pnpm
-          pnpm install -g @shipzone/npmci
-          npmci npm prepare
-
-      - name: Audit production dependencies
-        run: |
-          npmci command npm config set registry https://registry.npmjs.org
-          npmci command pnpm audit --audit-level=high --prod
-        continue-on-error: true
-
-      - name: Audit development dependencies
-        run: |
-          npmci command npm config set registry https://registry.npmjs.org
-          npmci command pnpm audit --audit-level=high --dev
-        continue-on-error: true
-
   test:
-    needs: security
     runs-on: ubuntu-latest
     container:
       image: ${{ env.IMAGE }}
@@ -54,18 +22,14 @@ jobs:
       - name: Prepare
         run: |
           pnpm install -g pnpm
-          pnpm install -g @shipzone/npmci
-          npmci npm prepare
+          pnpm install -g @git.zone/tsdocker@latest
+          pnpm install
 
-      - name: Test stable
-        run: |
-          npmci node install stable
-          npmci npm install
-          npmci npm test
+      - name: Test
+        run: pnpm test
 
-      - name: Test build
-        run: |
-          npmci npm prepare
-          npmci node install stable
-          npmci npm install
-          npmci command npm run build
+      - name: Build image
+        run: tsdocker build
+
+      - name: Test image
+        run: tsdocker test

.gitea/workflows/docker_tags.yaml

@@ -8,73 +8,13 @@ on:
 env:
   IMAGE: code.foss.global/host.today/ht-docker-node:szci
   NPMCI_COMPUTED_REPOURL: https://${{gitea.repository_owner}}:${{secrets.GITEA_TOKEN}}@gitea.lossless.digital/${{gitea.repository}}.git
-  NPMCI_TOKEN_NPM: ${{secrets.NPMCI_TOKEN_NPM}}
-  NPMCI_TOKEN_NPM2: ${{secrets.NPMCI_TOKEN_NPM2}}
-  NPMCI_GIT_GITHUBTOKEN: ${{secrets.NPMCI_GIT_GITHUBTOKEN}}
-  NPMCI_LOGIN_DOCKER_GITEA: ${{ github.server_url }}|${{ gitea.repository_owner }}|${{ secrets.GITEA_TOKEN }}
   NPMCI_LOGIN_DOCKER_DOCKERREGISTRY: ${{ secrets.NPMCI_LOGIN_DOCKER_DOCKERREGISTRY }}
 
 jobs:
-  security:
-    runs-on: ubuntu-latest
-    container:
-      image: ${{ env.IMAGE }}
-    continue-on-error: true
-
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Prepare
-        run: |
-          pnpm install -g pnpm
-          pnpm install -g @shipzone/npmci
-          npmci npm prepare
-
-      - name: Audit production dependencies
-        run: |
-          npmci command npm config set registry https://registry.npmjs.org
-          npmci command pnpm audit --audit-level=high --prod
-        continue-on-error: true
-
-      - name: Audit development dependencies
-        run: |
-          npmci command npm config set registry https://registry.npmjs.org
-          npmci command pnpm audit --audit-level=high --dev
-        continue-on-error: true
-
-  test:
-    needs: security
-    runs-on: ubuntu-latest
-    container:
-      image: ${{ env.IMAGE }}
-
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Prepare
-        run: |
-          pnpm install -g pnpm
-          pnpm install -g @shipzone/npmci
-          npmci npm prepare
-
-      - name: Test stable
-        run: |
-          npmci node install stable
-          npmci npm install
-          npmci npm test
-
-      - name: Test build
-        run: |
-          npmci node install stable
-          npmci npm install
-          npmci command npm run build
-
   release:
-    needs: test
-    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
     runs-on: ubuntu-latest
     container:
-      image: code.foss.global/host.today/ht-docker-node:dbase_dind
+      image: code.foss.global/host.today/ht-docker-dbase:szci
 
     steps:
       - uses: actions/checkout@v3
@@ -82,23 +22,20 @@ jobs:
       - name: Prepare
         run: |
           pnpm install -g pnpm
-          pnpm install -g @git.zone/tsdocker
+          pnpm install -g @git.zone/tsdocker@latest
+          pnpm install
 
-      - name: Release
-        run: |
-          tsdocker login
-          tsdocker build
-          tsdocker push
+      - name: Login to registries
+        run: tsdocker login
 
-  metadata:
-    needs: test
-    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
-    runs-on: ubuntu-latest
-    container:
-      image: ${{ env.IMAGE }}
+      - name: List images
+        run: tsdocker list
 
-    steps:
-      - uses: actions/checkout@v3
+      - name: Build images
+        run: tsdocker build
 
-      - name: Trigger
-        run: npmci trigger
+      - name: Test images
+        run: tsdocker test
+
+      - name: Push to code.foss.global
+        run: tsdocker push code.foss.global

.smartconfig.json

@@ -23,14 +23,17 @@
         "outputMode": "bundle",
         "bundler": "esbuild",
         "production": true,
-        "includeFiles": ["./html/**/*.html"]
+        "includeFiles": [
+          "./html/**/*.html"
+        ]
       }
     ]
   },
   "@git.zone/cli": {
+    "schemaVersion": 2,
     "projectType": "service",
     "module": {
-      "githost": "gitlab.com",
+      "githost": "code.foss.global",
       "gitscope": "serve.zone",
       "gitrepo": "dcrouter",
       "description": "A traffic router intended to be gating your datacenter.",
@@ -60,26 +63,37 @@
       ]
     },
     "release": {
-      "registries": [
-        "https://verdaccio.lossless.digital",
-        "https://registry.npmjs.org"
-      ],
-      "accessLevel": "public"
+      "targets": {
+        "git": {
+          "enabled": true,
+          "remote": "origin"
+        },
+        "npm": {
+          "enabled": false,
+          "registries": [
+            "https://verdaccio.lossless.digital",
+            "https://registry.npmjs.org"
+          ],
+          "accessLevel": "public"
+        },
+        "docker": {
+          "enabled": true,
+          "engine": "tsdocker"
+        }
+      }
     }
   },
-  "@ship.zone/szci": {
-    "npmGlobalTools": [],
-    "dockerRegistryRepoMap": {
-      "registry.gitlab.com": "code.foss.global/serve.zone/dcrouter"
-    },
-    "npmRegistryUrl": "verdaccio.lossless.digital"
-  },
   "@git.zone/tsdocker": {
-    "registries": ["code.foss.global"],
+    "registries": [
+      "code.foss.global"
+    ],
     "registryRepoMap": {
-      "code.foss.global": "serve.zone/dcrouter",
-      "dockerregistry.lossless.digital": "serve.zone/dcrouter"
+      "code.foss.global": "serve.zone/dcrouter"
     },
-    "platforms": ["linux/amd64", "linux/arm64"]
-  }
+    "platforms": [
+      "linux/amd64",
+      "linux/arm64"
+    ]
+  },
+  "@ship.zone/szci": {}
 }

Dockerfile

@@ -1,12 +1,18 @@
 # gitzone dockerfile_service
 ## STAGE 1 // BUILD
 FROM code.foss.global/host.today/ht-docker-node:lts AS build
-COPY ./ /app
+
 WORKDIR /app
+
+COPY package.json pnpm-lock.yaml ./
+RUN pnpm config set registry https://verdaccio.lossless.digital/
 RUN pnpm config set store-dir .pnpm-store
-RUN rm -rf node_modules && pnpm install
+RUN pnpm install --frozen-lockfile
+
+COPY . ./
 RUN pnpm run build
-RUN rm -rf .pnpm-store node_modules && pnpm install --prod
+RUN rm -rf .pnpm-store
+RUN pnpm prune --prod
 
 ## STAGE 2 // PRODUCTION
 FROM code.foss.global/host.today/ht-docker-node:alpine-node AS production
@@ -18,12 +24,10 @@ WORKDIR /app
 COPY --from=build /app /app
 
 ENV DCROUTER_MODE=OCI_CONTAINER
+ENV NODE_ENV=production
 ENV DCROUTER_HEAP_SIZE=512
 ENV UV_THREADPOOL_SIZE=16
 
-RUN pnpm install -g @servezone/healthy
-HEALTHCHECK --interval=30s --timeout=10s --start-period=120s --retries=3 CMD [ "healthy" ]
-
 LABEL org.opencontainers.image.title="dcrouter" \
       org.opencontainers.image.description="Multi-service datacenter gateway" \
       org.opencontainers.image.source="https://code.foss.global/serve.zone/dcrouter"

changelog.md

@@ -1,5 +1,113 @@
 # Changelog
 
+## Pending
+
+
+## 2026-05-14 - 13.29.0
+
+### Fixes
+
+- harden VPN route access and wireguard client configuration handling (vpn)
+  - Fail closed for vpnOnly routes when no VPN client IPs are available by replacing allow lists and enforcing a block-all fallback
+  - Refresh route application and VPN client security after target profile creation so profile changes take effect immediately
+  - Validate vpnConfig.serverEndpoint, require persisted config managers for VPN startup, and normalize WireGuard AllowedIPs during client creation, export, and key rotation
+  - Switch smartvpn server setup to wireguard transport with a localhost-only listener and await async server stop operations consistently
+
+### Features
+
+- add persisted admin bootstrap flow with optional idp.global authentication (opsserver-admin)
+  - introduces bootstrap status and initial admin creation endpoints for OpsServer
+  - switches admin authentication from ephemeral-only users to database-backed accounts when a persistent admin exists
+  - adds optional idp.global login support for admin accounts and exposes auth source metadata in user listings
+  - updates the web dashboard to prompt creation of the first persisted admin account
+  - adds integration coverage for bootstrap, persisted login, identity invalidation, and user listing behavior
+
+## 2026-05-09 - 13.28.0 - feat(gateway-clients)
+add managed gateway client administration and token-bound route ownership
+
+- introduce persistent gateway client management with create, update, delete, list, and scoped token creation flows
+- add gateway client context and ownership resolution so token-bound clients can sync routes without spoofing another client
+- surface gateway client administration in the ops dashboard with a new Access > Gateway Clients view
+- mark certificate provisioning backoff failures as failed and expose root-cause errors with DNS management guidance in the certificates view
+
+## 2026-05-09 - 13.27.1 - fix(docker)
+configure pnpm to use the verdaccio registry during Docker builds
+
+- Adds a pnpm registry configuration step before dependency installation in the Dockerfile.
+- Ensures container builds resolve packages from the configured Verdaccio registry.
+
+## 2026-05-09 - 13.27.0 - feat(api-token-manager)
+seed and rotate the environment-managed admin API token during initialization
+
+- Add initialization support for DCROUTER_ADMIN_API_TOKEN with validation, persistence, and admin policy assignment
+- Ensure the environment-managed token is updated when the configured raw token changes
+- Refactor token hashing into a shared helper and add coverage for seeding, validation, redaction, and rotation behavior
+
+## 2026-05-09 - 13.26.0 - feat(gateway-clients)
+add policy-based gateway client tokens and gateway client route and DNS management endpoints
+
+- Introduces API token policies with admin and gatewayClient roles, capability checks, hostname restrictions, and allowed route targets.
+- Adds gateway client request and data interfaces for domains, DNS records, route sync, and ownership metadata while keeping workhoster aliases for compatibility.
+- Extends route metadata normalization to prefer gatewayClient ownership and updates generated route names and test coverage accordingly.
+
+## 2026-04-26 - 13.25.0 - feat(security)
+compile network ranges and CIDR arrays into edge firewall policies
+
+- add support for storing intelligence network CIDR arrays alongside single network ranges
+- convert start-end IPv4 ranges into CIDR blocks when compiling security policies
+- always return an explicit remote ingress firewall snapshot with a blockedIps array
+- add tests covering range normalization, ASN-derived CIDRs, and empty firewall snapshots
+
+## 2026-04-26 - 13.24.0 - feat(security)
+add security policy management and IP intelligence operations to the ops UI
+
+- adds typed request endpoints to fetch compiled security policy, list audit events, and force-refresh IP intelligence
+- introduces dedicated security policy state and actions for loading, creating, updating, deleting, and refreshing security data
+- enhances the network activity view with IP intelligence columns, detail dialogs, and block-rule actions
+- expands the security blocked view into a full management interface for rules, compiled policy, IP intelligence, and audit history
+
+## 2026-04-26 - 13.23.0 - feat(security)
+add managed security policies with IP intelligence and remote ingress firewall propagation
+
+- introduces a SecurityPolicyManager that observes public IPs, stores IP intelligence, compiles block policies, and audits policy changes
+- adds database documents and shared interfaces for security block rules, IP intelligence records, and security policy audit events
+- exposes ops/admin request handlers to list IP intelligence and create, update, or delete security block rules
+- applies merged security policies to SmartProxy and propagates firewall snapshots to remote ingress edges and tunnel synchronization
+
+## 2026-04-26 - 13.22.0 - feat(remoteingress)
+add remote ingress performance configuration and expose tunnel transport metrics
+
+- upgrade @serve.zone/remoteingress to support performance tuning and richer tunnel status data
+- pass remote ingress performance settings through router startup and config APIs
+- serialize allowed-edge sync operations and await route update hooks to avoid tunnel sync races
+- expose UDP listen ports and transport, flow control, queue, and traffic metrics in remote ingress APIs and ops UI
+
+## 2026-04-26 - 13.21.1 - fix(deps)
+bump @push.rocks/smartproxy to ^27.8.1
+
+- Updates @push.rocks/smartproxy from ^27.8.0 to ^27.8.1 in package.json.
+
+## 2026-04-25 - 13.21.0 - feat(monitoring)
+improve network activity metrics with live domain request rates and backend identifiers
+
+- use SmartProxy per-domain live request rates to rank and attribute domain activity metrics, while retaining lifetime request totals as fallback data
+- separate aggregate backend rows from protocol cache rows with stable ids so cached protocol entries no longer duplicate active backend connection counts
+- expose frontend and backend protocol distributions plus aggregated connectionCount fields through ops and web network views
+
+## 2026-04-17 - 13.20.2 - fix(vpn)
+handle VPN forwarding mode downgrades and support runtime VPN config updates
+
+- restart the VPN server back to socket mode when host-IP clients are removed while preserving explicit hybrid mode
+- allow DcRouter to update VPN configuration at runtime and refresh route allow-list resolution without recreating the router
+- improve VPN operations UI target profile rendering and loading behavior for create and edit flows
+
+## 2026-04-17 - 13.20.1 - fix(docs)
+refresh package readmes with clearer runtime, API client, interfaces, migrations, and dashboard guidance
+
+- Reworks the main README with updated positioning, quick-start examples, route ownership guidance, configuration notes, automation examples, and OCI bootstrap details
+- Expands package-specific readmes for the runtime, API client, interfaces, migrations, and web dashboard to better describe exports, behavior, and usage
+- Standardizes documentation references such as subpath import guidance and LICENSE link casing across readmes
+
 ## 2026-04-17 - 13.20.0 - feat(routes)
 add remote ingress controls and preserve-port targeting for route configuration
 
@@ -2526,4 +2634,4 @@ Applied a core fix.
 - Fixed core functionality for version 1.0.1
 
 –––––––––––––––––––––––
-Note: Versions that only contained version bumps (for example, 1.0.11 and the plain "1.0.x" commits) have been omitted from individual entries and are implicitly included in the version ranges above.
+Note: Versions that only contained version bumps (for example, 1.0.11 and the plain "1.0.x" commits) have been omitted from individual entries and are implicitly included in the version ranges above.

package.json

@@ -1,7 +1,7 @@
 {
   "name": "@serve.zone/dcrouter",
   "private": false,
-  "version": "13.20.0",
+  "version": "13.29.0",
   "description": "A multifaceted routing service handling mail and SMS delivery functions.",
   "type": "module",
   "exports": {
@@ -23,11 +23,12 @@
   },
   "devDependencies": {
     "@git.zone/tsbuild": "^4.4.0",
-    "@git.zone/tsbundle": "^2.10.0",
-    "@git.zone/tsrun": "^2.0.2",
+    "@git.zone/tsbundle": "^2.10.1",
+    "@git.zone/tsdocker": "^2.2.5",
+    "@git.zone/tsrun": "^2.0.3",
     "@git.zone/tstest": "^3.6.3",
-    "@git.zone/tswatch": "^3.3.2",
-    "@types/node": "^25.6.0"
+    "@git.zone/tswatch": "^3.3.3",
+    "@types/node": "^25.6.1"
   },
   "dependencies": {
     "@api.global/typedrequest": "^3.3.0",
@@ -35,41 +36,42 @@
     "@api.global/typedserver": "^8.4.6",
     "@api.global/typedsocket": "^4.1.2",
     "@apiclient.xyz/cloudflare": "^7.1.0",
-    "@design.estate/dees-catalog": "^3.78.2",
+    "@design.estate/dees-catalog": "^3.81.0",
     "@design.estate/dees-element": "^2.2.4",
-    "@push.rocks/lik": "^6.4.0",
+    "@idp.global/sdk": "^1.2.0",
+    "@push.rocks/lik": "^6.4.1",
     "@push.rocks/projectinfo": "^5.1.0",
-    "@push.rocks/qenv": "^6.1.3",
+    "@push.rocks/qenv": "^6.1.4",
     "@push.rocks/smartacme": "^9.5.0",
     "@push.rocks/smartdata": "^7.1.7",
-    "@push.rocks/smartdb": "^2.6.2",
-    "@push.rocks/smartdns": "^7.9.0",
-    "@push.rocks/smartfs": "^1.5.0",
+    "@push.rocks/smartdb": "^2.10.0",
+    "@push.rocks/smartdns": "^7.9.2",
+    "@push.rocks/smartfs": "^1.5.1",
     "@push.rocks/smartguard": "^3.1.0",
-    "@push.rocks/smartjwt": "^2.2.1",
+    "@push.rocks/smartjwt": "^2.2.2",
     "@push.rocks/smartlog": "^3.2.2",
     "@push.rocks/smartmetrics": "^3.0.3",
-    "@push.rocks/smartmigration": "1.2.0",
+    "@push.rocks/smartmigration": "1.3.1",
     "@push.rocks/smartmta": "^5.3.3",
-    "@push.rocks/smartnetwork": "^4.6.0",
+    "@push.rocks/smartnetwork": "^4.7.1",
     "@push.rocks/smartpath": "^6.0.0",
-    "@push.rocks/smartpromise": "^4.2.3",
-    "@push.rocks/smartproxy": "^27.7.4",
-    "@push.rocks/smartradius": "^1.1.1",
-    "@push.rocks/smartrequest": "^5.0.1",
+    "@push.rocks/smartpromise": "^4.2.4",
+    "@push.rocks/smartproxy": "^27.10.0",
+    "@push.rocks/smartradius": "^1.1.2",
+    "@push.rocks/smartrequest": "^5.0.3",
     "@push.rocks/smartrx": "^3.0.10",
-    "@push.rocks/smartstate": "^2.3.0",
+    "@push.rocks/smartstate": "^2.3.1",
     "@push.rocks/smartunique": "^3.0.9",
-    "@push.rocks/smartvpn": "1.19.2",
+    "@push.rocks/smartvpn": "1.19.4",
     "@push.rocks/taskbuffer": "^8.0.2",
     "@serve.zone/catalog": "^2.12.4",
-    "@serve.zone/interfaces": "^5.3.0",
-    "@serve.zone/remoteingress": "^4.15.3",
-    "@tsclass/tsclass": "^9.5.0",
+    "@serve.zone/interfaces": "^5.5.0",
+    "@serve.zone/remoteingress": "^4.17.1",
+    "@tsclass/tsclass": "^9.5.1",
     "@types/qrcode": "^1.5.6",
-    "lru-cache": "^11.3.5",
+    "lru-cache": "^11.3.6",
     "qrcode": "^1.5.4",
-    "uuid": "^13.0.0"
+    "uuid": "^14.0.0"
   },
   "keywords": [
     "mail service",

readme.md

@@ -1,36 +1,38 @@
 # @serve.zone/dcrouter
 
-![dcrouter banner](https://code.foss.global/serve.zone/docs/raw/branch/main/dcrouter.png)
-
-`dcrouter` is a TypeScript control plane for running a serious multi-protocol edge or datacenter gateway from one process. It orchestrates HTTP/HTTPS and TCP routing through SmartProxy, email through smartmta, authoritative DNS and DNS-over-HTTPS, RADIUS, remote ingress tunnels, VPN access control, a typed Ops API, and a web dashboard.
-
-It is built for operators who want one place to define routes, expose services, manage certificates, register domains and DNS providers, control VPN-only access, and inspect what is going on in production.
+`dcrouter` is the serve.zone datacenter gateway runtime: a TypeScript control plane that brings HTTP/HTTPS/TCP routing, email ingress, authoritative DNS, RADIUS, VPN access control, remote ingress tunnels, certificate operations, metrics, and an Ops dashboard into one process.
 
 ## Issue Reporting and Security
 
 For reporting bugs, issues, or security vulnerabilities, please visit [community.foss.global/](https://community.foss.global/). This is the central community hub for all issue reporting. Developers who sign and comply with our contribution agreement and go through identification can also get a [code.foss.global/](https://code.foss.global/) account to submit Pull Requests directly.
 
-## Why dcrouter
+## Why It Exists
 
-- 🌐 Run HTTP/HTTPS, TCP/SNI, email, DNS, RADIUS, VPN, and remote ingress from one orchestrated service.
-- 🔐 Keep certificates, routes, tokens, domains, and reusable route references in one management plane.
-- 🧠 Use system-managed routes for config-, email-, and DNS-derived traffic, plus API-managed routes for dynamic additions.
-- 📊 Get an Ops UI and TypedRequest API for monitoring, automation, and day-2 operations.
-- ⚡ Lean on Rust-backed data planes where it matters: proxying, DNS, email delivery, remote ingress, and VPN.
+Modern infrastructure often has too many tiny edge tools: a proxy here, a DNS daemon there, a separate cert worker, another dashboard, and a tunnel process bolted on later. `dcrouter` is designed as a cohesive gateway layer for operators who want one audited place to define public routes, domains, edge tunnels, access policy, and operational state.
 
-## What It Covers
+Highlights:
 
-| Area | What dcrouter does |
+- 🌐 SmartProxy-backed HTTP, HTTPS, TCP, TLS/SNI, and optional HTTP/3 route handling
+- 📬 SmartMTA-backed SMTP ingress and email-domain operations
+- 🧭 SmartDNS-backed authoritative DNS plus generated DNS-over-HTTPS routes
+- 🔐 ACME, certificate state, API tokens, users, source profiles, target profiles, and security policies
+- 🛡️ RADIUS, VLAN assignment, VPN-protected routes, and remote ingress firewall snapshots
+- 🖥️ Browser Ops dashboard and TypedRequest API served by the built-in OpsServer
+
+## Runtime Areas
+
+| Area | What dcrouter manages |
 | --- | --- |
-| HTTP / HTTPS / TCP | SmartProxy-based routing, TLS termination or passthrough, path/domain matching, optional HTTP/3 augmentation |
-| Email | smartmta-based SMTP ingress and delivery, route-based email handling, DKIM-aware domain support |
-| DNS | Authoritative DNS, DNS-over-HTTPS bootstrap routes, provider-backed and dcrouter-hosted domains and records |
-| Certificates | ACME-aware certificate management with dashboard and API support |
-| Access control | Source profiles, network targets, VPN-gated routes, API tokens, admin auth |
-| Network edge | Remote ingress hub for edge nodes tunneling traffic into the router |
-| Operations | Web dashboard, TypedRequest API, logs, metrics, health, route and token management |
+| Proxying | SmartProxy routes for HTTP, HTTPS, TCP, SNI, TLS termination, passthrough, and backend forwarding |
+| Route ownership | Constructor routes, generated email/DNS routes, and API-created routes with explicit origins |
+| DNS | Authoritative scopes, generated NS records, static DNS records, provider-backed domains, and DoH endpoints |
+| Email | UnifiedEmailServer startup, email-domain management, route-backed delivery actions, received mail operations |
+| Certificates | ACME config, stored certificate metadata, provisioning backoff, and certificate status reporting |
+| Edge access | Remote ingress hub, edge registrations, derived edge ports, pushed firewall rules, VPN-only route access |
+| Network auth | RADIUS clients, MAC Authentication Bypass, VLAN mapping, and accounting sessions |
+| Operations | Dashboard views, TypedRequest handlers, metrics, logs, health, API tokens, users, and configuration views |
 
-## Installation
+## Install
 
 ```bash
 pnpm add @serve.zone/dcrouter
@@ -38,7 +40,7 @@ pnpm add @serve.zone/dcrouter
 
 ## Quick Start
 
-This is the smallest realistic setup: one HTTP route, embedded database enabled, and the Ops dashboard on port `3000`.
+This starts the gateway on unprivileged ports and stores data under the default `~/.serve.zone/dcrouter` base directory.
 
 ```typescript
 import { DcRouter } from '@serve.zone/dcrouter';
@@ -47,10 +49,10 @@ const router = new DcRouter({
   smartProxyConfig: {
     routes: [
       {
-        name: 'app',
+        name: 'local-app',
         match: {
-          domains: ['app.example.com'],
-          ports: [80],
+          domains: ['localhost'],
+          ports: [18080],
         },
         action: {
           type: 'forward',
@@ -68,147 +70,93 @@ const router = new DcRouter({
 await router.start();
 ```
 
-Once the router is running, you can:
+After startup:
 
-- open the Ops dashboard on `http://localhost:3000`
-- inspect the route in the System Routes view
-- add API-managed routes through the dashboard or API client
-- enable DNS, email, VPN, remote ingress, or RADIUS by adding the corresponding config blocks
+- open the dashboard at `http://localhost:3000`
+- log in with the current built-in development credentials `admin` / `admin`
+- send proxied traffic to `http://localhost:18080`
+- stop gracefully with `await router.stop()`
 
-## Mental Model
+## Configuration Model
 
-`dcrouter` is not a toy reverse proxy with a few side features. It is an orchestrator that wires multiple specialized services into one management plane.
-
-| Layer | Responsibility |
-| --- | --- |
-| `DcRouter` | Startup order, shutdown, service wiring, configuration assembly, route hydration |
-| SmartProxy | HTTP/HTTPS, TCP/SNI, TLS, HTTP/3-capable route execution |
-| smartmta | SMTP ingress, queueing, DKIM-aware email processing and delivery |
-| SmartDNS | Authoritative DNS and DoH request handling |
-| smartradius | Network authentication, VLAN assignment, accounting |
-| remoteingress | Edge tunnel registrations and runtime forwarding into the hub |
-| smartvpn | VPN server and client access mediation for protected routes |
-| OpsServer + dashboard | Typed API and browser UI for operations |
-| smartdata-backed DB | Persistent routes, tokens, domains, records, profiles, cert metadata, caches |
-
-## Route Model
-
-Routes fall into two ownership classes:
-
-| Route kind | Origin | Ownership | What users can do |
-| --- | --- | --- | --- |
-| System routes | `config`, `email`, `dns` | Derived from config or runtime-managed subsystems | View and toggle only |
-| API routes | `api` | Created through route-management API | Create, edit, delete, toggle |
-
-Important details:
-
-- system routes are persisted with a stable `systemKey`
-- config-, email-, and DNS-derived routes show up in the System Routes view
-- DoH routes are persisted as system-route templates and get their live socket handlers attached at apply time
-- system routes are managed by the system, not edited directly by operators
-
-## Core Features
-
-### Traffic Routing
-
-- Domain-, port-, and path-based SmartProxy routes
-- HTTP/HTTPS reverse proxying and generic TCP/SNI forwarding
-- Optional HTTP/3 augmentation for qualifying HTTPS routes
-- Reusable source profiles and network targets for route composition
-- Remote ingress aware routing for edge-delivered traffic
-
-### Email
-
-- smartmta-based inbound email handling
-- Route-based mail actions such as forward, process, deliver, reject
-- DKIM-aware domain handling and DNS record generation support
-- Email-domain management through the Ops API and UI
-- Queue, resend, failure, and delivery inspection through the dashboard and API
-
-### DNS
-
-- Authoritative scopes via `dnsScopes`
-- Bootstrap nameserver domains via `dnsNsDomains`
-- DNS-over-HTTPS endpoints for `/dns-query` and `/resolve`
-- Managed domains, managed records, and provider-backed DNS integrations
-- Internal email DNS record generation for `internal-dns` email domains
-
-### Certificates and ACME
-
-- Certificate overview and operations through OpsServer
-- Import, export, delete, and reprovision flows
-- DB-backed ACME configuration management
-- Integration with managed DNS for certificate provisioning flows
-- Routes can declare `certificate: 'auto'`, but actual automated issuance depends on ACME being configured in the management plane
-
-### VPN, RADIUS, and Remote Ingress
-
-- VPN-gated routes with target-profile-based access matching
-- WireGuard-oriented VPN management with dcrouter-side client lifecycle support
-- RADIUS MAB, VLAN assignment, and accounting
-- Remote ingress hub for edge nodes tunneling traffic into central routes
-
-### Operations Plane
-
-- Web dashboard with overview, network, routes, access, security, domains, certificates, logs, and email views
-- TypedRequest API for automation and external control
-- API tokens with scoped access
-- Metrics, health, logs, and per-feature operational views
-
-## Configuration Overview
-
-The main entry point is `IDcRouterOptions`.
+`DcRouter` is configured with `IDcRouterOptions` from `@serve.zone/dcrouter`.
 
 | Option | Purpose |
 | --- | --- |
-| `smartProxyConfig` | Main HTTP/HTTPS and TCP/SNI routing configuration |
-| `emailConfig` | smartmta server config and email routes |
-| `emailPortConfig` | External-to-internal email port mapping and email storage path tuning |
-| `dnsNsDomains` | Nameserver hostnames used for NS bootstrap and DoH routes |
-| `dnsScopes` | Authoritative DNS zones managed by dcrouter |
-| `dnsRecords` | Static constructor-defined records |
-| `publicIp` / `proxyIps` | DNS A-record exposure strategy |
-| `dbConfig` | Embedded or external Mongo-backed persistence and seeding |
-| `radiusConfig` | RADIUS authentication, VLAN, and accounting setup |
-| `remoteIngressConfig` | Edge tunnel hub setup |
-| `vpnConfig` | VPN server and client access configuration |
-| `http3` | Global HTTP/3 behavior for qualifying routes |
-| `opsServerPort` | Dashboard and TypedRequest API port |
+| `baseDir` | Root directory for dcrouter runtime data. Defaults to `~/.serve.zone/dcrouter`. |
+| `smartProxyConfig` | Main SmartProxy route configuration for HTTP/HTTPS/TCP/SNI traffic. |
+| `emailConfig` | UnifiedEmailServer configuration: hostname, ports, domains, and mail routes. |
+| `emailPortConfig` | External-to-internal email port mapping and received-email storage path. |
+| `tls` | Legacy/static TLS and ACME contact settings used to seed certificate config. |
+| `dnsNsDomains` | Nameserver hostnames used for generated NS records and DoH routes. |
+| `dnsScopes` | Authoritative domains served by the embedded DNS server. |
+| `dnsRecords` | Constructor-defined DNS records. |
+| `publicIp` / `proxyIps` | IPs used for generated A records and proxy-aware DNS exposure. |
+| `dbConfig` | Smartdata persistence via embedded LocalSmartDb or external MongoDB. |
+| `radiusConfig` | RADIUS authentication, accounting, and VLAN assignment. |
+| `remoteIngressConfig` | Remote ingress hub configuration for edge tunnel nodes. |
+| `vpnConfig` | VPN server/client definitions and VPN-only routing behavior. |
+| `http3` | HTTP/3 augmentation settings for qualifying HTTPS routes. |
+| `opsServerPort` | Port for the Ops dashboard and `/typedrequest` API. Defaults to `3000`. |
 
-## Example: Enabling DNS, Email, and VPN
+Important runtime behavior:
+
+- `dbConfig.enabled` defaults to enabled. Without `mongoDbUrl`, dcrouter uses embedded LocalSmartDb.
+- If the DB is disabled, constructor-defined proxy traffic can still run, but persistent API routes, tokens, managed domains, and stored certificate state are unavailable.
+- Qualifying HTTPS forward routes on port `443` are HTTP/3-augmented unless `http3.enabled === false` or the route opts out.
+- DNS-over-HTTPS routes are generated on the first `dnsNsDomains` entry at `/dns-query` and `/resolve`.
+- Email listener ports can be remapped internally, for example public `25`, `587`, and `465` to unprivileged internal ports.
+
+## Route Ownership
+
+dcrouter keeps generated and operator-created routes separate so automation can reconcile safely.
+
+| Origin | Source | Mutability |
+| --- | --- | --- |
+| `config` | Constructor `smartProxyConfig.routes` and seed data | Toggle only |
+| `email` | Email listener and email-domain generated routes | Toggle only |
+| `dns` | Generated DNS-over-HTTPS and DNS-related routes | Toggle only |
+| `api` | Ops UI or API client | Full CRUD |
+
+System routes are persisted with stable `systemKey` values. API-created routes are the editable route layer intended for operators and automation.
+
+## Production-Flavored Example
 
 ```typescript
 import { DcRouter } from '@serve.zone/dcrouter';
 
 const router = new DcRouter({
+  baseDir: '/var/lib/dcrouter',
   smartProxyConfig: {
     routes: [
       {
         name: 'web-app',
-        match: {
-          domains: ['app.example.com'],
-          ports: [443],
-        },
+        match: { domains: ['app.example.com'], ports: [443] },
         action: {
           type: 'forward',
-          targets: [{ host: '127.0.0.1', port: 8080 }],
+          targets: [{ host: '10.10.0.21', port: 8080 }],
           tls: { mode: 'terminate', certificate: 'auto' },
         },
       },
+      {
+        name: 'internal-admin',
+        match: { domains: ['admin.example.com'], ports: [443] },
+        action: {
+          type: 'forward',
+          targets: [{ host: '10.10.0.30', port: 9000 }],
+          tls: { mode: 'terminate', certificate: 'auto' },
+        },
+        vpnOnly: true,
+      },
     ],
   },
   emailConfig: {
     hostname: 'mail.example.com',
     ports: [25, 587, 465],
-    domains: [
-      {
-        domain: 'example.com',
-        dnsMode: 'internal-dns',
-      },
-    ],
+    domains: [{ domain: 'example.com', dnsMode: 'internal-dns' }],
     routes: [
       {
-        name: 'inbound-mail',
+        name: 'inbound-example',
         match: { recipients: '*@example.com' },
         action: {
           type: 'forward',
@@ -220,102 +168,102 @@ const router = new DcRouter({
   dnsNsDomains: ['ns1.example.com', 'ns2.example.com'],
   dnsScopes: ['example.com'],
   publicIp: '203.0.113.10',
+  remoteIngressConfig: {
+    enabled: true,
+    tunnelPort: 8443,
+    hubDomain: 'ingress.example.com',
+  },
   vpnConfig: {
     enabled: true,
     serverEndpoint: 'vpn.example.com',
-    clients: [
-      {
-        clientId: 'ops-laptop',
-        description: 'Operations laptop',
-      },
-    ],
-  },
-  dbConfig: {
-    enabled: true,
+    clients: [{ clientId: 'ops-laptop', description: 'Operations laptop' }],
   },
+  opsServerPort: 3000,
 });
 
 await router.start();
 ```
 
-## Operations API and Dashboard
+## Automation API
 
-With the database enabled, dcrouter exposes a management plane for:
-
-- routes and route toggles
-- API tokens
-- source profiles and network targets
-- DNS providers, domains, and records
-- ACME configuration and certificate lifecycle
-- email domains and email operations
-- VPN clients, remote ingress edges, and RADIUS data
-
-The browser dashboard is built from the `ts_web` package and is served by OpsServer. The same backend is accessible programmatically via TypedRequest or the dedicated API client package.
-
-## Programmatic API Client
-
-Use the API client when you want automation or integration code instead of clicking through the dashboard.
+The OpsServer exposes TypedRequest handlers at `/typedrequest`. You can use raw contracts or the object-oriented API client.
 
 ```bash
 pnpm add @serve.zone/dcrouter-apiclient
 ```
 
 ```typescript
-import { DcRouterApiClient } from '@serve.zone/dcrouter/apiclient';
+import { DcRouterApiClient } from '@serve.zone/dcrouter-apiclient';
 
 const client = new DcRouterApiClient({
   baseUrl: 'https://dcrouter.example.com',
 });
 
-await client.login('admin', 'password');
+await client.login('admin', 'admin');
 
-const { routes } = await client.routes.list();
-const systemRoutes = routes.filter((route) => route.origin !== 'api');
-
-if (systemRoutes[0]) {
-  await systemRoutes[0].toggle(false);
-}
-
-await client.routes.build()
+const route = await client.routes.build()
   .setName('api-gateway')
   .setMatch({ ports: 443, domains: ['api.example.com'] })
   .setAction({ type: 'forward', targets: [{ host: '127.0.0.1', port: 8081 }] })
   .save();
+
+await route.toggle(true);
 ```
 
-See `./ts_apiclient/readme.md` for the dedicated API-client package docs.
+Use `@serve.zone/dcrouter/interfaces` or `@serve.zone/dcrouter-interfaces` when you want the raw TypedRequest contracts instead of resource managers.
+
+## OCI / Container Bootstrap
+
+`runCli()` supports an environment-driven container mode when `DCROUTER_MODE=OCI_CONTAINER`.
+
+```typescript
+import { runCli } from '@serve.zone/dcrouter';
+
+await runCli();
+```
+
+Supported environment overrides include:
+
+| Variable | Purpose |
+| --- | --- |
+| `DCROUTER_CONFIG_PATH` | JSON file loaded as the base `IDcRouterOptions` object. |
+| `DCROUTER_BASE_DIR` | Runtime data root. |
+| `DCROUTER_TLS_EMAIL` / `DCROUTER_TLS_DOMAIN` | TLS/ACME seed settings. |
+| `DCROUTER_PUBLIC_IP` / `DCROUTER_PROXY_IPS` | Public/proxy IP exposure settings. |
+| `DCROUTER_DNS_NS_DOMAINS` / `DCROUTER_DNS_SCOPES` | DNS nameserver and authoritative scope settings. |
+| `DCROUTER_EMAIL_HOSTNAME` / `DCROUTER_EMAIL_PORTS` | Email server seed settings. |
+| `DCROUTER_CACHE_ENABLED` | Enables or disables DB-backed persistence. |
+| `DCROUTER_MAX_CONNECTIONS`, `DCROUTER_MAX_CONNECTIONS_PER_IP`, `DCROUTER_CONNECTION_RATE_LIMIT` | SmartProxy capacity and rate-limit overrides. |
 
 ## Published Modules
 
-This repository publishes multiple modules from the same codebase.
+This repository intentionally publishes multiple module boundaries from one codebase.
 
 | Module | Purpose | Docs |
 | --- | --- | --- |
-| `@serve.zone/dcrouter` | Main orchestrator and server package | `./readme.md` |
-| `@serve.zone/dcrouter-interfaces` | Shared TypedRequest request and data interfaces | `./ts_interfaces/readme.md` |
-| `@serve.zone/dcrouter-migrations` | Startup migration runner for dcrouter data | `./ts_migrations/readme.md` |
-| `@serve.zone/dcrouter-web` | Web dashboard entry and UI components | `./ts_web/readme.md` |
-| `@serve.zone/dcrouter-apiclient` | Typed OO API client | `./ts_apiclient/readme.md` |
+| `@serve.zone/dcrouter` | Main runtime and orchestrator | `./readme.md` |
+| `@serve.zone/dcrouter/interfaces` | Shared contracts as a subpath export | `./ts_interfaces/readme.md` |
+| `@serve.zone/dcrouter/apiclient` | API client as a subpath export | `./ts_apiclient/readme.md` |
+| `@serve.zone/dcrouter-interfaces` | Standalone contracts package | `./ts_interfaces/readme.md` |
+| `@serve.zone/dcrouter-apiclient` | Standalone OO API client package | `./ts_apiclient/readme.md` |
+| `@serve.zone/dcrouter-migrations` | Standalone migration runner package | `./ts_migrations/readme.md` |
+| `@serve.zone/dcrouter-web` | Dashboard frontend module boundary | `./ts_web/readme.md` |
 
-## Development and Testing
+## Development
 
 ```bash
 pnpm run build
 pnpm test
+pnpm run watch
 ```
 
-Target a single test file while working on one area:
+Useful source entry points:
 
-```bash
-tstest test/test.dns-runtime-routes.node.ts --verbose
-```
-
-## Notes for Operators
-
-- Database-backed management features depend on `dbConfig.enabled !== false`.
-- If you disable the DB, constructor-configured services still run, but persistent management features are limited.
-- Nameserver domains are still required for DNS bootstrap and DoH route generation.
-- HTTP/3 is enabled by default for qualifying HTTPS routes unless disabled globally or per route.
+- `ts/index.ts` exports `DcRouter`, `runCli()`, and public module surfaces.
+- `ts/classes.dcrouter.ts` owns service startup, dependency ordering, and `IDcRouterOptions`.
+- `ts/opsserver/classes.opsserver.ts` wires the dashboard server and TypedRequest handlers.
+- `ts/remoteingress/` integrates `@serve.zone/remoteingress` with stored edge registrations.
+- `ts_migrations/index.ts` contains all DB schema migration steps.
 
 ## License and Legal Information
 
@@ -331,7 +279,7 @@ Use of these trademarks must comply with Task Venture Capital GmbH's Trademark G
 
 ### Company Information
 
-Task Venture Capital GmbH  
+Task Venture Capital GmbH
 Registered at District Court Bremen HRB 35230 HB, Germany
 
 For any legal inquiries or further information, please contact us via email at hello@task.vc.

test/test.admin-bootstrap.node.ts

@@ -0,0 +1,208 @@
+import { tap, expect } from '@git.zone/tstest/tapbundle';
+import { TypedRequest } from '@api.global/typedrequest';
+import { OpsServer } from '../ts/opsserver/index.js';
+import { DcRouterDb } from '../ts/db/index.js';
+import * as plugins from '../ts/plugins.js';
+import * as interfaces from '../ts_interfaces/index.js';
+
+const testPort = 3110;
+const baseUrl = `http://localhost:${testPort}/typedrequest`;
+const bootstrapPassword = 'temporary-bootstrap-password';
+const persistedPassword = 'persisted-admin-password';
+
+let previousAdminPassword: string | undefined;
+let opsServer: OpsServer;
+let testDb: DcRouterDb;
+let storagePath: string;
+let bootstrapIdentity: interfaces.data.IIdentity;
+let persistedIdentity: interfaces.data.IIdentity;
+
+const createStatusRequest = () => new TypedRequest<interfaces.requests.IReq_GetAdminBootstrapStatus>(
+  baseUrl,
+  'getAdminBootstrapStatus',
+);
+
+const createLoginRequest = () => new TypedRequest<interfaces.requests.IReq_AdminLoginWithUsernameAndPassword>(
+  baseUrl,
+  'adminLoginWithUsernameAndPassword',
+);
+
+tap.test('setup db-backed OpsServer admin bootstrap test', async () => {
+  previousAdminPassword = process.env.DCROUTER_ADMIN_PASSWORD;
+  process.env.DCROUTER_ADMIN_PASSWORD = bootstrapPassword;
+
+  storagePath = plugins.path.join(
+    plugins.os.tmpdir(),
+    `dcrouter-admin-bootstrap-${Date.now()}-${Math.random().toString(16).slice(2)}`,
+  );
+
+  DcRouterDb.resetInstance();
+  testDb = DcRouterDb.getInstance({
+    storagePath,
+    dbName: `dcrouter-admin-bootstrap-${Date.now()}-${Math.random().toString(16).slice(2)}`,
+  });
+  await testDb.start();
+  await testDb.getDb().mongoDb.createCollection('__test_init');
+
+  const fakeDcRouter = {
+    options: {
+      opsServerPort: testPort,
+      dbConfig: { enabled: true },
+      adminAuth: {
+        idpClient: {
+          loginWithEmailAndPassword: async () => ({
+            jwt: 'idp-jwt',
+            refreshToken: 'idp-refresh-token',
+            user: {
+              id: 'idp-user-1',
+              data: {
+                name: 'Wrong IdP User',
+                username: 'wrong@example.com',
+                email: 'wrong@example.com',
+                status: 'active',
+                connectedOrgs: [],
+              },
+            },
+          }),
+          stop: async () => {},
+        },
+      },
+    },
+    typedrouter: new plugins.typedrequest.TypedRouter(),
+    dcRouterDb: testDb,
+  };
+
+  opsServer = new OpsServer(fakeDcRouter as any);
+  await opsServer.start();
+});
+
+tap.test('reports bootstrap required without auto-persisting an admin', async () => {
+  const status = await createStatusRequest().fire({});
+
+  expect(status.dbEnabled).toEqual(true);
+  expect(status.dbReady).toEqual(true);
+  expect(status.hasPersistentAdmin).toEqual(false);
+  expect(status.needsBootstrap).toEqual(true);
+  expect(status.ephemeralAdminAvailable).toEqual(true);
+});
+
+tap.test('allows temporary bootstrap admin login before persisted admin exists', async () => {
+  const response = await createLoginRequest().fire({
+    username: 'admin',
+    password: bootstrapPassword,
+  });
+
+  if (!response.identity) {
+    throw new Error('Expected bootstrap login identity');
+  }
+  bootstrapIdentity = response.identity;
+  expect(bootstrapIdentity.role).toEqual('admin');
+});
+
+tap.test('creates the initial persisted admin explicitly', async () => {
+  const request = new TypedRequest<interfaces.requests.IReq_CreateInitialAdminUser>(
+    baseUrl,
+    'createInitialAdminUser',
+  );
+
+  const response = await request.fire({
+    identity: bootstrapIdentity,
+    email: 'Admin@Example.com',
+    name: 'Persisted Admin',
+    password: persistedPassword,
+    enableIdpGlobalAuth: true,
+  });
+
+  expect(response.success).toEqual(true);
+  expect(response.user?.role).toEqual('admin');
+  expect(response.user?.authSources).toContain('local');
+  expect(response.user?.authSources).toContain('idp.global');
+  if (!response.identity) {
+    throw new Error('Expected persisted admin identity');
+  }
+  persistedIdentity = response.identity;
+});
+
+tap.test('disables bootstrap mode after persisted admin exists', async () => {
+  const status = await createStatusRequest().fire({});
+
+  expect(status.hasPersistentAdmin).toEqual(true);
+  expect(status.needsBootstrap).toEqual(false);
+  expect(status.ephemeralAdminAvailable).toEqual(false);
+});
+
+tap.test('rejects the old temporary admin after persisted admin creation', async () => {
+  let rejected = false;
+  try {
+    await createLoginRequest().fire({
+      username: 'admin',
+      password: bootstrapPassword,
+    });
+  } catch {
+    rejected = true;
+  }
+
+  expect(rejected).toEqual(true);
+});
+
+tap.test('rejects the old temporary admin identity after persisted admin creation', async () => {
+  const request = new TypedRequest<interfaces.requests.IReq_VerifyIdentity>(
+    baseUrl,
+    'verifyIdentity',
+  );
+  const response = await request.fire({ identity: bootstrapIdentity });
+
+  expect(response.valid).toEqual(false);
+});
+
+tap.test('authenticates the persisted admin locally by normalized email', async () => {
+  const response = await createLoginRequest().fire({
+    username: 'admin@example.com',
+    password: persistedPassword,
+    authSource: 'local',
+  });
+
+  if (!response.identity) {
+    throw new Error('Expected persisted admin login identity');
+  }
+  expect(response.identity.userId).toEqual(persistedIdentity.userId);
+});
+
+tap.test('rejects idp.global login when IdP email does not match local account', async () => {
+  let rejected = false;
+  try {
+    await createLoginRequest().fire({
+      username: 'admin@example.com',
+      password: 'idp-password',
+      authSource: 'idp.global',
+    });
+  } catch {
+    rejected = true;
+  }
+
+  expect(rejected).toEqual(true);
+});
+
+tap.test('lists persisted users without password material', async () => {
+  const request = new TypedRequest<interfaces.requests.IReq_ListUsers>(baseUrl, 'listUsers');
+  const response = await request.fire({ identity: persistedIdentity });
+
+  expect(response.users.length).toEqual(1);
+  expect(response.users[0].email).toEqual('Admin@Example.com');
+  expect((response.users[0] as any).password).toBeUndefined();
+});
+
+tap.test('cleanup db-backed OpsServer admin bootstrap test', async () => {
+  await opsServer.stop();
+  await testDb.stop();
+  DcRouterDb.resetInstance();
+  await plugins.fs.promises.rm(storagePath, { recursive: true, force: true });
+
+  if (previousAdminPassword === undefined) {
+    delete process.env.DCROUTER_ADMIN_PASSWORD;
+  } else {
+    process.env.DCROUTER_ADMIN_PASSWORD = previousAdminPassword;
+  }
+});
+
+export default tap.start();

test/test.api-token-manager.node.ts

@@ -0,0 +1,75 @@
+import { tap, expect } from '@git.zone/tstest/tapbundle';
+import { ApiTokenManager } from '../ts/config/classes.api-token-manager.js';
+import { DcRouterDb } from '../ts/db/index.js';
+import * as plugins from '../ts/plugins.js';
+
+const createTestDb = async () => {
+  const storagePath = plugins.path.join(
+    plugins.os.tmpdir(),
+    `dcrouter-api-token-manager-${Date.now()}-${Math.random().toString(16).slice(2)}`,
+  );
+
+  DcRouterDb.resetInstance();
+  const db = DcRouterDb.getInstance({
+    storagePath,
+    dbName: `dcrouter-api-token-manager-${Date.now()}-${Math.random().toString(16).slice(2)}`,
+  });
+  await db.start();
+  await db.getDb().mongoDb.createCollection('__test_init');
+
+  return {
+    async cleanup() {
+      await db.stop();
+      DcRouterDb.resetInstance();
+      await plugins.fs.promises.rm(storagePath, { recursive: true, force: true });
+    },
+  };
+};
+
+tap.test('ApiTokenManager seeds and rotates an env admin API token', async () => {
+  const previousToken = process.env.DCROUTER_ADMIN_API_TOKEN;
+  const previousName = process.env.DCROUTER_ADMIN_API_TOKEN_NAME;
+  const testDb = await createTestDb();
+
+  try {
+    const rawToken1 = `dcr_${plugins.crypto.randomBytes(32).toString('base64url')}`;
+    const rawToken2 = `dcr_${plugins.crypto.randomBytes(32).toString('base64url')}`;
+    process.env.DCROUTER_ADMIN_API_TOKEN = rawToken1;
+    process.env.DCROUTER_ADMIN_API_TOKEN_NAME = 'Onebox Managed Admin';
+
+    const manager = new ApiTokenManager();
+    await manager.initialize();
+
+    const token1 = await manager.validateToken(rawToken1);
+    expect(token1?.id).toEqual('env-admin-token');
+    expect(token1?.name).toEqual('Onebox Managed Admin');
+    expect(token1?.policy?.role).toEqual('admin');
+    expect(manager.hasScope(token1!, 'tokens:manage')).toEqual(true);
+
+    const listedToken = manager.listTokens().find((token) => token.id === 'env-admin-token') as any;
+    expect(listedToken.tokenHash).toBeUndefined();
+
+    process.env.DCROUTER_ADMIN_API_TOKEN = rawToken2;
+    const rotatedManager = new ApiTokenManager();
+    await rotatedManager.initialize();
+
+    expect(await rotatedManager.validateToken(rawToken1)).toBeNull();
+    const token2 = await rotatedManager.validateToken(rawToken2);
+    expect(token2?.id).toEqual('env-admin-token');
+    expect(token2?.policy?.role).toEqual('admin');
+  } finally {
+    if (previousToken === undefined) {
+      delete process.env.DCROUTER_ADMIN_API_TOKEN;
+    } else {
+      process.env.DCROUTER_ADMIN_API_TOKEN = previousToken;
+    }
+    if (previousName === undefined) {
+      delete process.env.DCROUTER_ADMIN_API_TOKEN_NAME;
+    } else {
+      process.env.DCROUTER_ADMIN_API_TOKEN_NAME = previousName;
+    }
+    await testDb.cleanup();
+  }
+});
+
+export default tap.start();

test/test.certificate-api-token.node.ts

@@ -0,0 +1,200 @@
+import { tap, expect } from '@git.zone/tstest/tapbundle';
+import { CertificateHandler } from '../ts/opsserver/handlers/certificate.handler.js';
+import { AcmeCertDoc, DcRouterDb } from '../ts/db/index.js';
+import * as plugins from '../ts/plugins.js';
+import * as interfaces from '../ts_interfaces/index.js';
+
+type TScope = interfaces.data.TApiTokenScope;
+
+const createTestDb = async () => {
+  const storagePath = plugins.path.join(
+    plugins.os.tmpdir(),
+    `dcrouter-cert-api-token-${Date.now()}-${Math.random().toString(16).slice(2)}`,
+  );
+
+  DcRouterDb.resetInstance();
+  const db = DcRouterDb.getInstance({
+    storagePath,
+    dbName: `dcrouter-test-${Date.now()}-${Math.random().toString(16).slice(2)}`,
+  });
+  await db.start();
+  await db.getDb().mongoDb.createCollection('__test_init');
+
+  return {
+    async cleanup() {
+      await db.stop();
+      DcRouterDb.resetInstance();
+      await plugins.fs.promises.rm(storagePath, { recursive: true, force: true });
+    },
+  };
+};
+
+const makeApiTokenManager = (scopes: TScope[]) => {
+  const token = {
+    id: 'token-1',
+    name: 'certificate-test-token',
+    scopes,
+    createdBy: 'token-user',
+    createdAt: Date.now(),
+    expiresAt: null,
+    lastUsedAt: null,
+    enabled: true,
+  } as interfaces.data.IStoredApiToken;
+
+  return {
+    validateToken: async (rawToken: string) => rawToken === 'valid-token' ? token : null,
+    hasScope: (storedToken: interfaces.data.IStoredApiToken, scope: TScope) => storedToken.scopes.includes(scope),
+  };
+};
+
+const setupHandler = (scopes: TScope[], options?: {
+  routes?: any[];
+  certProvisionScheduler?: any;
+  certProvisionFunction?: (...args: any[]) => any;
+}) => {
+  const typedrouter = new plugins.typedrequest.TypedRouter();
+  const opsServerRef: any = {
+    typedrouter,
+    adminHandler: {
+      adminIdentityGuard: {
+        exec: async () => false,
+      },
+    },
+    dcRouterRef: {
+      apiTokenManager: makeApiTokenManager(scopes),
+      certificateStatusMap: new Map(),
+      smartProxy: {
+        settings: options?.certProvisionFunction ? {
+          certProvisionFunction: options.certProvisionFunction,
+        } : {},
+        routeManager: { getRoutes: () => options?.routes ?? [] },
+        getCertificateStatus: async () => null,
+      },
+      certProvisionScheduler: options?.certProvisionScheduler ?? null,
+    },
+  };
+
+  new CertificateHandler(opsServerRef);
+  return { typedrouter, opsServerRef };
+};
+
+const fireTypedRequest = async (
+  router: plugins.typedrequest.TypedRouter,
+  method: string,
+  request: Record<string, any>,
+) => {
+  return await router.routeAndAddResponse({
+    method,
+    request,
+    response: {},
+    correlation: {
+      id: `${method}-${Date.now()}-${Math.random().toString(16).slice(2)}`,
+      phase: 'request',
+    },
+  } as any, { localRequest: true, skipHooks: true }) as any;
+};
+
+const testDbPromise = createTestDb();
+
+tap.test('CertificateHandler allows API-token export with certificates:read', async () => {
+  await testDbPromise;
+
+  const certDoc = new AcmeCertDoc();
+  certDoc.id = 'cert-1';
+  certDoc.domainName = 'example.com';
+  certDoc.created = 1;
+  certDoc.validUntil = 2;
+  certDoc.privateKey = '-----BEGIN PRIVATE KEY-----\nfake\n-----END PRIVATE KEY-----';
+  certDoc.publicKey = '-----BEGIN CERTIFICATE-----\nfake\n-----END CERTIFICATE-----';
+  certDoc.csr = '';
+  await certDoc.save();
+
+  const { typedrouter } = setupHandler(['certificates:read']);
+  const result = await fireTypedRequest(typedrouter, 'exportCertificate', {
+    apiToken: 'valid-token',
+    domain: 'example.com',
+  });
+
+  expect(result.error).toBeUndefined();
+  expect(result.response.success).toEqual(true);
+  expect(result.response.cert.domainName).toEqual('example.com');
+  expect(result.response.cert.privateKey).toContain('BEGIN PRIVATE KEY');
+  expect(result.response.cert.publicKey).toContain('BEGIN CERTIFICATE');
+});
+
+tap.test('CertificateHandler rejects API-token export without certificates:read', async () => {
+  const { typedrouter } = setupHandler(['certificates:write']);
+  const result = await fireTypedRequest(typedrouter, 'exportCertificate', {
+    apiToken: 'valid-token',
+    domain: 'example.com',
+  });
+
+  expect(result.error?.text).toEqual('insufficient scope');
+});
+
+tap.test('CertificateHandler allows API-token import with certificates:write', async () => {
+  await testDbPromise;
+
+  const { typedrouter, opsServerRef } = setupHandler(['certificates:write']);
+  const result = await fireTypedRequest(typedrouter, 'importCertificate', {
+    apiToken: 'valid-token',
+    cert: {
+      id: 'cert-2',
+      domainName: 'imported.example.com',
+      created: 3,
+      validUntil: 4,
+      privateKey: '-----BEGIN PRIVATE KEY-----\nfake\n-----END PRIVATE KEY-----',
+      publicKey: '-----BEGIN CERTIFICATE-----\nfake\n-----END CERTIFICATE-----',
+      csr: '',
+    },
+  });
+
+  expect(result.error).toBeUndefined();
+  expect(result.response.success).toEqual(true);
+  expect((await AcmeCertDoc.findByDomain('imported.example.com'))?.id).toEqual('cert-2');
+  expect(opsServerRef.dcRouterRef.certificateStatusMap.get('imported.example.com')?.status).toEqual('valid');
+});
+
+tap.test('CertificateHandler reports active certificate backoff as failed with root cause', async () => {
+  await testDbPromise;
+
+  const lastError = 'DNS-01 failed for stack.gallery: DnsManager: no managed domain found for _acme-challenge.stack.gallery.';
+  const retryAfter = new Date(Date.now() + 60 * 60 * 1000).toISOString();
+  const { typedrouter } = setupHandler(['certificates:read'], {
+    certProvisionFunction: async () => 'http01',
+    certProvisionScheduler: {
+      getBackoffInfo: async (domain: string) => domain === 'stack.gallery'
+        ? { failures: 11, retryAfter, lastError }
+        : null,
+    },
+    routes: [
+      {
+        name: 'stack-gallery',
+        match: { domains: ['stack.gallery'] },
+        action: {
+          tls: {
+            mode: 'terminate',
+            certificate: 'auto',
+          },
+        },
+      },
+    ],
+  });
+
+  const result = await fireTypedRequest(typedrouter, 'getCertificateOverview', {
+    apiToken: 'valid-token',
+  });
+
+  expect(result.error).toBeUndefined();
+  expect(result.response.summary.failed).toEqual(1);
+  expect(result.response.certificates[0].status).toEqual('failed');
+  expect(result.response.certificates[0].error).toEqual(lastError);
+  expect(result.response.certificates[0].backoffInfo.failures).toEqual(11);
+});
+
+tap.test('cleanup test db', async () => {
+  const testDb = await testDbPromise;
+  await testDb.cleanup();
+});
+
+export default tap.start();

test/test.email-ops-api.ts

@@ -5,6 +5,7 @@ import * as interfaces from '../ts_interfaces/index.js';
 
 const TEST_PORT = 3201;
 const BASE_URL = `http://localhost:${TEST_PORT}/typedrequest`;
+const TEST_ADMIN_PASSWORD = 'test-admin-password';
 
 let testDcRouter: DcRouter;
 let adminIdentity: interfaces.data.IIdentity;
@@ -56,6 +57,7 @@ const queueItems = [
 ];
 
 tap.test('should start DCRouter with OpsServer for email API tests', async () => {
+  process.env.DCROUTER_ADMIN_PASSWORD = TEST_ADMIN_PASSWORD;
   testDcRouter = new DcRouter({
     opsServerPort: TEST_PORT,
     dbConfig: { enabled: false },
@@ -98,10 +100,16 @@ tap.test('should login as admin for email API tests', async () => {
 
   const response = await loginRequest.fire({
     username: 'admin',
-    password: 'admin',
+    password: TEST_ADMIN_PASSWORD,
   });
 
-  adminIdentity = response.identity;
+  const responseIdentity = response.identity;
+  expect(responseIdentity).toBeDefined();
+  if (!responseIdentity) {
+    throw new Error('Expected admin login response to include identity');
+  }
+
+  adminIdentity = responseIdentity;
   expect(adminIdentity.jwt).toBeTruthy();
 });
 

test/test.errors.ts

@@ -103,6 +103,9 @@ tap.test('ErrorHandler should properly handle and format errors', async () => {
     }, 'TEST_EXECUTION_ERROR', { operation: 'testExecution' });
   } catch (error) {
     expect(error).toBeInstanceOf(PlatformError);
+    if (!(error instanceof PlatformError)) {
+      throw error;
+    }
     expect(error.code).toEqual('TEST_EXECUTION_ERROR');
     expect(error.context.operation).toEqual('testExecution');
   }
@@ -197,6 +200,9 @@ tap.test('Error retry utilities should work correctly', async () => {
       }
     );
   } catch (error) {
+    if (!(error instanceof Error)) {
+      throw error;
+    }
     expect(error.message).toEqual('Critical error');
     expect(attempts).toEqual(1); // Should only attempt once
   }
@@ -262,6 +268,9 @@ tap.test('Error handling can be combined with retry for robust operations', asyn
     // Should not reach here
     expect(false).toEqual(true);
   } catch (error) {
+    if (!(error instanceof Error)) {
+      throw error;
+    }
     expect(error.message).toContain('Flaky failure');
     expect(flaky.counter).toEqual(3); // Initial + 2 retries = 3 attempts
   }

test/test.jwt-auth.ts

@@ -5,8 +5,10 @@ import * as interfaces from '../ts_interfaces/index.js';
 
 let testDcRouter: DcRouter;
 let identity: interfaces.data.IIdentity;
+const testAdminPassword = 'test-admin-password';
 
 tap.test('should start DCRouter with OpsServer', async () => {
+  process.env.DCROUTER_ADMIN_PASSWORD = testAdminPassword;
   testDcRouter = new DcRouter({
     // Minimal config for testing
     opsServerPort: 3102,
@@ -25,18 +27,22 @@ tap.test('should login with admin credentials and receive JWT', async () => {
   
   const response = await loginRequest.fire({
     username: 'admin',
-    password: 'admin'
+    password: testAdminPassword
   });
-  
+
   expect(response).toHaveProperty('identity');
-  expect(response.identity).toHaveProperty('jwt');
-  expect(response.identity).toHaveProperty('userId');
-  expect(response.identity).toHaveProperty('name');
-  expect(response.identity).toHaveProperty('expiresAt');
-  expect(response.identity).toHaveProperty('role');
-  expect(response.identity.role).toEqual('admin');
-  
-  identity = response.identity;
+  const responseIdentity = response.identity;
+  if (!responseIdentity) {
+    throw new Error('Expected admin login response to include identity');
+  }
+  expect(responseIdentity).toHaveProperty('jwt');
+  expect(responseIdentity).toHaveProperty('userId');
+  expect(responseIdentity).toHaveProperty('name');
+  expect(responseIdentity).toHaveProperty('expiresAt');
+  expect(responseIdentity).toHaveProperty('role');
+  expect(responseIdentity.role).toEqual('admin');
+
+  identity = responseIdentity;
   console.log('JWT:', identity.jwt);
 });
 
@@ -53,7 +59,11 @@ tap.test('should verify valid JWT identity', async () => {
   expect(response).toHaveProperty('valid');
   expect(response.valid).toBeTrue();
   expect(response).toHaveProperty('identity');
-  expect(response.identity.userId).toEqual(identity.userId);
+  const responseIdentity = response.identity;
+  if (!responseIdentity) {
+    throw new Error('Expected verify response to include identity');
+  }
+  expect(responseIdentity.userId).toEqual(identity.userId);
 });
 
 tap.test('should reject invalid JWT', async () => {
@@ -86,8 +96,12 @@ tap.test('should verify JWT matches identity data', async () => {
   
   expect(response).toHaveProperty('valid');
   expect(response.valid).toBeTrue();
-  expect(response.identity.expiresAt).toEqual(identity.expiresAt);
-  expect(response.identity.userId).toEqual(identity.userId);
+  const responseIdentity = response.identity;
+  if (!responseIdentity) {
+    throw new Error('Expected verify response to include identity');
+  }
+  expect(responseIdentity.expiresAt).toEqual(identity.expiresAt);
+  expect(responseIdentity.userId).toEqual(identity.userId);
 });
 
 tap.test('should handle logout', async () => {
@@ -129,4 +143,4 @@ tap.test('should stop DCRouter', async () => {
   await testDcRouter.stop();
 });
 
-export default tap.start();
+export default tap.start();

test/test.metricsmanager.route-keys.node.ts

@@ -18,6 +18,9 @@ function createProxyMetrics(args: {
   connectionsByRoute: Map<string, number>;
   throughputByRoute: Map<string, { in: number; out: number }>;
   domainRequestsByIP: Map<string, Map<string, number>>;
+  domainRequestRates?: Map<string, { perSecond: number; lastMinute: number }>;
+  backendMetrics?: Map<string, any>;
+  protocolCache?: any[];
   requestsTotal?: number;
 }) {
   return {
@@ -45,6 +48,7 @@ function createProxyMetrics(args: {
       perSecond: () => 0,
       perMinute: () => 0,
       total: () => args.requestsTotal || 0,
+      byDomain: () => args.domainRequestRates || new Map<string, { perSecond: number; lastMinute: number }>(),
     },
     totals: {
       bytesIn: () => 0,
@@ -52,10 +56,10 @@ function createProxyMetrics(args: {
       connections: () => 0,
     },
     backends: {
-      byBackend: () => new Map<string, any>(),
+      byBackend: () => args.backendMetrics || new Map<string, any>(),
       protocols: () => new Map<string, string>(),
       topByErrors: () => [],
-      detectedProtocols: () => [],
+      detectedProtocols: () => args.protocolCache || [],
     },
   };
 }
@@ -117,4 +121,122 @@ tap.test('MetricsManager joins domain activity to id-keyed route metrics', async
   expect(beta!.bytesOutPerSecond).toEqual(600);
 });
 
+tap.test('MetricsManager prefers live domain request rates for current activity', async () => {
+  const proxyMetrics = createProxyMetrics({
+    connectionsByRoute: new Map([
+      ['route-id-only', 10],
+    ]),
+    throughputByRoute: new Map([
+      ['route-id-only', { in: 1000, out: 1000 }],
+    ]),
+    domainRequestsByIP: new Map([
+      ['192.0.2.10', new Map([
+        ['alpha.example.com', 1000],
+        ['beta.example.com', 1],
+      ])],
+    ]),
+    domainRequestRates: new Map([
+      ['alpha.example.com', { perSecond: 0, lastMinute: 0 }],
+      ['beta.example.com', { perSecond: 5, lastMinute: 60 }],
+    ]),
+  });
+
+  const smartProxy = {
+    getMetrics: () => proxyMetrics,
+    routeManager: {
+      getRoutes: () => [
+        {
+          id: 'route-id-only',
+          match: {
+            ports: [443],
+            domains: ['alpha.example.com', 'beta.example.com'],
+          },
+          action: {
+            type: 'forward',
+            targets: [{ host: '127.0.0.1', port: 8443 }],
+          },
+        },
+      ],
+    },
+  };
+
+  const manager = new MetricsManager({ smartProxy } as any);
+  const stats = await manager.getNetworkStats();
+  const alpha = stats.domainActivity.find((item) => item.domain === 'alpha.example.com');
+  const beta = stats.domainActivity.find((item) => item.domain === 'beta.example.com');
+
+  expect(alpha!.activeConnections).toEqual(0);
+  expect(alpha!.requestsPerSecond).toEqual(0);
+  expect(beta!.activeConnections).toEqual(10);
+  expect(beta!.requestsPerSecond).toEqual(5);
+  expect(beta!.bytesInPerSecond).toEqual(1000);
+});
+
+tap.test('MetricsManager does not duplicate backend active counts onto protocol cache rows', async () => {
+  const proxyMetrics = createProxyMetrics({
+    connectionsByRoute: new Map(),
+    throughputByRoute: new Map(),
+    domainRequestsByIP: new Map(),
+    backendMetrics: new Map([
+      ['192.0.2.1:443', {
+        protocol: 'h2',
+        activeConnections: 257,
+        totalConnections: 1000,
+        connectErrors: 1,
+        handshakeErrors: 2,
+        requestErrors: 3,
+        avgConnectTimeMs: 4,
+        poolHitRate: 0.9,
+        h2Failures: 5,
+      }],
+    ]),
+    protocolCache: [
+      {
+        host: '192.0.2.1',
+        port: 443,
+        domain: 'alpha.example.com',
+        protocol: 'h2',
+        h2Suppressed: false,
+        h3Suppressed: false,
+        h2CooldownRemainingSecs: null,
+        h3CooldownRemainingSecs: null,
+        h2ConsecutiveFailures: null,
+        h3ConsecutiveFailures: null,
+        h3Port: null,
+        ageSecs: 1,
+      },
+      {
+        host: '192.0.2.1',
+        port: 443,
+        domain: 'beta.example.com',
+        protocol: 'h2',
+        h2Suppressed: false,
+        h3Suppressed: false,
+        h2CooldownRemainingSecs: null,
+        h3CooldownRemainingSecs: null,
+        h2ConsecutiveFailures: null,
+        h3ConsecutiveFailures: null,
+        h3Port: null,
+        ageSecs: 1,
+      },
+    ],
+  });
+
+  const smartProxy = {
+    getMetrics: () => proxyMetrics,
+    routeManager: {
+      getRoutes: () => [],
+    },
+  };
+
+  const manager = new MetricsManager({ smartProxy } as any);
+  const stats = await manager.getNetworkStats();
+  const aggregate = stats.backends.find((item) => item.id === 'backend:192.0.2.1:443');
+  const cacheRows = stats.backends.filter((item) => item.id?.startsWith('cache:'));
+
+  expect(aggregate!.activeConnections).toEqual(257);
+  expect(cacheRows.length).toEqual(2);
+  expect(cacheRows.every((item) => item.activeConnections === 0)).toBeTrue();
+});
+
 export default tap.start();

test/test.opsserver-api.ts

@@ -5,8 +5,10 @@ import * as interfaces from '../ts_interfaces/index.js';
 
 let testDcRouter: DcRouter;
 let adminIdentity: interfaces.data.IIdentity;
+const testAdminPassword = 'test-admin-password';
 
 tap.test('should start DCRouter with OpsServer', async () => {
+  process.env.DCROUTER_ADMIN_PASSWORD = testAdminPassword;
   testDcRouter = new DcRouter({
     // Minimal config for testing
     opsServerPort: 3101,
@@ -25,11 +27,15 @@ tap.test('should login as admin', async () => {
 
   const response = await loginRequest.fire({
     username: 'admin',
-    password: 'admin',
+    password: testAdminPassword,
   });
 
   expect(response).toHaveProperty('identity');
-  adminIdentity = response.identity;
+  const responseIdentity = response.identity;
+  if (!responseIdentity) {
+    throw new Error('Expected admin login response to include identity');
+  }
+  adminIdentity = responseIdentity;
 });
 
 tap.test('should respond to health status request', async () => {

test/test.protected-endpoint.ts

@@ -5,8 +5,10 @@ import * as interfaces from '../ts_interfaces/index.js';
 
 let testDcRouter: DcRouter;
 let adminIdentity: interfaces.data.IIdentity;
+const testAdminPassword = 'test-admin-password';
 
 tap.test('should start DCRouter with OpsServer', async () => {
+  process.env.DCROUTER_ADMIN_PASSWORD = testAdminPassword;
   testDcRouter = new DcRouter({
     // Minimal config for testing
     opsServerPort: 3103,
@@ -25,11 +27,15 @@ tap.test('should login as admin', async () => {
 
   const response = await loginRequest.fire({
     username: 'admin',
-    password: 'admin'
+    password: testAdminPassword
   });
 
   expect(response).toHaveProperty('identity');
-  adminIdentity = response.identity;
+  const responseIdentity = response.identity;
+  if (!responseIdentity) {
+    throw new Error('Expected admin login response to include identity');
+  }
+  adminIdentity = responseIdentity;
   console.log('Admin logged in with JWT');
 });
 

test/test.security-policy-manager.node.ts

@@ -0,0 +1,129 @@
+import { tap, expect } from '@git.zone/tstest/tapbundle';
+import * as plugins from '../ts/plugins.js';
+import { DcRouterDb, IpIntelligenceDoc, SecurityBlockRuleDoc, SecurityPolicyAuditDoc } from '../ts/db/index.js';
+import { SecurityPolicyManager } from '../ts/security/index.js';
+
+const createTestDb = async () => {
+  const storagePath = plugins.path.join(
+    plugins.os.tmpdir(),
+    `dcrouter-security-policy-${Date.now()}-${Math.random().toString(16).slice(2)}`,
+  );
+
+  DcRouterDb.resetInstance();
+  const db = DcRouterDb.getInstance({
+    storagePath,
+    dbName: `dcrouter-security-policy-${Date.now()}-${Math.random().toString(16).slice(2)}`,
+  });
+  await db.start();
+  await db.getDb().mongoDb.createCollection('__test_init');
+
+  return {
+    async cleanup() {
+      await db.stop();
+      DcRouterDb.resetInstance();
+      await plugins.fs.promises.rm(storagePath, { recursive: true, force: true });
+    },
+  };
+};
+
+const testDbPromise = createTestDb();
+
+const clearTestState = async () => {
+  for (const rule of await SecurityBlockRuleDoc.findAll()) {
+    await rule.delete();
+  }
+  for (const record of await IpIntelligenceDoc.findAll()) {
+    await record.delete();
+  }
+  for (const event of await SecurityPolicyAuditDoc.findRecent(1000)) {
+    await event.delete();
+  }
+};
+
+tap.test('SecurityPolicyManager compiles start-end CIDR rules for edge firewall snapshots', async () => {
+  await testDbPromise;
+  await clearTestState();
+  const manager = new SecurityPolicyManager();
+
+  await manager.createBlockRule({
+    type: 'cidr',
+    value: '203.0.113.0 - 203.0.113.255',
+    reason: 'test range',
+  });
+
+  const policy = await manager.compilePolicy();
+  expect(policy.blockedCidrs).toEqual(['203.0.113.0/24']);
+
+  const firewall = await manager.compileRemoteIngressFirewall();
+  expect(firewall.blockedIps).toEqual(['203.0.113.0/24']);
+});
+
+tap.test('SecurityPolicyManager compiles intelligence network ranges for ASN rules', async () => {
+  await testDbPromise;
+  await clearTestState();
+  const manager = new SecurityPolicyManager();
+
+  const intelligenceDoc = new IpIntelligenceDoc();
+  intelligenceDoc.ipAddress = '198.51.100.23';
+  intelligenceDoc.asn = 64500;
+  intelligenceDoc.asnOrg = 'Example Network';
+  intelligenceDoc.networkRange = '198.51.100.0 - 198.51.100.127';
+  intelligenceDoc.firstSeenAt = Date.now();
+  intelligenceDoc.lastSeenAt = Date.now();
+  intelligenceDoc.updatedAt = Date.now();
+  intelligenceDoc.seenCount = 1;
+  await intelligenceDoc.save();
+
+  await manager.createBlockRule({
+    type: 'asn',
+    value: 'AS64500',
+    reason: 'test asn range',
+  });
+
+  const policy = await manager.compilePolicy();
+  expect(policy.blockedCidrs).toEqual(['198.51.100.0/25']);
+});
+
+tap.test('SecurityPolicyManager compiles intelligence CIDR arrays for ASN rules', async () => {
+  await testDbPromise;
+  await clearTestState();
+  const manager = new SecurityPolicyManager();
+
+  const intelligenceDoc = new IpIntelligenceDoc();
+  intelligenceDoc.ipAddress = '198.51.100.130';
+  intelligenceDoc.asn = 64501;
+  intelligenceDoc.asnOrg = 'Example Split Network';
+  intelligenceDoc.networkRange = null;
+  intelligenceDoc.networkCidrs = ['198.51.100.128/25', '198.51.101.0/24'];
+  intelligenceDoc.firstSeenAt = Date.now();
+  intelligenceDoc.lastSeenAt = Date.now();
+  intelligenceDoc.updatedAt = Date.now();
+  intelligenceDoc.seenCount = 1;
+  await intelligenceDoc.save();
+
+  await manager.createBlockRule({
+    type: 'asn',
+    value: 'AS64501',
+    reason: 'test asn cidr array',
+  });
+
+  const policy = await manager.compilePolicy();
+  expect(policy.blockedCidrs).toEqual(['198.51.100.128/25', '198.51.101.0/24']);
+});
+
+tap.test('SecurityPolicyManager returns an explicit empty edge firewall snapshot', async () => {
+  await testDbPromise;
+  await clearTestState();
+  const manager = new SecurityPolicyManager();
+
+  const firewall = await manager.compileRemoteIngressFirewall();
+  expect(firewall).toEqual({ blockedIps: [] });
+});
+
+tap.test('cleanup security policy test db', async () => {
+  const dbHandle = await testDbPromise;
+  await clearTestState();
+  await dbHandle.cleanup();
+});
+
+export default tap.start();

test/test.source-profiles-api.ts

@@ -5,6 +5,7 @@ import * as interfaces from '../ts_interfaces/index.js';
 
 const TEST_PORT = 3200;
 const TEST_URL = `http://localhost:${TEST_PORT}/typedrequest`;
+const TEST_ADMIN_PASSWORD = 'test-admin-password';
 
 let testDcRouter: DcRouter;
 let adminIdentity: interfaces.data.IIdentity;
@@ -14,6 +15,7 @@ let adminIdentity: interfaces.data.IIdentity;
 // ============================================================================
 
 tap.test('should start DCRouter with OpsServer', async () => {
+  process.env.DCROUTER_ADMIN_PASSWORD = TEST_ADMIN_PASSWORD;
   testDcRouter = new DcRouter({
     opsServerPort: TEST_PORT,
     dbConfig: { enabled: false },
@@ -31,11 +33,15 @@ tap.test('should login as admin', async () => {
 
   const response = await loginRequest.fire({
     username: 'admin',
-    password: 'admin',
+    password: TEST_ADMIN_PASSWORD,
   });
 
   expect(response).toHaveProperty('identity');
-  adminIdentity = response.identity;
+  const responseIdentity = response.identity;
+  if (!responseIdentity) {
+    throw new Error('Expected admin login response to include identity');
+  }
+  adminIdentity = responseIdentity;
 });
 
 // ============================================================================

test/test.vpn-runtime.node.ts

@@ -0,0 +1,177 @@
+import { expect, tap } from '@git.zone/tstest/tapbundle';
+import { DcRouter } from '../ts/classes.dcrouter.js';
+import { VpnManager } from '../ts/vpn/classes.vpn-manager.js';
+import { RouteConfigManager } from '../ts/config/classes.route-config-manager.js';
+
+tap.test('VpnManager downgrades back to socket mode when no host-IP clients remain', async () => {
+  const manager = new VpnManager({ forwardingMode: 'socket' });
+
+  let stopCalls = 0;
+  let startCalls = 0;
+
+  (manager as any).vpnServer = { running: true };
+  (manager as any).resolvedForwardingMode = 'hybrid';
+  (manager as any).clients = new Map([
+    ['client-1', { useHostIp: false }],
+  ]);
+  (manager as any).stop = async () => {
+    stopCalls++;
+  };
+  (manager as any).start = async () => {
+    startCalls++;
+    (manager as any).resolvedForwardingMode = (manager as any).forwardingModeOverride ?? 'socket';
+    (manager as any).forwardingModeOverride = undefined;
+    (manager as any).vpnServer = { running: true };
+  };
+
+  const restarted = await (manager as any).reconcileForwardingMode();
+
+  expect(restarted).toEqual(true);
+  expect(stopCalls).toEqual(1);
+  expect(startCalls).toEqual(1);
+  expect((manager as any).resolvedForwardingMode).toEqual('socket');
+});
+
+tap.test('VpnManager keeps explicit hybrid mode even without host-IP clients', async () => {
+  const manager = new VpnManager({ forwardingMode: 'hybrid' });
+
+  let stopCalls = 0;
+  let startCalls = 0;
+
+  (manager as any).vpnServer = { running: true };
+  (manager as any).resolvedForwardingMode = 'hybrid';
+  (manager as any).clients = new Map([
+    ['client-1', { useHostIp: false }],
+  ]);
+  (manager as any).stop = async () => {
+    stopCalls++;
+  };
+  (manager as any).start = async () => {
+    startCalls++;
+  };
+
+  const restarted = await (manager as any).reconcileForwardingMode();
+
+  expect(restarted).toEqual(false);
+  expect(stopCalls).toEqual(0);
+  expect(startCalls).toEqual(0);
+  expect((manager as any).resolvedForwardingMode).toEqual('hybrid');
+});
+
+tap.test('DcRouter.updateVpnConfig swaps the runtime VPN resolver and restarts VPN services', async () => {
+  const dcRouter = new DcRouter({
+    smartProxyConfig: { routes: [] },
+    dbConfig: { enabled: false },
+    vpnConfig: { enabled: false },
+  });
+
+  let stopCalls = 0;
+  let setupCalls = 0;
+  let applyCalls = 0;
+  const resolverValues: Array<unknown> = [];
+
+  dcRouter.vpnManager = {
+    stop: async () => {
+      stopCalls++;
+    },
+  } as any;
+  (dcRouter as any).routeConfigManager = {
+    setVpnClientIpsResolver: (resolver: unknown) => {
+      resolverValues.push(resolver);
+    },
+    applyRoutes: async () => {
+      applyCalls++;
+    },
+  };
+  (dcRouter as any).setupVpnServer = async () => {
+    setupCalls++;
+    dcRouter.vpnManager = {
+      stop: async () => {
+        stopCalls++;
+      },
+    } as any;
+  };
+
+  await dcRouter.updateVpnConfig({ enabled: true, subnet: '10.9.0.0/24' });
+
+  expect(stopCalls).toEqual(1);
+  expect(setupCalls).toEqual(1);
+  expect(applyCalls).toEqual(0);
+  expect(typeof resolverValues.at(-1)).toEqual('function');
+
+  await dcRouter.updateVpnConfig({ enabled: false });
+
+  expect(stopCalls).toEqual(2);
+  expect(setupCalls).toEqual(1);
+  expect(applyCalls).toEqual(1);
+  expect(resolverValues.at(-1)).toBeUndefined();
+  expect(dcRouter.vpnManager).toBeUndefined();
+});
+
+tap.test('RouteConfigManager makes vpnOnly routes fail closed without VPN clients', async () => {
+  const manager = new RouteConfigManager(() => undefined);
+  const route = {
+    name: 'private-route',
+    vpnOnly: true,
+    match: { domains: ['private.example.com'] },
+    action: { type: 'forward', targets: [{ host: '127.0.0.1', port: 8080 }] },
+    security: { ipAllowList: ['*'] },
+  } as any;
+
+  const prepared = (manager as any).injectVpnSecurity(route);
+
+  expect(prepared.security.ipAllowList).toEqual([]);
+  expect(prepared.security.ipBlockList).toContain('*');
+});
+
+tap.test('RouteConfigManager replaces public allow lists for vpnOnly routes', async () => {
+  const manager = new RouteConfigManager(
+    () => undefined,
+    undefined,
+    () => ['10.8.0.2'],
+  );
+  const route = {
+    name: 'private-route',
+    vpnOnly: true,
+    match: { domains: ['private.example.com'] },
+    action: { type: 'forward', targets: [{ host: '127.0.0.1', port: 8080 }] },
+    security: {
+      ipAllowList: ['*', '203.0.113.10'],
+      ipBlockList: ['198.51.100.5'],
+    },
+  } as any;
+
+  const prepared = (manager as any).injectVpnSecurity(route);
+
+  expect(prepared.security.ipAllowList).toEqual(['10.8.0.2']);
+  expect(prepared.security.ipBlockList).toEqual(['198.51.100.5']);
+});
+
+tap.test('VpnManager rewrites WireGuard AllowedIPs after key rotation', async () => {
+  const manager = new VpnManager({
+    serverEndpoint: 'vpn.example.com',
+    getClientAllowedIPs: async () => ['10.8.0.0/24', '203.0.113.10/32'],
+  });
+
+  (manager as any).vpnServer = {
+    rotateClientKey: async () => ({
+      entry: {
+        clientId: 'client-1',
+        publicKey: 'noise-public-key',
+        wgPublicKey: 'wg-public-key',
+      },
+      wireguardConfig: '[Interface]\nPrivateKey = old\nAddress = 10.8.0.2/24\n[Peer]\nAllowedIPs = 0.0.0.0/0\nEndpoint = vpn.example.com:51820\n',
+      secrets: { noisePrivateKey: 'noise-private-key', wgPrivateKey: 'wg-private-key' },
+    }),
+  };
+  (manager as any).clients = new Map([
+    ['client-1', { clientId: 'client-1', targetProfileIds: ['profile-1'] }],
+  ]);
+  (manager as any).persistClient = async () => {};
+
+  const bundle = await manager.rotateClientKey('client-1');
+
+  expect(bundle.wireguardConfig).toContain('AllowedIPs = 10.8.0.0/24, 203.0.113.10/32');
+});
+
+export default tap.start()

test/test.workapp-mail-manager.node.ts

@@ -0,0 +1,175 @@
+import { tap, expect } from '@git.zone/tstest/tapbundle';
+import { WorkAppMailManager } from '../ts/email/classes.workapp-mail-manager.js';
+import type { IUnifiedEmailServerOptions } from '@push.rocks/smartmta';
+
+class MemoryStorageManager {
+  public store = new Map<string, string>();
+
+  public async get(key: string): Promise<string | null> {
+    return this.store.get(key) || null;
+  }
+
+  public async set(key: string, value: string): Promise<void> {
+    this.store.set(key, value);
+  }
+}
+
+const createDcRouterStub = () => {
+  const storageManager = new MemoryStorageManager();
+  const emailConfig: IUnifiedEmailServerOptions = {
+    hostname: 'mail.example.com',
+    ports: [25, 587, 465],
+    domains: [
+      {
+        domain: 'example.com',
+        dnsMode: 'external-dns',
+      },
+    ],
+    routes: [
+      {
+        name: 'operator-route',
+        match: { recipients: 'ops@example.com' },
+        action: { type: 'reject', reject: { code: 550, message: 'not here' } },
+      },
+    ],
+    auth: {
+      users: [{ username: 'operator', password: 'secret' }],
+    },
+  };
+  const dcRouterRef: any = {
+    storageManager,
+    options: { emailConfig },
+    emailServer: {
+      updateOptions: (patch: Partial<IUnifiedEmailServerOptions>) => {
+        dcRouterRef.options.emailConfig = {
+          ...dcRouterRef.options.emailConfig,
+          ...patch,
+        };
+      },
+    },
+    updateEmailRoutes: async (routes: IUnifiedEmailServerOptions['routes']) => {
+      dcRouterRef.options.emailConfig.routes = routes;
+    },
+  };
+  return { dcRouterRef, storageManager };
+};
+
+tap.test('WorkAppMailManager syncs SMTP identity and inbound smartmta route', async () => {
+  const { dcRouterRef } = createDcRouterStub();
+  const manager = new WorkAppMailManager(dcRouterRef);
+
+  const createResult = await manager.syncMailIdentity({
+    ownership: {
+      workHosterType: 'onebox',
+      workHosterId: 'box-1',
+      workAppId: 'app-1',
+    },
+    localPart: 'Hello',
+    domain: 'Example.com',
+    inbound: {
+      enabled: true,
+      targetHost: '10.0.0.2',
+      targetPort: 2525,
+    },
+  }, 'tester');
+
+  expect(createResult.success).toEqual(true);
+  expect(createResult.action).toEqual('created');
+  expect(createResult.identity?.address).toEqual('hello@example.com');
+  expect(createResult.identity?.smtp.username.startsWith('workapp-')).toEqual(true);
+  expect((createResult.identity as any).smtpPassword).toBeUndefined();
+  expect(createResult.smtpCredentials?.password.length).toBeGreaterThan(20);
+
+  const generatedRoute = dcRouterRef.options.emailConfig.routes.find((route: any) => route.name.startsWith('workapp-mail-'));
+  expect(generatedRoute.match.recipients).toEqual('hello@example.com');
+  expect(generatedRoute.action.forward.host).toEqual('10.0.0.2');
+  expect(generatedRoute.action.forward.port).toEqual(2525);
+  expect(generatedRoute.action.forward.addHeaders['X-Dcrouter-WorkApp-Id']).toEqual('app-1');
+  expect(dcRouterRef.options.emailConfig.routes.some((route: any) => route.name === 'operator-route')).toEqual(true);
+
+  const generatedUser = dcRouterRef.options.emailConfig.auth.users.find((user: any) => user.username.startsWith('workapp-'));
+  expect(generatedUser.password).toEqual(createResult.smtpCredentials?.password);
+  expect(dcRouterRef.options.emailConfig.auth.users.some((user: any) => user.username === 'operator')).toEqual(true);
+
+  const listResult = await manager.listMailIdentities({ workAppId: 'app-1' });
+  expect(listResult.length).toEqual(1);
+  expect(listResult[0].address).toEqual('hello@example.com');
+});
+
+tap.test('WorkAppMailManager updates, resets credentials, and deletes identities', async () => {
+  const { dcRouterRef } = createDcRouterStub();
+  const manager = new WorkAppMailManager(dcRouterRef);
+  const ownership = {
+    workHosterType: 'onebox' as const,
+    workHosterId: 'box-1',
+    workAppId: 'app-1',
+  };
+
+  const createResult = await manager.syncMailIdentity({
+    ownership,
+    localPart: 'hello',
+    domain: 'example.com',
+    inbound: { enabled: true, targetHost: '10.0.0.2', targetPort: 2525 },
+  }, 'tester');
+  const firstPassword = createResult.smtpCredentials!.password;
+
+  const updateResult = await manager.syncMailIdentity({
+    ownership,
+    localPart: 'hello',
+    domain: 'example.com',
+    inbound: { enabled: true, targetHost: '10.0.0.3', targetPort: 2526 },
+  }, 'tester');
+  expect(updateResult.action).toEqual('updated');
+  expect(updateResult.smtpCredentials).toBeUndefined();
+  const generatedUser = dcRouterRef.options.emailConfig.auth.users.find((user: any) => user.username.startsWith('workapp-'));
+  expect(generatedUser.password).toEqual(firstPassword);
+  const generatedRoute = dcRouterRef.options.emailConfig.routes.find((route: any) => route.name.startsWith('workapp-mail-'));
+  expect(generatedRoute.action.forward.host).toEqual('10.0.0.3');
+
+  const resetResult = await manager.syncMailIdentity({
+    ownership,
+    localPart: 'hello',
+    domain: 'example.com',
+    resetSmtpPassword: true,
+  }, 'tester');
+  expect(resetResult.smtpCredentials?.password !== firstPassword).toEqual(true);
+
+  const deleteResult = await manager.syncMailIdentity({
+    ownership,
+    localPart: 'hello',
+    domain: 'example.com',
+    delete: true,
+  }, 'tester');
+  expect(deleteResult.action).toEqual('deleted');
+  expect(dcRouterRef.options.emailConfig.routes.some((route: any) => route.name.startsWith('workapp-mail-'))).toEqual(false);
+  expect(dcRouterRef.options.emailConfig.auth.users.some((user: any) => user.username.startsWith('workapp-'))).toEqual(false);
+  expect(dcRouterRef.options.emailConfig.auth.users.some((user: any) => user.username === 'operator')).toEqual(true);
+});
+
+tap.test('WorkAppMailManager applies persisted identities to startup email config', async () => {
+  const { dcRouterRef } = createDcRouterStub();
+  const manager = new WorkAppMailManager(dcRouterRef);
+  await manager.syncMailIdentity({
+    ownership: {
+      workHosterType: 'onebox',
+      workHosterId: 'box-1',
+      workAppId: 'app-1',
+    },
+    localPart: 'hello',
+    domain: 'example.com',
+    inbound: { enabled: true, targetHost: '10.0.0.2', targetPort: 2525 },
+  }, 'tester');
+
+  const baseStartupConfig: IUnifiedEmailServerOptions = {
+    hostname: 'mail.example.com',
+    ports: [25],
+    domains: [{ domain: 'example.com', dnsMode: 'external-dns' }],
+    routes: [],
+  };
+  const startupConfig = await manager.applyStoredIdentitiesToEmailConfig(baseStartupConfig);
+
+  expect(startupConfig.routes.some((route) => route.name.startsWith('workapp-mail-'))).toEqual(true);
+  expect(startupConfig.auth?.users?.some((user) => user.username.startsWith('workapp-'))).toEqual(true);
+});
+
+export default tap.start();

test/test.workhoster-handler.node.ts

@@ -0,0 +1,562 @@
+import { tap, expect } from '@git.zone/tstest/tapbundle';
+import { WorkHosterHandler } from '../ts/opsserver/handlers/workhoster.handler.js';
+import * as plugins from '../ts/plugins.js';
+import * as interfaces from '../ts_interfaces/index.js';
+
+type TScope = interfaces.data.TApiTokenScope;
+
+const fireTypedRequest = async (
+  router: plugins.typedrequest.TypedRouter,
+  method: string,
+  request: Record<string, any>,
+) => {
+  return await router.routeAndAddResponse({
+    method,
+    request,
+    response: {},
+    correlation: {
+      id: `${method}-${Date.now()}-${Math.random().toString(16).slice(2)}`,
+      phase: 'request',
+    },
+  } as any, { localRequest: true, skipHooks: true }) as any;
+};
+
+const makeApiTokenManager = (
+  scopes: TScope[],
+  policy?: interfaces.data.IApiTokenPolicy,
+) => {
+  const token = {
+    id: 'token-1',
+    name: 'workhoster-test-token',
+    scopes,
+    createdBy: 'token-user',
+    createdAt: Date.now(),
+    expiresAt: null,
+    lastUsedAt: null,
+    enabled: true,
+    policy,
+  } as interfaces.data.IStoredApiToken;
+
+  return {
+    validateToken: async (rawToken: string) => rawToken === 'valid-token' ? token : null,
+    hasScope: (storedToken: interfaces.data.IStoredApiToken, scope: TScope) => {
+      if (storedToken.policy?.role === 'admin') return true;
+      const isGatewayClientToken = storedToken.policy?.role === 'gatewayClient';
+      const gatewayClientAllowedScopes = new Set<TScope>([
+        'gateway-clients:read',
+        'gateway-clients:write',
+        'workhosters:read',
+        'workhosters:write',
+      ]);
+      if (isGatewayClientToken && !gatewayClientAllowedScopes.has(scope)) return false;
+      if (!isGatewayClientToken && storedToken.scopes.includes('*')) return true;
+      const scopes = new Set(storedToken.scopes);
+      for (const policyScope of storedToken.policy?.scopes || []) {
+        scopes.add(policyScope);
+      }
+      const compatibilityAliases: Partial<Record<TScope, TScope[]>> = {
+        'gateway-clients:read': ['workhosters:read'],
+        'gateway-clients:write': ['workhosters:write'],
+        'workhosters:read': ['gateway-clients:read'],
+        'workhosters:write': ['gateway-clients:write'],
+      };
+      return scopes.has(scope) || Boolean(compatibilityAliases[scope]?.some((alias) => scopes.has(alias)));
+    },
+  };
+};
+
+const makeRouteConfigManager = () => {
+  const routes = new Map<string, interfaces.data.IRoute>();
+  let nextRouteNumber = 1;
+
+  return {
+    routes,
+    manager: {
+      findApiRouteByExternalKey: (externalKey: string) => {
+        return Array.from(routes.values()).find((route) =>
+          route.origin === 'api' && route.metadata?.externalKey === externalKey,
+        );
+      },
+      createRoute: async (
+        route: interfaces.data.IDcRouterRouteConfig,
+        createdBy: string,
+        enabled = true,
+        metadata?: interfaces.data.IRouteMetadata,
+      ) => {
+        const id = `route-${nextRouteNumber++}`;
+        routes.set(id, {
+          id,
+          route,
+          enabled,
+          createdBy,
+          createdAt: Date.now(),
+          updatedAt: Date.now(),
+          origin: 'api',
+          metadata,
+        });
+        return id;
+      },
+      updateRoute: async (
+        id: string,
+        patch: {
+          route?: Partial<interfaces.data.IDcRouterRouteConfig>;
+          enabled?: boolean;
+          metadata?: Partial<interfaces.data.IRouteMetadata>;
+        },
+      ) => {
+        const storedRoute = routes.get(id);
+        if (!storedRoute) return { success: false, message: 'Route not found' };
+        if (patch.route) {
+          storedRoute.route = { ...storedRoute.route, ...patch.route } as interfaces.data.IDcRouterRouteConfig;
+        }
+        if (patch.enabled !== undefined) {
+          storedRoute.enabled = patch.enabled;
+        }
+        if (patch.metadata) {
+          storedRoute.metadata = { ...storedRoute.metadata, ...patch.metadata };
+        }
+        storedRoute.updatedAt = Date.now();
+        return { success: true };
+      },
+      deleteRoute: async (id: string) => {
+        const deleted = routes.delete(id);
+        return deleted ? { success: true } : { success: false, message: 'Route not found' };
+      },
+    },
+  };
+};
+
+const setupHandler = (options: {
+  scopes: TScope[];
+  policy?: interfaces.data.IApiTokenPolicy;
+  isAdmin?: boolean;
+  dcRouterRef?: Record<string, any>;
+}) => {
+  const typedrouter = new plugins.typedrequest.TypedRouter();
+  const opsServerRef: any = {
+    typedrouter,
+    adminHandler: {
+      adminIdentityGuard: {
+        exec: async () => Boolean(options.isAdmin),
+      },
+    },
+    dcRouterRef: {
+      options: {},
+      apiTokenManager: makeApiTokenManager(options.scopes, options.policy),
+      ...options.dcRouterRef,
+    },
+  };
+
+  new WorkHosterHandler(opsServerRef);
+  return { typedrouter, opsServerRef };
+};
+
+tap.test('WorkHosterHandler exposes capabilities and managed domains with workhosters:read', async () => {
+  const { typedrouter } = setupHandler({
+    scopes: ['workhosters:read'],
+    dcRouterRef: {
+      options: {
+        remoteIngressConfig: { enabled: true },
+        dnsScopes: ['example.com'],
+        http3: { enabled: false },
+      },
+      routeConfigManager: {
+        getMergedRoutes: () => ({ routes: [] }),
+      },
+      smartProxy: {},
+      emailDomainManager: {},
+      emailServer: {},
+      dnsManager: {
+        listDomains: async () => [
+          { id: 'domain-1', name: 'example.com', source: 'dcrouter', authoritative: true },
+          { id: 'domain-2', name: 'provider.example', source: 'provider', providerId: 'cloudflare-1', authoritative: false },
+        ],
+        toPublicDomain: (domainDoc: any) => ({
+          ...domainDoc,
+          createdAt: 1,
+          updatedAt: 1,
+          createdBy: 'test',
+        }),
+      },
+    },
+  });
+
+  const capabilitiesResult = await fireTypedRequest(typedrouter, 'getGatewayCapabilities', {
+    apiToken: 'valid-token',
+  });
+  expect(capabilitiesResult.error).toBeUndefined();
+  expect(capabilitiesResult.response.capabilities.routes.idempotentSync).toEqual(true);
+  expect(capabilitiesResult.response.capabilities.domains.read).toEqual(true);
+  expect(capabilitiesResult.response.capabilities.certificates.export).toEqual(true);
+  expect(capabilitiesResult.response.capabilities.email.inbound).toEqual(true);
+  expect(capabilitiesResult.response.capabilities.remoteIngress.enabled).toEqual(true);
+  expect(capabilitiesResult.response.capabilities.dns.authoritative).toEqual(true);
+  expect(capabilitiesResult.response.capabilities.http3.enabled).toEqual(false);
+
+  const domainsResult = await fireTypedRequest(typedrouter, 'getWorkHosterDomains', {
+    apiToken: 'valid-token',
+  });
+  expect(domainsResult.error).toBeUndefined();
+  expect(domainsResult.response.domains.length).toEqual(2);
+  expect(domainsResult.response.domains[0].capabilities.canCreateSubdomains).toEqual(true);
+  expect(domainsResult.response.domains[1].capabilities.canManageDnsRecords).toEqual(true);
+  expect(domainsResult.response.domains[1].capabilities.canIssueCertificates).toEqual(true);
+  expect(domainsResult.response.domains[1].capabilities.canHostEmail).toEqual(true);
+});
+
+tap.test('WorkHosterHandler syncs WorkApp routes idempotently with workhosters:write', async () => {
+  const routeConfig = makeRouteConfigManager();
+  const { typedrouter } = setupHandler({
+    scopes: ['workhosters:write'],
+    dcRouterRef: {
+      options: {},
+      routeConfigManager: routeConfig.manager,
+    },
+  });
+  const ownership: interfaces.data.IWorkAppRouteOwnership = {
+    workHosterType: 'onebox',
+    workHosterId: 'box-1',
+    workAppId: 'app-1',
+    hostname: 'app.example.com',
+  };
+
+  const createResult = await fireTypedRequest(typedrouter, 'syncWorkAppRoute', {
+    apiToken: 'valid-token',
+    ownership,
+    route: {
+      match: { ports: [443], domains: ['app.example.com'] },
+      action: {
+        type: 'forward',
+        targets: [{ host: '10.0.0.2', port: 8080 }],
+        tls: { mode: 'terminate', certificate: 'auto' },
+      },
+    },
+  });
+
+  expect(createResult.error).toBeUndefined();
+  expect(createResult.response).toEqual({ success: true, action: 'created', routeId: 'route-1' });
+  expect(routeConfig.routes.size).toEqual(1);
+
+  const createdRoute = routeConfig.routes.get('route-1')!;
+  expect(createdRoute.createdBy).toEqual('token-user');
+  expect(createdRoute.route.name?.startsWith('gateway-client-onebox-box-1-app-1-app-example-com')).toEqual(true);
+  expect(createdRoute.metadata).toEqual({
+    ownerType: 'gatewayClient',
+    gatewayClientType: 'onebox',
+    gatewayClientId: 'box-1',
+    gatewayClientAppId: 'app-1',
+    workHosterType: 'onebox',
+    workHosterId: 'box-1',
+    workAppId: 'app-1',
+    externalKey: 'onebox:box-1:app-1:app.example.com',
+  });
+
+  const updateResult = await fireTypedRequest(typedrouter, 'syncWorkAppRoute', {
+    apiToken: 'valid-token',
+    ownership,
+    enabled: false,
+    route: {
+      name: 'updated-workapp-route',
+      match: { ports: [443], domains: ['app.example.com'] },
+      action: {
+        type: 'forward',
+        targets: [{ host: '10.0.0.3', port: 3000 }],
+        tls: { mode: 'terminate', certificate: 'auto' },
+      },
+    },
+  });
+
+  expect(updateResult.error).toBeUndefined();
+  expect(updateResult.response).toEqual({ success: true, action: 'updated', routeId: 'route-1' });
+  expect(routeConfig.routes.size).toEqual(1);
+  expect(routeConfig.routes.get('route-1')?.enabled).toEqual(false);
+  expect(routeConfig.routes.get('route-1')?.route.name).toEqual('updated-workapp-route');
+  expect(routeConfig.routes.get('route-1')?.route.action.targets?.[0].host).toEqual('10.0.0.3');
+
+  const deleteResult = await fireTypedRequest(typedrouter, 'syncWorkAppRoute', {
+    apiToken: 'valid-token',
+    ownership,
+    delete: true,
+  });
+
+  expect(deleteResult.error).toBeUndefined();
+  expect(deleteResult.response).toEqual({ success: true, action: 'deleted', routeId: 'route-1' });
+  expect(routeConfig.routes.size).toEqual(0);
+
+  const unchangedResult = await fireTypedRequest(typedrouter, 'syncWorkAppRoute', {
+    apiToken: 'valid-token',
+    ownership,
+    delete: true,
+  });
+
+  expect(unchangedResult.error).toBeUndefined();
+  expect(unchangedResult.response).toEqual({ success: true, action: 'unchanged' });
+});
+
+tap.test('WorkHosterHandler exposes gateway client context for token-bound clients', async () => {
+  const { typedrouter } = setupHandler({
+    scopes: ['gateway-clients:read'],
+    policy: {
+      role: 'gatewayClient',
+      gatewayClient: { type: 'onebox', id: 'box-policy' },
+      hostnamePatterns: ['*.example.com'],
+      allowedRouteTargets: [{ host: '10.0.0.2', ports: [8080] }],
+      capabilities: {
+        readDomains: true,
+        readDnsRecords: true,
+        syncRoutes: true,
+      },
+    },
+    dcRouterRef: { options: {} },
+  });
+
+  const result = await fireTypedRequest(typedrouter, 'getGatewayClientContext', {
+    apiToken: 'valid-token',
+  });
+
+  expect(result.error).toBeUndefined();
+  expect(result.response.context.gatewayClient).toEqual({ type: 'onebox', id: 'box-policy' });
+  expect(result.response.context.hostnamePatterns).toEqual(['*.example.com']);
+  expect(result.response.context.capabilities.syncRoutes).toEqual(true);
+});
+
+tap.test('WorkHosterHandler derives route ownership from gateway client token policy', async () => {
+  const routeConfig = makeRouteConfigManager();
+  const { typedrouter } = setupHandler({
+    scopes: ['gateway-clients:write'],
+    policy: {
+      role: 'gatewayClient',
+      gatewayClient: { type: 'onebox', id: 'box-policy' },
+      hostnamePatterns: ['*.example.com'],
+      allowedRouteTargets: [{ host: '10.0.0.2', ports: [8080] }],
+      capabilities: { syncRoutes: true },
+    },
+    dcRouterRef: {
+      options: {},
+      routeConfigManager: routeConfig.manager,
+    },
+  });
+
+  const createResult = await fireTypedRequest(typedrouter, 'syncGatewayClientRoute', {
+    apiToken: 'valid-token',
+    ownership: {
+      appId: 'app-1',
+      hostname: 'app.example.com',
+    },
+    route: {
+      match: { ports: [443], domains: ['app.example.com'] },
+      action: {
+        type: 'forward',
+        targets: [{ host: '10.0.0.2', port: 8080 }],
+        tls: { mode: 'terminate', certificate: 'auto' },
+      },
+    },
+  });
+
+  expect(createResult.error).toBeUndefined();
+  expect(createResult.response).toEqual({ success: true, action: 'created', routeId: 'route-1' });
+  expect(routeConfig.routes.get('route-1')?.metadata?.gatewayClientId).toEqual('box-policy');
+  expect(routeConfig.routes.get('route-1')?.metadata?.externalKey).toEqual('onebox:box-policy:app-1:app.example.com');
+
+  const spoofResult = await fireTypedRequest(typedrouter, 'syncGatewayClientRoute', {
+    apiToken: 'valid-token',
+    ownership: {
+      gatewayClientType: 'onebox',
+      gatewayClientId: 'other-box',
+      appId: 'app-1',
+      hostname: 'app.example.com',
+    },
+    delete: true,
+  });
+
+  expect(spoofResult.error?.text).toEqual('gateway client token cannot act for this ownership');
+});
+
+tap.test('WorkHosterHandler manages durable gateway clients and creates scoped tokens', async () => {
+  const identity: interfaces.data.IIdentity = {
+    jwt: 'admin-jwt',
+    userId: 'admin-user',
+    name: 'admin',
+    expiresAt: Date.now() + 3600000,
+  };
+  const gatewayClient: interfaces.data.IGatewayClient = {
+    id: 'onebox-main',
+    type: 'onebox',
+    name: 'Main Onebox',
+    hostnamePatterns: ['*.apps.example.com'],
+    allowedRouteTargets: [{ host: 'onebox-smartproxy', ports: [80] }],
+    capabilities: { readDomains: true, readDnsRecords: true, syncRoutes: true },
+    enabled: true,
+    createdAt: 1,
+    updatedAt: 1,
+    createdBy: 'admin-user',
+  };
+  let createdTokenPolicy: interfaces.data.IApiTokenPolicy | undefined;
+  const { typedrouter } = setupHandler({
+    scopes: [],
+    isAdmin: true,
+    dcRouterRef: {
+      options: {},
+      gatewayClientManager: {
+        listClients: async () => [gatewayClient],
+        getClient: async (id: string) => id === gatewayClient.id ? gatewayClient : null,
+      },
+      apiTokenManager: {
+        listTokens: () => [{
+          id: 'token-1',
+          name: 'token',
+          scopes: ['gateway-clients:read'],
+          policy: { role: 'gatewayClient', gatewayClient: { type: 'onebox', id: 'onebox-main' } },
+          createdAt: 1,
+          expiresAt: null,
+          lastUsedAt: null,
+          enabled: true,
+        }],
+        createToken: async (
+          _name: string,
+          _scopes: TScope[],
+          _expiresInDays: number | null,
+          _createdBy: string,
+          policy?: interfaces.data.IApiTokenPolicy,
+        ) => {
+          createdTokenPolicy = policy;
+          return { id: 'new-token', rawToken: 'dcr_created' };
+        },
+      },
+    },
+  });
+
+  const listResult = await fireTypedRequest(typedrouter, 'listGatewayClients', { identity });
+  expect(listResult.error).toBeUndefined();
+  expect(listResult.response.gatewayClients[0].tokenCount).toEqual(1);
+
+  const tokenResult = await fireTypedRequest(typedrouter, 'createGatewayClientToken', {
+    identity,
+    gatewayClientId: 'onebox-main',
+  });
+  expect(tokenResult.error).toBeUndefined();
+  expect(tokenResult.response.tokenValue).toEqual('dcr_created');
+  expect(createdTokenPolicy?.gatewayClient).toEqual({ type: 'onebox', id: 'onebox-main' });
+  expect(createdTokenPolicy?.allowedRouteTargets).toEqual([{ host: 'onebox-smartproxy', ports: [80] }]);
+});
+
+tap.test('WorkHosterHandler rejects WorkApp route sync without workhosters:write', async () => {
+  const routeConfig = makeRouteConfigManager();
+  const { typedrouter } = setupHandler({
+    scopes: ['workhosters:read'],
+    dcRouterRef: {
+      options: {},
+      routeConfigManager: routeConfig.manager,
+    },
+  });
+
+  const result = await fireTypedRequest(typedrouter, 'syncWorkAppRoute', {
+    apiToken: 'valid-token',
+    ownership: {
+      workHosterType: 'onebox',
+      workHosterId: 'box-1',
+      workAppId: 'app-1',
+      hostname: 'app.example.com',
+    },
+    delete: true,
+  });
+
+  expect(result.error?.text).toEqual('insufficient scope');
+  expect(routeConfig.routes.size).toEqual(0);
+});
+
+tap.test('WorkHosterHandler exposes and syncs WorkApp mail identities', async () => {
+  const syncedRequests: Array<{ data: any; userId: string }> = [];
+  const identity: interfaces.data.IWorkAppMailIdentity = {
+    id: 'mail-1',
+    externalKey: 'onebox:box-1:app-1:hello@example.com',
+    ownership: {
+      workHosterType: 'onebox',
+      workHosterId: 'box-1',
+      workAppId: 'app-1',
+    },
+    address: 'hello@example.com',
+    localPart: 'hello',
+    domain: 'example.com',
+    enabled: true,
+    inbound: {
+      enabled: true,
+      targetHost: '10.0.0.2',
+      targetPort: 2525,
+    },
+    smtp: {
+      enabled: true,
+      username: 'workapp-user',
+    },
+    createdAt: 1,
+    updatedAt: 1,
+    createdBy: 'token-user',
+  };
+  const { typedrouter } = setupHandler({
+    scopes: ['workhosters:read', 'workhosters:write'],
+    dcRouterRef: {
+      options: {},
+      workAppMailManager: {
+        listMailIdentities: async (filter: any) => filter.workAppId === 'app-1' ? [identity] : [],
+        syncMailIdentity: async (data: any, userId: string) => {
+          syncedRequests.push({ data, userId });
+          return {
+            success: true,
+            action: 'created',
+            identity,
+            smtpCredentials: {
+              username: 'workapp-user',
+              password: 'generated-password',
+            },
+          };
+        },
+      },
+    },
+  });
+
+  const listResult = await fireTypedRequest(typedrouter, 'getWorkAppMailIdentities', {
+    apiToken: 'valid-token',
+    ownership: { workAppId: 'app-1' },
+  });
+  expect(listResult.error).toBeUndefined();
+  expect(listResult.response.identities).toEqual([identity]);
+
+  const syncResult = await fireTypedRequest(typedrouter, 'syncWorkAppMailIdentity', {
+    apiToken: 'valid-token',
+    ownership: identity.ownership,
+    localPart: 'hello',
+    domain: 'example.com',
+    inbound: identity.inbound,
+  });
+  expect(syncResult.error).toBeUndefined();
+  expect(syncResult.response.success).toEqual(true);
+  expect(syncResult.response.smtpCredentials.password).toEqual('generated-password');
+  expect(syncedRequests[0].userId).toEqual('token-user');
+});
+
+tap.test('WorkHosterHandler rejects WorkApp mail sync without workhosters:write', async () => {
+  const { typedrouter } = setupHandler({
+    scopes: ['workhosters:read'],
+    dcRouterRef: {
+      options: {},
+      workAppMailManager: {
+        syncMailIdentity: async () => ({ success: true }),
+      },
+    },
+  });
+
+  const result = await fireTypedRequest(typedrouter, 'syncWorkAppMailIdentity', {
+    apiToken: 'valid-token',
+    ownership: {
+      workHosterType: 'onebox',
+      workHosterId: 'box-1',
+      workAppId: 'app-1',
+    },
+    localPart: 'hello',
+    domain: 'example.com',
+  });
+
+  expect(result.error?.text).toEqual('insufficient scope');
+});
+
+export default tap.start();

test/test_latest.sh

@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+node --input-type=module <<'NODE'
+import fs from 'node:fs';
+
+const readJson = (path) => JSON.parse(fs.readFileSync(path, 'utf8'));
+
+const checks = {
+  packageVersion: readJson('/app/package.json').version,
+  interfacesVersion: readJson('/app/node_modules/@serve.zone/interfaces/package.json').version,
+  remoteingressVersion: readJson('/app/node_modules/@serve.zone/remoteingress/package.json').version,
+  hasCli: fs.existsSync('/app/cli.js'),
+  hasWebBundle: fs.existsSync('/app/dist_serve/bundle.js'),
+};
+
+await import('/app/dist_ts/index.js');
+
+if (checks.packageVersion !== '13.25.0') {
+  throw new Error(`Unexpected dcrouter package version ${checks.packageVersion}`);
+}
+if (checks.interfacesVersion !== '5.4.6') {
+  throw new Error(`Unexpected interfaces version ${checks.interfacesVersion}`);
+}
+if (checks.remoteingressVersion !== '4.17.1') {
+  throw new Error(`Unexpected remoteingress version ${checks.remoteingressVersion}`);
+}
+if (!checks.hasCli) {
+  throw new Error('Missing cli.js');
+}
+if (!checks.hasWebBundle) {
+  throw new Error('Missing web bundle');
+}
+
+console.log(JSON.stringify(checks));
+NODE

ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@serve.zone/dcrouter',
-  version: '13.20.0',
+  version: '13.29.0',
   description: 'A multifaceted routing service handling mail and SMS delivery functions.'
 }

ts/classes.dcrouter.ts

@@ -25,13 +25,15 @@ import { MetricsManager } from './monitoring/index.js';
 import { RadiusServer, type IRadiusServerConfig } from './radius/index.js';
 import { RemoteIngressManager, TunnelManager } from './remoteingress/index.js';
 import { VpnManager, type IVpnManagerConfig } from './vpn/index.js';
-import { RouteConfigManager, ApiTokenManager, ReferenceResolver, DbSeeder, TargetProfileManager } from './config/index.js';
-import { SecurityLogger, ContentScanner, IPReputationChecker } from './security/index.js';
+import { RouteConfigManager, ApiTokenManager, GatewayClientManager, ReferenceResolver, DbSeeder, TargetProfileManager } from './config/index.js';
+import type { TIpAllowEntry } from './config/classes.route-config-manager.js';
+import { SecurityLogger, ContentScanner, IPReputationChecker, SecurityPolicyManager } from './security/index.js';
 import { type IHttp3Config, augmentRoutesWithHttp3 } from './http3/index.js';
 import { DnsManager } from './dns/manager.dns.js';
 import { AcmeConfigManager } from './acme/manager.acme-config.js';
-import { EmailDomainManager, SmartMtaStorageManager, buildEmailDnsRecords } from './email/index.js';
+import { EmailDomainManager, SmartMtaStorageManager, WorkAppMailManager, buildEmailDnsRecords } from './email/index.js';
 import type { IRoute } from '../ts_interfaces/data/route-management.js';
+import type { ISecurityCompiledPolicy } from '../ts_interfaces/data/security-policy.js';
 
 export interface IDcRouterOptions {
   /** Base directory for all dcrouter data. Defaults to ~/.serve.zone/dcrouter */
@@ -165,6 +167,14 @@ export interface IDcRouterOptions {
   /** Port for the OpsServer web UI (default: 3000) */
   opsServerPort?: number;
 
+  /** Optional OpsServer account authentication settings. */
+  adminAuth?: {
+    /** Base URL for idp.global password authentication. Can also be set through DCROUTER_IDP_GLOBAL_URL. */
+    idpGlobalUrl?: string;
+    /** Test/integration hook for injecting an idp.global-compatible password client. */
+    idpClient?: Pick<plugins.idpSdkServer.IdpGlobalServerClient, 'loginWithEmailAndPassword' | 'stop'>;
+  };
+
   remoteIngressConfig?: {
     /** Enable remote ingress hub (default: false) */
     enabled?: boolean;
@@ -177,6 +187,8 @@ export interface IDcRouterOptions {
       certPath?: string;
       keyPath?: string;
     };
+    /** Performance profile and limits for remote ingress hub/edge tunnels. */
+    performance?: import('../ts_interfaces/data/remoteingress.js').IRemoteIngressPerformanceConfig;
   };
 
   /**
@@ -272,6 +284,7 @@ export class DcRouter {
   // Programmatic config API
   public routeConfigManager?: RouteConfigManager;
   public apiTokenManager?: ApiTokenManager;
+  public gatewayClientManager?: GatewayClientManager;
   public referenceResolver?: ReferenceResolver;
   public targetProfileManager?: TargetProfileManager;
 
@@ -281,6 +294,8 @@ export class DcRouter {
   // ACME configuration (DB-backed singleton, replaces tls.contactEmail)
   public acmeConfigManager?: AcmeConfigManager;
   public emailDomainManager?: EmailDomainManager;
+  public workAppMailManager: WorkAppMailManager;
+  public securityPolicyManager?: SecurityPolicyManager;
 
   // Auto-discovered public IP (populated by generateAuthoritativeRecords)
   public detectedPublicIp: string | null = null;
@@ -334,6 +349,7 @@ export class DcRouter {
     this.storageManager = new SmartMtaStorageManager(
       plugins.path.join(this.resolvedPaths.dataDir, 'smartmta-storage')
     );
+    this.workAppMailManager = new WorkAppMailManager(this);
 
     // Initialize service manager and register all services
     this.serviceManager = new plugins.taskbuffer.ServiceManager({
@@ -468,12 +484,36 @@ export class DcRouter {
       );
     }
 
+    // SecurityPolicyManager: optional, depends on DcRouterDb — owns IP intelligence
+    // and compiles the global block policy for SmartProxy and remote ingress edges.
+    if (this.options.dbConfig?.enabled !== false) {
+      this.serviceManager.addService(
+        new plugins.taskbuffer.Service('SecurityPolicyManager')
+          .optional()
+          .dependsOn('DcRouterDb')
+          .withStart(async () => {
+            this.securityPolicyManager = new SecurityPolicyManager({
+              onPolicyChanged: () => this.applySecurityPolicy(),
+            });
+            await this.securityPolicyManager.start();
+          })
+          .withStop(async () => {
+            if (this.securityPolicyManager) {
+              await this.securityPolicyManager.stop();
+              this.securityPolicyManager = undefined;
+            }
+          })
+          .withRetry({ maxRetries: 1, baseDelayMs: 500 }),
+      );
+    }
+
     // SmartProxy: critical, depends on DcRouterDb + DnsManager + AcmeConfigManager (if enabled)
     const smartProxyDeps: string[] = [];
     if (this.options.dbConfig?.enabled !== false) {
       smartProxyDeps.push('DcRouterDb');
       smartProxyDeps.push('DnsManager');
       smartProxyDeps.push('AcmeConfigManager');
+      smartProxyDeps.push('SecurityPolicyManager');
     }
     this.serviceManager.addService(
       new plugins.taskbuffer.Service('SmartProxy')
@@ -565,29 +605,20 @@ export class DcRouter {
             this.routeConfigManager = new RouteConfigManager(
               () => this.smartProxy,
               () => this.options.http3,
-              this.options.vpnConfig?.enabled
-                ? (route: import('../ts_interfaces/data/remoteingress.js').IDcRouterRouteConfig, routeId?: string) => {
-                    if (!this.vpnManager || !this.targetProfileManager) {
-                      // VPN not ready yet — deny all until re-apply after VPN starts
-                      return [];
-                    }
-                    return this.targetProfileManager.getMatchingClientIps(
-                      route,
-                      routeId,
-                      this.vpnManager.listClients(),
-                      this.routeConfigManager?.getRoutes() || new Map(),
-                    );
-                  }
-                : undefined,
+              this.createVpnRouteAllowListResolver(),
               this.referenceResolver,
               // Sync routes to RemoteIngressManager whenever routes change,
               // then push updated derived ports to the Rust hub binary
-              (routes) => {
+              async (routes) => {
                 if (this.remoteIngressManager) {
                   this.remoteIngressManager.setRoutes(routes as any[]);
                 }
                 if (this.tunnelManager) {
-                  this.tunnelManager.syncAllowedEdges();
+                  try {
+                    await this.tunnelManager.syncAllowedEdges();
+                  } catch (err: unknown) {
+                    logger.log('error', `Failed to sync Remote Ingress allowed edges: ${(err as Error).message}`);
+                  }
                 }
               },
               undefined,
@@ -595,6 +626,8 @@ export class DcRouter {
             );
             this.apiTokenManager = new ApiTokenManager();
             await this.apiTokenManager.initialize();
+            this.gatewayClientManager = new GatewayClientManager();
+            await this.gatewayClientManager.initialize();
             await this.routeConfigManager.initialize(
               this.seedConfigRoutes as import('../ts_interfaces/data/remoteingress.js').IDcRouterRouteConfig[],
               this.seedEmailRoutes as import('../ts_interfaces/data/remoteingress.js').IDcRouterRouteConfig[],
@@ -612,6 +645,7 @@ export class DcRouter {
           .withStop(async () => {
             this.routeConfigManager = undefined;
             this.apiTokenManager = undefined;
+            this.gatewayClientManager = undefined;
             this.referenceResolver = undefined;
             this.targetProfileManager = undefined;
           })
@@ -714,10 +748,14 @@ export class DcRouter {
 
     // VPN Server: optional, depends on SmartProxy
     if (this.options.vpnConfig?.enabled) {
+      const vpnServiceDeps = ['SmartProxy'];
+      if (this.options.dbConfig?.enabled !== false) {
+        vpnServiceDeps.push('ConfigManagers');
+      }
       this.serviceManager.addService(
         new plugins.taskbuffer.Service('VpnServer')
           .optional()
-          .dependsOn('SmartProxy')
+          .dependsOn(...vpnServiceDeps)
           .withStart(async () => {
             await this.setupVpnServer();
           })
@@ -977,6 +1015,12 @@ export class DcRouter {
       logger.log('info', 'HTTP/3: Augmented qualifying HTTPS routes with QUIC/H3 configuration');
     }
 
+    const compiledSecurityPolicy = await this.securityPolicyManager?.compileSmartProxyPolicy();
+    const mergedSecurityPolicy = this.mergeSecurityPolicies(
+      (this.options.smartProxyConfig as any)?.securityPolicy,
+      compiledSecurityPolicy,
+    );
+
     // If we have routes or need a basic SmartProxy instance, create it
     if (routes.length > 0 || this.options.smartProxyConfig) {
       logger.log('info', 'Setting up SmartProxy with combined configuration');
@@ -1008,6 +1052,7 @@ export class DcRouter {
         // --- always set by dcrouter (after spread) ---
         routes,
         acme: acmeConfig,
+        ...(mergedSecurityPolicy ? { securityPolicy: mergedSecurityPolicy } as any : {}),
         certStore: {
           loadAll: async () => {
             const docs = await ProxyCertDoc.findAll();
@@ -1072,6 +1117,7 @@ export class DcRouter {
         });
 
         const scheduler = this.certProvisionScheduler;
+        smartProxyConfig.certProvisionFallbackToAcme = false;
         smartProxyConfig.certProvisionFunction = async (domain, eventComms) => {
           // If SmartAcme is not yet ready (still starting or retrying), fall back to HTTP-01
           if (!this.smartAcmeReady) {
@@ -1120,10 +1166,10 @@ export class DcRouter {
             await scheduler.clearBackoff(domain);
             return result;
           } catch (err: unknown) {
-            // Record failure for backoff tracking
-            await scheduler.recordFailure(domain, (err as Error).message);
-            eventComms.warn(`SmartAcme DNS-01 failed for ${domain}: ${(err as Error).message}, falling back to http-01`);
-            return 'http01';
+            const message = `DNS-01 failed for ${domain}: ${(err as Error).message}`;
+            await scheduler.recordFailure(domain, message);
+            eventComms.warn(message);
+            throw new Error(message);
           }
         };
       }
@@ -1132,7 +1178,12 @@ export class DcRouter {
       // to SmartProxy with PROXY protocol v1 headers to preserve client IPs.
       if (this.options.remoteIngressConfig?.enabled) {
         smartProxyConfig.acceptProxyProtocol = true;
-        smartProxyConfig.proxyIPs = ['127.0.0.1'];
+        if (!smartProxyConfig.proxyIPs) {
+          smartProxyConfig.proxyIPs = [];
+        }
+        if (!smartProxyConfig.proxyIPs.includes('127.0.0.1')) {
+          smartProxyConfig.proxyIPs.push('127.0.0.1');
+        }
       }
 
       // VPN uses socket mode with PP v2 — SmartProxy must accept proxy protocol from localhost
@@ -1245,8 +1296,60 @@ export class DcRouter {
       logger.log('info', `SmartProxy started with ${routes.length} routes`);
     }
   }
-  
-  
+
+  public async applySecurityPolicy(): Promise<void> {
+    if (!this.securityPolicyManager) {
+      return;
+    }
+
+    const compiledSmartProxyPolicy = await this.securityPolicyManager.compileSmartProxyPolicy();
+    const mergedSecurityPolicy = this.mergeSecurityPolicies(
+      (this.options.smartProxyConfig as any)?.securityPolicy,
+      compiledSmartProxyPolicy,
+    );
+
+    if (this.smartProxy && mergedSecurityPolicy) {
+      const smartProxyWithPolicyApi = this.smartProxy as any;
+      if (typeof smartProxyWithPolicyApi.updateSecurityPolicy === 'function') {
+        await smartProxyWithPolicyApi.updateSecurityPolicy(mergedSecurityPolicy);
+      }
+    }
+
+    const firewallConfig = await this.securityPolicyManager.compileRemoteIngressFirewall();
+    if (this.remoteIngressManager) {
+      (this.remoteIngressManager as any).setFirewallConfig?.(firewallConfig);
+    }
+    if (this.tunnelManager) {
+      await this.tunnelManager.syncAllowedEdges();
+    }
+  }
+
+  private mergeSecurityPolicies(
+    ...policies: Array<Partial<ISecurityCompiledPolicy> | undefined>
+  ): ISecurityCompiledPolicy | undefined {
+    const blockedIps = new Set<string>();
+    const blockedCidrs = new Set<string>();
+
+    for (const policy of policies) {
+      for (const ip of policy?.blockedIps || []) {
+        if (ip) blockedIps.add(ip);
+      }
+      for (const cidr of policy?.blockedCidrs || []) {
+        if (cidr) blockedCidrs.add(cidr);
+      }
+    }
+
+    if (blockedIps.size === 0 && blockedCidrs.size === 0) {
+      return undefined;
+    }
+
+    return {
+      blockedIps: [...blockedIps].sort(),
+      blockedCidrs: [...blockedCidrs].sort(),
+    };
+  }
+   
+   
 
   /**
    * Generate SmartProxy routes for email configuration
@@ -1546,7 +1649,7 @@ export class DcRouter {
     }
     
     // Create config with mapped ports
-    const emailConfig: IUnifiedEmailServerOptions = {
+    const emailConfig: IUnifiedEmailServerOptions = await this.workAppMailManager.applyStoredIdentitiesToEmailConfig({
       ...this.options.emailConfig,
       domains: transformedDomains,
       ports: this.options.emailConfig.ports.map(port => portMapping[port] || port + 10000),
@@ -1556,7 +1659,7 @@ export class DcRouter {
         persistentPath: plugins.path.join(this.resolvedPaths.dataDir, 'smartmta-queue'),
         ...this.options.emailConfig.queue,
       },
-    };
+    });
     
     // Create unified email server
     this.emailServer = new UnifiedEmailServer(this, emailConfig);
@@ -2233,6 +2336,9 @@ export class DcRouter {
     // Initialize the edge registration manager
     this.remoteIngressManager = new RemoteIngressManager();
     await this.remoteIngressManager.initialize();
+    this.remoteIngressManager.setFirewallConfig(
+      await this.securityPolicyManager?.compileRemoteIngressFirewall(),
+    );
 
     // Pass current bootstrap routes so the manager can derive edge ports initially.
     // Once RouteConfigManager applies the full DB set, the onRoutesApplied callback
@@ -2282,6 +2388,7 @@ export class DcRouter {
       tunnelPort: riCfg.tunnelPort ?? 8443,
       targetHost: '127.0.0.1',
       tls: tlsConfig,
+      performance: riCfg.performance,
     });
     await this.tunnelManager.start();
 
@@ -2292,11 +2399,44 @@ export class DcRouter {
   /**
    * Set up VPN server for VPN-based route access control.
    */
+  private createVpnRouteAllowListResolver(): ((
+    route: import('../ts_interfaces/data/remoteingress.js').IDcRouterRouteConfig,
+    routeId?: string,
+  ) => TIpAllowEntry[]) | undefined {
+    if (!this.options.vpnConfig?.enabled) {
+      return undefined;
+    }
+
+    return (
+      route: import('../ts_interfaces/data/remoteingress.js').IDcRouterRouteConfig,
+      routeId?: string,
+    ) => {
+      if (!this.vpnManager || !this.targetProfileManager) {
+        // VPN not ready yet — deny all until re-apply after VPN starts.
+        return [];
+      }
+
+      return this.targetProfileManager.getMatchingClientIps(
+        route,
+        routeId,
+        this.vpnManager.listClients(),
+        this.routeConfigManager?.getRoutes() || new Map(),
+      );
+    };
+  }
+
   private async setupVpnServer(): Promise<void> {
     if (!this.options.vpnConfig?.enabled) {
       return;
     }
 
+    if (this.options.dbConfig?.enabled === false) {
+      throw new Error('VPN requires dbConfig.enabled because clients, keys, routes, and target profiles are persisted in DcRouterDb');
+    }
+    if (!this.routeConfigManager || !this.targetProfileManager) {
+      throw new Error('VPN requires initialized route and target profile managers');
+    }
+
     logger.log('info', 'Setting up VPN server...');
 
     this.vpnManager = new VpnManager({
@@ -2441,6 +2581,29 @@ export class DcRouter {
 
     logger.log('info', 'RADIUS configuration updated');
   }
+
+  /**
+   * Update VPN configuration at runtime.
+   */
+  public async updateVpnConfig(config: IDcRouterOptions['vpnConfig']): Promise<void> {
+    if (this.vpnManager) {
+      await this.vpnManager.stop();
+      this.vpnManager = undefined;
+    }
+
+    this.options.vpnConfig = config;
+    this.vpnDomainIpCache.clear();
+    this.warnedWildcardVpnDomains.clear();
+    this.routeConfigManager?.setVpnClientIpsResolver(this.createVpnRouteAllowListResolver());
+
+    if (this.options.vpnConfig?.enabled) {
+      await this.setupVpnServer();
+    } else {
+      await this.routeConfigManager?.applyRoutes();
+    }
+
+    logger.log('info', 'VPN configuration updated');
+  }
 }
 
 // Re-export email server types for convenience

ts/config/classes.api-token-manager.ts

@@ -2,12 +2,15 @@ import * as plugins from '../plugins.js';
 import { logger } from '../logger.js';
 import { ApiTokenDoc } from '../db/index.js';
 import type {
+  IApiTokenPolicy,
   IStoredApiToken,
   IApiTokenInfo,
   TApiTokenScope,
 } from '../../ts_interfaces/data/route-management.js';
 
 const TOKEN_PREFIX_STR = 'dcr_';
+const ENV_ADMIN_TOKEN_ID = 'env-admin-token';
+const ENV_ADMIN_TOKEN_CREATED_BY = 'dcrouter-env';
 
 export class ApiTokenManager {
   private tokens = new Map<string, IStoredApiToken>();
@@ -16,6 +19,7 @@ export class ApiTokenManager {
 
   public async initialize(): Promise<void> {
     await this.loadTokens();
+    await this.ensureEnvAdminToken();
     if (this.tokens.size > 0) {
       logger.log('info', `Loaded ${this.tokens.size} API token(s) from storage`);
     }
@@ -33,13 +37,14 @@ export class ApiTokenManager {
     scopes: TApiTokenScope[],
     expiresInDays: number | null,
     createdBy: string,
+    policy?: IApiTokenPolicy,
   ): Promise<{ id: string; rawToken: string }> {
     const id = plugins.uuid.v4();
     const randomBytes = plugins.crypto.randomBytes(32);
     const rawPayload = `${id}:${randomBytes.toString('base64url')}`;
     const rawToken = `${TOKEN_PREFIX_STR}${rawPayload}`;
 
-    const tokenHash = plugins.crypto.createHash('sha256').update(rawToken).digest('hex');
+    const tokenHash = this.hashToken(rawToken);
 
     const now = Date.now();
     const stored: IStoredApiToken = {
@@ -47,6 +52,7 @@ export class ApiTokenManager {
       name,
       tokenHash,
       scopes,
+      policy,
       createdAt: now,
       expiresAt: expiresInDays != null ? now + expiresInDays * 86400000 : null,
       lastUsedAt: null,
@@ -67,7 +73,7 @@ export class ApiTokenManager {
   public async validateToken(rawToken: string): Promise<IStoredApiToken | null> {
     if (!rawToken.startsWith(TOKEN_PREFIX_STR)) return null;
 
-    const hash = plugins.crypto.createHash('sha256').update(rawToken).digest('hex');
+    const hash = this.hashToken(rawToken);
 
     for (const stored of this.tokens.values()) {
       if (stored.tokenHash === hash) {
@@ -87,7 +93,31 @@ export class ApiTokenManager {
    * Check if a token has a specific scope.
    */
   public hasScope(token: IStoredApiToken, scope: TApiTokenScope): boolean {
-    return token.scopes.includes(scope);
+    if (token.policy?.role === 'admin') return true;
+
+    const isGatewayClientToken = token.policy?.role === 'gatewayClient';
+    const gatewayClientAllowedScopes = new Set<TApiTokenScope>([
+      'gateway-clients:read',
+      'gateway-clients:write',
+      'workhosters:read',
+      'workhosters:write',
+    ]);
+    if (isGatewayClientToken && !gatewayClientAllowedScopes.has(scope)) {
+      return false;
+    }
+
+    if (!isGatewayClientToken && token.scopes.includes('*')) return true;
+
+    const scopes = new Set<TApiTokenScope>([...token.scopes, ...(token.policy?.scopes || [])]);
+    if (scopes.has(scope)) return true;
+
+    const compatibilityAliases: Partial<Record<TApiTokenScope, TApiTokenScope[]>> = {
+      'gateway-clients:read': ['workhosters:read'],
+      'gateway-clients:write': ['workhosters:write'],
+      'workhosters:read': ['gateway-clients:read'],
+      'workhosters:write': ['gateway-clients:write'],
+    };
+    return Boolean(compatibilityAliases[scope]?.some((alias) => scopes.has(alias)));
   }
 
   /**
@@ -100,6 +130,7 @@ export class ApiTokenManager {
         id: stored.id,
         name: stored.name,
         scopes: stored.scopes,
+        policy: stored.policy,
         createdAt: stored.createdAt,
         expiresAt: stored.expiresAt,
         lastUsedAt: stored.lastUsedAt,
@@ -134,7 +165,7 @@ export class ApiTokenManager {
     const rawPayload = `${id}:${randomBytes.toString('base64url')}`;
     const rawToken = `${TOKEN_PREFIX_STR}${rawPayload}`;
 
-    stored.tokenHash = plugins.crypto.createHash('sha256').update(rawToken).digest('hex');
+    stored.tokenHash = this.hashToken(rawToken);
     await this.persistToken(stored);
     logger.log('info', `API token '${stored.name}' rolled (id: ${id})`);
     return { id, rawToken };
@@ -165,6 +196,7 @@ export class ApiTokenManager {
           name: doc.name,
           tokenHash: doc.tokenHash,
           scopes: doc.scopes,
+          policy: doc.policy,
           createdAt: doc.createdAt,
           expiresAt: doc.expiresAt,
           lastUsedAt: doc.lastUsedAt,
@@ -175,12 +207,48 @@ export class ApiTokenManager {
     }
   }
 
+  private async ensureEnvAdminToken(): Promise<void> {
+    const rawToken = process.env.DCROUTER_ADMIN_API_TOKEN?.trim();
+    if (!rawToken) return;
+
+    if (!rawToken.startsWith(TOKEN_PREFIX_STR)) {
+      throw new Error(`DCROUTER_ADMIN_API_TOKEN must start with ${TOKEN_PREFIX_STR}`);
+    }
+    if (rawToken.length < TOKEN_PREFIX_STR.length + 32) {
+      throw new Error('DCROUTER_ADMIN_API_TOKEN is too short');
+    }
+
+    const now = Date.now();
+    const existing = this.tokens.get(ENV_ADMIN_TOKEN_ID);
+    const stored: IStoredApiToken = {
+      id: ENV_ADMIN_TOKEN_ID,
+      name: process.env.DCROUTER_ADMIN_API_TOKEN_NAME?.trim() || 'Environment Admin Token',
+      tokenHash: this.hashToken(rawToken),
+      scopes: ['*'],
+      policy: { role: 'admin' },
+      createdAt: existing?.createdAt || now,
+      expiresAt: null,
+      lastUsedAt: existing?.lastUsedAt || null,
+      createdBy: existing?.createdBy || ENV_ADMIN_TOKEN_CREATED_BY,
+      enabled: true,
+    };
+
+    this.tokens.set(stored.id, stored);
+    await this.persistToken(stored);
+    logger.log('info', `Environment admin API token ensured (id: ${stored.id})`);
+  }
+
+  private hashToken(rawToken: string): string {
+    return plugins.crypto.createHash('sha256').update(rawToken).digest('hex');
+  }
+
   private async persistToken(stored: IStoredApiToken): Promise<void> {
     const existing = await ApiTokenDoc.findById(stored.id);
     if (existing) {
       existing.name = stored.name;
       existing.tokenHash = stored.tokenHash;
       existing.scopes = stored.scopes;
+      existing.policy = stored.policy;
       existing.createdAt = stored.createdAt;
       existing.expiresAt = stored.expiresAt;
       existing.lastUsedAt = stored.lastUsedAt;
@@ -193,6 +261,7 @@ export class ApiTokenManager {
       doc.name = stored.name;
       doc.tokenHash = stored.tokenHash;
       doc.scopes = stored.scopes;
+      doc.policy = stored.policy;
       doc.createdAt = stored.createdAt;
       doc.expiresAt = stored.expiresAt;
       doc.lastUsedAt = stored.lastUsedAt;

ts/config/classes.gateway-client-manager.ts

@@ -0,0 +1,117 @@
+import * as plugins from '../plugins.js';
+import { GatewayClientDoc } from '../db/index.js';
+import type { IGatewayClient } from '../../ts_interfaces/data/workhoster.js';
+
+const defaultCapabilities: IGatewayClient['capabilities'] = {
+  readDomains: true,
+  readDnsRecords: true,
+  syncRoutes: true,
+  syncDnsRecords: false,
+  requestCertificates: false,
+};
+
+export class GatewayClientManager {
+  public async initialize(): Promise<void> {}
+
+  public async listClients(): Promise<IGatewayClient[]> {
+    const docs = await GatewayClientDoc.findAll();
+    return docs.map((doc) => this.toPublicClient(doc));
+  }
+
+  public async getClient(id: string): Promise<IGatewayClient | null> {
+    const doc = await GatewayClientDoc.findById(id);
+    return doc ? this.toPublicClient(doc) : null;
+  }
+
+  public async createClient(options: {
+    id?: string;
+    type: IGatewayClient['type'];
+    name: string;
+    description?: string;
+    hostnamePatterns?: string[];
+    allowedRouteTargets?: IGatewayClient['allowedRouteTargets'];
+    capabilities?: IGatewayClient['capabilities'];
+    createdBy: string;
+  }): Promise<IGatewayClient> {
+    const id = this.normalizeId(options.id || `${options.type}-${plugins.uuid.v4()}`);
+    if (!id) {
+      throw new Error('gateway client id is required');
+    }
+    if (await GatewayClientDoc.findById(id)) {
+      throw new Error('gateway client already exists');
+    }
+
+    const now = Date.now();
+    const doc = new GatewayClientDoc();
+    doc.id = id;
+    doc.type = options.type;
+    doc.name = options.name.trim();
+    doc.description = options.description?.trim() || undefined;
+    doc.hostnamePatterns = this.normalizeStringList(options.hostnamePatterns || []);
+    doc.allowedRouteTargets = this.normalizeAllowedRouteTargets(options.allowedRouteTargets || []);
+    doc.capabilities = { ...defaultCapabilities, ...(options.capabilities || {}) };
+    doc.enabled = true;
+    doc.createdAt = now;
+    doc.updatedAt = now;
+    doc.createdBy = options.createdBy;
+    await doc.save();
+    return this.toPublicClient(doc);
+  }
+
+  public async updateClient(
+    id: string,
+    patch: Partial<Pick<IGatewayClient, 'name' | 'description' | 'hostnamePatterns' | 'allowedRouteTargets' | 'capabilities' | 'enabled'>>,
+  ): Promise<IGatewayClient | null> {
+    const doc = await GatewayClientDoc.findById(id);
+    if (!doc) return null;
+    if (patch.name !== undefined) doc.name = patch.name.trim();
+    if (patch.description !== undefined) doc.description = patch.description.trim() || undefined;
+    if (patch.hostnamePatterns !== undefined) doc.hostnamePatterns = this.normalizeStringList(patch.hostnamePatterns);
+    if (patch.allowedRouteTargets !== undefined) doc.allowedRouteTargets = this.normalizeAllowedRouteTargets(patch.allowedRouteTargets);
+    if (patch.capabilities !== undefined) doc.capabilities = { ...defaultCapabilities, ...patch.capabilities };
+    if (patch.enabled !== undefined) doc.enabled = patch.enabled;
+    doc.updatedAt = Date.now();
+    await doc.save();
+    return this.toPublicClient(doc);
+  }
+
+  public async deleteClient(id: string): Promise<boolean> {
+    const doc = await GatewayClientDoc.findById(id);
+    if (!doc) return false;
+    await doc.delete();
+    return true;
+  }
+
+  private normalizeId(id: string): string {
+    return id.trim().toLowerCase().replace(/[^a-z0-9._-]/g, '-').replace(/-+/g, '-').replace(/^-|-$/g, '');
+  }
+
+  private normalizeStringList(values: string[]): string[] {
+    return values.map((value) => value.trim().toLowerCase()).filter(Boolean);
+  }
+
+  private normalizeAllowedRouteTargets(targets: IGatewayClient['allowedRouteTargets']): IGatewayClient['allowedRouteTargets'] {
+    return targets
+      .map((target) => ({
+        host: target.host.trim().toLowerCase(),
+        ports: target.ports.filter((port) => Number.isInteger(port) && port > 0 && port <= 65535),
+      }))
+      .filter((target) => target.host && target.ports.length > 0);
+  }
+
+  private toPublicClient(doc: GatewayClientDoc): IGatewayClient {
+    return {
+      id: doc.id,
+      type: doc.type,
+      name: doc.name,
+      description: doc.description,
+      hostnamePatterns: doc.hostnamePatterns || [],
+      allowedRouteTargets: doc.allowedRouteTargets || [],
+      capabilities: doc.capabilities || {},
+      enabled: doc.enabled,
+      createdAt: doc.createdAt,
+      updatedAt: doc.updatedAt,
+      createdBy: doc.createdBy,
+    };
+  }
+}

ts/config/classes.route-config-manager.ts

@@ -59,7 +59,7 @@ export class RouteConfigManager {
     private getHttp3Config?: () => IHttp3Config | undefined,
     private getVpnClientIpsForRoute?: (route: IDcRouterRouteConfig, routeId?: string) => TIpAllowEntry[],
     private referenceResolver?: ReferenceResolver,
-    private onRoutesApplied?: (routes: plugins.smartproxy.IRouteConfig[]) => void,
+    private onRoutesApplied?: (routes: plugins.smartproxy.IRouteConfig[]) => void | Promise<void>,
     private getRuntimeRoutes?: () => plugins.smartproxy.IRouteConfig[],
     private hydrateStoredRoute?: (storedRoute: IRoute) => plugins.smartproxy.IRouteConfig | undefined,
   ) {}
@@ -73,6 +73,12 @@ export class RouteConfigManager {
     return this.routes.get(id);
   }
 
+  public setVpnClientIpsResolver(
+    resolver?: (route: IDcRouterRouteConfig, routeId?: string) => TIpAllowEntry[],
+  ): void {
+    this.getVpnClientIpsForRoute = resolver;
+  }
+
   /**
    * Load persisted routes, seed serializable config/email/dns routes,
    * compute warnings, and apply the combined DB-backed + runtime route set to SmartProxy.
@@ -250,6 +256,15 @@ export class RouteConfigManager {
     return this.updateRoute(id, { enabled });
   }
 
+  public findApiRouteByExternalKey(externalKey: string): IRoute | undefined {
+    for (const route of this.routes.values()) {
+      if (route.origin === 'api' && route.metadata?.externalKey === externalKey) {
+        return route;
+      }
+    }
+    return undefined;
+  }
+
   // =========================================================================
   // Private: seed routes from constructor config
   // =========================================================================
@@ -437,6 +452,20 @@ export class RouteConfigManager {
       lastResolvedAt: typeof metadata.lastResolvedAt === 'number' && Number.isFinite(metadata.lastResolvedAt)
         ? metadata.lastResolvedAt
         : undefined,
+      ownerType: metadata.ownerType === 'gatewayClient' || metadata.ownerType === 'workhoster' || metadata.ownerType === 'operator' || metadata.ownerType === 'system'
+        ? metadata.ownerType
+        : undefined,
+      gatewayClientType: metadata.gatewayClientType === 'onebox' || metadata.gatewayClientType === 'cloudly' || metadata.gatewayClientType === 'custom'
+        ? metadata.gatewayClientType
+        : metadata.workHosterType,
+      gatewayClientId: normalizeString(metadata.gatewayClientId || metadata.workHosterId),
+      gatewayClientAppId: normalizeString(metadata.gatewayClientAppId || metadata.workAppId),
+      workHosterType: metadata.workHosterType === 'onebox' || metadata.workHosterType === 'cloudly' || metadata.workHosterType === 'custom'
+        ? metadata.workHosterType
+        : metadata.gatewayClientType,
+      workHosterId: normalizeString(metadata.workHosterId || metadata.gatewayClientId),
+      workAppId: normalizeString(metadata.workAppId || metadata.gatewayClientAppId),
+      externalKey: normalizeString(metadata.externalKey),
     };
 
     if (!normalized.sourceProfileRef) {
@@ -448,6 +477,20 @@ export class RouteConfigManager {
     if (!normalized.sourceProfileRef && !normalized.networkTargetRef) {
       normalized.lastResolvedAt = undefined;
     }
+    if (normalized.ownerType !== 'gatewayClient' && normalized.ownerType !== 'workhoster') {
+      normalized.gatewayClientType = undefined;
+      normalized.gatewayClientId = undefined;
+      normalized.gatewayClientAppId = undefined;
+      normalized.workHosterType = undefined;
+      normalized.workHosterId = undefined;
+      normalized.workAppId = undefined;
+      normalized.externalKey = undefined;
+    } else {
+      normalized.ownerType = 'gatewayClient';
+      normalized.workHosterType = normalized.gatewayClientType;
+      normalized.workHosterId = normalized.gatewayClientId;
+      normalized.workAppId = normalized.gatewayClientAppId;
+    }
 
     if (Object.values(normalized).every((value) => value === undefined)) {
       return undefined;
@@ -534,7 +577,7 @@ export class RouteConfigManager {
 
       // Notify listeners (e.g. RemoteIngressManager) of the route set
       if (this.onRoutesApplied) {
-        this.onRoutesApplied(enabledRoutes);
+        await this.onRoutesApplied(enabledRoutes);
       }
 
       logger.log('info', `Applied ${enabledRoutes.length} routes to SmartProxy (${this.routes.size} total)`);
@@ -564,19 +607,21 @@ export class RouteConfigManager {
     route: plugins.smartproxy.IRouteConfig,
     routeId?: string,
   ): plugins.smartproxy.IRouteConfig {
-    const vpnCallback = this.getVpnClientIpsForRoute;
-    if (!vpnCallback) return route;
-
     const dcRoute = route as IDcRouterRouteConfig;
     if (!dcRoute.vpnOnly) return route;
 
-    const vpnEntries = vpnCallback(dcRoute, routeId);
-    const existingEntries = route.security?.ipAllowList || [];
+    const vpnEntries = this.getVpnClientIpsForRoute?.(dcRoute, routeId) || [];
+    const existingBlockList = route.security?.ipBlockList || [];
+    const ipBlockList = vpnEntries.length
+      ? existingBlockList
+      : [...new Set([...existingBlockList, '*'])];
+
     return {
       ...route,
       security: {
         ...route.security,
-        ipAllowList: [...existingEntries, ...vpnEntries],
+        ipAllowList: vpnEntries,
+        ipBlockList,
       },
     };
   }

ts/config/index.ts

@@ -2,6 +2,7 @@
 export * from './validator.js';
 export { RouteConfigManager } from './classes.route-config-manager.js';
 export { ApiTokenManager } from './classes.api-token-manager.js';
+export { GatewayClientManager } from './classes.gateway-client-manager.js';
 export { ReferenceResolver } from './classes.reference-resolver.js';
 export { DbSeeder } from './classes.db-seeder.js';
-export { TargetProfileManager } from './classes.target-profile-manager.js';
+export { TargetProfileManager } from './classes.target-profile-manager.js';

ts/db/documents/classes.api-token.doc.ts

@@ -1,6 +1,6 @@
 import * as plugins from '../../plugins.js';
 import { DcRouterDb } from '../classes.dcrouter-db.js';
-import type { TApiTokenScope } from '../../../ts_interfaces/data/route-management.js';
+import type { IApiTokenPolicy, TApiTokenScope } from '../../../ts_interfaces/data/route-management.js';
 
 const getDb = () => DcRouterDb.getInstance().getDb();
 
@@ -19,6 +19,9 @@ export class ApiTokenDoc extends plugins.smartdata.SmartDataDbDoc<ApiTokenDoc, A
   @plugins.smartdata.svDb()
   public scopes!: TApiTokenScope[];
 
+  @plugins.smartdata.svDb()
+  public policy?: IApiTokenPolicy;
+
   @plugins.smartdata.svDb()
   public createdAt!: number;
 

ts/db/documents/classes.gateway-client.doc.ts

@@ -0,0 +1,54 @@
+import * as plugins from '../../plugins.js';
+import { DcRouterDb } from '../classes.dcrouter-db.js';
+import type { IApiTokenPolicy, TGatewayClientType } from '../../../ts_interfaces/data/route-management.js';
+
+const getDb = () => DcRouterDb.getInstance().getDb();
+
+@plugins.smartdata.Collection(() => getDb())
+export class GatewayClientDoc extends plugins.smartdata.SmartDataDbDoc<GatewayClientDoc, GatewayClientDoc> {
+  @plugins.smartdata.unI()
+  @plugins.smartdata.svDb()
+  public id!: string;
+
+  @plugins.smartdata.svDb()
+  public type!: TGatewayClientType;
+
+  @plugins.smartdata.svDb()
+  public name: string = '';
+
+  @plugins.smartdata.svDb()
+  public description?: string;
+
+  @plugins.smartdata.svDb()
+  public hostnamePatterns: string[] = [];
+
+  @plugins.smartdata.svDb()
+  public allowedRouteTargets: NonNullable<IApiTokenPolicy['allowedRouteTargets']> = [];
+
+  @plugins.smartdata.svDb()
+  public capabilities: NonNullable<IApiTokenPolicy['capabilities']> = {};
+
+  @plugins.smartdata.svDb()
+  public enabled: boolean = true;
+
+  @plugins.smartdata.svDb()
+  public createdAt!: number;
+
+  @plugins.smartdata.svDb()
+  public updatedAt!: number;
+
+  @plugins.smartdata.svDb()
+  public createdBy!: string;
+
+  constructor() {
+    super();
+  }
+
+  public static async findById(id: string): Promise<GatewayClientDoc | null> {
+    return await GatewayClientDoc.getInstance({ id });
+  }
+
+  public static async findAll(): Promise<GatewayClientDoc[]> {
+    return await GatewayClientDoc.getInstances({});
+  }
+}

ts/db/documents/classes.ip-intelligence.doc.ts

@@ -0,0 +1,78 @@
+import * as plugins from '../../plugins.js';
+import { DcRouterDb } from '../classes.dcrouter-db.js';
+import type { IIpIntelligenceRecord } from '../../../ts_interfaces/data/security-policy.js';
+
+const getDb = () => DcRouterDb.getInstance().getDb();
+
+@plugins.smartdata.Collection(() => getDb())
+export class IpIntelligenceDoc extends plugins.smartdata.SmartDataDbDoc<IpIntelligenceDoc, IpIntelligenceDoc> implements IIpIntelligenceRecord {
+  @plugins.smartdata.unI()
+  @plugins.smartdata.svDb()
+  public ipAddress!: string;
+
+  @plugins.smartdata.svDb()
+  public asn: number | null = null;
+
+  @plugins.smartdata.svDb()
+  public asnOrg: string | null = null;
+
+  @plugins.smartdata.svDb()
+  public registrantOrg: string | null = null;
+
+  @plugins.smartdata.svDb()
+  public registrantCountry: string | null = null;
+
+  @plugins.smartdata.svDb()
+  public networkRange: string | null = null;
+
+  @plugins.smartdata.svDb()
+  public networkCidrs: string[] | null = null;
+
+  @plugins.smartdata.svDb()
+  public abuseContact: string | null = null;
+
+  @plugins.smartdata.svDb()
+  public country: string | null = null;
+
+  @plugins.smartdata.svDb()
+  public countryCode: string | null = null;
+
+  @plugins.smartdata.svDb()
+  public city: string | null = null;
+
+  @plugins.smartdata.svDb()
+  public latitude: number | null = null;
+
+  @plugins.smartdata.svDb()
+  public longitude: number | null = null;
+
+  @plugins.smartdata.svDb()
+  public accuracyRadius: number | null = null;
+
+  @plugins.smartdata.svDb()
+  public timezone: string | null = null;
+
+  @plugins.smartdata.svDb()
+  public firstSeenAt: number = Date.now();
+
+  @plugins.smartdata.svDb()
+  public lastSeenAt: number = Date.now();
+
+  @plugins.smartdata.svDb()
+  public updatedAt: number = Date.now();
+
+  @plugins.smartdata.svDb()
+  public seenCount: number = 0;
+
+  constructor() {
+    super();
+  }
+
+  public static async findByIp(ipAddress: string): Promise<IpIntelligenceDoc | null> {
+    return await IpIntelligenceDoc.getInstance({ ipAddress });
+  }
+
+  public static async findAll(): Promise<IpIntelligenceDoc[]> {
+    return await IpIntelligenceDoc.getInstances({});
+  }
+}

ts/db/documents/classes.security-block-rule.doc.ts

@@ -0,0 +1,52 @@
+import * as plugins from '../../plugins.js';
+import { DcRouterDb } from '../classes.dcrouter-db.js';
+import type { ISecurityBlockRule, TSecurityBlockRuleMatchMode, TSecurityBlockRuleType } from '../../../ts_interfaces/data/security-policy.js';
+
+const getDb = () => DcRouterDb.getInstance().getDb();
+
+@plugins.smartdata.Collection(() => getDb())
+export class SecurityBlockRuleDoc extends plugins.smartdata.SmartDataDbDoc<SecurityBlockRuleDoc, SecurityBlockRuleDoc> implements ISecurityBlockRule {
+  @plugins.smartdata.unI()
+  @plugins.smartdata.svDb()
+  public id!: string;
+
+  @plugins.smartdata.svDb()
+  public type!: TSecurityBlockRuleType;
+
+  @plugins.smartdata.svDb()
+  public value!: string;
+
+  @plugins.smartdata.svDb()
+  public matchMode?: TSecurityBlockRuleMatchMode;
+
+  @plugins.smartdata.svDb()
+  public enabled: boolean = true;
+
+  @plugins.smartdata.svDb()
+  public reason?: string;
+
+  @plugins.smartdata.svDb()
+  public createdAt: number = Date.now();
+
+  @plugins.smartdata.svDb()
+  public updatedAt: number = Date.now();
+
+  @plugins.smartdata.svDb()
+  public createdBy: string = 'system';
+
+  constructor() {
+    super();
+  }
+
+  public static async findById(id: string): Promise<SecurityBlockRuleDoc | null> {
+    return await SecurityBlockRuleDoc.getInstance({ id });
+  }
+
+  public static async findAll(): Promise<SecurityBlockRuleDoc[]> {
+    return await SecurityBlockRuleDoc.getInstances({});
+  }
+
+  public static async findEnabled(): Promise<SecurityBlockRuleDoc[]> {
+    return await SecurityBlockRuleDoc.getInstances({ enabled: true });
+  }
+}

ts/db/documents/classes.security-policy-audit.doc.ts

@@ -0,0 +1,33 @@
+import * as plugins from '../../plugins.js';
+import { DcRouterDb } from '../classes.dcrouter-db.js';
+import type { ISecurityPolicyAuditEvent } from '../../../ts_interfaces/data/security-policy.js';
+
+const getDb = () => DcRouterDb.getInstance().getDb();
+
+@plugins.smartdata.Collection(() => getDb())
+export class SecurityPolicyAuditDoc extends plugins.smartdata.SmartDataDbDoc<SecurityPolicyAuditDoc, SecurityPolicyAuditDoc> implements ISecurityPolicyAuditEvent {
+  @plugins.smartdata.unI()
+  @plugins.smartdata.svDb()
+  public id!: string;
+
+  @plugins.smartdata.svDb()
+  public action!: string;
+
+  @plugins.smartdata.svDb()
+  public actor!: string;
+
+  @plugins.smartdata.svDb()
+  public details!: Record<string, unknown>;
+
+  @plugins.smartdata.svDb()
+  public createdAt: number = Date.now();
+
+  constructor() {
+    super();
+  }
+
+  public static async findRecent(limit = 100): Promise<SecurityPolicyAuditDoc[]> {
+    const docs = await SecurityPolicyAuditDoc.getInstances({});
+    return docs.sort((a, b) => b.createdAt - a.createdAt).slice(0, limit);
+  }
+}

ts/db/documents/index.ts

@@ -1,10 +1,14 @@
 // Cached/TTL document classes
 export * from './classes.cached.email.js';
 export * from './classes.cached.ip.reputation.js';
+export * from './classes.ip-intelligence.doc.js';
+export * from './classes.security-block-rule.doc.js';
+export * from './classes.security-policy-audit.doc.js';
 
 // Config document classes
 export * from './classes.route.doc.js';
 export * from './classes.api-token.doc.js';
+export * from './classes.gateway-client.doc.js';
 export * from './classes.source-profile.doc.js';
 export * from './classes.target-profile.doc.js';
 export * from './classes.network-target.doc.js';

ts/email/classes.email-domain.manager.ts

@@ -57,6 +57,31 @@ export class EmailDomainManager {
     return doc ? this.docToInterface(doc) : null;
   }
 
+  public async getByDomain(domainName: string): Promise<IEmailDomain | null> {
+    const doc = await EmailDomainDoc.findByDomain(domainName);
+    return doc ? this.docToInterface(doc) : null;
+  }
+
+  public async ensureEmailDomainForDomainName(domainName: string): Promise<IEmailDomain | null> {
+    const normalizedDomain = domainName.trim().toLowerCase();
+    const existing = await this.getByDomain(normalizedDomain);
+    if (existing) return existing;
+    if (this.isDomainAlreadyConfigured(normalizedDomain)) return null;
+
+    const linkedDomain = await this.findLinkedDnsDomain(normalizedDomain);
+    if (!linkedDomain) {
+      throw new Error(`DNS domain not found for email domain: ${normalizedDomain}`);
+    }
+
+    const subdomain = normalizedDomain === linkedDomain.name
+      ? undefined
+      : normalizedDomain.slice(0, -(linkedDomain.name.length + 1));
+    return await this.createEmailDomain({
+      linkedDomainId: linkedDomain.id,
+      subdomain,
+    });
+  }
+
   public async createEmailDomain(opts: {
     linkedDomainId: string;
     subdomain?: string;
@@ -351,6 +376,13 @@ export class EmailDomainManager {
     return configuredDomains.includes(domainName.toLowerCase());
   }
 
+  private async findLinkedDnsDomain(domainName: string): Promise<DomainDoc | null> {
+    const domains = await DomainDoc.findAll();
+    return domains
+      .filter((domainDoc) => domainName === domainDoc.name || domainName.endsWith(`.${domainDoc.name}`))
+      .sort((a, b) => b.name.length - a.name.length)[0] || null;
+  }
+
   private async buildManagedDomainConfigs(): Promise<IEmailDomainConfig[]> {
     const docs = await EmailDomainDoc.findAll();
     const managedConfigs: IEmailDomainConfig[] = [];
@@ -378,7 +410,7 @@ export class EmailDomainManager {
     return managedConfigs;
   }
 
-  private async syncManagedDomainsToRuntime(): Promise<void> {
+  public async syncManagedDomainsToRuntime(): Promise<void> {
     if (!this.dcRouter.options?.emailConfig) {
       return;
     }

ts/email/classes.workapp-mail-manager.ts

@@ -0,0 +1,343 @@
+import type {
+  IEmailRoute,
+  IUnifiedEmailServerOptions,
+} from '@push.rocks/smartmta';
+import * as plugins from '../plugins.js';
+import type * as interfaces from '../../ts_interfaces/index.js';
+
+type TSyncRequest = interfaces.requests.IReq_SyncWorkAppMailIdentity['request'];
+
+interface IStoredWorkAppMailIdentity extends interfaces.data.IWorkAppMailIdentity {
+  smtpPassword: string;
+}
+
+interface IStoredWorkAppMailState {
+  version: 1;
+  identities: IStoredWorkAppMailIdentity[];
+}
+
+export class WorkAppMailManager {
+  private readonly storageKey = '/workhosters/mail-identities.json';
+
+  constructor(private dcRouterRef: any) {}
+
+  public async listMailIdentities(
+    ownership?: Partial<interfaces.data.IWorkAppMailOwnership>,
+  ): Promise<interfaces.data.IWorkAppMailIdentity[]> {
+    const identities = await this.readStoredIdentities();
+    return identities
+      .filter((identity) => this.matchesOwnership(identity.ownership, ownership))
+      .map((identity) => this.toPublicIdentity(identity));
+  }
+
+  public async syncMailIdentity(
+    request: TSyncRequest,
+    createdBy: string,
+  ): Promise<interfaces.data.IWorkAppMailIdentitySyncResult> {
+    if (!this.dcRouterRef.options.emailConfig) {
+      return { success: false, message: 'Email server is not configured' };
+    }
+
+    const ownership = this.normalizeOwnership(request.ownership);
+    const domain = this.normalizeDomain(request.domain);
+    const localPart = this.normalizeLocalPart(request.localPart);
+    const address = `${localPart}@${domain}`;
+    const externalKey = this.buildExternalKey(ownership, address);
+    const identities = await this.readStoredIdentities();
+    const existingIndex = identities.findIndex((identity) => identity.externalKey === externalKey);
+
+    if (request.delete) {
+      if (existingIndex < 0) {
+        return { success: true, action: 'unchanged' };
+      }
+      const [deletedIdentity] = identities.splice(existingIndex, 1);
+      await this.writeStoredIdentities(identities);
+      await this.applyStoredIdentitiesToRuntime(identities);
+      return {
+        success: true,
+        action: 'deleted',
+        identity: this.toPublicIdentity(deletedIdentity),
+      };
+    }
+
+    await this.ensureEmailDomainConfigured(domain);
+
+    const existingIdentity = existingIndex >= 0 ? identities[existingIndex] : undefined;
+    const now = Date.now();
+    const smtpPassword = existingIdentity && !request.resetSmtpPassword
+      ? existingIdentity.smtpPassword
+      : this.generateSmtpPassword();
+    const identity: IStoredWorkAppMailIdentity = {
+      id: existingIdentity?.id || plugins.smartunique.shortId(),
+      externalKey,
+      ownership,
+      address,
+      localPart,
+      domain,
+      enabled: request.enabled ?? existingIdentity?.enabled ?? true,
+      displayName: request.displayName ?? existingIdentity?.displayName,
+      inbound: this.normalizeInboundRoute(request.inbound ?? existingIdentity?.inbound),
+      smtp: {
+        enabled: request.smtpEnabled ?? existingIdentity?.smtp.enabled ?? true,
+        username: existingIdentity?.smtp.username || this.buildSmtpUsername(externalKey),
+      },
+      createdAt: existingIdentity?.createdAt || now,
+      updatedAt: now,
+      createdBy: existingIdentity?.createdBy || createdBy,
+      smtpPassword,
+    };
+
+    if (existingIndex >= 0) {
+      identities[existingIndex] = identity;
+    } else {
+      identities.push(identity);
+    }
+
+    await this.writeStoredIdentities(identities);
+    await this.applyStoredIdentitiesToRuntime(identities);
+
+    const response: interfaces.data.IWorkAppMailIdentitySyncResult = {
+      success: true,
+      action: existingIndex >= 0 ? 'updated' : 'created',
+      identity: this.toPublicIdentity(identity),
+    };
+
+    if (existingIndex < 0 || request.resetSmtpPassword) {
+      response.smtpCredentials = this.buildSmtpCredentials(identity);
+    }
+
+    return response;
+  }
+
+  public async applyStoredIdentitiesToEmailConfig<TConfig extends IUnifiedEmailServerOptions>(
+    emailConfig: TConfig,
+  ): Promise<TConfig> {
+    const identities = await this.readStoredIdentities();
+    return this.mergeIdentitiesIntoEmailConfig(emailConfig, identities);
+  }
+
+  public async applyStoredIdentitiesToRuntime(
+    identities = undefined as IStoredWorkAppMailIdentity[] | undefined,
+  ): Promise<void> {
+    const emailConfig = this.dcRouterRef.options.emailConfig as IUnifiedEmailServerOptions | undefined;
+    if (!emailConfig) return;
+
+    const nextConfig = this.mergeIdentitiesIntoEmailConfig(
+      emailConfig,
+      identities || await this.readStoredIdentities(),
+    );
+
+    this.dcRouterRef.options.emailConfig = nextConfig;
+    if (this.dcRouterRef.emailServer) {
+      this.dcRouterRef.emailServer.updateOptions({ auth: nextConfig.auth });
+      await this.dcRouterRef.updateEmailRoutes(nextConfig.routes);
+    }
+  }
+
+  private async readStoredIdentities(): Promise<IStoredWorkAppMailIdentity[]> {
+    const storedData = await this.dcRouterRef.storageManager.get(this.storageKey);
+    if (!storedData) return [];
+    const parsed = JSON.parse(storedData) as IStoredWorkAppMailState | IStoredWorkAppMailIdentity[];
+    return Array.isArray(parsed) ? parsed : parsed.identities || [];
+  }
+
+  private async writeStoredIdentities(identities: IStoredWorkAppMailIdentity[]): Promise<void> {
+    const state: IStoredWorkAppMailState = {
+      version: 1,
+      identities,
+    };
+    await this.dcRouterRef.storageManager.set(this.storageKey, JSON.stringify(state, null, 2));
+  }
+
+  private mergeIdentitiesIntoEmailConfig<TConfig extends IUnifiedEmailServerOptions>(
+    emailConfig: TConfig,
+    identities: IStoredWorkAppMailIdentity[],
+  ): TConfig {
+    const generatedRoutes = identities
+      .filter((identity) => identity.enabled && identity.inbound?.enabled)
+      .map((identity) => this.buildInboundRoute(identity));
+    const configuredRoutes = (emailConfig.routes || [])
+      .filter((route) => !this.isManagedMailRouteName(route.name));
+    const generatedUsers = identities
+      .filter((identity) => identity.enabled && identity.smtp.enabled)
+      .map((identity) => ({
+        username: identity.smtp.username,
+        password: identity.smtpPassword,
+      }));
+    const configuredUsers = (emailConfig.auth?.users || [])
+      .filter((user) => !this.isManagedSmtpUsername(user.username));
+
+    return {
+      ...emailConfig,
+      routes: [...configuredRoutes, ...generatedRoutes],
+      auth: {
+        ...(emailConfig.auth || {}),
+        users: [...configuredUsers, ...generatedUsers],
+      },
+    };
+  }
+
+  private buildInboundRoute(identity: IStoredWorkAppMailIdentity): IEmailRoute {
+    const inbound = identity.inbound!;
+    return {
+      name: this.buildRouteName(identity.externalKey),
+      priority: 1000,
+      match: {
+        recipients: identity.address,
+      },
+      action: {
+        type: 'forward',
+        forward: {
+          host: inbound.targetHost,
+          port: inbound.targetPort,
+          preserveHeaders: inbound.preserveHeaders ?? true,
+          addHeaders: {
+            'X-Dcrouter-WorkHoster-Type': identity.ownership.workHosterType,
+            'X-Dcrouter-WorkHoster-Id': identity.ownership.workHosterId,
+            'X-Dcrouter-WorkApp-Id': identity.ownership.workAppId,
+            ...(inbound.addHeaders || {}),
+          },
+        },
+      },
+    };
+  }
+
+  private async ensureEmailDomainConfigured(domain: string): Promise<void> {
+    const emailConfig = this.dcRouterRef.options.emailConfig as IUnifiedEmailServerOptions | undefined;
+    if (emailConfig?.domains?.some((domainConfig) => domainConfig.domain.toLowerCase() === domain)) {
+      return;
+    }
+
+    const emailDomainManager = this.dcRouterRef.emailDomainManager;
+    if (!emailDomainManager) {
+      throw new Error(`Email domain is not configured: ${domain}`);
+    }
+
+    if (await emailDomainManager.getByDomain(domain)) {
+      await emailDomainManager.syncManagedDomainsToRuntime();
+      return;
+    }
+
+    await emailDomainManager.ensureEmailDomainForDomainName(domain);
+  }
+
+  private normalizeOwnership(
+    ownership: interfaces.data.IWorkAppMailOwnership,
+  ): interfaces.data.IWorkAppMailOwnership {
+    const workHosterType = ownership.workHosterType;
+    const workHosterId = ownership.workHosterId?.trim();
+    const workAppId = ownership.workAppId?.trim();
+    if (!['onebox', 'cloudly', 'custom'].includes(workHosterType)) {
+      throw new Error(`Invalid WorkHoster type: ${workHosterType}`);
+    }
+    if (!workHosterId) throw new Error('workHosterId is required');
+    if (!workAppId) throw new Error('workAppId is required');
+    return { workHosterType, workHosterId, workAppId };
+  }
+
+  private normalizeDomain(domain: string): string {
+    const normalized = domain?.trim().toLowerCase();
+    if (!normalized || normalized.includes('@') || !normalized.includes('.')) {
+      throw new Error(`Invalid email domain: ${domain}`);
+    }
+    return normalized;
+  }
+
+  private normalizeLocalPart(localPart: string): string {
+    const normalized = localPart?.trim().toLowerCase();
+    if (!normalized || normalized.includes('@') || /\s/.test(normalized)) {
+      throw new Error(`Invalid email local part: ${localPart}`);
+    }
+    return normalized;
+  }
+
+  private normalizeInboundRoute(
+    inbound?: interfaces.data.IWorkAppMailInboundRoute,
+  ): interfaces.data.IWorkAppMailInboundRoute | undefined {
+    if (!inbound) return undefined;
+    if (!inbound.enabled) {
+      return { ...inbound, enabled: false };
+    }
+    const targetHost = inbound.targetHost?.trim();
+    const targetPort = Number(inbound.targetPort);
+    if (!targetHost) throw new Error('inbound.targetHost is required when inbound routing is enabled');
+    if (!Number.isInteger(targetPort) || targetPort < 1 || targetPort > 65535) {
+      throw new Error(`Invalid inbound.targetPort: ${inbound.targetPort}`);
+    }
+    return {
+      ...inbound,
+      targetHost,
+      targetPort,
+    };
+  }
+
+  private matchesOwnership(
+    ownership: interfaces.data.IWorkAppMailOwnership,
+    filter?: Partial<interfaces.data.IWorkAppMailOwnership>,
+  ): boolean {
+    if (!filter) return true;
+    if (filter.workHosterType && filter.workHosterType !== ownership.workHosterType) return false;
+    if (filter.workHosterId && filter.workHosterId !== ownership.workHosterId) return false;
+    if (filter.workAppId && filter.workAppId !== ownership.workAppId) return false;
+    return true;
+  }
+
+  private buildExternalKey(
+    ownership: interfaces.data.IWorkAppMailOwnership,
+    address: string,
+  ): string {
+    return [
+      ownership.workHosterType,
+      ownership.workHosterId,
+      ownership.workAppId,
+      address,
+    ].join(':');
+  }
+
+  private buildSmtpUsername(externalKey: string): string {
+    return `workapp-${this.hashExternalKey(externalKey).slice(0, 24)}`;
+  }
+
+  private buildRouteName(externalKey: string): string {
+    return `workapp-mail-${this.hashExternalKey(externalKey).slice(0, 32)}`;
+  }
+
+  private hashExternalKey(externalKey: string): string {
+    return plugins.crypto.createHash('sha256').update(externalKey).digest('hex');
+  }
+
+  private generateSmtpPassword(): string {
+    return plugins.crypto.randomBytes(24).toString('base64url');
+  }
+
+  private isManagedMailRouteName(routeName: string): boolean {
+    return routeName.startsWith('workapp-mail-');
+  }
+
+  private isManagedSmtpUsername(username: string): boolean {
+    return username.startsWith('workapp-');
+  }
+
+  private buildSmtpCredentials(
+    identity: IStoredWorkAppMailIdentity,
+  ): interfaces.data.IWorkAppMailCredentials {
+    return {
+      username: identity.smtp.username,
+      password: identity.smtpPassword,
+      host: this.dcRouterRef.options.emailConfig?.outbound?.hostname
+        || this.dcRouterRef.options.emailConfig?.hostname,
+      ports: {
+        smtp: this.dcRouterRef.options.emailConfig?.ports?.includes(25) ? 25 : undefined,
+        submission: this.dcRouterRef.options.emailConfig?.ports?.includes(587) ? 587 : undefined,
+        smtps: this.dcRouterRef.options.emailConfig?.ports?.includes(465) ? 465 : undefined,
+      },
+    };
+  }
+
+  private toPublicIdentity(
+    identity: IStoredWorkAppMailIdentity,
+  ): interfaces.data.IWorkAppMailIdentity {
+    const { smtpPassword, ...publicIdentity } = identity;
+    return publicIdentity;
+  }
+}

ts/email/index.ts

@@ -1,3 +1,4 @@
 export * from './classes.email-domain.manager.js';
 export * from './classes.smartmta-storage-manager.js';
+export * from './classes.workapp-mail-manager.js';
 export * from './email-dns-records.js';

ts/monitoring/classes.metricsmanager.ts

@@ -560,7 +560,9 @@ export class MetricsManager {
           requestsPerSecond: 0,
           requestsTotal: 0,
           backends: [] as Array<any>,
-          domainActivity: [] as Array<{ domain: string; bytesInPerSecond: number; bytesOutPerSecond: number; activeConnections: number; routeCount: number; requestCount: number }>,
+          domainActivity: [] as Array<{ domain: string; bytesInPerSecond: number; bytesOutPerSecond: number; activeConnections: number; routeCount: number; requestCount: number; requestsPerSecond?: number; requestsLastMinute?: number }>,
+          frontendProtocols: null,
+          backendProtocols: null,
         };
       }
 
@@ -592,6 +594,7 @@ export class MetricsManager {
       // Get HTTP request rates
       const requestsPerSecond = proxyMetrics.requests.perSecond();
       const requestsTotal = proxyMetrics.requests.total();
+      const domainRequestRates = proxyMetrics.requests.byDomain();
 
       // Get frontend/backend protocol distribution
       const frontendProtocols = proxyMetrics.connections.frontendProtocols() ?? null;
@@ -619,47 +622,48 @@ export class MetricsManager {
       const seenCacheKeys = new Set<string>();
 
       for (const [key, bm] of backendMetrics) {
+        backends.push({
+          id: `backend:${key}`,
+          backend: key,
+          domain: null,
+          protocol: bm.protocol,
+          activeConnections: bm.activeConnections,
+          totalConnections: bm.totalConnections,
+          connectErrors: bm.connectErrors,
+          handshakeErrors: bm.handshakeErrors,
+          requestErrors: bm.requestErrors,
+          avgConnectTimeMs: Math.round(bm.avgConnectTimeMs * 10) / 10,
+          poolHitRate: Math.round(bm.poolHitRate * 1000) / 1000,
+          h2Failures: bm.h2Failures,
+          h2Suppressed: false,
+          h3Suppressed: false,
+          h2CooldownRemainingSecs: null,
+          h3CooldownRemainingSecs: null,
+          h2ConsecutiveFailures: null,
+          h3ConsecutiveFailures: null,
+          h3Port: null,
+          cacheAgeSecs: null,
+        });
+
         const cacheEntries = cacheByBackend.get(key);
-        if (!cacheEntries || cacheEntries.length === 0) {
-          // No protocol cache entry — emit one row with backend metrics only
-          backends.push({
-            backend: key,
-            domain: null,
-            protocol: bm.protocol,
-            activeConnections: bm.activeConnections,
-            totalConnections: bm.totalConnections,
-            connectErrors: bm.connectErrors,
-            handshakeErrors: bm.handshakeErrors,
-            requestErrors: bm.requestErrors,
-            avgConnectTimeMs: Math.round(bm.avgConnectTimeMs * 10) / 10,
-            poolHitRate: Math.round(bm.poolHitRate * 1000) / 1000,
-            h2Failures: bm.h2Failures,
-            h2Suppressed: false,
-            h3Suppressed: false,
-            h2CooldownRemainingSecs: null,
-            h3CooldownRemainingSecs: null,
-            h2ConsecutiveFailures: null,
-            h3ConsecutiveFailures: null,
-            h3Port: null,
-            cacheAgeSecs: null,
-          });
-        } else {
-          // One row per domain, each enriched with the shared backend metrics
+        if (cacheEntries && cacheEntries.length > 0) {
+          // Protocol cache rows are domain-scoped metadata, not live backend connections.
           for (const cache of cacheEntries) {
             const compositeKey = `${cache.host}:${cache.port}:${cache.domain ?? ''}`;
             seenCacheKeys.add(compositeKey);
             backends.push({
+              id: `cache:${compositeKey}`,
               backend: key,
               domain: cache.domain ?? null,
               protocol: cache.protocol ?? bm.protocol,
-              activeConnections: bm.activeConnections,
-              totalConnections: bm.totalConnections,
-              connectErrors: bm.connectErrors,
-              handshakeErrors: bm.handshakeErrors,
-              requestErrors: bm.requestErrors,
-              avgConnectTimeMs: Math.round(bm.avgConnectTimeMs * 10) / 10,
-              poolHitRate: Math.round(bm.poolHitRate * 1000) / 1000,
-              h2Failures: bm.h2Failures,
+              activeConnections: 0,
+              totalConnections: 0,
+              connectErrors: 0,
+              handshakeErrors: 0,
+              requestErrors: 0,
+              avgConnectTimeMs: 0,
+              poolHitRate: 0,
+              h2Failures: 0,
               h2Suppressed: cache.h2Suppressed,
               h3Suppressed: cache.h3Suppressed,
               h2CooldownRemainingSecs: cache.h2CooldownRemainingSecs,
@@ -678,6 +682,7 @@ export class MetricsManager {
         const compositeKey = `${entry.host}:${entry.port}:${entry.domain ?? ''}`;
         if (!seenCacheKeys.has(compositeKey)) {
           backends.push({
+            id: `cache:${compositeKey}`,
             backend: `${entry.host}:${entry.port}`,
             domain: entry.domain,
             protocol: entry.protocol,
@@ -720,6 +725,8 @@ export class MetricsManager {
         .slice(0, 10)
         .map(([ip, data]) => ({ ip, count: data.count, bwIn: data.bwIn, bwOut: data.bwOut }));
 
+      void this.dcRouter.securityPolicyManager?.observeIps([...allIPData.keys()]);
+
       // Build domain activity using per-IP domain request counts from Rust engine
       const connectionsByRoute = proxyMetrics.connections.byRoute();
       const throughputByRoute = proxyMetrics.throughput.byRoute();
@@ -750,6 +757,9 @@ export class MetricsManager {
 
       // Resolve wildcards using domains seen in request metrics
       const allKnownDomains = new Set<string>(domainRequestTotals.keys());
+      for (const domain of domainRequestRates.keys()) {
+        allKnownDomains.add(domain);
+      }
       for (const entry of protocolCache) {
         if (entry.domain) allKnownDomains.add(entry.domain);
       }
@@ -775,11 +785,20 @@ export class MetricsManager {
         }
       }
 
-      // For each route, compute the total request count across all its resolved domains
-      // so we can distribute throughput/connections proportionally
+      const hasLiveDomainRates = domainRequestRates.size > 0;
+      const getDomainWeight = (domain: string): number => {
+        const liveRate = domainRequestRates.get(domain);
+        return hasLiveDomainRates
+          ? (liveRate?.lastMinute ?? 0)
+          : (domainRequestTotals.get(domain) || 0);
+      };
+
+      // For each route, compute the total activity weight across all resolved domains
+      // so we can distribute route-level throughput/connections. Prefer live domain
+      // request rates from SmartProxy 27.8+, falling back to lifetime counters.
       const routeTotalRequests = new Map<string, number>();
       for (const [domain, routeKeys] of domainToRoutes) {
-        const reqs = domainRequestTotals.get(domain) || 0;
+        const reqs = getDomainWeight(domain);
         for (const routeKey of routeKeys) {
           routeTotalRequests.set(routeKey, (routeTotalRequests.get(routeKey) || 0) + reqs);
         }
@@ -792,10 +811,13 @@ export class MetricsManager {
         bytesOutPerSec: number;
         routeCount: number;
         requestCount: number;
+        requestsPerSecond: number;
+        requestsLastMinute: number;
       }>();
 
       for (const [domain, routeKeys] of domainToRoutes) {
-        const domainReqs = domainRequestTotals.get(domain) || 0;
+        const domainReqs = getDomainWeight(domain);
+        const requestRate = domainRequestRates.get(domain);
         let totalConns = 0;
         let totalIn = 0;
         let totalOut = 0;
@@ -816,7 +838,9 @@ export class MetricsManager {
           bytesInPerSec: totalIn,
           bytesOutPerSec: totalOut,
           routeCount: routeKeys.length,
-          requestCount: domainReqs,
+          requestCount: domainRequestTotals.get(domain) || 0,
+          requestsPerSecond: requestRate?.perSecond ?? 0,
+          requestsLastMinute: requestRate?.lastMinute ?? 0,
         });
       }
 
@@ -828,8 +852,17 @@ export class MetricsManager {
           activeConnections: data.activeConnections,
           routeCount: data.routeCount,
           requestCount: data.requestCount,
+          requestsPerSecond: data.requestsPerSecond,
+          requestsLastMinute: data.requestsLastMinute,
         }))
-        .sort((a, b) => (b.bytesInPerSecond + b.bytesOutPerSecond) - (a.bytesInPerSecond + a.bytesOutPerSecond));
+        .sort((a, b) => {
+          if (hasLiveDomainRates) {
+            return (b.requestsPerSecond - a.requestsPerSecond) ||
+              (b.requestsLastMinute - a.requestsLastMinute) ||
+              ((b.bytesInPerSecond + b.bytesOutPerSecond) - (a.bytesInPerSecond + a.bytesOutPerSecond));
+          }
+          return (b.bytesInPerSecond + b.bytesOutPerSecond) - (a.bytesInPerSecond + a.bytesOutPerSecond);
+        });
 
       return {
         connectionsByIP,

ts/opsserver/classes.opsserver.ts

@@ -38,6 +38,7 @@ export class OpsServer {
   private dnsRecordHandler!: handlers.DnsRecordHandler;
   private acmeConfigHandler!: handlers.AcmeConfigHandler;
   private emailDomainHandler!: handlers.EmailDomainHandler;
+  private workHosterHandler!: handlers.WorkHosterHandler;
 
   constructor(dcRouterRefArg: DcRouter) {
     this.dcRouterRef = dcRouterRefArg;
@@ -106,11 +107,15 @@ export class OpsServer {
     this.dnsRecordHandler = new handlers.DnsRecordHandler(this);
     this.acmeConfigHandler = new handlers.AcmeConfigHandler(this);
     this.emailDomainHandler = new handlers.EmailDomainHandler(this);
+    this.workHosterHandler = new handlers.WorkHosterHandler(this);
 
     console.log('✅ OpsServer TypedRequest handlers initialized');
   }
 
   public async stop() {
+    if (this.adminHandler) {
+      await this.adminHandler.stop();
+    }
     // Clean up log handler streams and push destination before stopping the server
     if (this.logsHandler) {
       this.logsHandler.cleanup();
@@ -119,4 +124,4 @@ export class OpsServer {
       await this.server.stop();
     }
   }
-}
+}

ts/opsserver/handlers/admin.handler.ts

@@ -8,19 +8,33 @@ export interface IJwtData {
   expiresAt: number;
 }
 
+type TAdminUser = {
+  id: string;
+  username: string;
+  email?: string;
+  name?: string;
+  role: string;
+  status?: 'active' | 'disabled';
+  authSources?: Array<'local' | 'idp.global'>;
+};
+
 export class AdminHandler {
   public typedrouter = new plugins.typedrequest.TypedRouter();
   
   // JWT instance
   public smartjwtInstance!: plugins.smartjwt.SmartJwt<IJwtData>;
   
-  // Simple in-memory user storage (in production, use proper database)
+  // Ephemeral bootstrap users. Persisted accounts take over once an active admin exists.
   private users = new Map<string, {
     id: string;
     username: string;
     password: string;
     role: string;
   }>();
+
+  private accountStore?: plugins.idpSdkServer.SmartdataAccountStore;
+  private idpClient?: plugins.idpSdkServer.IdpGlobalServerClient;
+  private ownsIdpClient = false;
   
   constructor(private opsServerRef: OpsServer) {
     // Add this handler's router to the parent
@@ -32,6 +46,14 @@ export class AdminHandler {
     this.initializeDefaultUsers();
     this.registerHandlers();
   }
+
+  public async stop(): Promise<void> {
+    if (this.ownsIdpClient) {
+      await this.idpClient?.stop();
+    }
+    this.idpClient = undefined;
+    this.ownsIdpClient = false;
+  }
   
   private async initializeJwt(): Promise<void> {
     this.smartjwtInstance = new plugins.smartjwt.SmartJwt();
@@ -43,65 +65,138 @@ export class AdminHandler {
   }
   
   private initializeDefaultUsers(): void {
-    // Add default admin user
+    const username = process.env.DCROUTER_ADMIN_USERNAME || 'admin';
+    const configuredPassword = process.env.DCROUTER_ADMIN_PASSWORD;
+    const password = configuredPassword || plugins.crypto.randomBytes(24).toString('base64url');
+
     const adminId = plugins.uuid.v4();
     this.users.set(adminId, {
       id: adminId,
-      username: 'admin',
-      password: 'admin',
+      username,
+      password,
       role: 'admin',
     });
+
+    if (!configuredPassword) {
+      console.warn(`DCRouter generated one-time admin password for ${username}: ${password}`);
+    }
   }
 
   /**
-   * Return a safe projection of the users Map — excludes password fields.
+   * Return a safe projection of the active user source — excludes password fields.
    * Used by UsersHandler to serve the admin-only listUsers endpoint.
    */
-  public listUsers(): Array<{ id: string; username: string; role: string }> {
+  public async listUsers(): Promise<interfaces.requests.IAdminUserProjection[]> {
+    if (await this.hasPersistentAdminAccount()) {
+      const store = this.getAccountStore();
+      const accounts = await store!.listAccounts();
+      return accounts.map((accountArg) => this.accountToUser(accountArg));
+    }
+
     return Array.from(this.users.values()).map((user) => ({
       id: user.id,
       username: user.username,
       role: user.role,
     }));
   }
+
+  public async getBootstrapStatus(): Promise<interfaces.requests.IReq_GetAdminBootstrapStatus['response']> {
+    const dbEnabled = this.opsServerRef.dcRouterRef.options.dbConfig?.enabled !== false;
+    const store = this.getAccountStore();
+    const dbReady = !!store;
+    const hasPersistentAdmin = dbReady ? await store.hasActiveAdminAccount() : false;
+    return {
+      dbEnabled,
+      dbReady,
+      hasPersistentAdmin,
+      needsBootstrap: dbEnabled && dbReady && !hasPersistentAdmin,
+      ephemeralAdminAvailable: !hasPersistentAdmin,
+      idpGlobalConfigured: this.isIdpGlobalConfigured(),
+    };
+  }
+
+  public async createInitialAdminUser(optionsArg: {
+    email: string;
+    name?: string;
+    password: string;
+    enableIdpGlobalAuth?: boolean;
+  }): Promise<interfaces.requests.IReq_CreateInitialAdminUser['response']> {
+    const store = this.getAccountStore();
+    if (!store) {
+      throw new plugins.typedrequest.TypedResponseError('database is not ready');
+    }
+
+    if (await store.hasActiveAdminAccount()) {
+      throw new plugins.typedrequest.TypedResponseError('initial admin already exists');
+    }
+
+    const password = String(optionsArg.password || '');
+    if (!password) {
+      throw new plugins.typedrequest.TypedResponseError('password is required');
+    }
+
+    const email = String(optionsArg.email || '').trim();
+    const authSources: Array<'local' | 'idp.global'> = ['local'];
+    if (optionsArg.enableIdpGlobalAuth) {
+      authSources.push('idp.global');
+    }
+
+    try {
+      const account = await store.createAccount({
+        email,
+        name: String(optionsArg.name || '').trim() || email,
+        role: 'admin',
+        authSources,
+        password,
+      });
+      const user = this.accountToUser(account);
+      return {
+        success: true,
+        identity: await this.createIdentityForUser(user),
+        user,
+      };
+    } catch (error) {
+      throw new plugins.typedrequest.TypedResponseError((error as Error).message || 'failed to create initial admin');
+    }
+  }
   
   private registerHandlers(): void {
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetAdminBootstrapStatus>(
+        'getAdminBootstrapStatus',
+        async (_dataArg) => this.getBootstrapStatus()
+      )
+    );
+
+    this.opsServerRef.adminRouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_CreateInitialAdminUser>(
+        'createInitialAdminUser',
+        async (dataArg) => this.createInitialAdminUser({
+          email: dataArg.email,
+          name: dataArg.name,
+          password: dataArg.password,
+          enableIdpGlobalAuth: dataArg.enableIdpGlobalAuth,
+        })
+      )
+    );
+
     // Admin Login Handler
     this.typedrouter.addTypedHandler(
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_AdminLoginWithUsernameAndPassword>(
         'adminLoginWithUsernameAndPassword',
         async (dataArg) => {
           try {
-            // Find user by username and password
-            let user: { id: string; username: string; password: string; role: string } | null = null;
-            for (const [_, userData] of this.users) {
-              if (userData.username === dataArg.username && userData.password === dataArg.password) {
-                user = userData;
-                break;
-              }
-            }
-            
+            const user = await this.authenticateUser({
+              username: dataArg.username,
+              password: dataArg.password,
+              authSource: dataArg.authSource,
+            });
             if (!user) {
               throw new plugins.typedrequest.TypedResponseError('login failed');
             }
-            
-            const expiresAtTimestamp = Date.now() + 3600 * 1000 * 24; // 24 hours
-            
-            const jwt = await this.smartjwtInstance.createJWT({
-              userId: user.id,
-              status: 'loggedIn',
-              expiresAt: expiresAtTimestamp,
-            });
-            
+
             return {
-              identity: {
-                jwt,
-                userId: user.id,
-                name: user.username,
-                expiresAt: expiresAtTimestamp,
-                role: user.role,
-                type: 'user',
-              },
+              identity: await this.createIdentityForUser(user),
             };
           } catch (error) {
             if (error instanceof plugins.typedrequest.TypedResponseError) {
@@ -155,8 +250,7 @@ export class AdminHandler {
               };
             }
             
-            // Find user
-            const user = this.users.get(jwtData.userId);
+            const user = await this.resolveUser(jwtData.userId);
             if (!user) {
               return {
                 valid: false,
@@ -168,7 +262,7 @@ export class AdminHandler {
               identity: {
                 jwt: dataArg.identity.jwt,
                 userId: user.id,
-                name: user.username,
+                name: user.name || user.username,
                 expiresAt: jwtData.expiresAt,
                 role: user.role,
                 type: 'user',
@@ -217,6 +311,15 @@ export class AdminHandler {
           return false;
         }
         
+        const user = await this.resolveUser(jwtData.userId);
+        if (!user) {
+          return false;
+        }
+
+        if (dataArg.identity.role && dataArg.identity.role !== user.role) {
+          return false;
+        }
+
         return true;
       } catch (error) {
         return false;
@@ -249,4 +352,120 @@ export class AdminHandler {
       name: 'adminIdentityGuard',
     }
   );
-}
+
+  private async authenticateUser(optionsArg: {
+    username: string;
+    password: string;
+    authSource?: interfaces.requests.TAdminLoginAuthSource;
+  }): Promise<TAdminUser | null> {
+    if (await this.hasPersistentAdminAccount()) {
+      const store = this.getAccountStore();
+      const authService = new plugins.idpSdkServer.AccountAuthService({
+        store: store!,
+        idpClient: this.getIdpClient() as plugins.idpSdkServer.IdpGlobalServerClient | undefined,
+      });
+      const result = await authService.authenticate({
+        email: optionsArg.username,
+        password: optionsArg.password,
+        authSource: optionsArg.authSource || 'auto',
+      });
+      return result ? this.accountToUser(result.account) : null;
+    }
+
+    for (const [_, userData] of this.users) {
+      if (userData.username === optionsArg.username && userData.password === optionsArg.password) {
+        return userData;
+      }
+    }
+    return null;
+  }
+
+  private async resolveUser(userIdArg: string): Promise<TAdminUser | null> {
+    if (await this.hasPersistentAdminAccount()) {
+      const account = await this.getAccountStore()!.getAccountById(userIdArg);
+      if (!account || account.status !== 'active') {
+        return null;
+      }
+      return this.accountToUser(account);
+    }
+
+    return this.users.get(userIdArg) || null;
+  }
+
+  private async hasPersistentAdminAccount(): Promise<boolean> {
+    const store = this.getAccountStore();
+    return store ? store.hasActiveAdminAccount() : false;
+  }
+
+  private getAccountStore(): plugins.idpSdkServer.SmartdataAccountStore | null {
+    if (this.opsServerRef.dcRouterRef.options.dbConfig?.enabled === false) {
+      return null;
+    }
+    const dcRouterDb = this.opsServerRef.dcRouterRef.dcRouterDb;
+    if (!dcRouterDb?.isReady()) {
+      return null;
+    }
+    if (!this.accountStore) {
+      this.accountStore = new plugins.idpSdkServer.SmartdataAccountStore({
+        smartdataDb: dcRouterDb.getDb(),
+      });
+    }
+    return this.accountStore;
+  }
+
+  private getIdpClient(): Pick<plugins.idpSdkServer.IdpGlobalServerClient, 'loginWithEmailAndPassword' | 'stop'> | undefined {
+    const configuredClient = this.opsServerRef.dcRouterRef.options.adminAuth?.idpClient;
+    if (configuredClient) {
+      return configuredClient;
+    }
+
+    const baseUrl = this.opsServerRef.dcRouterRef.options.adminAuth?.idpGlobalUrl || process.env.DCROUTER_IDP_GLOBAL_URL;
+    if (!baseUrl) {
+      return undefined;
+    }
+
+    if (!this.idpClient) {
+      this.idpClient = new plugins.idpSdkServer.IdpGlobalServerClient({ baseUrl });
+      this.ownsIdpClient = true;
+    }
+    return this.idpClient;
+  }
+
+  private isIdpGlobalConfigured(): boolean {
+    return !!(
+      this.opsServerRef.dcRouterRef.options.adminAuth?.idpClient ||
+      this.opsServerRef.dcRouterRef.options.adminAuth?.idpGlobalUrl ||
+      process.env.DCROUTER_IDP_GLOBAL_URL
+    );
+  }
+
+  private accountToUser(accountArg: plugins.idpSdkServer.IIdpSdkAccount): TAdminUser {
+    return {
+      id: accountArg.id,
+      username: accountArg.email,
+      email: accountArg.email,
+      name: accountArg.name,
+      role: accountArg.role,
+      status: accountArg.status,
+      authSources: accountArg.authSources,
+    };
+  }
+
+  private async createIdentityForUser(userArg: TAdminUser): Promise<interfaces.data.IIdentity> {
+    const expiresAtTimestamp = Date.now() + 3600 * 1000 * 24; // 24 hours
+    const jwt = await this.smartjwtInstance.createJWT({
+      userId: userArg.id,
+      status: 'loggedIn',
+      expiresAt: expiresAtTimestamp,
+    });
+
+    return {
+      jwt,
+      userId: userArg.id,
+      name: userArg.name || userArg.username,
+      expiresAt: expiresAtTimestamp,
+      role: userArg.role,
+      type: 'user',
+    };
+  }
+}

ts/opsserver/handlers/api-token.handler.ts

@@ -26,6 +26,7 @@ export class ApiTokenHandler {
             dataArg.scopes,
             dataArg.expiresInDays ?? null,
             dataArg.identity.userId,
+            dataArg.policy,
           );
           return { success: true, tokenId: result.id, tokenValue: result.rawToken };
         },

ts/opsserver/handlers/certificate.handler.ts

@@ -26,21 +26,51 @@ export function deriveCertDomainName(domain: string): string | undefined {
 }
 
 export class CertificateHandler {
+  public typedrouter = new plugins.typedrequest.TypedRouter();
+
   constructor(private opsServerRef: OpsServer) {
+    this.opsServerRef.typedrouter?.addTypedRouter(this.typedrouter);
     this.registerHandlers();
   }
 
-  private registerHandlers(): void {
-    const viewRouter = this.opsServerRef.viewRouter;
-    const adminRouter = this.opsServerRef.adminRouter;
+  private async requireAuth(
+    request: { identity?: interfaces.data.IIdentity; apiToken?: string },
+    requiredScope?: interfaces.data.TApiTokenScope,
+  ): Promise<string> {
+    if (request.identity?.jwt) {
+      try {
+        const isAdmin = await this.opsServerRef.adminHandler.adminIdentityGuard.exec({
+          identity: request.identity,
+        });
+        if (isAdmin) return request.identity.userId;
+      } catch { /* fall through */ }
+    }
 
-    // ---- Read endpoints (viewRouter — valid identity required via middleware) ----
+    if (request.apiToken) {
+      const tokenManager = this.opsServerRef.dcRouterRef.apiTokenManager;
+      if (tokenManager) {
+        const token = await tokenManager.validateToken(request.apiToken);
+        if (token) {
+          if (!requiredScope || tokenManager.hasScope(token, requiredScope)) {
+            return token.createdBy;
+          }
+          throw new plugins.typedrequest.TypedResponseError('insufficient scope');
+        }
+      }
+    }
+
+    throw new plugins.typedrequest.TypedResponseError('unauthorized');
+  }
+
+  private registerHandlers(): void {
+    const router = this.typedrouter;
 
     // Get Certificate Overview
-    viewRouter.addTypedHandler(
+    router.addTypedHandler(
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetCertificateOverview>(
         'getCertificateOverview',
         async (dataArg) => {
+          await this.requireAuth(dataArg, 'certificates:read');
           const certificates = await this.buildCertificateOverview();
           const summary = this.buildSummary(certificates);
           return { certificates, summary };
@@ -48,53 +78,56 @@ export class CertificateHandler {
       )
     );
 
-    // ---- Write endpoints (adminRouter — admin identity required via middleware) ----
-
     // Legacy route-based reprovision (backward compat)
-    adminRouter.addTypedHandler(
+    router.addTypedHandler(
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_ReprovisionCertificate>(
         'reprovisionCertificate',
         async (dataArg) => {
+          await this.requireAuth(dataArg, 'certificates:write');
           return this.reprovisionCertificateByRoute(dataArg.routeName);
         }
       )
     );
 
     // Domain-based reprovision (preferred)
-    adminRouter.addTypedHandler(
+    router.addTypedHandler(
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_ReprovisionCertificateDomain>(
         'reprovisionCertificateDomain',
         async (dataArg) => {
+          await this.requireAuth(dataArg, 'certificates:write');
           return this.reprovisionCertificateDomain(dataArg.domain, dataArg.forceRenew);
         }
       )
     );
 
     // Delete certificate
-    adminRouter.addTypedHandler(
+    router.addTypedHandler(
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_DeleteCertificate>(
         'deleteCertificate',
         async (dataArg) => {
+          await this.requireAuth(dataArg, 'certificates:write');
           return this.deleteCertificate(dataArg.domain);
         }
       )
     );
 
     // Export certificate
-    adminRouter.addTypedHandler(
+    router.addTypedHandler(
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_ExportCertificate>(
         'exportCertificate',
         async (dataArg) => {
+          await this.requireAuth(dataArg, 'certificates:read');
           return this.exportCertificate(dataArg.domain);
         }
       )
     );
 
     // Import certificate
-    adminRouter.addTypedHandler(
+    router.addTypedHandler(
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_ImportCertificate>(
         'importCertificate',
         async (dataArg) => {
+          await this.requireAuth(dataArg, 'certificates:write');
           return this.importCertificate(dataArg.cert);
         }
       )
@@ -274,6 +307,11 @@ export class CertificateHandler {
         }
       }
 
+      if (backoffInfo && status !== 'valid' && status !== 'expiring') {
+        status = 'failed';
+        error = error || backoffInfo.lastError;
+      }
+
       certificates.push({
         domain,
         routeNames: info.routeNames,

ts/opsserver/handlers/config.handler.ts

@@ -206,6 +206,7 @@ export class ConfigHandler {
       hubDomain: riCfg?.hubDomain || null,
       tlsMode,
       connectedEdgeIps,
+      performance: riCfg?.performance,
     };
 
     return {

ts/opsserver/handlers/index.ts

@@ -18,4 +18,5 @@ export * from './dns-provider.handler.js';
 export * from './domain.handler.js';
 export * from './dns-record.handler.js';
 export * from './acme-config.handler.js';
-export * from './email-domain.handler.js';
+export * from './email-domain.handler.js';
+export * from './workhoster.handler.js';

ts/opsserver/handlers/remoteingress.handler.ts

@@ -29,6 +29,7 @@ export class RemoteIngressHandler {
               ...e,
               secret: '********', // Never expose secrets via API
               effectiveListenPorts: manager.getEffectiveListenPorts(e),
+              effectiveListenPortsUdp: manager.getEffectiveListenPortsUdp(e),
               manualPorts: breakdown.manual,
               derivedPorts: breakdown.derived,
             };
@@ -133,6 +134,7 @@ export class RemoteIngressHandler {
               ...edge,
               secret: '********',
               effectiveListenPorts: manager.getEffectiveListenPorts(edge),
+              effectiveListenPortsUdp: manager.getEffectiveListenPortsUdp(edge),
               manualPorts: breakdown.manual,
               derivedPorts: breakdown.derived,
             },

ts/opsserver/handlers/security.handler.ts

@@ -50,19 +50,21 @@ export class SecurityHandler {
             localAddress: conn.destination.ip,
             startTime: conn.startTime,
             protocol: conn.type === 'http' ? 'https' : conn.type as any,
-            state: conn.status as any,
+            state: conn.status === 'active' ? 'connected' : conn.status as any,
             bytesReceived: (conn as any)._throughputIn || 0,
             bytesSent: (conn as any)._throughputOut || 0,
+            connectionCount: conn.bytesTransferred || 1,
           }));
+          const totalConnections = connectionInfos.reduce((sum, conn) => sum + (conn.connectionCount || 1), 0);
           
           const summary = {
-            total: connectionInfos.length,
+            total: totalConnections,
             byProtocol: connectionInfos.reduce((acc, conn) => {
-              acc[conn.protocol] = (acc[conn.protocol] || 0) + 1;
+              acc[conn.protocol] = (acc[conn.protocol] || 0) + (conn.connectionCount || 1);
               return acc;
             }, {} as { [protocol: string]: number }),
             byState: connectionInfos.reduce((acc, conn) => {
-              acc[conn.state] = (acc[conn.state] || 0) + 1;
+              acc[conn.state] = (acc[conn.state] || 0) + (conn.connectionCount || 1);
               return acc;
             }, {} as { [state: string]: number }),
           };
@@ -104,6 +106,8 @@ export class SecurityHandler {
               requestsPerSecond: networkStats.requestsPerSecond || 0,
               requestsTotal: networkStats.requestsTotal || 0,
               backends: networkStats.backends || [],
+              frontendProtocols: networkStats.frontendProtocols || null,
+              backendProtocols: networkStats.backendProtocols || null,
             };
           }
 
@@ -120,6 +124,8 @@ export class SecurityHandler {
             requestsPerSecond: 0,
             requestsTotal: 0,
             backends: [],
+            frontendProtocols: null,
+            backendProtocols: null,
           };
         }
       )
@@ -151,6 +157,113 @@ export class SecurityHandler {
         }
       )
     );
+
+    router.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_ListSecurityBlockRules>(
+        'listSecurityBlockRules',
+        async () => {
+          const manager = this.opsServerRef.dcRouterRef.securityPolicyManager;
+          return { rules: manager ? await manager.listBlockRules() : [] };
+        },
+      ),
+    );
+
+    router.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_ListIpIntelligence>(
+        'listIpIntelligence',
+        async () => {
+          const manager = this.opsServerRef.dcRouterRef.securityPolicyManager;
+          return { records: manager ? await manager.listIpIntelligence() : [] };
+        },
+      ),
+    );
+
+    router.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetCompiledSecurityPolicy>(
+        'getCompiledSecurityPolicy',
+        async () => {
+          const manager = this.opsServerRef.dcRouterRef.securityPolicyManager;
+          return {
+            policy: manager
+              ? await manager.compilePolicy()
+              : { blockedIps: [], blockedCidrs: [] },
+          };
+        },
+      ),
+    );
+
+    router.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_ListSecurityPolicyAudit>(
+        'listSecurityPolicyAudit',
+        async (dataArg) => {
+          const manager = this.opsServerRef.dcRouterRef.securityPolicyManager;
+          return { events: manager ? await manager.listAuditEvents(dataArg.limit || 100) : [] };
+        },
+      ),
+    );
+
+    const adminRouter = this.opsServerRef.adminRouter;
+
+    adminRouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_CreateSecurityBlockRule>(
+        'createSecurityBlockRule',
+        async (dataArg) => {
+          const manager = this.opsServerRef.dcRouterRef.securityPolicyManager;
+          if (!manager) return { success: false, message: 'Security policy manager not initialized' };
+          const rule = await manager.createBlockRule({
+            type: dataArg.type,
+            value: dataArg.value,
+            matchMode: dataArg.matchMode,
+            reason: dataArg.reason,
+            enabled: dataArg.enabled,
+          }, dataArg.identity.userId);
+          return { success: true, rule };
+        },
+      ),
+    );
+
+    adminRouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_UpdateSecurityBlockRule>(
+        'updateSecurityBlockRule',
+        async (dataArg) => {
+          const manager = this.opsServerRef.dcRouterRef.securityPolicyManager;
+          if (!manager) return { success: false, message: 'Security policy manager not initialized' };
+          const rule = await manager.updateBlockRule(dataArg.id, {
+            value: dataArg.value,
+            matchMode: dataArg.matchMode,
+            reason: dataArg.reason,
+            enabled: dataArg.enabled,
+          }, dataArg.identity.userId);
+          return rule ? { success: true, rule } : { success: false, message: 'Rule not found' };
+        },
+      ),
+    );
+
+    adminRouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_DeleteSecurityBlockRule>(
+        'deleteSecurityBlockRule',
+        async (dataArg) => {
+          const manager = this.opsServerRef.dcRouterRef.securityPolicyManager;
+          if (!manager) return { success: false, message: 'Security policy manager not initialized' };
+          const success = await manager.deleteBlockRule(dataArg.id, dataArg.identity.userId);
+          return { success, message: success ? undefined : 'Rule not found' };
+        },
+      ),
+    );
+
+    adminRouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_RefreshIpIntelligence>(
+        'refreshIpIntelligence',
+        async (dataArg) => {
+          const manager = this.opsServerRef.dcRouterRef.securityPolicyManager;
+          if (!manager) return { success: false, message: 'Security policy manager not initialized' };
+          const record = await manager.refreshIpIntelligence(dataArg.ipAddress);
+          return record
+            ? { success: true, record }
+            : { success: false, message: 'IP address is invalid or not public' };
+        },
+      ),
+    );
   }
   
   private async collectSecurityMetrics(): Promise<{
@@ -335,4 +448,4 @@ export class SecurityHandler {
       limits: [],
     };
   }
-}
+}

ts/opsserver/handlers/stats.handler.ts

@@ -302,6 +302,7 @@ export class StatsHandler {
                     startTime: 0,
                     bytesIn: tp?.in || 0,
                     bytesOut: tp?.out || 0,
+                    connectionCount: count,
                   });
                 }
 

ts/opsserver/handlers/target-profile.handler.ts

@@ -88,6 +88,8 @@ export class TargetProfileHandler {
             routeRefs: dataArg.routeRefs,
             createdBy: userId,
           });
+          await this.opsServerRef.dcRouterRef.routeConfigManager?.applyRoutes();
+          await this.opsServerRef.dcRouterRef.vpnManager?.refreshAllClientSecurity();
           return { success: true, id };
         },
       ),

ts/opsserver/handlers/users.handler.ts

@@ -21,7 +21,7 @@ export class UsersHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_ListUsers>(
         'listUsers',
         async (_dataArg) => {
-          const users = this.opsServerRef.adminHandler.listUsers();
+          const users = await this.opsServerRef.adminHandler.listUsers();
           return { users };
         },
       ),

ts/opsserver/handlers/workhoster.handler.ts

@@ -0,0 +1,664 @@
+import * as plugins from '../../plugins.js';
+import type { OpsServer } from '../classes.opsserver.js';
+import * as interfaces from '../../../ts_interfaces/index.js';
+
+type TAuthContext = {
+  userId: string;
+  isAdmin: boolean;
+  token?: interfaces.data.IStoredApiToken;
+};
+
+export class WorkHosterHandler {
+  public typedrouter = new plugins.typedrequest.TypedRouter();
+
+  constructor(private opsServerRef: OpsServer) {
+    this.opsServerRef.typedrouter.addTypedRouter(this.typedrouter);
+    this.registerHandlers();
+  }
+
+  private async requireAuth(
+    request: { identity?: interfaces.data.IIdentity; apiToken?: string },
+    requiredScope?: interfaces.data.TApiTokenScope,
+  ): Promise<TAuthContext> {
+    if (request.identity?.jwt) {
+      try {
+        const isAdmin = await this.opsServerRef.adminHandler.adminIdentityGuard.exec({
+          identity: request.identity,
+        });
+        if (isAdmin) return { userId: request.identity.userId, isAdmin: true };
+      } catch { /* fall through */ }
+    }
+
+    if (request.apiToken) {
+      const tokenManager = this.opsServerRef.dcRouterRef.apiTokenManager;
+      if (tokenManager) {
+        const token = await tokenManager.validateToken(request.apiToken);
+        if (token) {
+          if (!requiredScope || tokenManager.hasScope(token, requiredScope)) {
+            return { userId: token.createdBy, isAdmin: token.policy?.role === 'admin', token };
+          }
+          throw new plugins.typedrequest.TypedResponseError('insufficient scope');
+        }
+      }
+    }
+
+    throw new plugins.typedrequest.TypedResponseError('unauthorized');
+  }
+
+  private async requireAdmin(request: { identity?: interfaces.data.IIdentity }): Promise<string> {
+    if (request.identity?.jwt) {
+      const isAdmin = await this.opsServerRef.adminHandler.adminIdentityGuard.exec({
+        identity: request.identity,
+      });
+      if (isAdmin) return request.identity.userId;
+    }
+    throw new plugins.typedrequest.TypedResponseError('admin identity required');
+  }
+
+  private registerHandlers(): void {
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetGatewayCapabilities>(
+        'getGatewayCapabilities',
+        async (dataArg) => {
+          await this.requireAuth(dataArg, 'gateway-clients:read');
+          return { capabilities: this.getGatewayCapabilities() };
+        },
+      ),
+    );
+
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetGatewayClientContext>(
+        'getGatewayClientContext',
+        async (dataArg) => {
+          const auth = await this.requireAuth(dataArg, 'gateway-clients:read');
+          return {
+            context: this.getGatewayClientContext(auth),
+            capabilities: this.getGatewayCapabilities(),
+          };
+        },
+      ),
+    );
+
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_ListGatewayClients>(
+        'listGatewayClients',
+        async (dataArg) => {
+          await this.requireAdmin(dataArg);
+          return { gatewayClients: await this.listManagedGatewayClients() };
+        },
+      ),
+    );
+
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_CreateGatewayClient>(
+        'createGatewayClient',
+        async (dataArg) => {
+          const userId = await this.requireAdmin(dataArg);
+          const manager = this.opsServerRef.dcRouterRef.gatewayClientManager;
+          if (!manager) return { success: false, message: 'Gateway client management not initialized' };
+          try {
+            const gatewayClient = await manager.createClient({
+              id: dataArg.id,
+              type: dataArg.type,
+              name: dataArg.name,
+              description: dataArg.description,
+              hostnamePatterns: dataArg.hostnamePatterns,
+              allowedRouteTargets: dataArg.allowedRouteTargets,
+              capabilities: dataArg.capabilities,
+              createdBy: userId,
+            });
+            return { success: true, gatewayClient };
+          } catch (error) {
+            return { success: false, message: (error as Error).message };
+          }
+        },
+      ),
+    );
+
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_UpdateGatewayClient>(
+        'updateGatewayClient',
+        async (dataArg) => {
+          await this.requireAdmin(dataArg);
+          const manager = this.opsServerRef.dcRouterRef.gatewayClientManager;
+          if (!manager) return { success: false, message: 'Gateway client management not initialized' };
+          const gatewayClient = await manager.updateClient(dataArg.id, {
+            name: dataArg.name,
+            description: dataArg.description,
+            hostnamePatterns: dataArg.hostnamePatterns,
+            allowedRouteTargets: dataArg.allowedRouteTargets,
+            capabilities: dataArg.capabilities,
+            enabled: dataArg.enabled,
+          });
+          return gatewayClient
+            ? { success: true, gatewayClient }
+            : { success: false, message: 'Gateway client not found' };
+        },
+      ),
+    );
+
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_DeleteGatewayClient>(
+        'deleteGatewayClient',
+        async (dataArg) => {
+          await this.requireAdmin(dataArg);
+          const manager = this.opsServerRef.dcRouterRef.gatewayClientManager;
+          if (!manager) return { success: false, message: 'Gateway client management not initialized' };
+          const success = await manager.deleteClient(dataArg.id);
+          return { success, message: success ? undefined : 'Gateway client not found' };
+        },
+      ),
+    );
+
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_CreateGatewayClientToken>(
+        'createGatewayClientToken',
+        async (dataArg) => {
+          const userId = await this.requireAdmin(dataArg);
+          const gatewayClient = await this.opsServerRef.dcRouterRef.gatewayClientManager?.getClient(dataArg.gatewayClientId);
+          const tokenManager = this.opsServerRef.dcRouterRef.apiTokenManager;
+          if (!gatewayClient || !gatewayClient.enabled) {
+            return { success: false, message: 'Gateway client not found or disabled' };
+          }
+          if (!tokenManager) {
+            return { success: false, message: 'Token management not initialized' };
+          }
+          const result = await tokenManager.createToken(
+            dataArg.name?.trim() || `${gatewayClient.name} Token`,
+            ['gateway-clients:read', 'gateway-clients:write'],
+            dataArg.expiresInDays ?? null,
+            userId,
+            {
+              role: 'gatewayClient',
+              scopes: ['gateway-clients:read', 'gateway-clients:write'],
+              gatewayClient: { type: gatewayClient.type, id: gatewayClient.id },
+              hostnamePatterns: gatewayClient.hostnamePatterns,
+              allowedRouteTargets: gatewayClient.allowedRouteTargets,
+              capabilities: gatewayClient.capabilities,
+            },
+          );
+          return { success: true, tokenId: result.id, tokenValue: result.rawToken };
+        },
+      ),
+    );
+
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetGatewayClientDomains>(
+        'getGatewayClientDomains',
+        async (dataArg) => {
+          const auth = await this.requireAuth(dataArg, 'gateway-clients:read');
+          this.assertCapability(auth, 'readDomains');
+          return { domains: await this.listGatewayClientDomains(auth, dataArg.gatewayClientId) };
+        },
+      ),
+    );
+
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetGatewayClientDnsRecords>(
+        'getGatewayClientDnsRecords',
+        async (dataArg) => {
+          const auth = await this.requireAuth(dataArg, 'gateway-clients:read');
+          this.assertCapability(auth, 'readDnsRecords');
+          return { records: await this.listGatewayClientDnsRecords(auth, dataArg.gatewayClientId) };
+        },
+      ),
+    );
+
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetWorkHosterDomains>(
+        'getWorkHosterDomains',
+        async (dataArg) => {
+          const auth = await this.requireAuth(dataArg, 'workhosters:read');
+          this.assertCapability(auth, 'readDomains');
+          return { domains: await this.listGatewayClientDomains(auth) };
+        },
+      ),
+    );
+
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_SyncGatewayClientRoute>(
+        'syncGatewayClientRoute',
+        async (dataArg) => {
+          const auth = await this.requireAuth(dataArg, 'gateway-clients:write');
+          this.assertCapability(auth, 'syncRoutes');
+          return await this.syncGatewayClientRoute(auth, dataArg.ownership, dataArg.route, dataArg.enabled, dataArg.delete);
+        },
+      ),
+    );
+
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_SyncWorkAppRoute>(
+        'syncWorkAppRoute',
+        async (dataArg) => {
+          const auth = await this.requireAuth(dataArg, 'workhosters:write');
+          this.assertCapability(auth, 'syncRoutes');
+          const ownership: interfaces.data.IGatewayClientOwnership = {
+            gatewayClientType: dataArg.ownership.workHosterType,
+            gatewayClientId: dataArg.ownership.workHosterId,
+            appId: dataArg.ownership.workAppId,
+            hostname: dataArg.ownership.hostname,
+          };
+          return await this.syncGatewayClientRoute(auth, ownership, dataArg.route, dataArg.enabled, dataArg.delete);
+        },
+      ),
+    );
+
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetWorkAppMailIdentities>(
+        'getWorkAppMailIdentities',
+        async (dataArg) => {
+          await this.requireAuth(dataArg, 'workhosters:read');
+          const manager = this.opsServerRef.dcRouterRef.workAppMailManager;
+          if (!manager) return { identities: [] };
+          return { identities: await manager.listMailIdentities(dataArg.ownership) };
+        },
+      ),
+    );
+
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_SyncWorkAppMailIdentity>(
+        'syncWorkAppMailIdentity',
+        async (dataArg) => {
+          const auth = await this.requireAuth(dataArg, 'workhosters:write');
+          const manager = this.opsServerRef.dcRouterRef.workAppMailManager;
+          if (!manager) {
+            return { success: false, message: 'WorkApp mail manager not initialized' };
+          }
+          try {
+            return await manager.syncMailIdentity(dataArg, auth.userId);
+          } catch (error) {
+            return { success: false, message: (error as Error).message };
+          }
+        },
+      ),
+    );
+  }
+
+  private getGatewayCapabilities(): interfaces.data.IGatewayCapabilities {
+    const dcRouter = this.opsServerRef.dcRouterRef;
+    return {
+      routes: {
+        read: Boolean(dcRouter.routeConfigManager),
+        write: Boolean(dcRouter.routeConfigManager),
+        idempotentSync: Boolean(dcRouter.routeConfigManager),
+      },
+      domains: {
+        read: Boolean(dcRouter.dnsManager),
+        write: Boolean(dcRouter.dnsManager),
+      },
+      certificates: {
+        read: Boolean(dcRouter.smartProxy),
+        export: Boolean(dcRouter.smartProxy),
+        forceRenew: Boolean(dcRouter.smartProxy),
+      },
+      email: {
+        domains: Boolean(dcRouter.emailDomainManager),
+        inbound: Boolean(dcRouter.emailServer),
+        outbound: Boolean(dcRouter.emailServer),
+      },
+      remoteIngress: {
+        enabled: Boolean(dcRouter.options.remoteIngressConfig?.enabled),
+      },
+      dns: {
+        authoritative: Boolean(dcRouter.options.dnsScopes?.length),
+        providerManaged: Boolean(dcRouter.dnsManager),
+      },
+      http3: {
+        enabled: dcRouter.options.http3?.enabled !== false,
+      },
+    };
+  }
+
+  private getGatewayClientContext(auth: TAuthContext): interfaces.data.IGatewayClientContext {
+    const policy = auth.token?.policy;
+    const role = auth.isAdmin ? 'admin' : policy?.role || 'operator';
+    return {
+      role,
+      scopes: auth.token?.scopes || ['*'],
+      gatewayClient: policy?.gatewayClient,
+      hostnamePatterns: policy?.hostnamePatterns || [],
+      allowedRouteTargets: policy?.allowedRouteTargets || [],
+      capabilities: policy?.capabilities || {},
+    };
+  }
+
+  private async listManagedGatewayClients(): Promise<interfaces.data.IGatewayClient[]> {
+    const manager = this.opsServerRef.dcRouterRef.gatewayClientManager;
+    if (!manager) return [];
+    const clients = await manager.listClients();
+    const tokens = this.opsServerRef.dcRouterRef.apiTokenManager?.listTokens() || [];
+    return clients.map((client) => ({
+      ...client,
+      tokenCount: tokens.filter((token) => token.policy?.gatewayClient?.id === client.id).length,
+    }));
+  }
+
+  private buildExternalKey(ownership: interfaces.data.IWorkAppRouteOwnership): string {
+    return [
+      ownership.workHosterType,
+      ownership.workHosterId,
+      ownership.workAppId,
+      ownership.hostname,
+    ].map((part) => part.trim()).join(':');
+  }
+
+  private assertCapability(
+    auth: TAuthContext,
+    capability: keyof NonNullable<interfaces.data.IApiTokenPolicy['capabilities']>,
+  ): void {
+    if (auth.isAdmin) return;
+    const policy = auth.token?.policy;
+    if (!policy || policy.role !== 'gatewayClient') return;
+    if (policy.capabilities?.[capability] === true) return;
+    throw new plugins.typedrequest.TypedResponseError(`token capability missing: ${capability}`);
+  }
+
+  private resolveGatewayClientId(auth: TAuthContext, requestedId?: string): string | undefined {
+    const policyClient = auth.token?.policy?.gatewayClient;
+    if (!policyClient) return requestedId;
+    if (requestedId && requestedId !== policyClient.id) {
+      throw new plugins.typedrequest.TypedResponseError('gateway client token cannot access another gateway client');
+    }
+    return policyClient.id;
+  }
+
+  private resolveGatewayClientOwnership(
+    auth: TAuthContext,
+    ownership: interfaces.data.IGatewayClientOwnership,
+  ): Required<interfaces.data.IGatewayClientOwnership> {
+    const policy = auth.token?.policy;
+    if (policy?.role === 'gatewayClient') {
+      if (!policy.gatewayClient) {
+        throw new plugins.typedrequest.TypedResponseError('gateway client token is missing gatewayClient binding');
+      }
+      if (ownership.gatewayClientType && ownership.gatewayClientType !== policy.gatewayClient.type) {
+        throw new plugins.typedrequest.TypedResponseError('gateway client token cannot act for this ownership');
+      }
+      if (ownership.gatewayClientId && ownership.gatewayClientId !== policy.gatewayClient.id) {
+        throw new plugins.typedrequest.TypedResponseError('gateway client token cannot act for this ownership');
+      }
+      return {
+        gatewayClientType: policy.gatewayClient.type,
+        gatewayClientId: policy.gatewayClient.id,
+        appId: ownership.appId,
+        hostname: ownership.hostname,
+      };
+    }
+
+    if (!ownership.gatewayClientType || !ownership.gatewayClientId) {
+      throw new plugins.typedrequest.TypedResponseError('gateway client ownership is missing type or id');
+    }
+    return ownership as Required<interfaces.data.IGatewayClientOwnership>;
+  }
+
+  private assertGatewayClientOwnership(auth: TAuthContext, ownership: Required<interfaces.data.IGatewayClientOwnership>): void {
+    const policy = auth.token?.policy;
+    if (!policy || policy.role !== 'gatewayClient') return;
+    if (!this.matchesHostnamePatterns(ownership.hostname, policy.hostnamePatterns || [])) {
+      throw new plugins.typedrequest.TypedResponseError('hostname is outside token policy');
+    }
+  }
+
+  private assertRouteTargetsAllowed(auth: TAuthContext, route?: interfaces.data.IDcRouterRouteConfig): void {
+    const policy = auth.token?.policy;
+    if (!policy || policy.role !== 'gatewayClient' || !route) return;
+    const allowedTargets = policy.allowedRouteTargets || [];
+    if (allowedTargets.length === 0) {
+      throw new plugins.typedrequest.TypedResponseError('gateway client token has no allowed route targets');
+    }
+    const targets = ((route.action as any)?.targets || []) as Array<{ host?: string; port?: number }>;
+    for (const target of targets) {
+      const host = String(target.host || '').trim().toLowerCase();
+      const port = Number(target.port);
+      const allowed = allowedTargets.some((allowedTarget) => {
+        return allowedTarget.host.trim().toLowerCase() === host && allowedTarget.ports.includes(port);
+      });
+      if (!allowed) {
+        throw new plugins.typedrequest.TypedResponseError(`route target is outside token policy: ${host}:${port}`);
+      }
+    }
+  }
+
+  private matchesHostnamePatterns(hostname: string, patterns: string[]): boolean {
+    const normalizedHostname = hostname.trim().toLowerCase();
+    if (!normalizedHostname) return false;
+    for (const pattern of patterns) {
+      const normalizedPattern = pattern.trim().toLowerCase();
+      if (!normalizedPattern) continue;
+      if (normalizedPattern === normalizedHostname) return true;
+      if (normalizedPattern.startsWith('*.')) {
+        const suffix = normalizedPattern.slice(2);
+        if (!normalizedHostname.endsWith(`.${suffix}`)) continue;
+        const prefix = normalizedHostname.slice(0, -(suffix.length + 1));
+        if (prefix && !prefix.includes('.')) return true;
+      }
+    }
+    return false;
+  }
+
+  private getRouteHostnames(route: interfaces.data.IDcRouterRouteConfig): string[] {
+    const domains = (route.match as any)?.domains;
+    if (Array.isArray(domains)) {
+      return domains.map((domain) => String(domain).trim().toLowerCase()).filter(Boolean);
+    }
+    if (typeof domains === 'string') {
+      return domains.split(',').map((domain) => domain.trim().toLowerCase()).filter(Boolean);
+    }
+    return [];
+  }
+
+  private getOwnedRoutes(gatewayClientId?: string): interfaces.data.IMergedRoute[] {
+    const manager = this.opsServerRef.dcRouterRef.routeConfigManager;
+    if (!manager) return [];
+    return manager.getMergedRoutes().routes.filter((route) => {
+      const metadata = route.metadata;
+      if (!metadata) return false;
+      const ownerType = metadata.ownerType;
+      const isGatewayOwned = ownerType === 'gatewayClient' || ownerType === 'workhoster';
+      if (!isGatewayOwned) return false;
+      const routeGatewayClientId = metadata.gatewayClientId || metadata.workHosterId;
+      return gatewayClientId ? routeGatewayClientId === gatewayClientId : true;
+    });
+  }
+
+  private async listGatewayClientDomains(
+    auth: TAuthContext,
+    requestedGatewayClientId?: string,
+  ): Promise<interfaces.data.IGatewayClientDomain[]> {
+    const dnsManager = this.opsServerRef.dcRouterRef.dnsManager;
+    if (!dnsManager) return [];
+    const gatewayClientId = this.resolveGatewayClientId(auth, requestedGatewayClientId);
+    const ownedRoutes = this.getOwnedRoutes(gatewayClientId);
+    const routeHostnames = ownedRoutes.flatMap((route) => this.getRouteHostnames(route.route));
+    const docs = await dnsManager.listDomains();
+
+    return docs
+      .filter((domainDoc) => {
+        if (!auth.token?.policy || auth.token.policy.role !== 'gatewayClient') return true;
+        return routeHostnames.some((hostname) => this.isHostnameInDomain(hostname, domainDoc.name));
+      })
+      .map((domainDoc) => {
+        const domain = dnsManager.toPublicDomain(domainDoc);
+        const canManageDnsRecords = domain.source === 'dcrouter' || Boolean(domain.providerId);
+        const serviceCount = routeHostnames.filter((hostname) => this.isHostnameInDomain(hostname, domain.name)).length;
+        return {
+          ...domain,
+          serviceCount,
+          managePath: `/domains/${domain.id}`,
+          capabilities: {
+            canCreateSubdomains: canManageDnsRecords,
+            canManageDnsRecords,
+            canIssueCertificates: Boolean(this.opsServerRef.dcRouterRef.smartProxy),
+            canHostEmail: Boolean(this.opsServerRef.dcRouterRef.emailDomainManager),
+          },
+        } satisfies interfaces.data.IGatewayClientDomain;
+      });
+  }
+
+  private async listGatewayClientDnsRecords(
+    auth: TAuthContext,
+    requestedGatewayClientId?: string,
+  ): Promise<interfaces.data.IGatewayClientDnsRecord[]> {
+    const dnsManager = this.opsServerRef.dcRouterRef.dnsManager;
+    if (!dnsManager) return [];
+    const gatewayClientId = this.resolveGatewayClientId(auth, requestedGatewayClientId);
+    const ownedRoutes = this.getOwnedRoutes(gatewayClientId);
+    const domains = await dnsManager.listDomains();
+    const records: interfaces.data.IGatewayClientDnsRecord[] = [];
+
+    for (const route of ownedRoutes) {
+      const metadata = route.metadata;
+      if (!metadata) continue;
+      const gatewayClientType = metadata.gatewayClientType || metadata.workHosterType || 'custom';
+      const routeGatewayClientId = metadata.gatewayClientId || metadata.workHosterId || '';
+      const appId = metadata.gatewayClientAppId || metadata.workAppId || '';
+
+      for (const hostname of this.getRouteHostnames(route.route)) {
+        if (auth.token?.policy?.role === 'gatewayClient' && !this.matchesHostnamePatterns(hostname, auth.token.policy.hostnamePatterns || [])) {
+          continue;
+        }
+        const domainDoc = domains.find((domain) => this.isHostnameInDomain(hostname, domain.name));
+        const domainRecords = domainDoc ? await dnsManager.listRecordsForDomain(domainDoc.id) : [];
+        const matchingRecords = domainRecords.filter((record) => record.name === hostname);
+        if (matchingRecords.length === 0) {
+          records.push({
+            id: `missing:${hostname}`,
+            domainId: domainDoc?.id || '',
+            domainName: domainDoc?.name,
+            name: hostname,
+            type: 'MISSING',
+            value: '',
+            ttl: 0,
+            source: 'local',
+            status: 'missing',
+            gatewayClientType,
+            gatewayClientId: routeGatewayClientId,
+            appId,
+            hostname,
+            routeId: route.id,
+            managePath: domainDoc ? `/domains/${domainDoc.id}/dns` : '/domains',
+            createdAt: route.createdAt || 0,
+            updatedAt: route.updatedAt || 0,
+            createdBy: '',
+          });
+          continue;
+        }
+        for (const recordDoc of matchingRecords) {
+          const record = dnsManager.toPublicRecord(recordDoc);
+          records.push({
+            ...record,
+            domainName: domainDoc?.name,
+            status: 'active',
+            gatewayClientType,
+            gatewayClientId: routeGatewayClientId,
+            appId,
+            hostname,
+            routeId: route.id,
+            managePath: `/dns-records/${record.id}`,
+          });
+        }
+      }
+    }
+
+    return records;
+  }
+
+  private isHostnameInDomain(hostname: string, domainName: string): boolean {
+    const normalizedHostname = hostname.trim().toLowerCase();
+    const normalizedDomainName = domainName.trim().toLowerCase();
+    return normalizedHostname === normalizedDomainName || normalizedHostname.endsWith(`.${normalizedDomainName}`);
+  }
+
+  private async syncGatewayClientRoute(
+    auth: TAuthContext,
+    ownership: interfaces.data.IGatewayClientOwnership,
+    route?: interfaces.data.IDcRouterRouteConfig,
+    enabled?: boolean,
+    deleteRoute?: boolean,
+  ): Promise<interfaces.data.IGatewayClientRouteSyncResult> {
+    const resolvedOwnership = this.resolveGatewayClientOwnership(auth, ownership);
+    this.assertGatewayClientOwnership(auth, resolvedOwnership);
+    this.assertRouteTargetsAllowed(auth, route);
+
+    const manager = this.opsServerRef.dcRouterRef.routeConfigManager;
+    if (!manager) {
+      return { success: false, message: 'Route management not initialized' };
+    }
+
+    const externalKey = this.buildGatewayClientExternalKey(resolvedOwnership);
+    const existingRoute = manager.findApiRouteByExternalKey(externalKey);
+
+    if (deleteRoute) {
+      if (!existingRoute) {
+        return { success: true, action: 'unchanged' };
+      }
+      const result = await manager.deleteRoute(existingRoute.id);
+      return result.success
+        ? { success: true, action: 'deleted', routeId: existingRoute.id }
+        : { success: false, message: result.message };
+    }
+
+    if (!route) {
+      return { success: false, message: 'route is required unless delete=true' };
+    }
+
+    const metadata: interfaces.data.IRouteMetadata = {
+      ownerType: 'gatewayClient',
+      gatewayClientType: resolvedOwnership.gatewayClientType,
+      gatewayClientId: resolvedOwnership.gatewayClientId,
+      gatewayClientAppId: resolvedOwnership.appId,
+      workHosterType: resolvedOwnership.gatewayClientType,
+      workHosterId: resolvedOwnership.gatewayClientId,
+      workAppId: resolvedOwnership.appId,
+      externalKey,
+    };
+    const normalizedRoute = this.normalizeGatewayClientRoute(route, resolvedOwnership, externalKey);
+
+    if (existingRoute) {
+      const result = await manager.updateRoute(existingRoute.id, {
+        route: normalizedRoute,
+        enabled: enabled ?? true,
+        metadata,
+      });
+      return result.success
+        ? { success: true, action: 'updated', routeId: existingRoute.id }
+        : { success: false, message: result.message };
+    }
+
+    const routeId = await manager.createRoute(normalizedRoute, auth.userId, enabled ?? true, metadata);
+    return { success: true, action: 'created', routeId };
+  }
+
+  private buildGatewayClientExternalKey(ownership: Required<interfaces.data.IGatewayClientOwnership>): string {
+    return [
+      ownership.gatewayClientType,
+      ownership.gatewayClientId,
+      ownership.appId,
+      ownership.hostname,
+    ].map((part) => part.trim()).join(':');
+  }
+
+  private normalizeWorkAppRoute(
+    route: interfaces.data.IDcRouterRouteConfig,
+    ownership: interfaces.data.IWorkAppRouteOwnership,
+    externalKey: string,
+  ): interfaces.data.IDcRouterRouteConfig {
+    const normalizedRoute = { ...route };
+    if (!normalizedRoute.name) {
+      normalizedRoute.name = `workapp-${externalKey.replace(/[^a-zA-Z0-9-]+/g, '-').slice(0, 80)}`;
+    }
+    return normalizedRoute;
+  }
+
+  private normalizeGatewayClientRoute(
+    route: interfaces.data.IDcRouterRouteConfig,
+    ownership: Required<interfaces.data.IGatewayClientOwnership>,
+    externalKey: string,
+  ): interfaces.data.IDcRouterRouteConfig {
+    const normalizedRoute = { ...route };
+    if (!normalizedRoute.name) {
+      normalizedRoute.name = `gateway-client-${externalKey.replace(/[^a-zA-Z0-9-]+/g, '-').slice(0, 80)}`;
+    }
+    return normalizedRoute;
+  }
+}

ts/plugins.ts

@@ -41,6 +41,13 @@ export {
   typedsocket,
 }
 
+// @idp.global scope
+import * as idpSdkServer from '@idp.global/sdk/server';
+
+export {
+  idpSdkServer,
+}
+
 // @push.rocks scope
 import * as projectinfo from '@push.rocks/projectinfo';
 import * as qenv from '@push.rocks/qenv';

ts/readme.md

@@ -1,8 +1,6 @@
 # @serve.zone/dcrouter
 
-The core DcRouter package — a unified datacenter gateway orchestrator. 🚀
-
-This is the main entry point for DcRouter. It provides the `DcRouter` class that wires together SmartProxy, smartmta, SmartDNS, SmartRadius, RemoteIngress, and the OpsServer dashboard into a single cohesive service.
+The `ts/` directory is the main dcrouter runtime package. It exposes the `DcRouter` orchestrator, `IDcRouterOptions`, `runCli()`, and the server-side exports that matter when you want to boot the full router stack from code.
 
 ## Issue Reporting and Security
 
@@ -14,7 +12,19 @@ For reporting bugs, issues, or security vulnerabilities, please visit [community
 pnpm add @serve.zone/dcrouter
 ```
 
-## Usage
+## Core Exports
+
+| Export | Purpose |
+| --- | --- |
+| `DcRouter` | Main orchestrator for proxying, DNS, email, VPN, RADIUS, remote ingress, DB, and OpsServer |
+| `IDcRouterOptions` | Top-level configuration shape |
+| `runCli()` | Bootstrap helper; uses OCI env-driven config when `DCROUTER_MODE=OCI_CONTAINER` |
+| `UnifiedEmailServer` and smartmta types | Re-exported email server primitives |
+| `RadiusServer` and related types | RADIUS server runtime exports |
+| `RemoteIngressManager` and `TunnelManager` | Remote ingress orchestration exports |
+| `IHttp3Config` | HTTP/3 configuration for qualifying HTTPS routes |
+
+## Quick Start
 
 ```typescript
 import { DcRouter } from '@serve.zone/dcrouter';
@@ -23,116 +33,49 @@ const router = new DcRouter({
   smartProxyConfig: {
     routes: [
       {
-        name: 'web-app',
-        match: { domains: ['example.com'], ports: [443] },
+        name: 'local-app',
+        match: {
+          domains: ['localhost'],
+          ports: [18080],
+        },
         action: {
           type: 'forward',
-          targets: [{ host: '192.168.1.10', port: 8080 }],
-          tls: { mode: 'terminate', certificate: 'auto' }
-        }
-      }
+          targets: [{ host: '127.0.0.1', port: 3001 }],
+        },
+      },
     ],
-    acme: { email: 'admin@example.com', enabled: true, useProduction: true }
-  }
+  },
+  opsServerPort: 3000,
 });
 
 await router.start();
-// OpsServer dashboard at http://localhost:3000 (configurable via opsServerPort)
-
-// Graceful shutdown
-await router.stop();
 ```
 
-## Module Structure
+## What `DcRouter` Manages
 
-```
-ts/
-├── index.ts                        # Main exports (DcRouter, re-exported smartmta types)
-├── classes.dcrouter.ts             # DcRouter orchestrator class + IDcRouterOptions
-├── classes.cert-provision-scheduler.ts  # Per-domain cert backoff scheduler
-├── classes.storage-cert-manager.ts # SmartAcme cert manager backed by StorageManager
-├── logger.ts                       # Structured logging utility
-├── paths.ts                        # Centralized data directory paths
-├── plugins.ts                      # All dependency imports
-├── cache/                          # Cache database (smartdata + LocalTsmDb)
-│   ├── classes.cachedb.ts          # CacheDb singleton
-│   ├── classes.cachecleaner.ts     # TTL-based cleanup
-│   └── documents/                  # Cached document models
-├── config/                         # Configuration utilities
-├── errors/                         # Error classes and retry logic
-├── http3/                          # HTTP/3 (QUIC) route augmentation
-│   ├── index.ts                    # Barrel export
-│   └── http3-route-augmentation.ts # Pure utility: augmentRoutesWithHttp3(), IHttp3Config
-├── monitoring/                     # MetricsManager (SmartMetrics integration)
-├── opsserver/                      # OpsServer dashboard + API handlers
-│   ├── classes.opsserver.ts        # HTTP server + TypedRouter setup
-│   └── handlers/                   # TypedRequest handlers by domain
-│       ├── admin.handler.ts        # Auth (login/logout/verify)
-│       ├── stats.handler.ts        # Statistics + health
-│       ├── config.handler.ts       # Configuration (read-only)
-│       ├── logs.handler.ts         # Log retrieval
-│       ├── email.handler.ts        # Email operations
-│       ├── certificate.handler.ts  # Certificate management
-│       ├── radius.handler.ts       # RADIUS management
-│       ├── remoteingress.handler.ts # Remote ingress edge + token management
-│       ├── route-management.handler.ts # Programmatic route CRUD
-│       ├── api-token.handler.ts    # API token management
-│       └── security.handler.ts     # Security metrics + connections
-├── radius/                         # RADIUS server integration
-├── remoteingress/                  # Remote ingress hub integration
-│   ├── classes.remoteingress-manager.ts  # Edge CRUD + port derivation
-│   └── classes.tunnel-manager.ts   # Rust hub lifecycle + status tracking
-├── security/                       # Security utilities
-├── sms/                            # SMS integration
-└── storage/                        # StorageManager (filesystem/custom/memory)
-```
+- SmartProxy for HTTP/HTTPS/TCP routes
+- `UnifiedEmailServer` for SMTP ingress and delivery when `emailConfig` is present
+- DB-backed managers for routes, API tokens, target profiles, domains, records, ACME config, and email domains when the DB is enabled
+- embedded authoritative DNS and DoH route generation from `dnsNsDomains` and `dnsScopes`
+- VPN, RADIUS, and remote ingress services when their config blocks are enabled
+- OpsServer and the dashboard, which start on every boot
 
-## Exports
+## Important Runtime Behavior
 
-```typescript
-// Main class
-export { DcRouter, IDcRouterOptions } from './classes.dcrouter.js';
+- The DB is enabled by default and uses an embedded local database when no external MongoDB URL is provided.
+- System routes from config, email, and DNS are persisted with stable ownership and are toggle-only.
+- API-created routes are the only routes intended for full CRUD from the dashboard or client SDK.
+- Qualifying HTTPS forward routes on port `443` get HTTP/3 augmentation by default.
+- `runCli()` is the supported code-level bootstrap entrypoint; the package does not expose a separate npm `bin` command.
 
-// Re-exported from smartmta
-export { UnifiedEmailServer } from '@push.rocks/smartmta';
-export type { IUnifiedEmailServerOptions, IEmailRoute, IEmailDomainConfig } from '@push.rocks/smartmta';
+## Use Another Module When...
 
-// RADIUS
-export { RadiusServer, IRadiusServerConfig } from './radius/index.js';
-
-// Remote Ingress
-export { RemoteIngressManager, TunnelManager } from './remoteingress/index.js';
-
-// HTTP/3
-export type { IHttp3Config } from './http3/index.js';
-```
-
-## Key Classes
-
-### `DcRouter`
-
-The central orchestrator. Accepts `IDcRouterOptions` and manages the lifecycle of all sub-services:
-
-| Config Section | Service Started | Package |
-|----------------|----------------|---------|
-| `smartProxyConfig` | SmartProxy (HTTP/HTTPS/TCP/SNI) | `@push.rocks/smartproxy` |
-| `emailConfig` | UnifiedEmailServer (SMTP) | `@push.rocks/smartmta` |
-| `dnsNsDomains` + `dnsScopes` | DnsServer (UDP + DoH) | `@push.rocks/smartdns` |
-| `radiusConfig` | RadiusServer (auth + accounting) | `@push.rocks/smartradius` |
-| `remoteIngressConfig` | RemoteIngressManager + TunnelManager | `@serve.zone/remoteingress` |
-| `tls` + `dnsChallenge` | SmartAcme (ACME cert provisioning) | `@push.rocks/smartacme` |
-| `http3` | HTTP/3 route augmentation (enabled by default) | built-in |
-| `cacheConfig` | CacheDb (embedded MongoDB) | `@push.rocks/smartdata` |
-| *(always)* | OpsServer (dashboard + API) | `@api.global/typedserver` |
-| *(always)* | MetricsManager | `@push.rocks/smartmetrics` |
-
-### `RemoteIngressManager`
-
-Manages CRUD for remote ingress edge registrations. Persists edges via StorageManager. Provides port derivation from routes tagged with `remoteIngress.enabled`.
-
-### `TunnelManager`
-
-Manages the Rust-based RemoteIngressHub lifecycle. Syncs allowed edges, tracks connection status, and exposes edge statuses (connected, publicIp, activeTunnels, lastHeartbeat).
+| Need | Module |
+| --- | --- |
+| A higher-level client SDK for a running router | `@serve.zone/dcrouter-apiclient` or `@serve.zone/dcrouter/apiclient` |
+| Raw TypedRequest request/data contracts | `@serve.zone/dcrouter-interfaces` or `@serve.zone/dcrouter/interfaces` |
+| The standalone migration runner | `@serve.zone/dcrouter-migrations` |
+| The browser dashboard module boundary | `@serve.zone/dcrouter-web` |
 
 ## License and Legal Information
 

ts/remoteingress/classes.remoteingress-manager.ts

@@ -2,6 +2,10 @@ import * as plugins from '../plugins.js';
 import type { IRemoteIngress, IDcRouterRouteConfig } from '../../ts_interfaces/data/remoteingress.js';
 import { RemoteIngressEdgeDoc } from '../db/index.js';
 
+interface IRemoteIngressFirewallConfig {
+  blockedIps?: string[];
+}
+
 /**
  * Flatten a port range (number | number[] | Array<{from, to}>) to a sorted unique number array.
  */
@@ -31,6 +35,7 @@ function extractPorts(portRange: number | Array<number | { from: number; to: num
 export class RemoteIngressManager {
   private edges: Map<string, IRemoteIngress> = new Map();
   private routes: IDcRouterRouteConfig[] = [];
+  private firewallConfig?: IRemoteIngressFirewallConfig;
 
   constructor() {
   }
@@ -69,6 +74,13 @@ export class RemoteIngressManager {
     this.routes = routes;
   }
 
+  /**
+   * Set the full desired firewall snapshot pushed to all edges.
+   */
+  public setFirewallConfig(firewallConfig?: IRemoteIngressFirewallConfig): void {
+    this.firewallConfig = firewallConfig;
+  }
+
   /**
    * Derive listen ports for an edge from routes tagged with remoteIngress.enabled.
    * When a route specifies edgeFilter, only edges whose id or tags match get that route's ports.
@@ -305,8 +317,8 @@ export class RemoteIngressManager {
    * Get the list of allowed edges (enabled only) for the Rust hub.
    * Includes listenPortsUdp when routes with transport 'udp' or 'all' are present.
    */
-  public getAllowedEdges(): Array<{ id: string; secret: string; listenPorts: number[]; listenPortsUdp?: number[] }> {
-    const result: Array<{ id: string; secret: string; listenPorts: number[]; listenPortsUdp?: number[] }> = [];
+  public getAllowedEdges(): Array<{ id: string; secret: string; listenPorts: number[]; listenPortsUdp?: number[]; firewallConfig?: IRemoteIngressFirewallConfig }> {
+    const result: Array<{ id: string; secret: string; listenPorts: number[]; listenPortsUdp?: number[]; firewallConfig?: IRemoteIngressFirewallConfig }> = [];
     for (const edge of this.edges.values()) {
       if (edge.enabled) {
         const listenPortsUdp = this.getEffectiveListenPortsUdp(edge);
@@ -315,6 +327,7 @@ export class RemoteIngressManager {
           secret: edge.secret,
           listenPorts: this.getEffectiveListenPorts(edge),
           ...(listenPortsUdp.length > 0 ? { listenPortsUdp } : {}),
+          ...(this.firewallConfig ? { firewallConfig: this.firewallConfig } : {}),
         });
       }
     }

ts/remoteingress/classes.tunnel-manager.ts

@@ -9,6 +9,7 @@ export interface ITunnelManagerConfig {
     certPem?: string;
     keyPem?: string;
   };
+  performance?: import('../../ts_interfaces/data/remoteingress.js').IRemoteIngressPerformanceConfig;
 }
 
 /**
@@ -20,6 +21,7 @@ export class TunnelManager {
   private config: ITunnelManagerConfig;
   private edgeStatuses: Map<string, IRemoteIngressStatus> = new Map();
   private reconcileInterval: ReturnType<typeof setInterval> | null = null;
+  private syncChain: Promise<void> = Promise.resolve();
 
   constructor(manager: RemoteIngressManager, config: ITunnelManagerConfig = {}) {
     this.manager = manager;
@@ -66,7 +68,8 @@ export class TunnelManager {
       tunnelPort: this.config.tunnelPort ?? 8443,
       targetHost: this.config.targetHost ?? '127.0.0.1',
       tls: this.config.tls,
-    });
+      ...(this.config.performance ? { performance: this.config.performance } : {}),
+    } as any);
 
     // Send allowed edges to the hub
     await this.syncAllowedEdges();
@@ -107,20 +110,23 @@ export class TunnelManager {
       if (existing) {
         existing.activeTunnels = rustEdge.activeStreams;
         existing.lastHeartbeat = Date.now();
+        this.applyRustStatus(existing, rustEdge);
         // Update peer address if available from Rust hub
         if (rustEdge.peerAddr) {
           existing.publicIp = rustEdge.peerAddr;
         }
       } else {
         // Missed edgeConnected event — add entry
-        this.edgeStatuses.set(rustEdge.edgeId, {
+        const status: IRemoteIngressStatus = {
           edgeId: rustEdge.edgeId,
           connected: true,
           publicIp: rustEdge.peerAddr || null,
           activeTunnels: rustEdge.activeStreams,
           lastHeartbeat: Date.now(),
           connectedAt: rustEdge.connectedAt * 1000,
-        });
+        };
+        this.applyRustStatus(status, rustEdge);
+        this.edgeStatuses.set(rustEdge.edgeId, status);
       }
     }
 
@@ -137,8 +143,22 @@ export class TunnelManager {
    * Call this after creating/deleting/updating edges.
    */
   public async syncAllowedEdges(): Promise<void> {
-    const edges = this.manager.getAllowedEdges();
-    await this.hub.updateAllowedEdges(edges);
+    const run = this.syncChain.catch(() => {}).then(async () => {
+      const edges = this.manager.getAllowedEdges();
+      await this.hub.updateAllowedEdges(edges as any);
+    });
+    this.syncChain = run;
+    await run;
+  }
+
+  private applyRustStatus(status: IRemoteIngressStatus, rustEdge: any): void {
+    status.transportMode = rustEdge.transportMode;
+    status.fallbackUsed = rustEdge.fallbackUsed;
+    status.performance = rustEdge.performance;
+    status.flowControl = rustEdge.flowControl;
+    status.queues = rustEdge.queues;
+    status.traffic = rustEdge.traffic;
+    status.udp = rustEdge.udp;
   }
 
   /**

ts/security/classes.security-policy-manager.ts

@@ -0,0 +1,422 @@
+import * as plugins from '../plugins.js';
+import { logger } from '../logger.js';
+import { IpIntelligenceDoc, SecurityBlockRuleDoc, SecurityPolicyAuditDoc } from '../db/index.js';
+import type {
+  IIpIntelligenceRecord,
+  ISecurityBlockRule,
+  ISecurityCompiledPolicy,
+  ISecurityPolicyAuditEvent,
+  TSecurityBlockRuleMatchMode,
+  TSecurityBlockRuleType,
+} from '../../ts_interfaces/data/security-policy.js';
+
+export interface ISecurityPolicyManagerOptions {
+  intelligenceRefreshMs?: number;
+  onPolicyChanged?: () => void | Promise<void>;
+}
+
+export interface IRemoteIngressFirewallSnapshot {
+  blockedIps: string[];
+}
+
+export class SecurityPolicyManager {
+  private readonly smartNetwork = new plugins.smartnetwork.SmartNetwork({
+    cacheTtl: 24 * 60 * 60 * 1000,
+  });
+  private readonly intelligenceRefreshMs: number;
+  private readonly inFlightObservations = new Set<string>();
+  private readonly onPolicyChanged?: () => void | Promise<void>;
+
+  constructor(options: ISecurityPolicyManagerOptions = {}) {
+    this.intelligenceRefreshMs = options.intelligenceRefreshMs ?? 24 * 60 * 60 * 1000;
+    this.onPolicyChanged = options.onPolicyChanged;
+  }
+
+  public async start(): Promise<void> {
+    logger.log('info', 'SecurityPolicyManager started');
+  }
+
+  public async stop(): Promise<void> {
+    await this.smartNetwork.stop();
+  }
+
+  public async observeIps(ips: string[]): Promise<void> {
+    const uniqueIps = [...new Set(ips.map((ip) => this.normalizeIp(ip)).filter(Boolean) as string[])];
+    await Promise.allSettled(uniqueIps.map((ip) => this.observeIp(ip)));
+  }
+
+  public async observeIp(ipAddress: string, options: { force?: boolean } = {}): Promise<void> {
+    const ip = this.normalizeIp(ipAddress);
+    if (!ip || !this.isPublicIp(ip) || this.inFlightObservations.has(ip)) {
+      return;
+    }
+
+    this.inFlightObservations.add(ip);
+    try {
+      const now = Date.now();
+      let doc = await IpIntelligenceDoc.findByIp(ip);
+      if (doc && !options.force && now - doc.updatedAt < this.intelligenceRefreshMs) {
+        if (now - doc.lastSeenAt > 60_000) {
+          doc.lastSeenAt = now;
+          doc.seenCount = (doc.seenCount || 0) + 1;
+          await doc.save();
+        }
+        return;
+      }
+
+      const intelligence = await this.smartNetwork.getIpIntelligence(ip);
+      if (!doc) {
+        doc = new IpIntelligenceDoc();
+        doc.ipAddress = ip;
+        doc.firstSeenAt = now;
+      }
+      Object.assign(doc, intelligence);
+      doc.lastSeenAt = now;
+      doc.updatedAt = now;
+      doc.seenCount = (doc.seenCount || 0) + 1;
+      await doc.save();
+
+      if (await this.matchesAnyReactiveRule(doc)) {
+        await this.notifyPolicyChanged();
+      }
+    } catch (err) {
+      logger.log('warn', `Failed to enrich IP ${ip}: ${(err as Error).message}`);
+    } finally {
+      this.inFlightObservations.delete(ip);
+    }
+  }
+
+  public async listBlockRules(): Promise<ISecurityBlockRule[]> {
+    return (await SecurityBlockRuleDoc.findAll()).map((doc) => this.ruleFromDoc(doc));
+  }
+
+  public async listIpIntelligence(): Promise<IIpIntelligenceRecord[]> {
+    return (await IpIntelligenceDoc.findAll()).map((doc) => this.intelligenceFromDoc(doc));
+  }
+
+  public async refreshIpIntelligence(ipAddress: string): Promise<IIpIntelligenceRecord | null> {
+    const ip = this.normalizeIp(ipAddress);
+    if (!ip || !this.isPublicIp(ip)) {
+      return null;
+    }
+    await this.observeIp(ip, { force: true });
+    const doc = await IpIntelligenceDoc.findByIp(ip);
+    return doc ? this.intelligenceFromDoc(doc) : null;
+  }
+
+  public async listAuditEvents(limit = 100): Promise<ISecurityPolicyAuditEvent[]> {
+    return (await SecurityPolicyAuditDoc.findRecent(limit)).map((doc) => ({
+      id: doc.id,
+      action: doc.action,
+      actor: doc.actor,
+      details: doc.details,
+      createdAt: doc.createdAt,
+    }));
+  }
+
+  private intelligenceFromDoc(doc: IpIntelligenceDoc): IIpIntelligenceRecord {
+    return {
+      ipAddress: doc.ipAddress,
+      asn: doc.asn,
+      asnOrg: doc.asnOrg,
+      registrantOrg: doc.registrantOrg,
+      registrantCountry: doc.registrantCountry,
+      networkRange: doc.networkRange,
+      networkCidrs: doc.networkCidrs,
+      abuseContact: doc.abuseContact,
+      country: doc.country,
+      countryCode: doc.countryCode,
+      city: doc.city,
+      latitude: doc.latitude,
+      longitude: doc.longitude,
+      accuracyRadius: doc.accuracyRadius,
+      timezone: doc.timezone,
+      firstSeenAt: doc.firstSeenAt,
+      lastSeenAt: doc.lastSeenAt,
+      updatedAt: doc.updatedAt,
+      seenCount: doc.seenCount,
+    };
+  }
+
+  public async createBlockRule(input: {
+    type: TSecurityBlockRuleType;
+    value: string;
+    matchMode?: TSecurityBlockRuleMatchMode;
+    reason?: string;
+    enabled?: boolean;
+  }, actor = 'system'): Promise<ISecurityBlockRule> {
+    const now = Date.now();
+    const doc = new SecurityBlockRuleDoc();
+    doc.id = plugins.uuid.v4();
+    doc.type = input.type;
+    doc.value = input.value.trim();
+    doc.matchMode = input.matchMode;
+    doc.reason = input.reason;
+    doc.enabled = input.enabled ?? true;
+    doc.createdAt = now;
+    doc.updatedAt = now;
+    doc.createdBy = actor;
+    await doc.save();
+    await this.writeAudit('createBlockRule', actor, { rule: this.ruleFromDoc(doc) });
+    await this.notifyPolicyChanged();
+    return this.ruleFromDoc(doc);
+  }
+
+  public async updateBlockRule(id: string, patch: Partial<Pick<ISecurityBlockRule, 'value' | 'matchMode' | 'reason' | 'enabled'>>, actor = 'system'): Promise<ISecurityBlockRule | null> {
+    const doc = await SecurityBlockRuleDoc.findById(id);
+    if (!doc) {
+      return null;
+    }
+    if (patch.value !== undefined) doc.value = patch.value.trim();
+    if (patch.matchMode !== undefined) doc.matchMode = patch.matchMode;
+    if (patch.reason !== undefined) doc.reason = patch.reason;
+    if (patch.enabled !== undefined) doc.enabled = patch.enabled;
+    doc.updatedAt = Date.now();
+    await doc.save();
+    await this.writeAudit('updateBlockRule', actor, { id, patch });
+    await this.notifyPolicyChanged();
+    return this.ruleFromDoc(doc);
+  }
+
+  public async deleteBlockRule(id: string, actor = 'system'): Promise<boolean> {
+    const doc = await SecurityBlockRuleDoc.findById(id);
+    if (!doc) {
+      return false;
+    }
+    await doc.delete();
+    await this.writeAudit('deleteBlockRule', actor, { id });
+    await this.notifyPolicyChanged();
+    return true;
+  }
+
+  public async compilePolicy(): Promise<ISecurityCompiledPolicy> {
+    const rules = await SecurityBlockRuleDoc.findEnabled();
+    const intelligenceDocs = await IpIntelligenceDoc.findAll();
+    const blockedIps = new Set<string>();
+    const blockedCidrs = new Set<string>();
+
+    for (const rule of rules) {
+      const normalizedValue = rule.value.trim();
+      if (!normalizedValue) continue;
+
+      if (rule.type === 'ip') {
+        const ip = this.normalizeIp(normalizedValue);
+        if (ip && plugins.net.isIP(ip)) blockedIps.add(ip);
+        continue;
+      }
+
+      if (rule.type === 'cidr') {
+        for (const cidr of this.normalizeNetworkEntries(normalizedValue)) {
+          blockedCidrs.add(cidr);
+        }
+        continue;
+      }
+
+      for (const doc of intelligenceDocs) {
+        if (!this.ruleMatchesIntelligence(rule, doc)) continue;
+        const networkEntries = this.normalizeNetworkEntryList([
+          ...(doc.networkCidrs || []),
+          doc.networkRange,
+        ]);
+        if (networkEntries.length > 0) {
+          for (const cidr of networkEntries) {
+            blockedCidrs.add(cidr);
+          }
+        } else if (this.normalizeIp(doc.ipAddress)) {
+          blockedIps.add(this.normalizeIp(doc.ipAddress)!);
+        }
+      }
+    }
+
+    return {
+      blockedIps: [...blockedIps].sort(),
+      blockedCidrs: [...blockedCidrs].sort(),
+    };
+  }
+
+  public async compileSmartProxyPolicy(): Promise<ISecurityCompiledPolicy> {
+    return await this.compilePolicy();
+  }
+
+  public async compileRemoteIngressFirewall(): Promise<IRemoteIngressFirewallSnapshot> {
+    const policy = await this.compilePolicy();
+    const blockedIps = [
+      ...policy.blockedIps.filter((ip) => plugins.net.isIP(ip) === 4),
+      ...policy.blockedCidrs.filter((cidr) => plugins.net.isIP(cidr.split('/')[0]) === 4),
+    ];
+    return { blockedIps };
+  }
+
+  private async matchesAnyReactiveRule(doc: IpIntelligenceDoc): Promise<boolean> {
+    const rules = await SecurityBlockRuleDoc.findEnabled();
+    return rules.some((rule) => rule.type === 'asn' || rule.type === 'organization'
+      ? this.ruleMatchesIntelligence(rule, doc)
+      : false);
+  }
+
+  private ruleMatchesIntelligence(rule: SecurityBlockRuleDoc, doc: IpIntelligenceDoc): boolean {
+    const value = rule.value.trim().toLowerCase();
+    if (!value) return false;
+
+    if (rule.type === 'asn') {
+      return String(doc.asn ?? '') === value.replace(/^as/i, '');
+    }
+
+    if (rule.type === 'organization') {
+      const candidates = [doc.asnOrg, doc.registrantOrg]
+        .filter(Boolean)
+        .map((candidate) => candidate!.toLowerCase());
+      if (rule.matchMode === 'exact') {
+        return candidates.some((candidate) => candidate === value);
+      }
+      return candidates.some((candidate) => candidate.includes(value));
+    }
+
+    return false;
+  }
+
+  private normalizeIp(ipAddress: string): string | undefined {
+    const ip = ipAddress.trim();
+    if (ip.startsWith('::ffff:')) {
+      return ip.slice('::ffff:'.length);
+    }
+    return plugins.net.isIP(ip) ? ip : undefined;
+  }
+
+  private normalizeCidr(value: string): string | undefined {
+    const [rawIp, rawPrefix] = value.trim().split('/');
+    if (!rawIp || !rawPrefix) return undefined;
+    const ip = this.normalizeIp(rawIp);
+    if (!ip) return undefined;
+    const prefix = Number(rawPrefix);
+    const maxPrefix = plugins.net.isIP(ip) === 4 ? 32 : 128;
+    if (!Number.isInteger(prefix) || prefix < 0 || prefix > maxPrefix) return undefined;
+    return `${ip}/${prefix}`;
+  }
+
+  private normalizeNetworkEntries(value: string): string[] {
+    const trimmed = value.trim();
+    if (!trimmed) return [];
+
+    const cidr = this.normalizeCidr(trimmed);
+    if (cidr) return [cidr];
+
+    const rangeParts = trimmed.split(/\s+-\s+/);
+    if (rangeParts.length === 2) {
+      return this.ipv4RangeToCidrs(rangeParts[0], rangeParts[1]);
+    }
+
+    return [];
+  }
+
+  private normalizeNetworkEntryList(values: Array<string | null | undefined>): string[] {
+    const cidrs = new Set<string>();
+    for (const value of values) {
+      if (!value) continue;
+      for (const entry of value.split(',').map((part) => part.trim()).filter(Boolean)) {
+        for (const cidr of this.normalizeNetworkEntries(entry)) {
+          cidrs.add(cidr);
+        }
+      }
+    }
+    return [...cidrs];
+  }
+
+  private ipv4RangeToCidrs(startIp: string, endIp: string): string[] {
+    const start = this.ipv4ToBigInt(startIp);
+    const end = this.ipv4ToBigInt(endIp);
+    if (start === undefined || end === undefined || start > end) return [];
+
+    const cidrs: string[] = [];
+    let current = start;
+    while (current <= end) {
+      let maxBlockSize = current === 0n ? 1n << 32n : current & -current;
+      const remaining = end - current + 1n;
+      while (maxBlockSize > remaining) {
+        maxBlockSize = maxBlockSize / 2n;
+      }
+      const prefixLength = 32 - this.powerOfTwoExponent(maxBlockSize);
+      cidrs.push(`${this.numberToIpv4(current)}/${prefixLength}`);
+      current += maxBlockSize;
+    }
+    return cidrs;
+  }
+
+  private ipv4ToBigInt(ip: string): bigint | undefined {
+    const normalized = this.normalizeIp(ip);
+    if (!normalized || plugins.net.isIP(normalized) !== 4) return undefined;
+    return normalized
+      .split('.')
+      .reduce((sum, part) => (sum * 256n) + BigInt(Number(part)), 0n);
+  }
+
+  private numberToIpv4(value: bigint): string {
+    return [
+      Number((value >> 24n) & 255n),
+      Number((value >> 16n) & 255n),
+      Number((value >> 8n) & 255n),
+      Number(value & 255n),
+    ].join('.');
+  }
+
+  private powerOfTwoExponent(value: bigint): number {
+    let exponent = 0;
+    let remaining = value;
+    while (remaining > 1n) {
+      remaining >>= 1n;
+      exponent++;
+    }
+    return exponent;
+  }
+
+  private isPublicIp(ip: string): boolean {
+    const family = plugins.net.isIP(ip);
+    if (family === 4) {
+      const parts = ip.split('.').map((part) => Number(part));
+      const [a, b] = parts;
+      if (a === 10 || a === 127 || a === 0 || a >= 224) return false;
+      if (a === 100 && b >= 64 && b <= 127) return false;
+      if (a === 169 && b === 254) return false;
+      if (a === 172 && b >= 16 && b <= 31) return false;
+      if (a === 192 && b === 168) return false;
+      return true;
+    }
+    if (family === 6) {
+      const lower = ip.toLowerCase();
+      if (lower === '::1' || lower === '::') return false;
+      if (lower.startsWith('fe80:') || lower.startsWith('fc') || lower.startsWith('fd')) return false;
+      return true;
+    }
+    return false;
+  }
+
+  private ruleFromDoc(doc: SecurityBlockRuleDoc): ISecurityBlockRule {
+    return {
+      id: doc.id,
+      type: doc.type,
+      value: doc.value,
+      matchMode: doc.matchMode,
+      enabled: doc.enabled,
+      reason: doc.reason,
+      createdAt: doc.createdAt,
+      updatedAt: doc.updatedAt,
+      createdBy: doc.createdBy,
+    };
+  }
+
+  private async writeAudit(action: string, actor: string, details: Record<string, unknown>): Promise<void> {
+    const doc = new SecurityPolicyAuditDoc();
+    doc.id = plugins.uuid.v4();
+    doc.action = action;
+    doc.actor = actor;
+    doc.details = details;
+    doc.createdAt = Date.now();
+    await doc.save();
+  }
+
+  private async notifyPolicyChanged(): Promise<void> {
+    if (this.onPolicyChanged) {
+      await this.onPolicyChanged();
+    }
+  }
+}

ts/security/index.ts

@@ -18,4 +18,10 @@ export {
   ThreatCategory,
   type IScanResult,
   type IContentScannerOptions
-} from './classes.contentscanner.js';
+} from './classes.contentscanner.js';
+
+export {
+  SecurityPolicyManager,
+  type ISecurityPolicyManagerOptions,
+  type IRemoteIngressFirewallSnapshot,
+} from './classes.security-policy-manager.js';

ts/vpn/classes.vpn-manager.ts

@@ -111,15 +111,13 @@ export class VpnManager {
 
     const subnet = this.getSubnet();
     const wgListenPort = this.config.wgListenPort ?? 51820;
+    const serverEndpoint = this.getWireGuardServerEndpoint();
 
-    // Auto-detect hybrid mode: if any persisted client uses host IP and mode is
-    // 'socket' (or unset), upgrade to 'hybrid' so the daemon can handle both
-    let configuredMode = this.forwardingModeOverride ?? this.config.forwardingMode ?? 'socket';
-    if (anyClientUsesHostIp && configuredMode === 'socket') {
-      configuredMode = 'hybrid';
+    const desiredForwardingMode = this.getDesiredForwardingMode(anyClientUsesHostIp);
+    if (anyClientUsesHostIp && desiredForwardingMode === 'hybrid') {
       logger.log('info', 'VPN: Auto-upgrading forwarding mode to hybrid (client with useHostIp detected)');
     }
-    const forwardingMode = configuredMode === 'hybrid' ? 'hybrid' : configuredMode;
+    const forwardingMode = desiredForwardingMode;
     const isBridge = forwardingMode === 'bridge';
     this.resolvedForwardingMode = forwardingMode;
     this.forwardingModeOverride = undefined;
@@ -136,21 +134,19 @@ export class VpnManager {
       : { default: 'forceTarget' as const, target: '127.0.0.1' };
 
     const serverConfig: plugins.smartvpn.IVpnServerConfig = {
-      listenAddr: '0.0.0.0:0', // WS listener not strictly needed but required field
+      listenAddr: '127.0.0.1:0', // Required by smartvpn, unused in wireguard-only mode
       privateKey: this.serverKeys.noisePrivateKey,
       publicKey: this.serverKeys.noisePublicKey,
       subnet,
       dns: this.config.dns,
       forwardingMode: forwardingMode as any,
-      transportMode: 'all',
+      transportMode: 'wireguard',
       wgPrivateKey: this.serverKeys.wgPrivateKey,
       wgListenPort,
       clients: clientEntries,
       socketForwardProxyProtocol: !isBridge,
       destinationPolicy: this.getServerDestinationPolicy(forwardingMode, defaultDestinationPolicy),
-      serverEndpoint: this.config.serverEndpoint
-        ? `${this.config.serverEndpoint}:${wgListenPort}`
-        : undefined,
+      serverEndpoint,
       clientAllowedIPs: [subnet],
       // Bridge-specific config
       ...(isBridge ? {
@@ -190,7 +186,7 @@ export class VpnManager {
       } catch {
         // Ignore stop errors
       }
-      this.vpnServer.stop();
+      await this.vpnServer.stop();
       this.vpnServer = undefined;
     }
     this.resolvedForwardingMode = undefined;
@@ -218,7 +214,7 @@ export class VpnManager {
       throw new Error('VPN server not running');
     }
 
-    await this.ensureForwardingModeForHostIpClient(opts.useHostIp === true);
+    await this.ensureForwardingModeForNextClient(opts.useHostIp === true);
 
     const doc = new VpnClientDoc();
     doc.clientId = opts.clientId;
@@ -247,14 +243,10 @@ export class VpnManager {
       vlanId: doc.vlanId,
     });
 
-    // Override AllowedIPs with per-client values based on target profiles
-    if (this.config.getClientAllowedIPs && bundle.wireguardConfig) {
-      const allowedIPs = await this.config.getClientAllowedIPs(doc.targetProfileIds || []);
-      bundle.wireguardConfig = bundle.wireguardConfig.replace(
-        /AllowedIPs\s*=\s*.+/,
-        `AllowedIPs = ${allowedIPs.join(', ')}`,
-      );
-    }
+    bundle.wireguardConfig = await this.rewriteWireGuardAllowedIPs(
+      bundle.wireguardConfig,
+      doc.targetProfileIds || [],
+    );
 
     // Persist client entry (including WG private key for export/QR)
     doc.clientId = bundle.entry.clientId;
@@ -298,6 +290,7 @@ export class VpnManager {
     if (doc) {
       await doc.delete();
     }
+    await this.reconcileForwardingMode();
     this.config.onClientChanged?.();
   }
 
@@ -368,8 +361,10 @@ export class VpnManager {
     await this.persistClient(client);
 
     if (this.vpnServer) {
-      await this.ensureForwardingModeForHostIpClient(client.useHostIp === true);
-      await this.vpnServer.updateClient(clientId, this.buildClientRuntimeUpdate(client));
+      const restarted = await this.reconcileForwardingMode();
+      if (!restarted) {
+        await this.vpnServer.updateClient(clientId, this.buildClientRuntimeUpdate(client));
+      }
     }
 
     this.config.onClientChanged?.();
@@ -381,9 +376,13 @@ export class VpnManager {
   public async rotateClientKey(clientId: string): Promise<plugins.smartvpn.IClientConfigBundle> {
     if (!this.vpnServer) throw new Error('VPN server not running');
     const bundle = await this.vpnServer.rotateClientKey(clientId);
+    const client = this.clients.get(clientId);
+    bundle.wireguardConfig = await this.rewriteWireGuardAllowedIPs(
+      bundle.wireguardConfig,
+      client?.targetProfileIds || [],
+    );
 
     // Update persisted entry with new keys (including private key for export/QR)
-    const client = this.clients.get(clientId);
     if (client) {
       client.noisePublicKey = bundle.entry.publicKey;
       client.wgPublicKey = bundle.entry.wgPublicKey || '';
@@ -414,15 +413,7 @@ export class VpnManager {
         );
       }
 
-      // Override AllowedIPs with per-client values based on target profiles
-      if (this.config.getClientAllowedIPs) {
-        const profileIds = persisted?.targetProfileIds || [];
-        const allowedIPs = await this.config.getClientAllowedIPs(profileIds);
-        config = config.replace(
-          /AllowedIPs\s*=\s*.+/,
-          `AllowedIPs = ${allowedIPs.join(', ')}`,
-        );
-      }
+      config = await this.rewriteWireGuardAllowedIPs(config, persisted?.targetProfileIds || []);
     }
 
     return config;
@@ -515,6 +506,46 @@ export class VpnManager {
     }
   }
 
+  private getWireGuardServerEndpoint(): string {
+    const endpoint = this.config.serverEndpoint?.trim();
+    if (!endpoint) {
+      throw new Error('vpnConfig.serverEndpoint is required when VPN is enabled');
+    }
+    if (endpoint.includes('://') || endpoint.includes('/')) {
+      throw new Error('vpnConfig.serverEndpoint must be a host or host:port, not a URL');
+    }
+
+    const host = endpoint.includes(':') ? endpoint.split(':')[0] : endpoint;
+    const lowerHost = host.toLowerCase();
+    if (
+      lowerHost === 'localhost'
+      || lowerHost === '0.0.0.0'
+      || lowerHost.startsWith('127.')
+    ) {
+      throw new Error('vpnConfig.serverEndpoint must be reachable by VPN clients');
+    }
+
+    return endpoint.includes(':')
+      ? endpoint
+      : `${endpoint}:${this.config.wgListenPort ?? 51820}`;
+  }
+
+  private async rewriteWireGuardAllowedIPs(
+    wireguardConfig: string,
+    targetProfileIds: string[],
+  ): Promise<string> {
+    if (!this.config.getClientAllowedIPs) return wireguardConfig;
+
+    const allowedIPs = await this.config.getClientAllowedIPs(targetProfileIds);
+    const effectiveAllowedIPs = allowedIPs.length ? allowedIPs : [this.getSubnet()];
+    const allowedLine = `AllowedIPs = ${effectiveAllowedIPs.join(', ')}`;
+
+    if (/^AllowedIPs\s*=.*$/m.test(wireguardConfig)) {
+      return wireguardConfig.replace(/^AllowedIPs\s*=.*$/m, allowedLine);
+    }
+    return `${wireguardConfig.trimEnd()}\n${allowedLine}\n`;
+  }
+
   // ── Private helpers ────────────────────────────────────────────────────
 
   private async loadOrGenerateServerKeys(): Promise<VpnServerKeysDoc> {
@@ -532,7 +563,7 @@ export class VpnManager {
 
     const noiseKeys = await tempServer.generateKeypair();
     const wgKeys = await tempServer.generateWgKeypair();
-    tempServer.stop();
+    await tempServer.stop();
 
     const doc = stored || new VpnServerKeysDoc();
     doc.noisePrivateKey = noiseKeys.privateKey;
@@ -563,6 +594,28 @@ export class VpnManager {
       ?? 'socket';
   }
 
+  private hasHostIpClients(extraHostIpClient = false): boolean {
+    if (extraHostIpClient) {
+      return true;
+    }
+
+    for (const client of this.clients.values()) {
+      if (client.useHostIp) {
+        return true;
+      }
+    }
+
+    return false;
+  }
+
+  private getDesiredForwardingMode(hasHostIpClients = this.hasHostIpClients()): 'socket' | 'bridge' | 'hybrid' {
+    const configuredMode = this.forwardingModeOverride ?? this.config.forwardingMode ?? 'socket';
+    if (configuredMode !== 'socket') {
+      return configuredMode;
+    }
+    return hasHostIpClients ? 'hybrid' : 'socket';
+  }
+
   private getDefaultDestinationPolicy(
     forwardingMode: 'socket' | 'bridge' | 'hybrid',
     useHostIp = false,
@@ -633,16 +686,45 @@ export class VpnManager {
     };
   }
 
-  private async ensureForwardingModeForHostIpClient(useHostIp: boolean): Promise<void> {
-    if (!useHostIp || !this.vpnServer) return;
-    if (this.getResolvedForwardingMode() !== 'socket') return;
-
-    logger.log('info', 'VPN: Restarting server in hybrid mode to support a host-IP client');
-    this.forwardingModeOverride = 'hybrid';
+  private async restartWithForwardingMode(
+    forwardingMode: 'socket' | 'bridge' | 'hybrid',
+    reason: string,
+  ): Promise<void> {
+    logger.log('info', `VPN: Restarting server in ${forwardingMode} mode ${reason}`);
+    this.forwardingModeOverride = forwardingMode;
     await this.stop();
     await this.start();
   }
 
+  private async ensureForwardingModeForNextClient(useHostIp: boolean): Promise<void> {
+    if (!this.vpnServer) return;
+
+    const desiredForwardingMode = this.getDesiredForwardingMode(this.hasHostIpClients(useHostIp));
+    if (desiredForwardingMode === this.getResolvedForwardingMode()) {
+      return;
+    }
+
+    await this.restartWithForwardingMode(desiredForwardingMode, 'to support a host-IP client');
+  }
+
+  private async reconcileForwardingMode(): Promise<boolean> {
+    if (!this.vpnServer) {
+      return false;
+    }
+
+    const desiredForwardingMode = this.getDesiredForwardingMode();
+    const currentForwardingMode = this.getResolvedForwardingMode();
+    if (desiredForwardingMode === currentForwardingMode) {
+      return false;
+    }
+
+    const reason = desiredForwardingMode === 'socket'
+      ? 'because no host-IP clients remain'
+      : 'to support host-IP clients';
+    await this.restartWithForwardingMode(desiredForwardingMode, reason);
+    return true;
+  }
+
   private async persistClient(client: VpnClientDoc): Promise<void> {
     await client.save();
   }

ts_apiclient/classes.dcrouterapiclient.ts

@@ -10,6 +10,7 @@ import { ConfigManager } from './classes.config.js';
 import { LogManager } from './classes.logs.js';
 import { EmailManager } from './classes.email.js';
 import { RadiusManager } from './classes.radius.js';
+import { WorkHosterManager } from './classes.workhoster.js';
 
 export interface IDcRouterApiClientOptions {
   baseUrl: string;
@@ -31,6 +32,7 @@ export class DcRouterApiClient {
   public logs: LogManager;
   public emails: EmailManager;
   public radius: RadiusManager;
+  public workHosters: WorkHosterManager;
 
   constructor(options: IDcRouterApiClientOptions) {
     this.baseUrl = options.baseUrl.replace(/\/+$/, '');
@@ -45,6 +47,7 @@ export class DcRouterApiClient {
     this.logs = new LogManager(this);
     this.emails = new EmailManager(this);
     this.radius = new RadiusManager(this);
+    this.workHosters = new WorkHosterManager(this);
   }
 
   // =====================

ts_apiclient/classes.remoteingress.ts

@@ -9,12 +9,14 @@ export class RemoteIngress {
   public name: string;
   public secret: string;
   public listenPorts: number[];
+  public listenPortsUdp?: number[];
   public enabled: boolean;
   public autoDerivePorts: boolean;
   public tags?: string[];
   public createdAt: number;
   public updatedAt: number;
   public effectiveListenPorts?: number[];
+  public effectiveListenPortsUdp?: number[];
   public manualPorts?: number[];
   public derivedPorts?: number[];
 
@@ -24,12 +26,14 @@ export class RemoteIngress {
     this.name = data.name;
     this.secret = data.secret;
     this.listenPorts = data.listenPorts;
+    this.listenPortsUdp = data.listenPortsUdp;
     this.enabled = data.enabled;
     this.autoDerivePorts = data.autoDerivePorts;
     this.tags = data.tags;
     this.createdAt = data.createdAt;
     this.updatedAt = data.updatedAt;
     this.effectiveListenPorts = data.effectiveListenPorts;
+    this.effectiveListenPortsUdp = data.effectiveListenPortsUdp;
     this.manualPorts = data.manualPorts;
     this.derivedPorts = data.derivedPorts;
   }
@@ -52,11 +56,13 @@ export class RemoteIngress {
     const edge = response.edge;
     this.name = edge.name;
     this.listenPorts = edge.listenPorts;
+    this.listenPortsUdp = edge.listenPortsUdp;
     this.enabled = edge.enabled;
     this.autoDerivePorts = edge.autoDerivePorts;
     this.tags = edge.tags;
     this.updatedAt = edge.updatedAt;
     this.effectiveListenPorts = edge.effectiveListenPorts;
+    this.effectiveListenPortsUdp = edge.effectiveListenPortsUdp;
     this.manualPorts = edge.manualPorts;
     this.derivedPorts = edge.derivedPorts;
   }

ts_apiclient/classes.workhoster.ts

@@ -0,0 +1,57 @@
+import * as interfaces from '../ts_interfaces/index.js';
+import type { DcRouterApiClient } from './classes.dcrouterapiclient.js';
+
+export class WorkHosterManager {
+  constructor(private clientRef: DcRouterApiClient) {}
+
+  public async getCapabilities(): Promise<interfaces.data.IGatewayCapabilities> {
+    const response = await this.clientRef.request<interfaces.requests.IReq_GetGatewayCapabilities>(
+      'getGatewayCapabilities',
+      this.clientRef.buildRequestPayload() as any,
+    );
+    return response.capabilities;
+  }
+
+  public async getGatewayClientContext(): Promise<interfaces.data.IGatewayClientContext> {
+    const response = await this.clientRef.request<interfaces.requests.IReq_GetGatewayClientContext>(
+      'getGatewayClientContext',
+      this.clientRef.buildRequestPayload() as any,
+    );
+    return response.context;
+  }
+
+  public async getDomains(): Promise<interfaces.data.IWorkHosterDomain[]> {
+    const response = await this.clientRef.request<interfaces.requests.IReq_GetWorkHosterDomains>(
+      'getWorkHosterDomains',
+      this.clientRef.buildRequestPayload() as any,
+    );
+    return response.domains;
+  }
+
+  public async syncRoute(options: {
+    ownership: interfaces.data.IWorkAppRouteOwnership;
+    route: interfaces.data.IDcRouterRouteConfig;
+    enabled?: boolean;
+  }): Promise<interfaces.data.IWorkAppRouteSyncResult> {
+    return this.clientRef.request<interfaces.requests.IReq_SyncWorkAppRoute>(
+      'syncWorkAppRoute',
+      this.clientRef.buildRequestPayload({
+        ownership: options.ownership,
+        route: options.route,
+        enabled: options.enabled,
+      }) as any,
+    );
+  }
+
+  public async deleteRoute(
+    ownership: interfaces.data.IWorkAppRouteOwnership,
+  ): Promise<interfaces.data.IWorkAppRouteSyncResult> {
+    return this.clientRef.request<interfaces.requests.IReq_SyncWorkAppRoute>(
+      'syncWorkAppRoute',
+      this.clientRef.buildRequestPayload({
+        ownership,
+        delete: true,
+      }) as any,
+    );
+  }
+}

ts_apiclient/index.ts

@@ -7,6 +7,7 @@ export { Certificate, CertificateManager, type ICertificateSummary } from './cla
 export { ApiToken, ApiTokenBuilder, ApiTokenManager } from './classes.apitoken.js';
 export { RemoteIngress, RemoteIngressBuilder, RemoteIngressManager } from './classes.remoteingress.js';
 export { Email, EmailManager } from './classes.email.js';
+export { WorkHosterManager } from './classes.workhoster.js';
 
 // Read-only managers
 export { StatsManager } from './classes.stats.js';

ts_apiclient/readme.md

@@ -1,20 +1,18 @@
 # @serve.zone/dcrouter-apiclient
 
-Typed, object-oriented API client for operating a running dcrouter instance. 🔧
-
-Use this package when you want a clean TypeScript client instead of manually firing TypedRequest calls. It wraps the OpsServer API in resource managers and resource classes such as routes, certificates, tokens, edges, emails, stats, logs, config, and RADIUS.
+`@serve.zone/dcrouter-apiclient` is the object-oriented TypeScript client for the dcrouter OpsServer API. It wraps `/typedrequest` calls in managers, builders, and resource classes for routes, certificates, API tokens, remote ingress, email, stats, config, logs, RADIUS, and WorkHoster integrations.
 
 ## Issue Reporting and Security
 
 For reporting bugs, issues, or security vulnerabilities, please visit [community.foss.global/](https://community.foss.global/). This is the central community hub for all issue reporting. Developers who sign and comply with our contribution agreement and go through identification can also get a [code.foss.global/](https://code.foss.global/) account to submit Pull Requests directly.
 
-## Installation
+## Install
 
 ```bash
 pnpm add @serve.zone/dcrouter-apiclient
 ```
 
-Or import through the main package:
+The same client is also exposed as a subpath of the main package:
 
 ```typescript
 import { DcRouterApiClient } from '@serve.zone/dcrouter/apiclient';
@@ -29,78 +27,60 @@ const client = new DcRouterApiClient({
   baseUrl: 'https://dcrouter.example.com',
 });
 
-await client.login('admin', 'password');
+await client.login('admin', 'admin');
 
-const { routes } = await client.routes.list();
-console.log(routes.map((route) => `${route.origin}:${route.name}`));
+const { routes, warnings } = await client.routes.list();
+console.log(routes.length, warnings.length);
 
-await client.routes.build()
+const route = await client.routes.build()
   .setName('api-gateway')
   .setMatch({ ports: 443, domains: ['api.example.com'] })
   .setAction({ type: 'forward', targets: [{ host: '127.0.0.1', port: 8080 }] })
   .save();
+
+await route.toggle(true);
 ```
 
-## Authentication Modes
+## Authentication
 
-| Mode | How it works |
-| --- | --- |
-| Admin login | Call `login(username, password)` and the client stores the returned identity for later requests |
-| API token | Pass `apiToken` into the constructor for token-based automation |
+The client supports session login and API-token authentication.
 
 ```typescript
-const client = new DcRouterApiClient({
+const sessionClient = new DcRouterApiClient({
   baseUrl: 'https://dcrouter.example.com',
-  apiToken: 'dcr_your_token_here',
+});
+await sessionClient.login('admin', 'admin');
+
+const tokenClient = new DcRouterApiClient({
+  baseUrl: 'https://dcrouter.example.com',
+  apiToken: 'dcr_token_value',
 });
 ```
 
-## Main Managers
+`baseUrl` is normalized by removing trailing slashes. Requests are sent to `${baseUrl}/typedrequest`. `buildRequestPayload()` injects the current identity and optional API token for manager methods.
+
+## Manager Map
 
 | Manager | Purpose |
 | --- | --- |
-| `client.routes` | List routes and create API-managed routes |
-| `client.certificates` | Inspect and operate on certificate records |
-| `client.apiTokens` | Create, list, toggle, roll, revoke API tokens |
-| `client.remoteIngress` | Manage registered remote ingress edges |
-| `client.stats` | Read operational metrics and health data |
-| `client.config` | Read current configuration view |
-| `client.logs` | Read recent logs or stream them |
-| `client.emails` | List emails and trigger resend flows |
-| `client.radius` | Operate on RADIUS clients, VLANs, sessions, and accounting |
+| `client.routes` | List merged routes, build API routes, update/delete API routes, and toggle routes. |
+| `client.certificates` | Inspect certificate summaries and trigger certificate operations. |
+| `client.apiTokens` | Create, list, toggle, roll, and revoke API tokens. |
+| `client.remoteIngress` | Manage edge registrations, statuses, ports, tags, and connection tokens. |
+| `client.emails` | Inspect received/cached email items and trigger resend flows. |
+| `client.workHosters` | Manage WorkHoster-facing route/application integration calls. |
+| `client.stats` | Read health, counters, summaries, and runtime status. |
+| `client.config` | Read the current configuration view. |
+| `client.logs` | Read recent log information. |
+| `client.radius` | Manage RADIUS clients, VLAN mappings, and accounting sessions. |
 
-## Route Behavior
-
-Routes are returned as `Route` instances with:
-
-- `id`
-- `name`
-- `enabled`
-- `origin`
-
-Important behavior:
-
-- API routes can be created, updated, deleted, and toggled.
-- System routes can be listed and toggled, but not edited or deleted.
-- A system route is any route whose `origin !== 'api'`.
-
-```typescript
-const { routes } = await client.routes.list();
-
-for (const route of routes) {
-  if (route.origin !== 'api') {
-    await route.toggle(false);
-  }
-}
-```
-
-## Builder Example
+## Route Builder
 
 ```typescript
 const route = await client.routes.build()
   .setName('internal-app')
   .setMatch({
-    ports: 80,
+    ports: 443,
     domains: ['internal.example.com'],
   })
   .setAction({
@@ -110,26 +90,54 @@ const route = await client.routes.build()
   .setEnabled(true)
   .save();
 
-await route.toggle(false);
+await route.update({
+  action: {
+    type: 'forward',
+    targets: [{ host: '127.0.0.1', port: 3001 }],
+  },
+});
 ```
 
-## Example: Certificates and Stats
+System routes from `config`, `email`, and `dns` origins are designed to be toggled, not edited. Full create/update/delete behavior is for routes with origin `api`.
+
+## API Tokens and Remote Ingress
 
 ```typescript
-const { certificates, summary } = await client.certificates.list();
-console.log(summary.valid, summary.failed);
+const token = await client.apiTokens.build()
+  .setName('automation')
+  .setScopes(['routes:read', 'routes:write'])
+  .setExpiresInDays(30)
+  .save();
 
-const health = await client.stats.getHealth();
-const recentLogs = await client.logs.getRecent({ level: 'error', limit: 20 });
+const edge = await client.remoteIngress.build()
+  .setName('edge-eu-1')
+  .setListenPorts([80, 443])
+  .setAutoDerivePorts(true)
+  .setTags(['production', 'eu'])
+  .save();
+
+const connectionToken = await edge.getConnectionToken();
+console.log(token.tokenValue, connectionToken);
 ```
 
-## What This Package Does Not Do
+## What This Package Is Not
 
 - It does not start dcrouter.
-- It does not embed the dashboard.
-- It does not replace the request interfaces package if you only need raw types.
+- It does not serve or bundle the Ops dashboard.
+- It does not replace `@serve.zone/dcrouter-interfaces` when you want raw TypedRequest contracts.
 
-Use `@serve.zone/dcrouter` to run the server, `@serve.zone/dcrouter-web` for the dashboard bundle/components, and `@serve.zone/dcrouter-interfaces` for raw API contracts.
+Use `@serve.zone/dcrouter` for the server runtime and `@serve.zone/dcrouter-interfaces` for shared request/data types.
+
+## Development
+
+This folder is published from the dcrouter monorepo via `tspublish.json` with order `5`.
+
+Useful source entry points:
+
+- `index.ts` exports the public client surface.
+- `classes.dcrouterapiclient.ts` owns authentication and request dispatch.
+- `classes.route.ts` owns route resources and builders.
+- `classes.remoteingress.ts`, `classes.apitoken.ts`, `classes.radius.ts`, and the other manager files wrap focused API domains.
 
 ## License and Legal Information
 
@@ -145,7 +153,7 @@ Use of these trademarks must comply with Task Venture Capital GmbH's Trademark G
 
 ### Company Information
 
-Task Venture Capital GmbH  
+Task Venture Capital GmbH
 Registered at District Court Bremen HRB 35230 HB, Germany
 
 For any legal inquiries or further information, please contact us via email at hello@task.vc.

ts_interfaces/data/index.ts

@@ -6,6 +6,8 @@ export * from './target-profile.js';
 export * from './vpn.js';
 export * from './dns-provider.js';
 export * from './domain.js';
+export * from './workhoster.js';
 export * from './dns-record.js';
 export * from './acme-config.js';
-export * from './email-domain.js';
+export * from './email-domain.js';
+export * from './security-policy.js';

ts_interfaces/data/remoteingress.ts

@@ -36,6 +36,64 @@ export interface IRemoteIngressStatus {
   activeTunnels: number;
   lastHeartbeat: number | null;
   connectedAt: number | null;
+  transportMode?: 'tcpTls' | 'quic' | 'quicWithFallback';
+  fallbackUsed?: boolean;
+  performance?: IRemoteIngressPerformanceEffective;
+  flowControl?: IRemoteIngressFlowControlStatus;
+  queues?: IRemoteIngressQueueStatus;
+  traffic?: IRemoteIngressTrafficStatus;
+  udp?: IRemoteIngressUdpStatus;
+}
+
+export type TRemoteIngressPerformanceProfile = 'balanced' | 'throughput' | 'highConcurrency';
+
+export interface IRemoteIngressPerformanceConfig {
+  profile?: TRemoteIngressPerformanceProfile;
+  maxStreamsPerEdge?: number;
+  totalWindowBudgetBytes?: number;
+  minStreamWindowBytes?: number;
+  maxStreamWindowBytes?: number;
+  sustainedStreamWindowBytes?: number;
+  quicDatagramReceiveBufferBytes?: number;
+}
+
+export interface IRemoteIngressPerformanceEffective {
+  profile: TRemoteIngressPerformanceProfile;
+  maxStreamsPerEdge: number;
+  totalWindowBudgetBytes: number;
+  minStreamWindowBytes: number;
+  maxStreamWindowBytes: number;
+  sustainedStreamWindowBytes: number;
+  quicDatagramReceiveBufferBytes: number;
+}
+
+export interface IRemoteIngressFlowControlStatus {
+  applies: boolean;
+  currentWindowBytes: number;
+  minWindowBytes: number;
+  maxWindowBytes: number;
+  totalWindowBudgetBytes: number;
+  estimatedInFlightBytes: number;
+  stalledStreams: number;
+}
+
+export interface IRemoteIngressQueueStatus {
+  ctrlQueueDepth: number;
+  dataQueueDepth: number;
+  sustainedQueueDepth: number;
+}
+
+export interface IRemoteIngressTrafficStatus {
+  bytesIn: number;
+  bytesOut: number;
+  streamsOpenedTotal: number;
+  streamsClosedTotal: number;
+  rejectedStreams: number;
+}
+
+export interface IRemoteIngressUdpStatus {
+  activeSessions: number;
+  droppedDatagrams: number;
 }
 
 /**

ts_interfaces/data/route-management.ts

@@ -9,8 +9,10 @@ export type IRouteSecurity = NonNullable<IRouteConfig['security']>;
 // ============================================================================
 
 export type TApiTokenScope =
+  | '*'
   | 'routes:read' | 'routes:write'
   | 'config:read'
+  | 'certificates:read' | 'certificates:write'
   | 'tokens:read' | 'tokens:manage'
   | 'source-profiles:read' | 'source-profiles:write'
   | 'target-profiles:read' | 'target-profiles:write'
@@ -18,7 +20,35 @@ export type TApiTokenScope =
   | 'dns-providers:read' | 'dns-providers:write'
   | 'domains:read' | 'domains:write'
   | 'dns-records:read' | 'dns-records:write'
-  | 'acme-config:read' | 'acme-config:write';
+  | 'acme-config:read' | 'acme-config:write'
+  | 'email-domains:read' | 'email-domains:write'
+  | 'gateway-clients:read' | 'gateway-clients:write'
+  | 'workhosters:read' | 'workhosters:write';
+
+export type TGatewayClientType = 'onebox' | 'cloudly' | 'custom';
+/** @deprecated Use TGatewayClientType. */
+export type TWorkHosterType = TGatewayClientType;
+
+export interface IApiTokenPolicy {
+  role: 'admin' | 'gatewayClient' | 'operator';
+  scopes?: TApiTokenScope[];
+  gatewayClient?: {
+    type: TGatewayClientType;
+    id: string;
+  };
+  hostnamePatterns?: string[];
+  allowedRouteTargets?: Array<{
+    host: string;
+    ports: number[];
+  }>;
+  capabilities?: {
+    readDomains?: boolean;
+    readDnsRecords?: boolean;
+    syncRoutes?: boolean;
+    syncDnsRecords?: boolean;
+    requestCertificates?: boolean;
+  };
+}
 
 // ============================================================================
 // Source Profile Types (source-side: who can access)
@@ -80,6 +110,18 @@ export interface IRouteMetadata {
   networkTargetName?: string;
   /** Timestamp of last reference resolution. */
   lastResolvedAt?: number;
+  /** External route ownership, used by WorkHoster reconciliation. */
+  ownerType?: 'gatewayClient' | 'workhoster' | 'operator' | 'system';
+  gatewayClientType?: TGatewayClientType;
+  gatewayClientId?: string;
+  gatewayClientAppId?: string;
+  /** @deprecated Use gatewayClientType. */
+  workHosterType?: TGatewayClientType;
+  /** @deprecated Use gatewayClientId. */
+  workHosterId?: string;
+  /** @deprecated Use gatewayClientAppId. */
+  workAppId?: string;
+  externalKey?: string;
 }
 
 /**
@@ -112,6 +154,7 @@ export interface IApiTokenInfo {
   id: string;
   name: string;
   scopes: TApiTokenScope[];
+  policy?: IApiTokenPolicy;
   createdAt: number;
   expiresAt: number | null;
   lastUsedAt: number | null;
@@ -145,6 +188,7 @@ export interface IStoredApiToken {
   name: string;
   tokenHash: string;
   scopes: TApiTokenScope[];
+  policy?: IApiTokenPolicy;
   createdAt: number;
   expiresAt: number | null;
   lastUsedAt: number | null;

ts_interfaces/data/security-policy.ts

@@ -0,0 +1,37 @@
+import type { IIpIntelligenceResult } from '@push.rocks/smartnetwork';
+
+export type TSecurityBlockRuleType = 'ip' | 'cidr' | 'asn' | 'organization';
+export type TSecurityBlockRuleMatchMode = 'exact' | 'contains';
+
+export interface IIpIntelligenceRecord extends IIpIntelligenceResult {
+  ipAddress: string;
+  firstSeenAt: number;
+  lastSeenAt: number;
+  updatedAt: number;
+  seenCount: number;
+}
+
+export interface ISecurityBlockRule {
+  id: string;
+  type: TSecurityBlockRuleType;
+  value: string;
+  matchMode?: TSecurityBlockRuleMatchMode;
+  enabled: boolean;
+  reason?: string;
+  createdAt: number;
+  updatedAt: number;
+  createdBy: string;
+}
+
+export interface ISecurityCompiledPolicy {
+  blockedIps: string[];
+  blockedCidrs: string[];
+}
+
+export interface ISecurityPolicyAuditEvent {
+  id: string;
+  action: string;
+  actor: string;
+  details: Record<string, unknown>;
+  createdAt: number;
+}

ts_interfaces/data/stats.ts

@@ -119,6 +119,8 @@ export interface IConnectionInfo {
   state: 'connecting' | 'connected' | 'authenticated' | 'transmitting' | 'closing';
   bytesReceived: number;
   bytesSent: number;
+  /** Present when the row is an aggregate, e.g. one row per remote IP. */
+  connectionCount?: number;
 }
 
 export interface IQueueStatus {
@@ -149,7 +151,12 @@ export interface IDomainActivity {
   bytesOutPerSecond: number;
   activeConnections: number;
   routeCount: number;
+  /** Lifetime request count when available from SmartProxy. */
   requestCount: number;
+  /** Live HTTP request rate when SmartProxy exposes per-domain rates. */
+  requestsPerSecond?: number;
+  /** HTTP requests over the last minute when SmartProxy exposes per-domain rates. */
+  requestsLastMinute?: number;
 }
 
 export interface INetworkMetrics {
@@ -208,9 +215,12 @@ export interface IConnectionDetails {
   startTime: number;
   bytesIn: number;
   bytesOut: number;
+  /** Present when the row is an aggregate, e.g. one row per remote IP. */
+  connectionCount?: number;
 }
 
 export interface IBackendInfo {
+  id?: string;
   backend: string;
   domain: string | null;
   protocol: string;
@@ -250,4 +260,4 @@ export interface IVpnStats {
   registeredClients: number;
   connectedClients: number;
   wgListenPort: number;
-}
+}

ts_interfaces/data/workhoster.ts

@@ -0,0 +1,172 @@
+import type { IDomain } from './domain.js';
+import type { IDnsRecord, TDnsRecordType } from './dns-record.js';
+import type { IApiTokenPolicy, TApiTokenScope, TGatewayClientType } from './route-management.js';
+
+export interface IGatewayCapabilities {
+  routes: {
+    read: boolean;
+    write: boolean;
+    idempotentSync: boolean;
+  };
+  domains: {
+    read: boolean;
+    write: boolean;
+  };
+  certificates: {
+    read: boolean;
+    export: boolean;
+    forceRenew: boolean;
+  };
+  email: {
+    domains: boolean;
+    inbound: boolean;
+    outbound: boolean;
+  };
+  remoteIngress: {
+    enabled: boolean;
+  };
+  dns: {
+    authoritative: boolean;
+    providerManaged: boolean;
+  };
+  http3: {
+    enabled: boolean;
+  };
+}
+
+export interface IGatewayClientContext {
+  role: IApiTokenPolicy['role'];
+  scopes: TApiTokenScope[];
+  gatewayClient?: {
+    type: TGatewayClientType;
+    id: string;
+  };
+  hostnamePatterns: string[];
+  allowedRouteTargets: NonNullable<IApiTokenPolicy['allowedRouteTargets']>;
+  capabilities: NonNullable<IApiTokenPolicy['capabilities']>;
+}
+
+export interface IGatewayClient {
+  id: string;
+  type: TGatewayClientType;
+  name: string;
+  description?: string;
+  hostnamePatterns: string[];
+  allowedRouteTargets: NonNullable<IApiTokenPolicy['allowedRouteTargets']>;
+  capabilities: NonNullable<IApiTokenPolicy['capabilities']>;
+  enabled: boolean;
+  tokenCount?: number;
+  createdAt: number;
+  updatedAt: number;
+  createdBy: string;
+}
+
+export interface IGatewayClientDomain extends IDomain {
+  capabilities: {
+    canCreateSubdomains: boolean;
+    canManageDnsRecords: boolean;
+    canIssueCertificates: boolean;
+    canHostEmail: boolean;
+  };
+  serviceCount?: number;
+  managePath?: string;
+}
+
+/** @deprecated Use IGatewayClientDomain. */
+export type IWorkHosterDomain = IGatewayClientDomain;
+
+export interface IGatewayClientOwnership {
+  gatewayClientType?: TGatewayClientType;
+  gatewayClientId?: string;
+  appId: string;
+  hostname: string;
+}
+
+/** @deprecated Use IGatewayClientOwnership. */
+export interface IWorkAppRouteOwnership {
+  workHosterType: TGatewayClientType;
+  workHosterId: string;
+  workAppId: string;
+  hostname: string;
+}
+
+export interface IGatewayClientRouteSyncResult {
+  success: boolean;
+  action?: 'created' | 'updated' | 'deleted' | 'unchanged';
+  routeId?: string;
+  message?: string;
+}
+
+/** @deprecated Use IGatewayClientRouteSyncResult. */
+export type IWorkAppRouteSyncResult = IGatewayClientRouteSyncResult;
+
+export interface IGatewayClientDnsRecord extends Omit<IDnsRecord, 'type'> {
+  type: TDnsRecordType | 'MISSING';
+  domainName?: string;
+  status: 'active' | 'missing';
+  gatewayClientType: TGatewayClientType;
+  gatewayClientId: string;
+  appId: string;
+  hostname: string;
+  routeId?: string;
+  serviceName?: string;
+  managePath?: string;
+}
+
+export interface IGatewayClientMailOwnership {
+  gatewayClientType: TGatewayClientType;
+  gatewayClientId: string;
+  appId: string;
+}
+
+export interface IWorkAppMailOwnership {
+  workHosterType: TGatewayClientType;
+  workHosterId: string;
+  workAppId: string;
+}
+
+export interface IWorkAppMailInboundRoute {
+  enabled: boolean;
+  targetHost: string;
+  targetPort: number;
+  preserveHeaders?: boolean;
+  addHeaders?: Record<string, string>;
+}
+
+export interface IWorkAppMailIdentity {
+  id: string;
+  externalKey: string;
+  ownership: IWorkAppMailOwnership;
+  address: string;
+  localPart: string;
+  domain: string;
+  enabled: boolean;
+  displayName?: string;
+  inbound?: IWorkAppMailInboundRoute;
+  smtp: {
+    enabled: boolean;
+    username: string;
+  };
+  createdAt: number;
+  updatedAt: number;
+  createdBy: string;
+}
+
+export interface IWorkAppMailCredentials {
+  username: string;
+  password: string;
+  host?: string;
+  ports?: {
+    smtp?: number;
+    submission?: number;
+    smtps?: number;
+  };
+}
+
+export interface IWorkAppMailIdentitySyncResult {
+  success: boolean;
+  action?: 'created' | 'updated' | 'deleted' | 'unchanged';
+  identity?: IWorkAppMailIdentity;
+  smtpCredentials?: IWorkAppMailCredentials;
+  message?: string;
+}

ts_interfaces/readme.md

@@ -1,20 +1,18 @@
 # @serve.zone/dcrouter-interfaces
 
-Shared TypeScript request and data interfaces for dcrouter's OpsServer API. 📡
-
-This package is the contract layer for typed clients, frontend code, tests, or automation that talks to a running dcrouter instance through TypedRequest.
+`@serve.zone/dcrouter-interfaces` contains the shared TypeScript data models and TypedRequest contracts used by dcrouter's OpsServer, dashboard, API client, tests, and external automation.
 
 ## Issue Reporting and Security
 
 For reporting bugs, issues, or security vulnerabilities, please visit [community.foss.global/](https://community.foss.global/). This is the central community hub for all issue reporting. Developers who sign and comply with our contribution agreement and go through identification can also get a [code.foss.global/](https://code.foss.global/) account to submit Pull Requests directly.
 
-## Installation
+## Install
 
 ```bash
 pnpm add @serve.zone/dcrouter-interfaces
 ```
 
-Or consume the same interfaces through the main package:
+The same contracts are exposed through the main package subpath:
 
 ```typescript
 import { data, requests } from '@serve.zone/dcrouter/interfaces';
@@ -22,17 +20,29 @@ import { data, requests } from '@serve.zone/dcrouter/interfaces';
 
 ## What It Exports
 
-The package exposes two namespaces from `index.ts`:
-
 | Export | Purpose |
 | --- | --- |
-| `data` | Shared runtime-shaped types such as route data, auth identity, stats, domains, certificates, VPN, DNS, and email-domain data |
-| `requests` | TypedRequest request and response contracts for every OpsServer endpoint |
+| `data` | Shared runtime-shaped models such as identities, routes, DNS records, domains, email domains, remote ingress edges, VPN objects, stats, and security policy data. |
+| `requests` | TypedRequest request/response contracts for OpsServer methods. |
+| `typedrequestInterfaces` | Helper types re-exported from `@api.global/typedrequest-interfaces` through `plugins.ts`. |
 
-## Example
+## Covered API Areas
+
+| Area | Examples |
+| --- | --- |
+| Auth | admin login, logout, identity verification, users |
+| Routes | merged route listing, API route CRUD, toggles, warnings, ownership metadata |
+| Access | API tokens, source profiles, target profiles, network targets |
+| DNS and domains | DNS providers, domains, DNS records, ACME config |
+| Email | email-domain management and email operations |
+| Edge services | remote ingress, VPN, RADIUS |
+| Observability | stats, combined stats, logs, configuration |
+| WorkHoster | external app/workhoster route ownership contracts |
+
+## Raw TypedRequest Example
 
 ```typescript
-import * as typedrequest from '@api.global/typedrequest';
+import { TypedRequest } from '@api.global/typedrequest';
 import { data, requests } from '@serve.zone/dcrouter-interfaces';
 
 const identity: data.IIdentity = {
@@ -41,9 +51,10 @@ const identity: data.IIdentity = {
   name: 'Admin',
   expiresAt: Date.now() + 60_000,
   role: 'admin',
+  type: 'user',
 };
 
-const request = new typedrequest.TypedRequest<requests.IReq_GetMergedRoutes>(
+const request = new TypedRequest<requests.IReq_GetMergedRoutes>(
   'https://dcrouter.example.com/typedrequest',
   'getMergedRoutes',
 );
@@ -51,42 +62,27 @@ const request = new typedrequest.TypedRequest<requests.IReq_GetMergedRoutes>(
 const response = await request.fire({ identity });
 
 for (const route of response.routes) {
-  console.log(route.id, route.origin, route.systemKey, route.enabled);
+  console.log(route.id, route.origin, route.enabled, route.systemKey);
 }
 ```
 
-## API Domains Covered
+## When To Use It
 
-| Domain | Examples |
-| --- | --- |
-| Auth | admin login, logout, identity verification |
-| Routes | merged routes, create, update, delete, toggle |
-| Access | API tokens, source profiles, target profiles, network targets |
-| DNS and domains | providers, domains, DNS records |
-| Certificates | overview, reprovision, import, export, delete, ACME config |
-| Email | email operations, email domains |
-| Remote ingress | edge registrations, status, connection tokens |
-| VPN | clients, status, telemetry, lifecycle |
-| RADIUS | clients, VLANs, sessions, accounting |
-| Observability | stats, logs, health, configuration |
+- Use it in custom CLIs that call dcrouter's TypedRequest API directly.
+- Use it in tests that need request/response types without the OO client.
+- Use it in integrations where server and client code need the same data shapes.
+- Use `@serve.zone/dcrouter-apiclient` instead when you want higher-level managers and builders.
 
-## Notable Data Types
+## Development
 
-| Type | Description |
-| --- | --- |
-| `data.IMergedRoute` | Route entry returned by route management, including `origin`, `enabled`, and optional `systemKey` |
-| `data.IDcRouterRouteConfig` | dcrouter-flavored route config used across the stack |
-| `data.IRouteMetadata` | Reference metadata connecting routes to source profiles or network targets |
-| `data.IIdentity` | Admin identity used for authenticated requests |
-| `data.IApiTokenInfo` | Public token metadata without the secret |
+This folder is published from the dcrouter monorepo via `tspublish.json` with order `1`, before the client package that imports it.
 
-## When To Use This Package
+Useful source entry points:
 
-- Use it in custom dashboards or CLIs that call TypedRequest directly.
-- Use it in tests that need strongly typed request payloads or response assertions.
-- Use it when you want the API contract without pulling in the OO client.
-
-If you want a higher-level client with managers and resource classes, use `@serve.zone/dcrouter-apiclient` instead.
+- `index.ts` exports `data` and `requests` namespaces.
+- `data/index.ts` groups shared data models.
+- `requests/index.ts` groups TypedRequest contracts.
+- `data/route-management.ts` defines route ownership, API token scopes, profiles, and network target shapes.
 
 ## License and Legal Information
 
@@ -102,7 +98,7 @@ Use of these trademarks must comply with Task Venture Capital GmbH's Trademark G
 
 ### Company Information
 
-Task Venture Capital GmbH  
+Task Venture Capital GmbH
 Registered at District Court Bremen HRB 35230 HB, Germany
 
 For any legal inquiries or further information, please contact us via email at hello@task.vc.

ts_interfaces/requests/admin.ts

@@ -1,6 +1,18 @@
 import * as plugins from '../plugins.js';
 import * as authInterfaces from '../data/auth.js';
 
+export type TAdminLoginAuthSource = 'auto' | 'local' | 'idp.global';
+
+export interface IAdminUserProjection {
+  id: string;
+  username: string;
+  email?: string;
+  name?: string;
+  role: string;
+  status?: 'active' | 'disabled';
+  authSources?: Array<'local' | 'idp.global'>;
+}
+
 // Admin Login
 export interface IReq_AdminLoginWithUsernameAndPassword extends plugins.typedrequestInterfaces.implementsTR<
   plugins.typedrequestInterfaces.ITypedRequest,
@@ -10,12 +22,50 @@ export interface IReq_AdminLoginWithUsernameAndPassword extends plugins.typedreq
   request: {
     username: string;
     password: string;
+    authSource?: TAdminLoginAuthSource;
   };
   response: {
     identity?: authInterfaces.IIdentity;
   };
 }
 
+// Admin bootstrap status
+export interface IReq_GetAdminBootstrapStatus extends plugins.typedrequestInterfaces.implementsTR<
+  plugins.typedrequestInterfaces.ITypedRequest,
+  IReq_GetAdminBootstrapStatus
+> {
+  method: 'getAdminBootstrapStatus';
+  request: {};
+  response: {
+    dbEnabled: boolean;
+    dbReady: boolean;
+    hasPersistentAdmin: boolean;
+    needsBootstrap: boolean;
+    ephemeralAdminAvailable: boolean;
+    idpGlobalConfigured: boolean;
+  };
+}
+
+// Create the first persisted admin account. Requires the bootstrap/ephemeral admin identity.
+export interface IReq_CreateInitialAdminUser extends plugins.typedrequestInterfaces.implementsTR<
+  plugins.typedrequestInterfaces.ITypedRequest,
+  IReq_CreateInitialAdminUser
+> {
+  method: 'createInitialAdminUser';
+  request: {
+    identity: authInterfaces.IIdentity;
+    email: string;
+    name?: string;
+    password: string;
+    enableIdpGlobalAuth?: boolean;
+  };
+  response: {
+    success: boolean;
+    identity?: authInterfaces.IIdentity;
+    user?: IAdminUserProjection;
+  };
+}
+
 // Admin Logout
 export interface IReq_AdminLogout extends plugins.typedrequestInterfaces.implementsTR<
   plugins.typedrequestInterfaces.ITypedRequest,
@@ -43,4 +93,4 @@ export interface IReq_VerifyIdentity extends plugins.typedrequestInterfaces.impl
     valid: boolean;
     identity?: authInterfaces.IIdentity;
   };
-}
+}

ts_interfaces/requests/api-tokens.ts

@@ -1,6 +1,6 @@
 import * as plugins from '../plugins.js';
 import type * as authInterfaces from '../data/auth.js';
-import type { IApiTokenInfo, TApiTokenScope } from '../data/route-management.js';
+import type { IApiTokenInfo, IApiTokenPolicy, TApiTokenScope } from '../data/route-management.js';
 
 // ============================================================================
 // API Token Management Endpoints
@@ -19,6 +19,7 @@ export interface IReq_CreateApiToken extends plugins.typedrequestInterfaces.impl
     identity: authInterfaces.IIdentity;
     name: string;
     scopes: TApiTokenScope[];
+    policy?: IApiTokenPolicy;
     expiresInDays?: number | null;
   };
   response: {

ts_interfaces/requests/certificate.ts

@@ -28,7 +28,8 @@ export interface IReq_GetCertificateOverview extends plugins.typedrequestInterfa
 > {
   method: 'getCertificateOverview';
   request: {
-    identity: authInterfaces.IIdentity;
+    identity?: authInterfaces.IIdentity;
+    apiToken?: string;
   };
   response: {
     certificates: ICertificateInfo[];
@@ -50,7 +51,8 @@ export interface IReq_ReprovisionCertificate extends plugins.typedrequestInterfa
 > {
   method: 'reprovisionCertificate';
   request: {
-    identity: authInterfaces.IIdentity;
+    identity?: authInterfaces.IIdentity;
+    apiToken?: string;
     routeName: string;
   };
   response: {
@@ -66,7 +68,8 @@ export interface IReq_ReprovisionCertificateDomain extends plugins.typedrequestI
 > {
   method: 'reprovisionCertificateDomain';
   request: {
-    identity: authInterfaces.IIdentity;
+    identity?: authInterfaces.IIdentity;
+    apiToken?: string;
     domain: string;
     forceRenew?: boolean;
   };
@@ -83,7 +86,8 @@ export interface IReq_DeleteCertificate extends plugins.typedrequestInterfaces.i
 > {
   method: 'deleteCertificate';
   request: {
-    identity: authInterfaces.IIdentity;
+    identity?: authInterfaces.IIdentity;
+    apiToken?: string;
     domain: string;
   };
   response: {
@@ -99,7 +103,8 @@ export interface IReq_ExportCertificate extends plugins.typedrequestInterfaces.i
 > {
   method: 'exportCertificate';
   request: {
-    identity: authInterfaces.IIdentity;
+    identity?: authInterfaces.IIdentity;
+    apiToken?: string;
     domain: string;
   };
   response: {
@@ -124,7 +129,8 @@ export interface IReq_ImportCertificate extends plugins.typedrequestInterfaces.i
 > {
   method: 'importCertificate';
   request: {
-    identity: authInterfaces.IIdentity;
+    identity?: authInterfaces.IIdentity;
+    apiToken?: string;
     cert: {
       id: string;
       domainName: string;

ts_interfaces/requests/config.ts

@@ -71,6 +71,7 @@ export interface IConfigData {
     hubDomain: string | null;
     tlsMode: 'custom' | 'acme' | 'self-signed';
     connectedEdgeIps: string[];
+    performance?: import('../data/remoteingress.js').IRemoteIngressPerformanceConfig;
   };
 }
 

ts_interfaces/requests/index.ts

@@ -18,4 +18,6 @@ export * from './dns-providers.js';
 export * from './domains.js';
 export * from './dns-records.js';
 export * from './acme-config.js';
-export * from './email-domains.js';
+export * from './email-domains.js';
+export * from './workhoster.js';
+export * from './security-policy.js';

ts_interfaces/requests/security-policy.ts

@@ -0,0 +1,134 @@
+import * as plugins from '../plugins.js';
+import type * as authInterfaces from '../data/auth.js';
+import type {
+  IIpIntelligenceRecord,
+  ISecurityBlockRule,
+  ISecurityCompiledPolicy,
+  ISecurityPolicyAuditEvent,
+  TSecurityBlockRuleMatchMode,
+  TSecurityBlockRuleType,
+} from '../data/security-policy.js';
+
+export interface IReq_ListSecurityBlockRules extends plugins.typedrequestInterfaces.implementsTR<
+  plugins.typedrequestInterfaces.ITypedRequest,
+  IReq_ListSecurityBlockRules
+> {
+  method: 'listSecurityBlockRules';
+  request: {
+    identity: authInterfaces.IIdentity;
+  };
+  response: {
+    rules: ISecurityBlockRule[];
+  };
+}
+
+export interface IReq_CreateSecurityBlockRule extends plugins.typedrequestInterfaces.implementsTR<
+  plugins.typedrequestInterfaces.ITypedRequest,
+  IReq_CreateSecurityBlockRule
+> {
+  method: 'createSecurityBlockRule';
+  request: {
+    identity: authInterfaces.IIdentity;
+    type: TSecurityBlockRuleType;
+    value: string;
+    matchMode?: TSecurityBlockRuleMatchMode;
+    reason?: string;
+    enabled?: boolean;
+  };
+  response: {
+    success: boolean;
+    rule?: ISecurityBlockRule;
+    message?: string;
+  };
+}
+
+export interface IReq_UpdateSecurityBlockRule extends plugins.typedrequestInterfaces.implementsTR<
+  plugins.typedrequestInterfaces.ITypedRequest,
+  IReq_UpdateSecurityBlockRule
+> {
+  method: 'updateSecurityBlockRule';
+  request: {
+    identity: authInterfaces.IIdentity;
+    id: string;
+    value?: string;
+    matchMode?: TSecurityBlockRuleMatchMode;
+    reason?: string;
+    enabled?: boolean;
+  };
+  response: {
+    success: boolean;
+    rule?: ISecurityBlockRule;
+    message?: string;
+  };
+}
+
+export interface IReq_DeleteSecurityBlockRule extends plugins.typedrequestInterfaces.implementsTR<
+  plugins.typedrequestInterfaces.ITypedRequest,
+  IReq_DeleteSecurityBlockRule
+> {
+  method: 'deleteSecurityBlockRule';
+  request: {
+    identity: authInterfaces.IIdentity;
+    id: string;
+  };
+  response: {
+    success: boolean;
+    message?: string;
+  };
+}
+
+export interface IReq_ListIpIntelligence extends plugins.typedrequestInterfaces.implementsTR<
+  plugins.typedrequestInterfaces.ITypedRequest,
+  IReq_ListIpIntelligence
+> {
+  method: 'listIpIntelligence';
+  request: {
+    identity: authInterfaces.IIdentity;
+  };
+  response: {
+    records: IIpIntelligenceRecord[];
+  };
+}
+
+export interface IReq_GetCompiledSecurityPolicy extends plugins.typedrequestInterfaces.implementsTR<
+  plugins.typedrequestInterfaces.ITypedRequest,
+  IReq_GetCompiledSecurityPolicy
+> {
+  method: 'getCompiledSecurityPolicy';
+  request: {
+    identity: authInterfaces.IIdentity;
+  };
+  response: {
+    policy: ISecurityCompiledPolicy;
+  };
+}
+
+export interface IReq_ListSecurityPolicyAudit extends plugins.typedrequestInterfaces.implementsTR<
+  plugins.typedrequestInterfaces.ITypedRequest,
+  IReq_ListSecurityPolicyAudit
+> {
+  method: 'listSecurityPolicyAudit';
+  request: {
+    identity: authInterfaces.IIdentity;
+    limit?: number;
+  };
+  response: {
+    events: ISecurityPolicyAuditEvent[];
+  };
+}
+
+export interface IReq_RefreshIpIntelligence extends plugins.typedrequestInterfaces.implementsTR<
+  plugins.typedrequestInterfaces.ITypedRequest,
+  IReq_RefreshIpIntelligence
+> {
+  method: 'refreshIpIntelligence';
+  request: {
+    identity: authInterfaces.IIdentity;
+    ipAddress: string;
+  };
+  response: {
+    success: boolean;
+    record?: IIpIntelligenceRecord;
+    message?: string;
+  };
+}

ts_interfaces/requests/users.ts

@@ -1,5 +1,6 @@
 import * as plugins from '../plugins.js';
 import * as authInterfaces from '../data/auth.js';
+import type { IAdminUserProjection } from './admin.js';
 
 /**
  * List all OpsServer users (admin-only, read-only).
@@ -14,10 +15,6 @@ export interface IReq_ListUsers extends plugins.typedrequestInterfaces.implement
     identity: authInterfaces.IIdentity;
   };
   response: {
-    users: Array<{
-      id: string;
-      username: string;
-      role: string;
-    }>;
+    users: IAdminUserProjection[];
   };
 }

ts_interfaces/requests/workhoster.ts

@@ -0,0 +1,251 @@
+import * as plugins from '../plugins.js';
+import type * as authInterfaces from '../data/auth.js';
+import type {
+  IGatewayClientDnsRecord,
+  IGatewayClientContext,
+  IGatewayClient,
+  IGatewayClientDomain,
+  IGatewayClientOwnership,
+  IGatewayClientRouteSyncResult,
+  IGatewayCapabilities,
+  IWorkAppMailIdentity,
+  IWorkAppMailIdentitySyncResult,
+  IWorkAppMailInboundRoute,
+  IWorkAppMailOwnership,
+  IWorkAppRouteOwnership,
+  IWorkAppRouteSyncResult,
+  IWorkHosterDomain,
+} from '../data/workhoster.js';
+import type { IDcRouterRouteConfig } from '../data/remoteingress.js';
+
+export interface IReq_GetGatewayCapabilities extends plugins.typedrequestInterfaces.implementsTR<
+  plugins.typedrequestInterfaces.ITypedRequest,
+  IReq_GetGatewayCapabilities
+> {
+  method: 'getGatewayCapabilities';
+  request: {
+    identity?: authInterfaces.IIdentity;
+    apiToken?: string;
+  };
+  response: {
+    capabilities: IGatewayCapabilities;
+  };
+}
+
+export interface IReq_GetGatewayClientContext extends plugins.typedrequestInterfaces.implementsTR<
+  plugins.typedrequestInterfaces.ITypedRequest,
+  IReq_GetGatewayClientContext
+> {
+  method: 'getGatewayClientContext';
+  request: {
+    identity?: authInterfaces.IIdentity;
+    apiToken?: string;
+  };
+  response: {
+    context: IGatewayClientContext;
+    capabilities: IGatewayCapabilities;
+  };
+}
+
+export interface IReq_ListGatewayClients extends plugins.typedrequestInterfaces.implementsTR<
+  plugins.typedrequestInterfaces.ITypedRequest,
+  IReq_ListGatewayClients
+> {
+  method: 'listGatewayClients';
+  request: {
+    identity: authInterfaces.IIdentity;
+  };
+  response: {
+    gatewayClients: IGatewayClient[];
+  };
+}
+
+export interface IReq_CreateGatewayClient extends plugins.typedrequestInterfaces.implementsTR<
+  plugins.typedrequestInterfaces.ITypedRequest,
+  IReq_CreateGatewayClient
+> {
+  method: 'createGatewayClient';
+  request: {
+    identity: authInterfaces.IIdentity;
+    id?: string;
+    type: IGatewayClient['type'];
+    name: string;
+    description?: string;
+    hostnamePatterns?: string[];
+    allowedRouteTargets?: IGatewayClient['allowedRouteTargets'];
+    capabilities?: IGatewayClient['capabilities'];
+  };
+  response: {
+    success: boolean;
+    gatewayClient?: IGatewayClient;
+    message?: string;
+  };
+}
+
+export interface IReq_UpdateGatewayClient extends plugins.typedrequestInterfaces.implementsTR<
+  plugins.typedrequestInterfaces.ITypedRequest,
+  IReq_UpdateGatewayClient
+> {
+  method: 'updateGatewayClient';
+  request: {
+    identity: authInterfaces.IIdentity;
+    id: string;
+    name?: string;
+    description?: string;
+    hostnamePatterns?: string[];
+    allowedRouteTargets?: IGatewayClient['allowedRouteTargets'];
+    capabilities?: IGatewayClient['capabilities'];
+    enabled?: boolean;
+  };
+  response: {
+    success: boolean;
+    gatewayClient?: IGatewayClient;
+    message?: string;
+  };
+}
+
+export interface IReq_DeleteGatewayClient extends plugins.typedrequestInterfaces.implementsTR<
+  plugins.typedrequestInterfaces.ITypedRequest,
+  IReq_DeleteGatewayClient
+> {
+  method: 'deleteGatewayClient';
+  request: {
+    identity: authInterfaces.IIdentity;
+    id: string;
+  };
+  response: {
+    success: boolean;
+    message?: string;
+  };
+}
+
+export interface IReq_CreateGatewayClientToken extends plugins.typedrequestInterfaces.implementsTR<
+  plugins.typedrequestInterfaces.ITypedRequest,
+  IReq_CreateGatewayClientToken
+> {
+  method: 'createGatewayClientToken';
+  request: {
+    identity: authInterfaces.IIdentity;
+    gatewayClientId: string;
+    name?: string;
+    expiresInDays?: number | null;
+  };
+  response: {
+    success: boolean;
+    tokenId?: string;
+    tokenValue?: string;
+    message?: string;
+  };
+}
+
+export interface IReq_GetWorkHosterDomains extends plugins.typedrequestInterfaces.implementsTR<
+  plugins.typedrequestInterfaces.ITypedRequest,
+  IReq_GetWorkHosterDomains
+> {
+  method: 'getWorkHosterDomains';
+  request: {
+    identity?: authInterfaces.IIdentity;
+    apiToken?: string;
+  };
+  response: {
+    domains: IWorkHosterDomain[];
+  };
+}
+
+export interface IReq_GetGatewayClientDomains extends plugins.typedrequestInterfaces.implementsTR<
+  plugins.typedrequestInterfaces.ITypedRequest,
+  IReq_GetGatewayClientDomains
+> {
+  method: 'getGatewayClientDomains';
+  request: {
+    identity?: authInterfaces.IIdentity;
+    apiToken?: string;
+    gatewayClientId?: string;
+  };
+  response: {
+    domains: IGatewayClientDomain[];
+  };
+}
+
+export interface IReq_GetGatewayClientDnsRecords extends plugins.typedrequestInterfaces.implementsTR<
+  plugins.typedrequestInterfaces.ITypedRequest,
+  IReq_GetGatewayClientDnsRecords
+> {
+  method: 'getGatewayClientDnsRecords';
+  request: {
+    identity?: authInterfaces.IIdentity;
+    apiToken?: string;
+    gatewayClientId?: string;
+  };
+  response: {
+    records: IGatewayClientDnsRecord[];
+  };
+}
+
+export interface IReq_SyncWorkAppRoute extends plugins.typedrequestInterfaces.implementsTR<
+  plugins.typedrequestInterfaces.ITypedRequest,
+  IReq_SyncWorkAppRoute
+> {
+  method: 'syncWorkAppRoute';
+  request: {
+    identity?: authInterfaces.IIdentity;
+    apiToken?: string;
+    ownership: IWorkAppRouteOwnership;
+    route?: IDcRouterRouteConfig;
+    enabled?: boolean;
+    delete?: boolean;
+  };
+  response: IWorkAppRouteSyncResult;
+}
+
+export interface IReq_SyncGatewayClientRoute extends plugins.typedrequestInterfaces.implementsTR<
+  plugins.typedrequestInterfaces.ITypedRequest,
+  IReq_SyncGatewayClientRoute
+> {
+  method: 'syncGatewayClientRoute';
+  request: {
+    identity?: authInterfaces.IIdentity;
+    apiToken?: string;
+    ownership: IGatewayClientOwnership;
+    route?: IDcRouterRouteConfig;
+    enabled?: boolean;
+    delete?: boolean;
+  };
+  response: IGatewayClientRouteSyncResult;
+}
+
+export interface IReq_GetWorkAppMailIdentities extends plugins.typedrequestInterfaces.implementsTR<
+  plugins.typedrequestInterfaces.ITypedRequest,
+  IReq_GetWorkAppMailIdentities
+> {
+  method: 'getWorkAppMailIdentities';
+  request: {
+    identity?: authInterfaces.IIdentity;
+    apiToken?: string;
+    ownership?: Partial<IWorkAppMailOwnership>;
+  };
+  response: {
+    identities: IWorkAppMailIdentity[];
+  };
+}
+
+export interface IReq_SyncWorkAppMailIdentity extends plugins.typedrequestInterfaces.implementsTR<
+  plugins.typedrequestInterfaces.ITypedRequest,
+  IReq_SyncWorkAppMailIdentity
+> {
+  method: 'syncWorkAppMailIdentity';
+  request: {
+    identity?: authInterfaces.IIdentity;
+    apiToken?: string;
+    ownership: IWorkAppMailOwnership;
+    localPart: string;
+    domain: string;
+    displayName?: string;
+    inbound?: IWorkAppMailInboundRoute;
+    enabled?: boolean;
+    smtpEnabled?: boolean;
+    resetSmtpPassword?: boolean;
+    delete?: boolean;
+  };
+  response: IWorkAppMailIdentitySyncResult;
+}

ts_migrations/index.ts

@@ -1,5 +1,3 @@
-/// <reference types="node" />
-
 /**
  * dcrouter migration runner.
  *

ts_migrations/readme.md

@@ -1,49 +1,85 @@
 # @serve.zone/dcrouter-migrations
 
-Migration runner package for dcrouter's smartdata-backed persistence layer. 🧱
-
-This package provides the startup migration chain that upgrades dcrouter data across releases before the application reads from the database.
+`@serve.zone/dcrouter-migrations` is dcrouter's versioned SmartMigration chain for persistent database schema and data transitions. The main dcrouter runtime runs it after the database is ready and before DB-backed managers read collections.
 
 ## Issue Reporting and Security
 
 For reporting bugs, issues, or security vulnerabilities, please visit [community.foss.global/](https://community.foss.global/). This is the central community hub for all issue reporting. Developers who sign and comply with our contribution agreement and go through identification can also get a [code.foss.global/](https://code.foss.global/) account to submit Pull Requests directly.
 
-## What It Exports
+## Install
+
+```bash
+pnpm add @serve.zone/dcrouter-migrations
+```
+
+If you boot `DcRouter`, you usually do not install or call this package directly; startup handles it.
+
+## API
 
 | Export | Purpose |
 | --- | --- |
-| `createMigrationRunner(db, targetVersion)` | Builds the dcrouter SmartMigration runner for the current application version |
-| `IMigrationRunner` | Small interface describing the runner's `run()` method |
-| `IMigrationRunResult` | Logged result shape used after execution |
-
-## Usage
+| `createMigrationRunner(db, targetVersion)` | Builds a configured SmartMigration runner for the supplied Smartdata database and target app version. |
+| `IMigrationRunner` | Minimal runner interface with `run()`. |
+| `IMigrationRunResult` | Result shape logged after a migration run. |
 
 ```typescript
 import { createMigrationRunner } from '@serve.zone/dcrouter-migrations';
 
-const migration = await createMigrationRunner(db, '13.18.0');
+const migration = await createMigrationRunner(db, '13.25.0');
 const result = await migration.run();
 
 console.log(result.currentVersionBefore, result.currentVersionAfter);
 ```
 
-## What These Migrations Handle
+## Current Chain
 
-The migration chain currently covers dcrouter-specific storage transitions such as:
+The current migration chain covers:
 
-- target profile target field renames
-- domain and DNS record source renames
-- route collection unification into `RouteDoc`
-- persisted route metadata backfills such as `origin` and `systemKey`
+- `TargetProfileDoc.targets[].host` to `TargetProfileDoc.targets[].ip`
+- legacy domain source `manual` to `dcrouter`
+- legacy DNS record source `manual` to `local`
+- route collection unification from `StoredRouteDoc` to `RouteDoc`
+- route `origin` backfill for migrated API routes
+- `systemKey` backfill for persisted config, email, and DNS routes
 
-## Important Behavior
+## Migration Rules
 
-- fresh installs are stamped directly to the current target version
-- migration steps are registered in strict version order
-- migrations run before services load DB-backed state
-- route-related migrations use smartdata collection names exactly as declared in code
+All schema migrations must live in `ts_migrations/index.ts` as SmartMigration steps. Do not put migration logic in application services, managers, startup hooks, or document classes.
 
-If you are embedding dcrouter's DB layer outside the main runtime, run this package before any feature code assumes the latest schema.
+Every step must be idempotent. SmartMigration may re-run steps during skip-forward or resume flows, so an already-migrated database must remain safe.
+
+The `.to()` version of a step must match the release version that ships the migration so SmartMigration can plan the step correctly.
+
+## Collection Name Warning
+
+smartdata uses the exact class name as the MongoDB collection name. Do not lowercase new collection references.
+
+Examples:
+
+| Document class | MongoDB collection |
+| --- | --- |
+| `StoredRouteDoc` | `StoredRouteDoc` |
+| `TargetProfileDoc` | `TargetProfileDoc` |
+| `RouteDoc` | `RouteDoc` |
+
+When writing migrations in `ts_migrations/index.ts`, use exact class-name casing in calls such as `ctx.mongo!.collection('ClassName')` and `db.listCollections({ name: 'ClassName' })`.
+
+Historical migration steps may still reference older lowercased collections from earlier behavior. Do not copy that pattern for new migrations.
+
+## When To Use This Package Directly
+
+- You are testing dcrouter schema transitions without booting the full runtime.
+- You are embedding dcrouter persistence in another process and need the same version chain.
+- You are authoring a migration and want a focused test harness around `createMigrationRunner()`.
+
+## Development
+
+This folder is published from the dcrouter monorepo via `tspublish.json` with order `2`.
+
+Useful source entry points:
+
+- `index.ts` defines the public runner factory and all migration steps.
+- `../AGENTS.md` contains the local migration authoring rules that must be followed.
 
 ## License and Legal Information
 
@@ -59,7 +95,7 @@ Use of these trademarks must comply with Task Venture Capital GmbH's Trademark G
 
 ### Company Information
 
-Task Venture Capital GmbH  
+Task Venture Capital GmbH
 Registered at District Court Bremen HRB 35230 HB, Germany
 
 For any legal inquiries or further information, please contact us via email at hello@task.vc.

ts_web/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@serve.zone/dcrouter',
-  version: '13.20.0',
+  version: '13.29.0',
   description: 'A multifaceted routing service handling mail and SMS delivery functions.'
 }

ts_web/appstate.ts

@@ -10,6 +10,8 @@ export interface ILoginState {
   isLoggedIn: boolean;
 }
 
+export type IAdminBootstrapStatus = interfaces.requests.IReq_GetAdminBootstrapStatus['response'];
+
 export interface IStatsState {
   serverStats: interfaces.data.IServerStats | null;
   emailStats: interfaces.data.IEmailStats | null;
@@ -54,6 +56,7 @@ export interface INetworkState {
   topIPs: Array<{ ip: string; count: number }>;
   topIPsByBandwidth: Array<{ ip: string; count: number; bwIn: number; bwOut: number }>;
   throughputByIP: Array<{ ip: string; in: number; out: number }>;
+  ipIntelligence: interfaces.data.IIpIntelligenceRecord[];
   domainActivity: interfaces.data.IDomainActivity[];
   throughputHistory: Array<{ timestamp: number; in: number; out: number }>;
   requestsPerSecond: number;
@@ -66,6 +69,16 @@ export interface INetworkState {
   error: string | null;
 }
 
+export interface ISecurityPolicyState {
+  rules: interfaces.data.ISecurityBlockRule[];
+  ipIntelligence: interfaces.data.IIpIntelligenceRecord[];
+  compiledPolicy: interfaces.data.ISecurityCompiledPolicy | null;
+  auditEvents: interfaces.data.ISecurityPolicyAuditEvent[];
+  isLoading: boolean;
+  error: string | null;
+  lastUpdated: number;
+}
+
 export interface ICertificateState {
   certificates: interfaces.requests.ICertificateInfo[];
   summary: { total: number; valid: number; expiring: number; expired: number; failed: number; unknown: number };
@@ -164,6 +177,7 @@ export const networkStatePart = await appState.getStatePart<INetworkState>(
     topIPs: [],
     topIPsByBandwidth: [],
     throughputByIP: [],
+    ipIntelligence: [],
     domainActivity: [],
     throughputHistory: [],
     requestsPerSecond: 0,
@@ -178,6 +192,20 @@ export const networkStatePart = await appState.getStatePart<INetworkState>(
   'soft'
 );
 
+export const securityPolicyStatePart = await appState.getStatePart<ISecurityPolicyState>(
+  'securityPolicy',
+  {
+    rules: [],
+    ipIntelligence: [],
+    compiledPolicy: null,
+    auditEvents: [],
+    isLoading: false,
+    error: null,
+    lastUpdated: 0,
+  },
+  'soft',
+);
+
 export const emailOpsStatePart = await appState.getStatePart<IEmailOpsState>(
   'emailOps',
   {
@@ -259,6 +287,7 @@ export interface IRouteManagementState {
   mergedRoutes: interfaces.data.IMergedRoute[];
   warnings: interfaces.data.IRouteWarning[];
   apiTokens: interfaces.data.IApiTokenInfo[];
+  gatewayClients: interfaces.data.IGatewayClient[];
   isLoading: boolean;
   error: string | null;
   lastUpdated: number;
@@ -270,6 +299,7 @@ export const routeManagementStatePart = await appState.getStatePart<IRouteManage
     mergedRoutes: [],
     warnings: [],
     apiTokens: [],
+    gatewayClients: [],
     isLoading: false,
     error: null,
     lastUpdated: 0,
@@ -284,7 +314,11 @@ export const routeManagementStatePart = await appState.getStatePart<IRouteManage
 export interface IUser {
   id: string;
   username: string;
+  email?: string;
+  name?: string;
   role: string;
+  status?: 'active' | 'disabled';
+  authSources?: Array<'local' | 'idp.global'>;
 }
 
 export interface IUsersState {
@@ -323,6 +357,7 @@ const getActionContext = (): IActionContext => {
 export const loginAction = loginStatePart.createAction<{
   username: string;
   password: string;
+  authSource?: interfaces.requests.TAdminLoginAuthSource;
 }>(async (statePartArg, dataArg): Promise<ILoginState> => {
   const typedRequest = new plugins.domtools.plugins.typedrequest.TypedRequest<
     interfaces.requests.IReq_AdminLoginWithUsernameAndPassword
@@ -332,6 +367,7 @@ export const loginAction = loginStatePart.createAction<{
     const response = await typedRequest.fire({
       username: dataArg.username,
       password: dataArg.password,
+      authSource: dataArg.authSource,
     });
 
     if (response.identity) {
@@ -347,6 +383,47 @@ export const loginAction = loginStatePart.createAction<{
   }
 });
 
+export async function getAdminBootstrapStatus(): Promise<IAdminBootstrapStatus> {
+  const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
+    interfaces.requests.IReq_GetAdminBootstrapStatus
+  >('/typedrequest', 'getAdminBootstrapStatus');
+
+  return request.fire({});
+}
+
+export async function createInitialAdminUser(optionsArg: {
+  email: string;
+  name?: string;
+  password: string;
+  enableIdpGlobalAuth?: boolean;
+}) {
+  const context = getActionContext();
+  if (!context.identity) {
+    throw new Error('No identity available for admin bootstrap');
+  }
+
+  const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
+    interfaces.requests.IReq_CreateInitialAdminUser
+  >('/typedrequest', 'createInitialAdminUser');
+
+  const response = await request.fire({
+    identity: context.identity,
+    email: optionsArg.email,
+    name: optionsArg.name,
+    password: optionsArg.password,
+    enableIdpGlobalAuth: optionsArg.enableIdpGlobalAuth,
+  });
+
+  if (response.identity) {
+    loginStatePart.setState({
+      identity: response.identity,
+      isLoggedIn: true,
+    });
+  }
+
+  return response;
+}
+
 // Logout Action — always clears state, even if identity is expired/missing
 export const logoutAction = loginStatePart.createAction(async (statePartArg) => {
   const context = getActionContext();
@@ -512,43 +589,56 @@ export const fetchNetworkStatsAction = networkStatePart.createAction(async (stat
   if (!context.identity) return currentState;
 
   try {
-    // Fetch active connections using the existing endpoint
-    const connectionsRequest = new plugins.domtools.plugins.typedrequest.TypedRequest<
-      interfaces.requests.IReq_GetActiveConnections
-    >('/typedrequest', 'getActiveConnections');
-    
-    const connectionsResponse = await connectionsRequest.fire({
-      identity: context.identity,
-    });
-
     // Get network stats for throughput and IP data
     const networkStatsRequest = new plugins.domtools.plugins.typedrequest.TypedRequest<
       interfaces.requests.IReq_GetNetworkStats
     >('/typedrequest', 'getNetworkStats');
 
-    const networkStatsResponse = await networkStatsRequest.fire({
-      identity: context.identity,
-    });
+    const ipIntelligenceRequest = new plugins.domtools.plugins.typedrequest.TypedRequest<
+      interfaces.requests.IReq_ListIpIntelligence
+    >('/typedrequest', 'listIpIntelligence');
+
+    const [networkStatsResponse, ipIntelligenceResponse] = await Promise.all([
+      networkStatsRequest.fire({
+        identity: context.identity,
+      }),
+      ipIntelligenceRequest.fire({
+        identity: context.identity,
+      }),
+    ]);
 
     // Use the connections data for the connection list
     // and network stats for throughput and IP analytics
     const connectionsByIP: { [ip: string]: number } = {};
+    const throughputByIP = new Map<string, { in: number; out: number }>();
+    for (const item of networkStatsResponse.throughputByIP || []) {
+      throughputByIP.set(item.ip, { in: item.in, out: item.out });
+    }
     
     // Build connectionsByIP from network stats if available
     if (networkStatsResponse.connectionsByIP && Array.isArray(networkStatsResponse.connectionsByIP)) {
       networkStatsResponse.connectionsByIP.forEach((item: { ip: string; count: number }) => {
         connectionsByIP[item.ip] = item.count;
       });
-    } else {
-      // Fallback: calculate from connections
-      connectionsResponse.connections.forEach(conn => {
-        const ip = conn.remoteAddress;
-        connectionsByIP[ip] = (connectionsByIP[ip] || 0) + 1;
-      });
     }
 
+    const connections: interfaces.data.IConnectionInfo[] = Object.entries(connectionsByIP).map(([ip, count]) => {
+      const tp = throughputByIP.get(ip);
+      return {
+        id: `ip-${ip}`,
+        remoteAddress: ip,
+        localAddress: 'server',
+        startTime: 0,
+        protocol: 'https',
+        state: 'connected',
+        bytesReceived: tp?.in || 0,
+        bytesSent: tp?.out || 0,
+        connectionCount: count,
+      };
+    });
+
     return {
-      connections: connectionsResponse.connections,
+      connections,
       connectionsByIP,
       throughputRate: networkStatsResponse.throughputRate || { bytesInPerSecond: 0, bytesOutPerSecond: 0 },
       totalBytes: networkStatsResponse.totalDataTransferred
@@ -557,6 +647,7 @@ export const fetchNetworkStatsAction = networkStatePart.createAction(async (stat
       topIPs: networkStatsResponse.topIPs || [],
       topIPsByBandwidth: networkStatsResponse.topIPsByBandwidth || [],
       throughputByIP: networkStatsResponse.throughputByIP || [],
+      ipIntelligence: ipIntelligenceResponse.records || [],
       domainActivity: networkStatsResponse.domainActivity || [],
       throughputHistory: networkStatsResponse.throughputHistory || [],
       requestsPerSecond: networkStatsResponse.requestsPerSecond || 0,
@@ -578,6 +669,182 @@ export const fetchNetworkStatsAction = networkStatePart.createAction(async (stat
   }
 });
 
+// ============================================================================
+// Security Policy Actions
+// ============================================================================
+
+export const fetchSecurityPolicyAction = securityPolicyStatePart.createAction(
+  async (statePartArg): Promise<ISecurityPolicyState> => {
+    const context = getActionContext();
+    const currentState = statePartArg.getState()!;
+    if (!context.identity) return currentState;
+
+    try {
+      const rulesRequest = new plugins.domtools.plugins.typedrequest.TypedRequest<
+        interfaces.requests.IReq_ListSecurityBlockRules
+      >('/typedrequest', 'listSecurityBlockRules');
+      const intelligenceRequest = new plugins.domtools.plugins.typedrequest.TypedRequest<
+        interfaces.requests.IReq_ListIpIntelligence
+      >('/typedrequest', 'listIpIntelligence');
+      const compiledPolicyRequest = new plugins.domtools.plugins.typedrequest.TypedRequest<
+        interfaces.requests.IReq_GetCompiledSecurityPolicy
+      >('/typedrequest', 'getCompiledSecurityPolicy');
+      const auditRequest = new plugins.domtools.plugins.typedrequest.TypedRequest<
+        interfaces.requests.IReq_ListSecurityPolicyAudit
+      >('/typedrequest', 'listSecurityPolicyAudit');
+
+      const [rulesResponse, intelligenceResponse, compiledPolicyResponse, auditResponse] = await Promise.all([
+        rulesRequest.fire({ identity: context.identity }),
+        intelligenceRequest.fire({ identity: context.identity }),
+        compiledPolicyRequest.fire({ identity: context.identity }),
+        auditRequest.fire({ identity: context.identity, limit: 100 }),
+      ]);
+
+      return {
+        rules: rulesResponse.rules || [],
+        ipIntelligence: intelligenceResponse.records || [],
+        compiledPolicy: compiledPolicyResponse.policy,
+        auditEvents: auditResponse.events || [],
+        isLoading: false,
+        error: null,
+        lastUpdated: Date.now(),
+      };
+    } catch (error: unknown) {
+      return {
+        ...currentState,
+        isLoading: false,
+        error: error instanceof Error ? error.message : 'Failed to fetch security policy',
+      };
+    }
+  },
+);
+
+export const createSecurityBlockRuleAction = securityPolicyStatePart.createAction<{
+  type: interfaces.data.TSecurityBlockRuleType;
+  value: string;
+  matchMode?: interfaces.data.TSecurityBlockRuleMatchMode;
+  reason?: string;
+  enabled?: boolean;
+}>(async (statePartArg, dataArg, actionContext): Promise<ISecurityPolicyState> => {
+  const context = getActionContext();
+  const currentState = statePartArg.getState()!;
+  if (!context.identity) return currentState;
+
+  try {
+    const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
+      interfaces.requests.IReq_CreateSecurityBlockRule
+    >('/typedrequest', 'createSecurityBlockRule');
+
+    const response = await request.fire({
+      identity: context.identity,
+      type: dataArg.type,
+      value: dataArg.value,
+      matchMode: dataArg.matchMode,
+      reason: dataArg.reason,
+      enabled: dataArg.enabled,
+    });
+
+    if (!response.success) {
+      return { ...currentState, error: response.message || 'Failed to create security block rule' };
+    }
+
+    return await actionContext!.dispatch(fetchSecurityPolicyAction, null);
+  } catch (error: unknown) {
+    return {
+      ...currentState,
+      error: error instanceof Error ? error.message : 'Failed to create security block rule',
+    };
+  }
+});
+
+export const updateSecurityBlockRuleAction = securityPolicyStatePart.createAction<{
+  id: string;
+  value?: string;
+  matchMode?: interfaces.data.TSecurityBlockRuleMatchMode;
+  reason?: string;
+  enabled?: boolean;
+}>(async (statePartArg, dataArg, actionContext): Promise<ISecurityPolicyState> => {
+  const context = getActionContext();
+  const currentState = statePartArg.getState()!;
+  if (!context.identity) return currentState;
+
+  try {
+    const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
+      interfaces.requests.IReq_UpdateSecurityBlockRule
+    >('/typedrequest', 'updateSecurityBlockRule');
+
+    const response = await request.fire({
+      identity: context.identity,
+      id: dataArg.id,
+      value: dataArg.value,
+      matchMode: dataArg.matchMode,
+      reason: dataArg.reason,
+      enabled: dataArg.enabled,
+    });
+
+    if (!response.success) {
+      return { ...currentState, error: response.message || 'Failed to update security block rule' };
+    }
+
+    return await actionContext!.dispatch(fetchSecurityPolicyAction, null);
+  } catch (error: unknown) {
+    return {
+      ...currentState,
+      error: error instanceof Error ? error.message : 'Failed to update security block rule',
+    };
+  }
+});
+
+export const deleteSecurityBlockRuleAction = securityPolicyStatePart.createAction<string>(
+  async (statePartArg, ruleId, actionContext): Promise<ISecurityPolicyState> => {
+    const context = getActionContext();
+    const currentState = statePartArg.getState()!;
+    if (!context.identity) return currentState;
+
+    try {
+      const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
+        interfaces.requests.IReq_DeleteSecurityBlockRule
+      >('/typedrequest', 'deleteSecurityBlockRule');
+
+      const response = await request.fire({ identity: context.identity, id: ruleId });
+      if (!response.success) {
+        return { ...currentState, error: response.message || 'Failed to delete security block rule' };
+      }
+
+      return await actionContext!.dispatch(fetchSecurityPolicyAction, null);
+    } catch (error: unknown) {
+      return {
+        ...currentState,
+        error: error instanceof Error ? error.message : 'Failed to delete security block rule',
+      };
+    }
+  },
+);
+
+export const refreshIpIntelligenceAction = securityPolicyStatePart.createAction<string>(
+  async (statePartArg, ipAddress, actionContext): Promise<ISecurityPolicyState> => {
+    const context = getActionContext();
+    const currentState = statePartArg.getState()!;
+    if (!context.identity) return currentState;
+
+    try {
+      const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
+        interfaces.requests.IReq_RefreshIpIntelligence
+      >('/typedrequest', 'refreshIpIntelligence');
+      const response = await request.fire({ identity: context.identity, ipAddress });
+      if (!response.success) {
+        return { ...currentState, error: response.message || 'Failed to refresh IP intelligence' };
+      }
+      return await actionContext!.dispatch(fetchSecurityPolicyAction, null);
+    } catch (error: unknown) {
+      return {
+        ...currentState,
+        error: error instanceof Error ? error.message : 'Failed to refresh IP intelligence',
+      };
+    }
+  },
+);
+
 // ============================================================================
 // Email Operations Actions
 // ============================================================================
@@ -2261,6 +2528,115 @@ export const fetchApiTokensAction = routeManagementStatePart.createAction(async
   }
 });
 
+export const fetchGatewayClientsAction = routeManagementStatePart.createAction(async (statePartArg): Promise<IRouteManagementState> => {
+  const context = getActionContext();
+  const currentState = statePartArg.getState()!;
+  if (!context.identity) return currentState;
+
+  try {
+    const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
+      interfaces.requests.IReq_ListGatewayClients
+    >('/typedrequest', 'listGatewayClients');
+    const response = await request.fire({ identity: context.identity });
+    return {
+      ...currentState,
+      gatewayClients: response.gatewayClients,
+      error: null,
+      lastUpdated: Date.now(),
+    };
+  } catch (error) {
+    return {
+      ...currentState,
+      error: error instanceof Error ? error.message : 'Failed to fetch gateway clients',
+    };
+  }
+});
+
+export async function createGatewayClient(data: {
+  id?: string;
+  type: interfaces.data.IGatewayClient['type'];
+  name: string;
+  description?: string;
+  hostnamePatterns?: string[];
+  allowedRouteTargets?: interfaces.data.IGatewayClient['allowedRouteTargets'];
+}) {
+  const context = getActionContext();
+  const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
+    interfaces.requests.IReq_CreateGatewayClient
+  >('/typedrequest', 'createGatewayClient');
+  return request.fire({
+    identity: context.identity!,
+    capabilities: {
+      readDomains: true,
+      readDnsRecords: true,
+      syncRoutes: true,
+      syncDnsRecords: false,
+      requestCertificates: false,
+    },
+    ...data,
+  });
+}
+
+export const updateGatewayClientAction = routeManagementStatePart.createAction<{
+  id: string;
+  name?: string;
+  description?: string;
+  hostnamePatterns?: string[];
+  allowedRouteTargets?: interfaces.data.IGatewayClient['allowedRouteTargets'];
+  enabled?: boolean;
+}>(async (statePartArg, dataArg, actionContext): Promise<IRouteManagementState> => {
+  const context = getActionContext();
+  const currentState = statePartArg.getState()!;
+  try {
+    const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
+      interfaces.requests.IReq_UpdateGatewayClient
+    >('/typedrequest', 'updateGatewayClient');
+    await request.fire({ identity: context.identity!, ...dataArg });
+    return await actionContext!.dispatch(fetchGatewayClientsAction, null);
+  } catch (error) {
+    return {
+      ...currentState,
+      error: error instanceof Error ? error.message : 'Failed to update gateway client',
+    };
+  }
+});
+
+export const deleteGatewayClientAction = routeManagementStatePart.createAction<string>(
+  async (statePartArg, gatewayClientId, actionContext): Promise<IRouteManagementState> => {
+    const context = getActionContext();
+    const currentState = statePartArg.getState()!;
+    try {
+      const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
+        interfaces.requests.IReq_DeleteGatewayClient
+      >('/typedrequest', 'deleteGatewayClient');
+      await request.fire({ identity: context.identity!, id: gatewayClientId });
+      return await actionContext!.dispatch(fetchGatewayClientsAction, null);
+    } catch (error) {
+      return {
+        ...currentState,
+        error: error instanceof Error ? error.message : 'Failed to delete gateway client',
+      };
+    }
+  },
+);
+
+export async function createGatewayClientToken(
+  gatewayClientId: string,
+  name?: string,
+  expiresInDays?: number | null,
+) {
+  const context = getActionContext();
+  const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
+    interfaces.requests.IReq_CreateGatewayClientToken
+  >('/typedrequest', 'createGatewayClientToken');
+  return request.fire({
+    identity: context.identity!,
+    gatewayClientId,
+    name,
+    expiresInDays,
+  });
+}
+
 // Users (read-only list)
 export const fetchUsersAction = usersStatePart.createAction(async (statePartArg): Promise<IUsersState> => {
   const context = getActionContext();
@@ -2290,7 +2666,12 @@ export const fetchUsersAction = usersStatePart.createAction(async (statePartArg)
   }
 });
 
-export async function createApiToken(name: string, scopes: interfaces.data.TApiTokenScope[], expiresInDays?: number | null) {
+export async function createApiToken(
+  name: string,
+  scopes: interfaces.data.TApiTokenScope[],
+  expiresInDays?: number | null,
+  policy?: any,
+) {
   const context = getActionContext();
   const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
     interfaces.requests.IReq_CreateApiToken
@@ -2300,6 +2681,7 @@ export async function createApiToken(name: string, scopes: interfaces.data.TApiT
     identity: context.identity!,
     name,
     scopes,
+    policy,
     expiresInDays,
   });
 }
@@ -2589,7 +2971,7 @@ async function dispatchCombinedRefreshActionInner() {
         email: true,
         dns: true,
         security: true,
-        network: currentView === 'network', // Only fetch network if on network view
+        network: currentView === 'network' && currentSubview === 'activity',
         radius: true,
         vpn: true,
       },
@@ -2617,7 +2999,7 @@ async function dispatchCombinedRefreshActionInner() {
 
       // Build connectionsByIP from connectionDetails (now populated with real per-IP data)
       network.connectionDetails.forEach(conn => {
-        connectionsByIP[conn.remoteAddress] = (connectionsByIP[conn.remoteAddress] || 0) + 1;
+        connectionsByIP[conn.remoteAddress] = (connectionsByIP[conn.remoteAddress] || 0) + (conn.connectionCount || 1);
       });
 
       // Build connections from connectionDetails (real per-IP aggregates)
@@ -2630,6 +3012,7 @@ async function dispatchCombinedRefreshActionInner() {
         state: conn.state as any,
         bytesReceived: conn.bytesIn,
         bytesSent: conn.bytesOut,
+        connectionCount: conn.connectionCount,
       }));
 
       networkStatePart.setState({
@@ -2660,6 +3043,27 @@ async function dispatchCombinedRefreshActionInner() {
         isLoading: false,
         error: null,
       });
+
+      try {
+        const intelligenceRequest = new plugins.domtools.plugins.typedrequest.TypedRequest<
+          interfaces.requests.IReq_ListIpIntelligence
+        >('/typedrequest', 'listIpIntelligence');
+        const intelligenceResponse = await intelligenceRequest.fire({ identity: context.identity });
+        networkStatePart.setState({
+          ...networkStatePart.getState()!,
+          ipIntelligence: intelligenceResponse.records || [],
+        });
+      } catch (error) {
+        console.error('IP intelligence refresh failed:', error);
+      }
+    }
+
+    if (currentView === 'security') {
+      try {
+        await securityPolicyStatePart.dispatchAction(fetchSecurityPolicyAction, null);
+      } catch (error) {
+        console.error('Security policy refresh failed:', error);
+      }
     }
 
     // Refresh certificate data if on Domains > Certificates subview

ts_web/elements/access/ops-view-apitokens.ts

@@ -20,6 +20,7 @@ export class OpsViewApiTokens extends DeesElement {
     mergedRoutes: [],
     warnings: [],
     apiTokens: [],
+    gatewayClients: [],
     isLoading: false,
     error: null,
     lastUpdated: 0,
@@ -199,12 +200,25 @@ export class OpsViewApiTokens extends DeesElement {
   private async showCreateTokenDialog() {
     const { DeesModal } = await import('@design.estate/dees-catalog');
 
-    const allScopes: TApiTokenScope[] = [
+    const allScopes = [
+      '*',
       'routes:read',
       'routes:write',
       'config:read',
+      'certificates:read',
+      'certificates:write',
       'tokens:read',
       'tokens:manage',
+      'domains:read',
+      'domains:write',
+      'dns-records:read',
+      'dns-records:write',
+      'email-domains:read',
+      'email-domains:write',
+      'gateway-clients:read',
+      'gateway-clients:write',
+      'workhosters:read',
+      'workhosters:write',
     ];
 
     await DeesModal.createAndShow({
@@ -218,10 +232,15 @@ export class OpsViewApiTokens extends DeesElement {
           <dees-input-tags
             .key=${'scopes'}
             .label=${'Token Scopes'}
-            .value=${['routes:read', 'routes:write']}
+            .value=${['gateway-clients:read', 'gateway-clients:write']}
             .suggestions=${allScopes}
             .required=${true}
           ></dees-input-tags>
+          <dees-input-text .key=${'policyRole'} .label=${'Policy Role'} .description=${'admin, gatewayClient, or operator'}></dees-input-text>
+          <dees-input-text .key=${'gatewayClientType'} .label=${'Gateway Client Type'} .description=${'For gatewayClient tokens: onebox, cloudly, or custom'}></dees-input-text>
+          <dees-input-text .key=${'gatewayClientId'} .label=${'Gateway Client ID'} .description=${'Required for gatewayClient tokens'}></dees-input-text>
+          <dees-input-text .key=${'hostnamePatterns'} .label=${'Hostname Patterns'} .description=${'Comma separated, e.g. *.apps.example.com'}></dees-input-text>
+          <dees-input-text .key=${'allowedRouteTarget'} .label=${'Allowed Route Target'} .description=${'Optional host:ports, e.g. 203.0.113.10:80,443'}></dees-input-text>
           <dees-input-text .key=${'expiresInDays'} .label=${'Expires in'} .description=${'Number of days; leave blank for no expiration'}></dees-input-text>
         </dees-form>
       `,
@@ -247,6 +266,7 @@ export class OpsViewApiTokens extends DeesElement {
             const rawScopes: string[] = tagsInput?.getValue?.() || tagsInput?.value || formData.scopes || [];
             const scopes = rawScopes
               .filter((s: string) => allScopes.includes(s as any)) as TApiTokenScope[];
+            const policy = this.buildPolicy(formData, scopes);
 
             const expiresInDays = formData.expiresInDays
               ? parseInt(formData.expiresInDays, 10)
@@ -255,7 +275,7 @@ export class OpsViewApiTokens extends DeesElement {
             await modalArg.destroy();
 
             try {
-              const response = await appstate.createApiToken(formData.name, scopes, expiresInDays);
+              const response = await appstate.createApiToken(formData.name, scopes, expiresInDays, policy);
               if (response.success && response.tokenValue) {
                 // Refresh the list first so it's ready when user dismisses the modal
                 await appstate.routeManagementStatePart.dispatchAction(appstate.fetchApiTokensAction, null);
@@ -289,6 +309,42 @@ export class OpsViewApiTokens extends DeesElement {
     });
   }
 
+  private buildPolicy(formData: any, scopes: TApiTokenScope[]): any | undefined {
+    const role = String(formData.policyRole || '').trim();
+    if (!role) return undefined;
+    const policy: any = {
+      role,
+      scopes,
+    };
+    if (role === 'gatewayClient') {
+      const type = String(formData.gatewayClientType || 'onebox').trim() as 'onebox' | 'cloudly' | 'custom';
+      const id = String(formData.gatewayClientId || '').trim();
+      if (id) {
+        policy.gatewayClient = { type, id };
+      }
+      policy.hostnamePatterns = String(formData.hostnamePatterns || '')
+        .split(',')
+        .map((pattern) => pattern.trim())
+        .filter(Boolean);
+      const target = String(formData.allowedRouteTarget || '').trim();
+      if (target.includes(':')) {
+        const [host, portsValue] = target.split(':');
+        policy.allowedRouteTargets = [{
+          host: host.trim(),
+          ports: portsValue.split(',').map((port) => Number(port.trim())).filter((port) => Number.isInteger(port)),
+        }];
+      }
+      policy.capabilities = {
+        readDomains: true,
+        readDnsRecords: true,
+        syncRoutes: true,
+        syncDnsRecords: false,
+        requestCertificates: false,
+      };
+    }
+    return policy;
+  }
+
   private async showRollTokenDialog(token: interfaces.data.IApiTokenInfo) {
     const { DeesModal } = await import('@design.estate/dees-catalog');
 

ts_web/elements/access/ops-view-gatewayclients.ts

@@ -0,0 +1,250 @@
+import * as appstate from '../../appstate.js';
+import * as interfaces from '../../../dist_ts_interfaces/index.js';
+import { viewHostCss } from '../shared/css.js';
+
+import {
+  DeesElement,
+  css,
+  cssManager,
+  customElement,
+  html,
+  state,
+  type TemplateResult,
+} from '@design.estate/dees-element';
+
+@customElement('ops-view-gatewayclients')
+export class OpsViewGatewayClients extends DeesElement {
+  @state() accessor routeState: appstate.IRouteManagementState = {
+    mergedRoutes: [],
+    warnings: [],
+    apiTokens: [],
+    gatewayClients: [],
+    isLoading: false,
+    error: null,
+    lastUpdated: 0,
+  };
+
+  constructor() {
+    super();
+    const sub = appstate.routeManagementStatePart
+      .select((s) => s)
+      .subscribe((routeState) => {
+        this.routeState = routeState;
+      });
+    this.rxSubscriptions.push(sub);
+
+    const loginSub = appstate.loginStatePart
+      .select((s) => s.isLoggedIn)
+      .subscribe((isLoggedIn) => {
+        if (isLoggedIn) {
+          appstate.routeManagementStatePart.dispatchAction(appstate.fetchGatewayClientsAction, null);
+        }
+      });
+    this.rxSubscriptions.push(loginSub);
+  }
+
+  public static styles = [
+    cssManager.defaultStyles,
+    viewHostCss,
+    css`
+      .pill {
+        display: inline-flex;
+        padding: 2px 6px;
+        border-radius: 3px;
+        font-size: 11px;
+        background: ${cssManager.bdTheme('rgba(37, 99, 235, 0.1)', 'rgba(96, 165, 250, 0.14)')};
+        color: ${cssManager.bdTheme('#1d4ed8', '#93c5fd')};
+        margin-right: 4px;
+        margin-bottom: 2px;
+      }
+    `,
+  ];
+
+  public render(): TemplateResult {
+    return html`
+      <dees-heading level="3">Gateway Clients</dees-heading>
+      <dees-table
+        .heading1=${'Gateway Clients'}
+        .heading2=${'Create durable clients and token credentials for Onebox, Cloudly, or custom integrations'}
+        .data=${this.routeState.gatewayClients}
+        .dataName=${'gateway client'}
+        .searchable=${true}
+        .showColumnFilters=${true}
+        .displayFunction=${(client: interfaces.data.IGatewayClient) => ({
+          name: client.name,
+          id: client.id,
+          type: client.type,
+          hostnames: this.renderPills(client.hostnamePatterns),
+          targets: this.renderTargets(client.allowedRouteTargets),
+          tokens: client.tokenCount || 0,
+          status: client.enabled ? 'Active' : 'Disabled',
+        })}
+        .dataActions=${[
+          {
+            name: 'Create Client',
+            iconName: 'lucide:plus',
+            type: ['header'],
+            actionFunc: async () => await this.showCreateClientDialog(),
+          },
+          {
+            name: 'Create Token',
+            iconName: 'lucide:keyRound',
+            type: ['inRow', 'contextmenu'] as any,
+            actionFunc: async (actionData: any) => await this.showCreateTokenDialog(actionData.item),
+          },
+          {
+            name: 'Enable',
+            iconName: 'lucide:play',
+            type: ['inRow', 'contextmenu'] as any,
+            actionRelevancyCheckFunc: (actionData: any) => !actionData.item.enabled,
+            actionFunc: async (actionData: any) => {
+              await appstate.routeManagementStatePart.dispatchAction(appstate.updateGatewayClientAction, {
+                id: actionData.item.id,
+                enabled: true,
+              });
+            },
+          },
+          {
+            name: 'Disable',
+            iconName: 'lucide:pause',
+            type: ['inRow', 'contextmenu'] as any,
+            actionRelevancyCheckFunc: (actionData: any) => actionData.item.enabled,
+            actionFunc: async (actionData: any) => {
+              await appstate.routeManagementStatePart.dispatchAction(appstate.updateGatewayClientAction, {
+                id: actionData.item.id,
+                enabled: false,
+              });
+            },
+          },
+          {
+            name: 'Delete',
+            iconName: 'lucide:trash2',
+            type: ['inRow', 'contextmenu'] as any,
+            actionFunc: async (actionData: any) => {
+              await appstate.routeManagementStatePart.dispatchAction(appstate.deleteGatewayClientAction, actionData.item.id);
+            },
+          },
+        ]}
+      ></dees-table>
+    `;
+  }
+
+  private renderPills(values: string[]): TemplateResult {
+    if (!values.length) return html`<span>None</span>`;
+    return html`${values.map((value) => html`<span class="pill">${value}</span>`)}`;
+  }
+
+  private renderTargets(targets: interfaces.data.IGatewayClient['allowedRouteTargets']): TemplateResult {
+    if (!targets.length) return html`<span>None</span>`;
+    return html`${targets.map((target) => html`<span class="pill">${target.host}:${target.ports.join(',')}</span>`)}`;
+  }
+
+  private async showCreateClientDialog(): Promise<void> {
+    const { DeesModal } = await import('@design.estate/dees-catalog');
+    await DeesModal.createAndShow({
+      heading: 'Create Gateway Client',
+      content: html`
+        <dees-form>
+          <dees-input-text .key=${'name'} .label=${'Name'} .required=${true}></dees-input-text>
+          <dees-input-text .key=${'type'} .label=${'Type'} .value=${'onebox'} .description=${'onebox, cloudly, or custom'}></dees-input-text>
+          <dees-input-text .key=${'id'} .label=${'Client ID'} .description=${'Optional stable ID; generated when empty'}></dees-input-text>
+          <dees-input-text .key=${'hostnamePatterns'} .label=${'Hostname Patterns'} .description=${'Comma separated, e.g. *.apps.example.com'}></dees-input-text>
+          <dees-input-text .key=${'allowedRouteTarget'} .label=${'Allowed Route Target'} .description=${'Optional host:ports, e.g. onebox-smartproxy:80'}></dees-input-text>
+          <dees-input-text .key=${'description'} .label=${'Description'}></dees-input-text>
+        </dees-form>
+      `,
+      menuOptions: [
+        { name: 'Cancel', iconName: 'lucide:x', action: async (modalArg: any) => await modalArg.destroy() },
+        {
+          name: 'Create',
+          iconName: 'lucide:plus',
+          action: async (modalArg: any) => {
+            const form = modalArg.shadowRoot?.querySelector('.content')?.querySelector('dees-form');
+            if (!form) return;
+            const formData = await (form as any).collectFormData();
+            const name = String(formData.name || '').trim();
+            if (!name) return;
+            await modalArg.destroy();
+            await appstate.createGatewayClient({
+              id: String(formData.id || '').trim() || undefined,
+              type: this.normalizeClientType(String(formData.type || 'onebox')),
+              name,
+              description: String(formData.description || '').trim() || undefined,
+              hostnamePatterns: this.parseList(String(formData.hostnamePatterns || '')),
+              allowedRouteTargets: this.parseAllowedRouteTargets(String(formData.allowedRouteTarget || '')),
+            });
+            await appstate.routeManagementStatePart.dispatchAction(appstate.fetchGatewayClientsAction, null);
+          },
+        },
+      ],
+    });
+  }
+
+  private async showCreateTokenDialog(client: interfaces.data.IGatewayClient): Promise<void> {
+    const { DeesModal } = await import('@design.estate/dees-catalog');
+    await DeesModal.createAndShow({
+      heading: `Create Token for ${client.name}`,
+      content: html`
+        <div style="color: #888; margin-bottom: 12px; font-size: 13px;">
+          The token will be shown once. Configure Onebox with the dcrouter URL and this token.
+        </div>
+        <dees-form>
+          <dees-input-text .key=${'name'} .label=${'Token Name'} .value=${`${client.name} Token`}></dees-input-text>
+          <dees-input-text .key=${'expiresInDays'} .label=${'Expires in'} .description=${'Number of days; leave blank for no expiration'}></dees-input-text>
+        </dees-form>
+      `,
+      menuOptions: [
+        { name: 'Cancel', iconName: 'lucide:x', action: async (modalArg: any) => await modalArg.destroy() },
+        {
+          name: 'Create Token',
+          iconName: 'lucide:key',
+          action: async (modalArg: any) => {
+            const form = modalArg.shadowRoot?.querySelector('.content')?.querySelector('dees-form');
+            if (!form) return;
+            const formData = await (form as any).collectFormData();
+            const expiresInDays = formData.expiresInDays ? parseInt(formData.expiresInDays, 10) : null;
+            await modalArg.destroy();
+            const response = await appstate.createGatewayClientToken(
+              client.id,
+              String(formData.name || '').trim() || undefined,
+              expiresInDays,
+            );
+            await appstate.routeManagementStatePart.dispatchAction(appstate.fetchGatewayClientsAction, null);
+            if (response.success && response.tokenValue) {
+              await DeesModal.createAndShow({
+                heading: 'Gateway Client Token Created',
+                content: html`
+                  <p>Copy this token now. It will not be shown again.</p>
+                  <div style="background: #111; padding: 12px; border-radius: 6px; margin-top: 8px;">
+                    <code style="color: #0f8; word-break: break-all; font-size: 13px;">${response.tokenValue}</code>
+                  </div>
+                `,
+                menuOptions: [
+                  { name: 'Done', iconName: 'lucide:check', action: async (m: any) => await m.destroy() },
+                ],
+              });
+            }
+          },
+        },
+      ],
+    });
+  }
+
+  private normalizeClientType(value: string): interfaces.data.IGatewayClient['type'] {
+    const normalized = value.trim().toLowerCase();
+    if (normalized === 'cloudly' || normalized === 'custom') return normalized;
+    return 'onebox';
+  }
+
+  private parseList(value: string): string[] {
+    return value.split(',').map((entry) => entry.trim()).filter(Boolean);
+  }
+
+  private parseAllowedRouteTargets(value: string): interfaces.data.IGatewayClient['allowedRouteTargets'] {
+    const target = value.trim();
+    if (!target.includes(':')) return [];
+    const [host, portsValue] = target.split(':');
+    const ports = portsValue.split(',').map((port) => Number(port.trim())).filter((port) => Number.isInteger(port));
+    return host.trim() && ports.length ? [{ host: host.trim(), ports }] : [];
+  }
+}

ts_web/elements/domains/ops-view-certificates.ts

@@ -11,6 +11,7 @@ import * as appstate from '../../appstate.js';
 import * as interfaces from '../../../dist_ts_interfaces/index.js';
 import { viewHostCss } from '../shared/css.js';
 import { type IStatsTile } from '@design.estate/dees-catalog';
+import { appRouter } from '../../router.js';
 
 declare global {
   interface HTMLElementTagNameMap {
@@ -26,6 +27,9 @@ export class OpsViewCertificates extends DeesElement {
   @state()
   accessor acmeState: appstate.IAcmeConfigState = appstate.acmeConfigStatePart.getState()!;
 
+  @state()
+  accessor domainsState: appstate.IDomainsState = appstate.domainsStatePart.getState()!;
+
   constructor() {
     super();
     const certSub = appstate.certificateStatePart.select().subscribe((newState) => {
@@ -36,12 +40,19 @@ export class OpsViewCertificates extends DeesElement {
       this.acmeState = newState;
     });
     this.rxSubscriptions.push(acmeSub);
+    const domainsSub = appstate.domainsStatePart.select().subscribe((newState) => {
+      this.domainsState = newState;
+    });
+    this.rxSubscriptions.push(domainsSub);
   }
 
   async connectedCallback() {
     await super.connectedCallback();
-    await appstate.certificateStatePart.dispatchAction(appstate.fetchCertificateOverviewAction, null);
-    await appstate.acmeConfigStatePart.dispatchAction(appstate.fetchAcmeConfigAction, null);
+    await Promise.all([
+      appstate.certificateStatePart.dispatchAction(appstate.fetchCertificateOverviewAction, null),
+      appstate.acmeConfigStatePart.dispatchAction(appstate.fetchAcmeConfigAction, null),
+      appstate.domainsStatePart.dispatchAction(appstate.fetchDomainsAndProvidersAction, null),
+    ]);
   }
 
   public static styles = [
@@ -127,10 +138,16 @@ export class OpsViewCertificates extends DeesElement {
       .errorText {
         font-size: 12px;
         color: ${cssManager.bdTheme('#991b1b', '#f87171')};
-        max-width: 200px;
-        overflow: hidden;
-        text-overflow: ellipsis;
-        white-space: nowrap;
+        max-width: 420px;
+        line-height: 1.35;
+        white-space: normal;
+      }
+
+      .errorStack {
+        display: flex;
+        flex-direction: column;
+        align-items: flex-start;
+        gap: 4px;
       }
 
       .backoffIndicator {
@@ -160,6 +177,39 @@ export class OpsViewCertificates extends DeesElement {
       .expiryInfo .daysLeft.danger {
         color: ${cssManager.bdTheme('#991b1b', '#f87171')};
       }
+
+      .dnsWarningPanel {
+        border: 1px solid ${cssManager.bdTheme('#fed7aa', '#7c2d12')};
+        border-radius: 12px;
+        padding: 16px;
+        background: ${cssManager.bdTheme('#fff7ed', '#1c1917')};
+        color: ${cssManager.bdTheme('#7c2d12', '#fdba74')};
+      }
+
+      .dnsWarningTitle {
+        font-weight: 700;
+        margin-bottom: 6px;
+      }
+
+      .dnsWarningText {
+        font-size: 13px;
+        line-height: 1.45;
+        color: ${cssManager.bdTheme('#9a3412', '#fed7aa')};
+      }
+
+      .dnsWarningList {
+        margin: 12px 0 0;
+        padding-left: 18px;
+        font-size: 13px;
+        line-height: 1.5;
+      }
+
+      .dnsWarningActions {
+        display: flex;
+        flex-wrap: wrap;
+        gap: 8px;
+        margin-top: 14px;
+      }
     `,
   ];
 
@@ -172,11 +222,102 @@ export class OpsViewCertificates extends DeesElement {
       <div class="certificatesContainer">
         ${this.renderStatsTiles(summary)}
         ${this.renderAcmeSettingsTile()}
+        ${this.renderManagedDomainWarnings()}
         ${this.renderCertificateTable()}
       </div>
     `;
   }
 
+  private renderManagedDomainWarnings(): TemplateResult {
+    const issues = this.getMissingManagedDomainIssues();
+    if (issues.length === 0) {
+      return html``;
+    }
+
+    const shownIssues = issues.slice(0, 6);
+    const remaining = issues.length - shownIssues.length;
+
+    return html`
+      <div class="dnsWarningPanel">
+        <div class="dnsWarningTitle">DNS-01 certificate provisioning needs managed DNS domains</div>
+        <div class="dnsWarningText">
+          DcRouter can only create ACME TXT records for domains listed under Domains > Domains.
+          Add the zone directly or import it from a DNS provider before reprovisioning certificates.
+        </div>
+        <ul class="dnsWarningList">
+          ${shownIssues.map((issue) => html`
+            <li>
+              <strong>${issue.domain}</strong>: no managed DNS domain covers
+              <code>${issue.challengeHost}</code>. Add/import <code>${issue.requiredDomain}</code>
+              or a parent zone.
+            </li>
+          `)}
+          ${remaining > 0 ? html`<li>${remaining} more domain${remaining === 1 ? '' : 's'} need managed DNS.</li>` : ''}
+        </ul>
+        <div class="dnsWarningActions">
+          <dees-button @click=${() => appRouter.navigateToView('domains', 'domains')}>Manage Domains</dees-button>
+          <dees-button @click=${() => appRouter.navigateToView('domains', 'providers')}>DNS Providers</dees-button>
+        </div>
+      </div>
+    `;
+  }
+
+  private getMissingManagedDomainIssues(): Array<{
+    domain: string;
+    challengeHost: string;
+    requiredDomain: string;
+  }> {
+    const managedDomains = this.domainsState.domains
+      .map((domain) => this.normalizeDomain(domain.name))
+      .filter(Boolean);
+    const issues: Array<{ domain: string; challengeHost: string; requiredDomain: string }> = [];
+    const seen = new Set<string>();
+
+    for (const cert of this.certState.certificates) {
+      if (!cert.canReprovision || (cert.source !== 'acme' && cert.source !== 'provision-function')) {
+        continue;
+      }
+
+      const requiredDomain = this.getAcmeChallengeDomain(cert.domain);
+      if (!requiredDomain) {
+        continue;
+      }
+
+      const covered = managedDomains.some((managedDomain) =>
+        requiredDomain === managedDomain || requiredDomain.endsWith(`.${managedDomain}`),
+      );
+      if (covered) {
+        continue;
+      }
+
+      const key = `${cert.domain}:${requiredDomain}`;
+      if (seen.has(key)) {
+        continue;
+      }
+      seen.add(key);
+      issues.push({
+        domain: cert.domain,
+        challengeHost: `_acme-challenge.${requiredDomain}`,
+        requiredDomain,
+      });
+    }
+
+    return issues;
+  }
+
+  private getAcmeChallengeDomain(domain: string): string {
+    const normalized = this.normalizeDomain(domain).replace(/^\*\.?/, '');
+    const parts = normalized.split('.').filter(Boolean);
+    if (parts.length >= 2 && parts.length <= 3) {
+      return parts.slice(-2).join('.');
+    }
+    return normalized;
+  }
+
+  private normalizeDomain(domain: string): string {
+    return domain.trim().toLowerCase().replace(/^\*\.?/, '').replace(/\.$/, '');
+  }
+
   private renderAcmeSettingsTile(): TemplateResult {
     const config = this.acmeState.config;
 
@@ -349,11 +490,7 @@ export class OpsViewCertificates extends DeesElement {
           Status: this.renderStatusBadge(cert.status),
           Source: this.renderSourceBadge(cert.source),
           Expires: this.renderExpiry(cert.expiryDate),
-          Error: cert.backoffInfo
-            ? html`<span class="backoffIndicator">${cert.backoffInfo.failures} failures, retry ${this.formatRetryTime(cert.backoffInfo.retryAfter)}</span>`
-            : cert.error
-              ? html`<span class="errorText" title="${cert.error}">${cert.error}</span>`
-              : '',
+          Error: this.renderError(cert),
         })}
         .dataActions=${[
           {
@@ -632,6 +769,24 @@ export class OpsViewCertificates extends DeesElement {
     `;
   }
 
+  private renderError(cert: interfaces.requests.ICertificateInfo): TemplateResult | string {
+    if (cert.backoffInfo) {
+      const message = cert.backoffInfo.lastError || cert.error;
+      return html`
+        <span class="errorStack">
+          ${message ? html`<span class="errorText" title=${message}>${message}</span>` : ''}
+          <span class="backoffIndicator">
+            ${cert.backoffInfo.failures} failure${cert.backoffInfo.failures === 1 ? '' : 's'}, retry ${this.formatRetryTime(cert.backoffInfo.retryAfter)}
+          </span>
+        </span>
+      `;
+    }
+    if (cert.error) {
+      return html`<span class="errorText" title=${cert.error}>${cert.error}</span>`;
+    }
+    return '';
+  }
+
   private formatRetryTime(retryAfter?: string): string {
     if (!retryAfter) return 'soon';
     const retryDate = new Date(retryAfter);

ts_web/elements/network/ops-view-network-activity.ts

@@ -79,7 +79,6 @@ export class OpsViewNetworkActivity extends DeesElement {
     // Subscribe and track unsubscribe functions
     const statsUnsubscribe = appstate.statsStatePart.select().subscribe((state) => {
       this.statsState = state;
-      this.updateNetworkData();
     });
     this.rxSubscriptions.push(statsUnsubscribe);
 
@@ -256,6 +255,17 @@ export class OpsViewNetworkActivity extends DeesElement {
         color: ${cssManager.bdTheme('#f57c00', '#ff9933')};
       }
 
+      .intelligenceBadge {
+        display: inline-flex;
+        align-items: center;
+        padding: 4px 8px;
+        border-radius: 999px;
+        font-size: 12px;
+        font-weight: 500;
+        background: ${cssManager.bdTheme('#eef2ff', '#1e1b4b')};
+        color: ${cssManager.bdTheme('#4338ca', '#a5b4fc')};
+      }
+
       .protocolChartGrid {
         display: grid;
         grid-template-columns: repeat(2, 1fr);
@@ -346,6 +356,100 @@ export class OpsViewNetworkActivity extends DeesElement {
     return `${size.toFixed(1)} ${units[unitIndex]}`;
   }
 
+  private formatOptional(value: unknown): string {
+    if (value === null || value === undefined || value === '') return '-';
+    return String(value);
+  }
+
+  private formatDateTime(timestamp?: number | null): string {
+    return timestamp ? new Date(timestamp).toLocaleString() : '-';
+  }
+
+  private getIpIntelligence(ip: string): interfaces.data.IIpIntelligenceRecord | undefined {
+    return this.networkState.ipIntelligence?.find((record) => record.ipAddress === ip);
+  }
+
+  private getIpOrganization(record?: interfaces.data.IIpIntelligenceRecord): string {
+    return record?.asnOrg || record?.registrantOrg || '';
+  }
+
+  private getIpIntelligenceColumns(ip: string): Record<string, unknown> {
+    const record = this.getIpIntelligence(ip);
+    const organization = this.getIpOrganization(record);
+    return {
+      'Intelligence': record
+        ? html`<span class="intelligenceBadge">${this.formatOptional(organization || record.countryCode || 'Known')}</span>`
+        : html`<span class="statusBadge warning">Enriching...</span>`,
+      'ASN': record?.asn ? `AS${record.asn}` : '-',
+      'Organization': this.formatOptional(organization),
+      'Country': this.formatOptional(record?.countryCode || record?.country),
+      'Network Range': this.formatOptional(record?.networkRange),
+      'Last Seen': this.formatDateTime(record?.lastSeenAt),
+    };
+  }
+
+  private getIpDataActions() {
+    return [
+      {
+        name: 'Refresh Intelligence',
+        iconName: 'lucide:refresh-cw',
+        type: ['inRow', 'contextmenu'] as any,
+        actionFunc: async (actionData: any) => {
+          const ip = actionData.item.ip;
+          await appstate.securityPolicyStatePart.dispatchAction(appstate.refreshIpIntelligenceAction, ip);
+          await appstate.networkStatePart.dispatchAction(appstate.fetchNetworkStatsAction, null);
+        },
+      },
+      {
+        name: 'Block IP',
+        iconName: 'lucide:shield-ban',
+        type: ['inRow', 'contextmenu'] as any,
+        actionFunc: async (actionData: any) => {
+          await this.createBlockRuleDialog('ip', actionData.item.ip, 'Blocked from Network Activity');
+        },
+      },
+      {
+        name: 'Block Network Range',
+        iconName: 'lucide:network',
+        type: ['contextmenu'] as any,
+        actionRelevancyCheckFunc: (actionData: any) => Boolean(this.getIpIntelligence(actionData.item.ip)?.networkRange),
+        actionFunc: async (actionData: any) => {
+          const record = this.getIpIntelligence(actionData.item.ip);
+          await this.createBlockRuleDialog('cidr', record!.networkRange!, 'Blocked network range from Network Activity');
+        },
+      },
+      {
+        name: 'Block ASN',
+        iconName: 'lucide:radio-tower',
+        type: ['contextmenu'] as any,
+        actionRelevancyCheckFunc: (actionData: any) => Boolean(this.getIpIntelligence(actionData.item.ip)?.asn),
+        actionFunc: async (actionData: any) => {
+          const record = this.getIpIntelligence(actionData.item.ip);
+          await this.createBlockRuleDialog('asn', String(record!.asn), 'Blocked ASN from Network Activity');
+        },
+      },
+      {
+        name: 'Block Organization',
+        iconName: 'lucide:building-2',
+        type: ['contextmenu'] as any,
+        actionRelevancyCheckFunc: (actionData: any) => Boolean(this.getIpOrganization(this.getIpIntelligence(actionData.item.ip))),
+        actionFunc: async (actionData: any) => {
+          const record = this.getIpIntelligence(actionData.item.ip);
+          await this.createBlockRuleDialog('organization', this.getIpOrganization(record), 'Blocked organization from Network Activity');
+        },
+      },
+      {
+        name: 'View Intelligence',
+        iconName: 'lucide:info',
+        type: ['doubleClick', 'contextmenu'] as any,
+        actionRelevancyCheckFunc: (actionData: any) => Boolean(this.getIpIntelligence(actionData.item.ip)),
+        actionFunc: async (actionData: any) => {
+          await this.showIpIntelligenceDetails(actionData.item.ip);
+        },
+      },
+    ];
+  }
+
   private calculateThroughput(): { in: number; out: number } {
     // Use real throughput data from network state
     return {
@@ -501,10 +605,12 @@ export class OpsViewNetworkActivity extends DeesElement {
             'Bandwidth In': bw ? this.formatBitsPerSecond(bw.in) : '0 bit/s',
             'Bandwidth Out': bw ? this.formatBitsPerSecond(bw.out) : '0 bit/s',
             'Share': totalConnections > 0 ? ((ipData.count / totalConnections) * 100).toFixed(1) + '%' : '0%',
+            ...this.getIpIntelligenceColumns(ipData.ip),
           };
         }}
+        .dataActions=${this.getIpDataActions()}
         heading1="Top Connected IPs"
-        heading2="IPs with most active connections and bandwidth"
+        heading2="IPs with most active connections, bandwidth, and intelligence"
         searchable
         .showColumnFilters=${true}
         .pagination=${false}
@@ -530,10 +636,12 @@ export class OpsViewNetworkActivity extends DeesElement {
             'Bandwidth Out': this.formatBitsPerSecond(ipData.bwOut),
             'Total Bandwidth': this.formatBitsPerSecond(ipData.bwIn + ipData.bwOut),
             'Connections': ipData.count,
+            ...this.getIpIntelligenceColumns(ipData.ip),
           };
         }}
+        .dataActions=${this.getIpDataActions()}
         heading1="Top IPs by Bandwidth"
-        heading2="IPs with highest throughput"
+        heading2="IPs with highest throughput and intelligence"
         searchable
         .showColumnFilters=${true}
         .pagination=${false}
@@ -560,6 +668,8 @@ export class OpsViewNetworkActivity extends DeesElement {
             'Throughput Out': this.formatBitsPerSecond(item.bytesOutPerSecond),
             'Transferred / min': this.formatBytes(totalBytesPerMin),
             'Connections': item.activeConnections,
+            'Req/s': item.requestsPerSecond != null ? item.requestsPerSecond.toFixed(1) : '-',
+            'Req/min': item.requestsLastMinute != null ? item.requestsLastMinute.toFixed(0) : '-',
             'Requests': item.requestCount?.toLocaleString() ?? '0',
             'Routes': item.routeCount,
           };
@@ -583,7 +693,7 @@ export class OpsViewNetworkActivity extends DeesElement {
     return html`
       <dees-table
         .data=${backends}
-        .rowKey=${'backend'}
+        .rowKey=${'id'}
         .highlightUpdates=${'flash'}
         .displayFunction=${(item: interfaces.data.IBackendInfo) => {
           const totalErrors = item.connectErrors + item.handshakeErrors + item.requestErrors;
@@ -677,6 +787,114 @@ export class OpsViewNetworkActivity extends DeesElement {
     });
   }
 
+  private getDropdownKey(value: any): string {
+    return typeof value === 'string' ? value : value?.key || '';
+  }
+
+  private async createBlockRuleDialog(
+    type: interfaces.data.TSecurityBlockRuleType,
+    value: string,
+    reason: string,
+  ): Promise<void> {
+    const { DeesModal } = await import('@design.estate/dees-catalog');
+    const typeOptions = [
+      { key: 'ip', option: 'IP address' },
+      { key: 'cidr', option: 'CIDR / network range' },
+      { key: 'asn', option: 'ASN' },
+      { key: 'organization', option: 'Organization' },
+    ];
+    const matchModeOptions = [
+      { key: 'contains', option: 'Organization contains value' },
+      { key: 'exact', option: 'Organization exactly matches value' },
+    ];
+
+    await DeesModal.createAndShow({
+      heading: 'Create Security Block Rule',
+      content: html`
+        <dees-form>
+          <dees-input-dropdown
+            .key=${'type'}
+            .label=${'Rule Type'}
+            .options=${typeOptions}
+            .selectedOption=${typeOptions.find((option) => option.key === type)}
+          ></dees-input-dropdown>
+          <dees-input-text .key=${'value'} .label=${'Value'} .value=${value} .required=${true}></dees-input-text>
+          <dees-input-dropdown
+            .key=${'matchMode'}
+            .label=${'Organization Match Mode'}
+            .description=${'Only used for organization rules'}
+            .options=${matchModeOptions}
+            .selectedOption=${matchModeOptions[0]}
+          ></dees-input-dropdown>
+          <dees-input-text .key=${'reason'} .label=${'Reason'} .value=${reason}></dees-input-text>
+          <dees-input-checkbox .key=${'enabled'} .label=${'Enable immediately'} .value=${true}></dees-input-checkbox>
+        </dees-form>
+      `,
+      menuOptions: [
+        { name: 'Cancel', iconName: 'lucide:x', action: async (modalArg: any) => modalArg.destroy() },
+        {
+          name: 'Create',
+          iconName: 'lucide:shield-ban',
+          action: async (modalArg: any) => {
+            const form = modalArg.shadowRoot?.querySelector('.content')?.querySelector('dees-form');
+            if (!form) return;
+            const data = await form.collectFormData();
+            const selectedType = this.getDropdownKey(data.type) as interfaces.data.TSecurityBlockRuleType;
+            const selectedValue = String(data.value || '').trim();
+            if (!selectedType || !selectedValue) return;
+            const matchMode = selectedType === 'organization'
+              ? this.getDropdownKey(data.matchMode) as interfaces.data.TSecurityBlockRuleMatchMode
+              : undefined;
+            await appstate.securityPolicyStatePart.dispatchAction(appstate.createSecurityBlockRuleAction, {
+              type: selectedType,
+              value: selectedValue,
+              matchMode,
+              reason: String(data.reason || '').trim() || undefined,
+              enabled: data.enabled !== false,
+            });
+            await appstate.networkStatePart.dispatchAction(appstate.fetchNetworkStatsAction, null);
+            await modalArg.destroy();
+          },
+        },
+      ],
+    });
+  }
+
+  private async showIpIntelligenceDetails(ip: string): Promise<void> {
+    const record = this.getIpIntelligence(ip);
+    if (!record) return;
+    const { DeesModal } = await import('@design.estate/dees-catalog');
+
+    await DeesModal.createAndShow({
+      heading: `IP Intelligence: ${ip}`,
+      content: html`
+        <div style="padding: 20px;">
+          <dees-dataview-codebox
+            .heading=${'Intelligence Record'}
+            progLang="json"
+            .codeToDisplay=${JSON.stringify(record, null, 2)}
+          ></dees-dataview-codebox>
+        </div>
+      `,
+      menuOptions: [
+        {
+          name: 'Copy Abuse Contact',
+          iconName: 'lucide:copy',
+          action: async () => {
+            if (record.abuseContact) await navigator.clipboard.writeText(record.abuseContact);
+          },
+        },
+        {
+          name: 'Block IP',
+          iconName: 'lucide:shield-ban',
+          action: async () => {
+            await this.createBlockRuleDialog('ip', record.ipAddress, 'Blocked from IP intelligence details');
+          },
+        },
+      ],
+    });
+  }
+
   private async updateNetworkData() {
     // Track requests/sec history for the trend sparkline (moved out of render)
     const reqPerSec = this.networkState.requestsPerSecond || 0;
@@ -707,6 +925,9 @@ export class OpsViewNetworkActivity extends DeesElement {
     }
 
     const throughput = this.calculateThroughput();
+    if (this.networkState.lastUpdated && now - this.networkState.lastUpdated > 3000) {
+      return;
+    }
 
     // Convert to Mbps (bytes * 8 / 1,000,000)
     const throughputInMbps = (throughput.in * 8) / 1000000;

ts_web/elements/network/ops-view-remoteingress.ts

@@ -125,6 +125,18 @@ export class OpsViewRemoteIngress extends DeesElement {
         color: ${cssManager.bdTheme('#047857', '#34d399')};
         border: 1px dashed ${cssManager.bdTheme('#6ee7b7', '#065f46')};
       }
+
+      .metricStack {
+        display: flex;
+        flex-direction: column;
+        gap: 2px;
+        font-size: 12px;
+        line-height: 1.35;
+      }
+
+      .metricMuted {
+        color: var(--text-muted, #6b7280);
+      }
     `,
   ];
 
@@ -226,9 +238,13 @@ export class OpsViewRemoteIngress extends DeesElement {
           .displayFunction=${(edge: interfaces.data.IRemoteIngress) => ({
             name: edge.name,
             status: this.getEdgeStatusHtml(edge),
+            transport: this.getTransportHtml(edge.id),
             publicIp: this.getEdgePublicIp(edge.id),
             ports: this.getPortsHtml(edge),
             tunnels: this.getEdgeTunnelCount(edge.id),
+            window: this.getWindowHtml(edge.id),
+            queues: this.getQueuesHtml(edge.id),
+            traffic: this.getTrafficHtml(edge.id),
             lastHeartbeat: this.getLastHeartbeat(edge.id),
           })}
           .dataActions=${[
@@ -459,6 +475,46 @@ export class OpsViewRemoteIngress extends DeesElement {
     return status?.activeTunnels || 0;
   }
 
+  private getTransportHtml(edgeId: string): TemplateResult | string {
+    const status = this.getEdgeStatus(edgeId);
+    if (!status?.connected) return '-';
+    const mode = status.transportMode || 'unknown';
+    const label = mode === 'quic' ? 'QUIC' : mode === 'tcpTls' ? 'TCP/TLS' : mode;
+    return html`<div class="metricStack"><strong>${label}</strong><span class="metricMuted">${status.fallbackUsed ? 'fallback' : status.performance?.profile || 'default'}</span></div>`;
+  }
+
+  private getWindowHtml(edgeId: string): TemplateResult | string {
+    const status = this.getEdgeStatus(edgeId);
+    if (!status?.connected || !status.flowControl) return '-';
+    if (!status.flowControl.applies) {
+      return html`<div class="metricStack"><span>native QUIC</span><span class="metricMuted">max ${status.performance?.maxStreamsPerEdge || '-'} streams</span></div>`;
+    }
+    return html`
+      <div class="metricStack">
+        <span>${this.formatBytes(status.flowControl.currentWindowBytes)} window</span>
+        <span class="metricMuted">${this.formatBytes(status.flowControl.estimatedInFlightBytes)} est. in-flight</span>
+      </div>
+    `;
+  }
+
+  private getQueuesHtml(edgeId: string): TemplateResult | string {
+    const status = this.getEdgeStatus(edgeId);
+    if (!status?.connected || !status.queues) return '-';
+    return html`<div class="metricStack"><span>C ${status.queues.ctrlQueueDepth} / D ${status.queues.dataQueueDepth}</span><span class="metricMuted">S ${status.queues.sustainedQueueDepth}</span></div>`;
+  }
+
+  private getTrafficHtml(edgeId: string): TemplateResult | string {
+    const status = this.getEdgeStatus(edgeId);
+    if (!status?.connected || !status.traffic) return '-';
+    const drops = (status.traffic.rejectedStreams || 0) + (status.udp?.droppedDatagrams || 0);
+    return html`
+      <div class="metricStack">
+        <span>${this.formatBytes(status.traffic.bytesIn)} in / ${this.formatBytes(status.traffic.bytesOut)} out</span>
+        <span class="metricMuted">${drops} rejected/dropped</span>
+      </div>
+    `;
+  }
+
   private getLastHeartbeat(edgeId: string): string {
     const status = this.getEdgeStatus(edgeId);
     if (!status?.lastHeartbeat) return '-';
@@ -467,4 +523,16 @@ export class OpsViewRemoteIngress extends DeesElement {
     if (ago < 3600000) return `${Math.floor(ago / 60000)}m ago`;
     return `${Math.floor(ago / 3600000)}h ago`;
   }
+
+  private formatBytes(bytes: number): string {
+    if (!Number.isFinite(bytes) || bytes <= 0) return '0 B';
+    const units = ['B', 'KB', 'MB', 'GB', 'TB'];
+    let value = bytes;
+    let unitIndex = 0;
+    while (value >= 1024 && unitIndex < units.length - 1) {
+      value = value / 1024;
+      unitIndex++;
+    }
+    return `${value >= 10 || unitIndex === 0 ? value.toFixed(0) : value.toFixed(1)} ${units[unitIndex]}`;
+  }
 }

ts_web/elements/network/ops-view-routes.ts

@@ -129,6 +129,7 @@ export class OpsViewRoutes extends DeesElement {
     mergedRoutes: [],
     warnings: [],
     apiTokens: [],
+    gatewayClients: [],
     isLoading: false,
     error: null,
     lastUpdated: 0,

ts_web/elements/network/ops-view-vpn.ts

@@ -49,19 +49,28 @@ export class OpsViewVpn extends DeesElement {
   @state()
   accessor vpnState: appstate.IVpnState = appstate.vpnStatePart.getState()!;
 
+  @state()
+  accessor targetProfilesState: appstate.ITargetProfilesState = appstate.targetProfilesStatePart.getState()!;
+
   constructor() {
     super();
     const sub = appstate.vpnStatePart.select().subscribe((newState) => {
       this.vpnState = newState;
     });
     this.rxSubscriptions.push(sub);
+
+    const targetProfilesSub = appstate.targetProfilesStatePart.select().subscribe((newState) => {
+      this.targetProfilesState = newState;
+    });
+    this.rxSubscriptions.push(targetProfilesSub);
   }
 
   async connectedCallback() {
     await super.connectedCallback();
-    await appstate.vpnStatePart.dispatchAction(appstate.fetchVpnAction, null);
-    // Ensure target profiles are loaded for autocomplete candidates
-    await appstate.targetProfilesStatePart.dispatchAction(appstate.fetchTargetProfilesAction, null);
+    await Promise.all([
+      appstate.vpnStatePart.dispatchAction(appstate.fetchVpnAction, null),
+      appstate.targetProfilesStatePart.dispatchAction(appstate.fetchTargetProfilesAction, null),
+    ]);
   }
 
   public static styles = [
@@ -330,13 +339,7 @@ export class OpsViewVpn extends DeesElement {
             'Status': statusHtml,
             'Routing': routingHtml,
             'VPN IP': client.assignedIp || '-',
-            'Target Profiles': client.targetProfileIds?.length
-              ? html`${client.targetProfileIds.map(id => {
-                  const profileState = appstate.targetProfilesStatePart.getState();
-                  const profile = profileState?.profiles.find(p => p.id === id);
-                  return html`<span class="tagBadge">${profile?.name || id}</span>`;
-                })}`
-              : '-',
+            'Target Profiles': this.renderTargetProfileBadges(client.targetProfileIds),
             'Description': client.description || '-',
             'Created': new Date(client.createdAt).toLocaleDateString(),
           };
@@ -347,6 +350,7 @@ export class OpsViewVpn extends DeesElement {
             iconName: 'lucide:plus',
             type: ['header'],
             actionFunc: async () => {
+              await this.ensureTargetProfilesLoaded();
               const { DeesModal } = await import('@design.estate/dees-catalog');
               const profileCandidates = this.getTargetProfileCandidates();
               const createModal = await DeesModal.createAndShow({
@@ -647,6 +651,7 @@ export class OpsViewVpn extends DeesElement {
             type: ['contextmenu', 'inRow'],
             actionFunc: async (actionData: any) => {
               const client = actionData.item as interfaces.data.IVpnClient;
+              await this.ensureTargetProfilesLoaded();
               const { DeesModal } = await import('@design.estate/dees-catalog');
               const currentDescription = client.description ?? '';
               const currentTargetProfileNames = this.resolveProfileIdsToLabels(client.targetProfileIds) || [];
@@ -810,12 +815,28 @@ export class OpsViewVpn extends DeesElement {
     `;
   }
 
+  private async ensureTargetProfilesLoaded(): Promise<void> {
+    await appstate.targetProfilesStatePart.dispatchAction(appstate.fetchTargetProfilesAction, null);
+  }
+
+  private renderTargetProfileBadges(ids?: string[]): TemplateResult | string {
+    const labels = this.resolveProfileIdsToLabels(ids, {
+      pendingLabel: 'Loading profile...',
+      missingLabel: (id) => `Unknown profile (${id})`,
+    });
+
+    if (!labels?.length) {
+      return '-';
+    }
+
+    return html`${labels.map((label) => html`<span class="tagBadge">${label}</span>`)}`;
+  }
+
   /**
    * Build stable profile labels for list inputs.
    */
   private getTargetProfileChoices() {
-    const profileState = appstate.targetProfilesStatePart.getState();
-    const profiles = profileState?.profiles || [];
+    const profiles = this.targetProfilesState.profiles || [];
     const nameCounts = new Map<string, number>();
 
     for (const profile of profiles) {
@@ -837,12 +858,27 @@ export class OpsViewVpn extends DeesElement {
   /**
    * Convert profile IDs to form labels (for populating edit form values).
    */
-  private resolveProfileIdsToLabels(ids?: string[]): string[] | undefined {
+  private resolveProfileIdsToLabels(
+    ids?: string[],
+    options: {
+      pendingLabel?: string;
+      missingLabel?: (id: string) => string;
+    } = {},
+  ): string[] | undefined {
     if (!ids?.length) return undefined;
     const choices = this.getTargetProfileChoices();
     const labelsById = new Map(choices.map((profile) => [profile.id, profile.label]));
     return ids.map((id) => {
-      return labelsById.get(id) || id;
+      const label = labelsById.get(id);
+      if (label) {
+        return label;
+      }
+
+      if (this.targetProfilesState.lastUpdated === 0 && !this.targetProfilesState.error) {
+        return options.pendingLabel || 'Loading profile...';
+      }
+
+      return options.missingLabel?.(id) || id;
     });
   }
 

ts_web/elements/ops-dashboard.ts

@@ -35,6 +35,7 @@ import { OpsViewEmailSecurity } from './email/ops-view-email-security.js';
 import { OpsViewEmailDomains } from './email/ops-view-email-domains.js';
 
 // Access group
+import { OpsViewGatewayClients } from './access/ops-view-gatewayclients.js';
 import { OpsViewApiTokens } from './access/ops-view-apitokens.js';
 import { OpsViewUsers } from './access/ops-view-users.js';
 
@@ -65,6 +66,9 @@ export class OpsDashboard extends DeesElement {
     isLoggedIn: false,
   };
 
+  private bootstrapStepper?: any;
+  private bootstrapCheckPromise?: Promise<void>;
+
   @state() accessor uiState: appstate.IUiState = {
     activeView: 'overview',
     activeSubview: null,
@@ -121,6 +125,7 @@ export class OpsDashboard extends DeesElement {
       name: 'Access',
       iconName: 'lucide:keyRound',
       subViews: [
+        { slug: 'gatewayclients', name: 'Gateway Clients', iconName: 'lucide:plugZap', element: OpsViewGatewayClients },
         { slug: 'apitokens', name: 'API Tokens', iconName: 'lucide:key', element: OpsViewApiTokens },
         { slug: 'users', name: 'Users', iconName: 'lucide:users', element: OpsViewUsers },
       ],
@@ -334,6 +339,7 @@ export class OpsDashboard extends DeesElement {
             await (simpleLogin as any).switchToSlottedContent();
             await appstate.statsStatePart.dispatchAction(appstate.fetchAllStatsAction, null);
             await appstate.configStatePart.dispatchAction(appstate.fetchConfigurationAction, null);
+            await this.ensureAdminBootstrap();
           } else {
             // Server rejected the JWT — clear state, show login
             await appstate.loginStatePart.dispatchAction(appstate.logoutAction, null);
@@ -368,10 +374,106 @@ export class OpsDashboard extends DeesElement {
       await simpleLogin!.switchToSlottedContent();
       await appstate.statsStatePart.dispatchAction(appstate.fetchAllStatsAction, null);
       await appstate.configStatePart.dispatchAction(appstate.fetchConfigurationAction, null);
+      await this.ensureAdminBootstrap();
     } else {
       form!.setStatus('error', 'Login failed!');
       await domtools.convenience.smartdelay.delayFor(2000);
       form!.reset();
     }
   }
+
+  private async ensureAdminBootstrap(): Promise<void> {
+    if (!this.loginState.identity || this.bootstrapStepper?.isConnected) {
+      return;
+    }
+    if (this.bootstrapCheckPromise) {
+      return this.bootstrapCheckPromise;
+    }
+
+    this.bootstrapCheckPromise = (async () => {
+      try {
+        const status = await appstate.getAdminBootstrapStatus();
+        if (status.needsBootstrap) {
+          await this.showAdminBootstrapStepper(status);
+        }
+      } catch (error) {
+        console.error('Admin bootstrap status check failed:', error);
+      } finally {
+        this.bootstrapCheckPromise = undefined;
+      }
+    })();
+
+    return this.bootstrapCheckPromise;
+  }
+
+  private async showAdminBootstrapStepper(statusArg: appstate.IAdminBootstrapStatus): Promise<void> {
+    const { DeesStepper } = await import('@design.estate/dees-catalog');
+    this.bootstrapStepper = await DeesStepper.createAndShow({
+      cancelable: false,
+      steps: [
+        {
+          title: 'Create Persisted Admin',
+          content: html`
+            <div style="display: grid; gap: 16px; color: var(--dees-color-text-secondary); font-size: 14px; line-height: 1.5;">
+              <p style="margin: 0;">
+                This router is currently using the temporary bootstrap admin. Create the first persisted admin account to continue.
+              </p>
+              <dees-form>
+                <dees-input-text .key=${'email'} .label=${'Admin email'} .required=${true}></dees-input-text>
+                <dees-input-text .key=${'name'} .label=${'Display name'}></dees-input-text>
+                <dees-input-text .key=${'password'} .label=${'Password'} .required=${true} .isPasswordBool=${true}></dees-input-text>
+                <dees-input-text .key=${'passwordConfirm'} .label=${'Confirm password'} .required=${true} .isPasswordBool=${true}></dees-input-text>
+                <dees-input-checkbox
+                  .key=${'enableIdpGlobalAuth'}
+                  .label=${'Allow idp.global login for this email'}
+                  .description=${statusArg.idpGlobalConfigured
+                    ? 'The local account remains authoritative; idp.global only verifies identity.'
+                    : 'Requires DCROUTER_IDP_GLOBAL_URL before idp.global logins can work.'}
+                ></dees-input-checkbox>
+              </dees-form>
+            </div>
+          `,
+          menuOptions: [
+            {
+              name: 'Create admin',
+              action: async (stepperArg: any) => {
+                const form = stepperArg.shadowRoot?.querySelector('.selected dees-form') as any;
+                if (!form) return;
+                const formData = await form.collectFormData();
+                const email = String(formData.email || '').trim();
+                const name = String(formData.name || '').trim();
+                const password = String(formData.password || '');
+                const passwordConfirm = String(formData.passwordConfirm || '');
+
+                if (!email || !password) {
+                  form.setStatus?.('error', 'Email and password are required.');
+                  return;
+                }
+                if (password !== passwordConfirm) {
+                  form.setStatus?.('error', 'Passwords do not match.');
+                  return;
+                }
+
+                try {
+                  form.setStatus?.('pending', 'Creating persisted admin...');
+                  await appstate.createInitialAdminUser({
+                    email,
+                    name,
+                    password,
+                    enableIdpGlobalAuth: Boolean(formData.enableIdpGlobalAuth),
+                  });
+                  form.setStatus?.('success', 'Persisted admin created.');
+                  await stepperArg.destroy();
+                  this.bootstrapStepper = undefined;
+                  await appstate.usersStatePart.dispatchAction(appstate.fetchUsersAction, null);
+                } catch (error) {
+                  form.setStatus?.('error', error instanceof Error ? error.message : 'Failed to create admin.');
+                }
+              },
+            },
+          ],
+        },
+      ],
+    });
+  }
 }

ts_web/elements/security/ops-view-security-blocked.ts

@@ -1,4 +1,5 @@
 import * as appstate from '../../appstate.js';
+import * as interfaces from '../../../dist_ts_interfaces/index.js';
 import { viewHostCss } from '../shared/css.js';
 
 import {
@@ -21,18 +22,23 @@ declare global {
 @customElement('ops-view-security-blocked')
 export class OpsViewSecurityBlocked extends DeesElement {
   @state()
-  accessor statsState: appstate.IStatsState = appstate.statsStatePart.getState()!;
+  accessor securityPolicyState: appstate.ISecurityPolicyState = appstate.securityPolicyStatePart.getState()!;
 
   constructor() {
     super();
-    const sub = appstate.statsStatePart
+    const sub = appstate.securityPolicyStatePart
       .select((s) => s)
       .subscribe((s) => {
-        this.statsState = s;
+        this.securityPolicyState = s;
       });
     this.rxSubscriptions.push(sub);
   }
 
+  public async connectedCallback() {
+    await super.connectedCallback();
+    await appstate.securityPolicyStatePart.dispatchAction(appstate.fetchSecurityPolicyAction, null);
+  }
+
   public static styles = [
     cssManager.defaultStyles,
     viewHostCss,
@@ -40,79 +46,436 @@ export class OpsViewSecurityBlocked extends DeesElement {
       dees-statsgrid {
         margin-bottom: 32px;
       }
+
+      .sectionStack {
+        display: flex;
+        flex-direction: column;
+        gap: 32px;
+      }
+
+      .statusBadge {
+        display: inline-flex;
+        align-items: center;
+        padding: 4px 8px;
+        border-radius: 4px;
+        font-size: 12px;
+        font-weight: 500;
+      }
+
+      .statusBadge.enabled {
+        background: ${cssManager.bdTheme('#e8f5e9', '#1a3a1a')};
+        color: ${cssManager.bdTheme('#388e3c', '#66bb6a')};
+      }
+
+      .statusBadge.disabled {
+        background: ${cssManager.bdTheme('#f5f5f5', '#2a2a2a')};
+        color: ${cssManager.bdTheme('#757575', '#999')};
+      }
+
+      .typeBadge {
+        display: inline-flex;
+        align-items: center;
+        padding: 4px 8px;
+        border-radius: 999px;
+        font-size: 12px;
+        font-weight: 500;
+        background: ${cssManager.bdTheme('#eef2ff', '#1e1b4b')};
+        color: ${cssManager.bdTheme('#4338ca', '#a5b4fc')};
+      }
+
+      .errorMessage {
+        padding: 12px 16px;
+        border-radius: 8px;
+        background: ${cssManager.bdTheme('#fef2f2', '#450a0a')};
+        color: ${cssManager.bdTheme('#b91c1c', '#fca5a5')};
+      }
     `,
   ];
 
   public render(): TemplateResult {
-    const metrics = this.statsState.securityMetrics;
-
-    if (!metrics) {
-      return html`
-        <div class="loadingMessage">
-          <p>Loading security metrics...</p>
-        </div>
-      `;
-    }
-
-    const blockedIPs: string[] = metrics.blockedIPs || [];
+    const state = this.securityPolicyState;
+    const activeRules = state.rules.filter((rule) => rule.enabled);
+    const disabledRules = state.rules.length - activeRules.length;
+    const compiledPolicy = state.compiledPolicy || { blockedIps: [], blockedCidrs: [] };
 
     const tiles: IStatsTile[] = [
       {
-        id: 'totalBlocked',
-        title: 'Blocked IPs',
-        value: blockedIPs.length,
+        id: 'activeRules',
+        title: 'Active Rules',
+        value: activeRules.length,
         type: 'number',
-        icon: 'lucide:ShieldBan',
-        color: blockedIPs.length > 0 ? '#ef4444' : '#22c55e',
-        description: 'Currently blocked addresses',
+        icon: 'lucide:shield-check',
+        color: activeRules.length > 0 ? '#ef4444' : '#22c55e',
+        description: `${disabledRules} disabled`,
+      },
+      {
+        id: 'compiledIps',
+        title: 'Compiled IPs',
+        value: compiledPolicy.blockedIps.length,
+        type: 'number',
+        icon: 'lucide:server-off',
+        color: '#ef4444',
+        description: 'Direct IP blocks enforced by SmartProxy',
+      },
+      {
+        id: 'compiledCidrs',
+        title: 'Compiled CIDRs',
+        value: compiledPolicy.blockedCidrs.length,
+        type: 'number',
+        icon: 'lucide:network',
+        color: '#f97316',
+        description: 'Network ranges pushed to enforcement layers',
+      },
+      {
+        id: 'intelligenceRecords',
+        title: 'IP Intelligence',
+        value: state.ipIntelligence.length,
+        type: 'number',
+        icon: 'lucide:radar',
+        color: '#6366f1',
+        description: 'Observed public IPs with enrichment',
       },
     ];
 
     return html`
-      <dees-heading level="3">Blocked IPs</dees-heading>
+      <dees-heading level="3">Security Blocking</dees-heading>
+
+      ${state.error ? html`<div class="errorMessage">${state.error}</div>` : html``}
 
       <dees-statsgrid
         .tiles=${tiles}
         .minTileWidth=${200}
       ></dees-statsgrid>
 
+      <div class="sectionStack">
+        ${this.renderRulesTable()}
+        ${this.renderCompiledPolicyTable()}
+        ${this.renderIpIntelligenceTable()}
+        ${this.renderAuditTable()}
+      </div>
+    `;
+  }
+
+  private renderRulesTable(): TemplateResult {
+    return html`
       <dees-table
-        .heading1=${'Blocked IP Addresses'}
-        .heading2=${'IPs blocked due to suspicious activity'}
-        .data=${blockedIPs.map((ip) => ({ ip }))}
-        .displayFunction=${(item) => ({
-          'IP Address': item.ip,
-          'Reason': 'Suspicious activity',
+        .heading1=${'Managed Block Rules'}
+        .heading2=${'Rules compiled into SmartProxy policy and remote ingress edge firewall snapshots'}
+        .data=${this.securityPolicyState.rules}
+        .rowKey=${'id'}
+        .displayFunction=${(rule: interfaces.data.ISecurityBlockRule) => ({
+          'Type': html`<span class="typeBadge">${rule.type}</span>`,
+          'Value': rule.value,
+          'Match': rule.type === 'organization' ? (rule.matchMode || 'contains') : '-',
+          'Reason': rule.reason || '-',
+          'Status': html`<span class="statusBadge ${rule.enabled ? 'enabled' : 'disabled'}">${rule.enabled ? 'Enabled' : 'Disabled'}</span>`,
+          'Created': this.formatDateTime(rule.createdAt),
+          'Updated': this.formatDateTime(rule.updatedAt),
         })}
-        .dataActions=${[
-          {
-            name: 'Unblock',
-            iconName: 'lucide:shield-off',
-            type: ['contextmenu' as const],
-            actionFunc: async (item) => {
-              await this.unblockIP(item.ip);
-            },
-          },
-          {
-            name: 'Clear All',
-            iconName: 'lucide:trash-2',
-            type: ['header' as const],
-            actionFunc: async () => {
-              await this.clearBlockedIPs();
-            },
-          },
-        ]}
+        .dataActions=${this.getRuleActions()}
+        searchable
+        .showColumnFilters=${true}
+        dataName="rule"
       ></dees-table>
     `;
   }
 
-  private async clearBlockedIPs() {
-    // SmartProxy manages IP blocking — not yet exposed via API
-    alert('Clearing blocked IPs is not yet supported from the UI.');
+  private renderCompiledPolicyTable(): TemplateResult {
+    const policy = this.securityPolicyState.compiledPolicy || { blockedIps: [], blockedCidrs: [] };
+    const rows = [
+      ...policy.blockedIps.map((value) => ({ type: 'ip', value })),
+      ...policy.blockedCidrs.map((value) => ({ type: 'cidr', value })),
+    ];
+
+    return html`
+      <dees-table
+        .heading1=${'Compiled Enforcement Policy'}
+        .heading2=${'Concrete IPs and CIDRs currently sent to SmartProxy and remote ingress'}
+        .data=${rows}
+        .rowKey=${'value'}
+        .displayFunction=${(row: { type: string; value: string }) => ({
+          'Enforcement Type': html`<span class="typeBadge">${row.type}</span>`,
+          'Value': row.value,
+        })}
+        searchable
+        .showColumnFilters=${true}
+        dataName="compiled rule"
+      ></dees-table>
+    `;
   }
 
-  private async unblockIP(ip: string) {
-    // SmartProxy manages IP blocking — not yet exposed via API
-    alert(`Unblocking IP ${ip} is not yet supported from the UI.`);
+  private renderIpIntelligenceTable(): TemplateResult {
+    return html`
+      <dees-table
+        .heading1=${'Observed IP Intelligence'}
+        .heading2=${'Public IPs observed in network metrics and enriched for ASN / organization matching'}
+        .data=${this.securityPolicyState.ipIntelligence}
+        .rowKey=${'ipAddress'}
+        .displayFunction=${(record: interfaces.data.IIpIntelligenceRecord) => ({
+          'IP Address': record.ipAddress,
+          'ASN': record.asn ? `AS${record.asn}` : '-',
+          'ASN Org': record.asnOrg || '-',
+          'Registrant Org': record.registrantOrg || '-',
+          'Country': record.countryCode || record.country || '-',
+          'Network Range': record.networkRange || '-',
+          'Abuse Contact': record.abuseContact || '-',
+          'Seen': record.seenCount,
+          'Last Seen': this.formatDateTime(record.lastSeenAt),
+        })}
+        .dataActions=${this.getIpIntelligenceActions()}
+        searchable
+        .showColumnFilters=${true}
+        dataName="ip intelligence record"
+      ></dees-table>
+    `;
+  }
+
+  private renderAuditTable(): TemplateResult {
+    return html`
+      <dees-table
+        .heading1=${'Policy Audit'}
+        .heading2=${'Recent security policy changes'}
+        .data=${this.securityPolicyState.auditEvents}
+        .rowKey=${'id'}
+        .displayFunction=${(event: interfaces.data.ISecurityPolicyAuditEvent) => ({
+          'Time': this.formatDateTime(event.createdAt),
+          'Action': event.action,
+          'Actor': event.actor,
+          'Details': this.formatAuditDetails(event.details),
+        })}
+        searchable
+        .showColumnFilters=${true}
+        dataName="audit event"
+      ></dees-table>
+    `;
+  }
+
+  private getRuleActions() {
+    return [
+      {
+        name: 'Create Rule',
+        iconName: 'lucide:plus',
+        type: ['header'] as any,
+        actionFunc: async () => this.showRuleDialog(),
+      },
+      {
+        name: 'Edit',
+        iconName: 'lucide:pencil',
+        type: ['inRow', 'contextmenu'] as any,
+        actionFunc: async (actionData: any) => this.showRuleDialog(actionData.item),
+      },
+      {
+        name: 'Enable',
+        iconName: 'lucide:play',
+        type: ['contextmenu'] as any,
+        actionRelevancyCheckFunc: (actionData: any) => !actionData.item.enabled,
+        actionFunc: async (actionData: any) => {
+          const rule = actionData.item as interfaces.data.ISecurityBlockRule;
+          await appstate.securityPolicyStatePart.dispatchAction(appstate.updateSecurityBlockRuleAction, {
+            id: rule.id,
+            enabled: true,
+          });
+        },
+      },
+      {
+        name: 'Disable',
+        iconName: 'lucide:pause',
+        type: ['contextmenu'] as any,
+        actionRelevancyCheckFunc: (actionData: any) => actionData.item.enabled,
+        actionFunc: async (actionData: any) => {
+          const rule = actionData.item as interfaces.data.ISecurityBlockRule;
+          await appstate.securityPolicyStatePart.dispatchAction(appstate.updateSecurityBlockRuleAction, {
+            id: rule.id,
+            enabled: false,
+          });
+        },
+      },
+      {
+        name: 'Delete',
+        iconName: 'lucide:trash-2',
+        type: ['contextmenu'] as any,
+        actionFunc: async (actionData: any) => {
+          const rule = actionData.item as interfaces.data.ISecurityBlockRule;
+          if (!window.confirm(`Delete block rule ${rule.type}:${rule.value}?`)) return;
+          await appstate.securityPolicyStatePart.dispatchAction(appstate.deleteSecurityBlockRuleAction, rule.id);
+        },
+      },
+    ];
+  }
+
+  private getIpIntelligenceActions() {
+    return [
+      {
+        name: 'Refresh Intelligence',
+        iconName: 'lucide:refresh-cw',
+        type: ['inRow', 'contextmenu'] as any,
+        actionFunc: async (actionData: any) => {
+          const record = actionData.item as interfaces.data.IIpIntelligenceRecord;
+          await appstate.securityPolicyStatePart.dispatchAction(appstate.refreshIpIntelligenceAction, record.ipAddress);
+        },
+      },
+      {
+        name: 'Block IP',
+        iconName: 'lucide:shield-ban',
+        type: ['contextmenu'] as any,
+        actionFunc: async (actionData: any) => {
+          const record = actionData.item as interfaces.data.IIpIntelligenceRecord;
+          await this.showRuleDialog(undefined, {
+            type: 'ip',
+            value: record.ipAddress,
+            reason: 'Blocked from IP intelligence table',
+          });
+        },
+      },
+      {
+        name: 'Block Network Range',
+        iconName: 'lucide:network',
+        type: ['contextmenu'] as any,
+        actionRelevancyCheckFunc: (actionData: any) => Boolean(actionData.item.networkRange),
+        actionFunc: async (actionData: any) => {
+          const record = actionData.item as interfaces.data.IIpIntelligenceRecord;
+          await this.showRuleDialog(undefined, {
+            type: 'cidr',
+            value: record.networkRange || '',
+            reason: 'Blocked network range from IP intelligence table',
+          });
+        },
+      },
+      {
+        name: 'Block ASN',
+        iconName: 'lucide:radio-tower',
+        type: ['contextmenu'] as any,
+        actionRelevancyCheckFunc: (actionData: any) => Boolean(actionData.item.asn),
+        actionFunc: async (actionData: any) => {
+          const record = actionData.item as interfaces.data.IIpIntelligenceRecord;
+          await this.showRuleDialog(undefined, {
+            type: 'asn',
+            value: String(record.asn),
+            reason: 'Blocked ASN from IP intelligence table',
+          });
+        },
+      },
+      {
+        name: 'Block Organization',
+        iconName: 'lucide:building-2',
+        type: ['contextmenu'] as any,
+        actionRelevancyCheckFunc: (actionData: any) => Boolean(actionData.item.asnOrg || actionData.item.registrantOrg),
+        actionFunc: async (actionData: any) => {
+          const record = actionData.item as interfaces.data.IIpIntelligenceRecord;
+          await this.showRuleDialog(undefined, {
+            type: 'organization',
+            value: record.asnOrg || record.registrantOrg || '',
+            reason: 'Blocked organization from IP intelligence table',
+          });
+        },
+      },
+    ];
+  }
+
+  private async showRuleDialog(
+    rule?: interfaces.data.ISecurityBlockRule,
+    defaults: Partial<interfaces.data.ISecurityBlockRule> = {},
+  ): Promise<void> {
+    const { DeesModal } = await import('@design.estate/dees-catalog');
+    const typeOptions = [
+      { key: 'ip', option: 'IP address' },
+      { key: 'cidr', option: 'CIDR / network range' },
+      { key: 'asn', option: 'ASN' },
+      { key: 'organization', option: 'Organization' },
+    ];
+    const matchModeOptions = [
+      { key: 'contains', option: 'Organization contains value' },
+      { key: 'exact', option: 'Organization exactly matches value' },
+    ];
+    const selectedType = rule?.type || defaults.type || 'ip';
+    const selectedMatchMode = rule?.matchMode || defaults.matchMode || 'contains';
+
+    await DeesModal.createAndShow({
+      heading: rule ? `Edit Block Rule: ${rule.type}:${rule.value}` : 'Create Block Rule',
+      content: html`
+        <dees-form>
+          ${rule ? html`` : html`
+            <dees-input-dropdown
+              .key=${'type'}
+              .label=${'Rule Type'}
+              .options=${typeOptions}
+              .selectedOption=${typeOptions.find((option) => option.key === selectedType)}
+            ></dees-input-dropdown>
+          `}
+          <dees-input-text
+            .key=${'value'}
+            .label=${'Value'}
+            .value=${rule?.value || defaults.value || ''}
+            .required=${true}
+          ></dees-input-text>
+          <dees-input-dropdown
+            .key=${'matchMode'}
+            .label=${'Organization Match Mode'}
+            .description=${'Only used for organization rules'}
+            .options=${matchModeOptions}
+            .selectedOption=${matchModeOptions.find((option) => option.key === selectedMatchMode)}
+          ></dees-input-dropdown>
+          <dees-input-text
+            .key=${'reason'}
+            .label=${'Reason'}
+            .value=${rule?.reason || defaults.reason || ''}
+          ></dees-input-text>
+          <dees-input-checkbox
+            .key=${'enabled'}
+            .label=${'Enabled'}
+            .value=${rule ? rule.enabled : defaults.enabled !== false}
+          ></dees-input-checkbox>
+        </dees-form>
+      `,
+      menuOptions: [
+        { name: 'Cancel', iconName: 'lucide:x', action: async (modalArg: any) => modalArg.destroy() },
+        {
+          name: rule ? 'Save' : 'Create',
+          iconName: rule ? 'lucide:check' : 'lucide:plus',
+          action: async (modalArg: any) => {
+            const form = modalArg.shadowRoot?.querySelector('.content')?.querySelector('dees-form');
+            if (!form) return;
+            const data = await form.collectFormData();
+            const type = (rule?.type || this.getDropdownKey(data.type)) as interfaces.data.TSecurityBlockRuleType;
+            const value = String(data.value || '').trim();
+            if (!type || !value) return;
+            const matchMode = type === 'organization'
+              ? this.getDropdownKey(data.matchMode) as interfaces.data.TSecurityBlockRuleMatchMode
+              : undefined;
+            const payload = {
+              value,
+              matchMode,
+              reason: String(data.reason || '').trim() || undefined,
+              enabled: data.enabled !== false,
+            };
+            if (rule) {
+              await appstate.securityPolicyStatePart.dispatchAction(appstate.updateSecurityBlockRuleAction, {
+                id: rule.id,
+                ...payload,
+              });
+            } else {
+              await appstate.securityPolicyStatePart.dispatchAction(appstate.createSecurityBlockRuleAction, {
+                type,
+                ...payload,
+              });
+            }
+            await modalArg.destroy();
+          },
+        },
+      ],
+    });
+  }
+
+  private getDropdownKey(value: any): string {
+    return typeof value === 'string' ? value : value?.key || '';
+  }
+
+  private formatDateTime(timestamp?: number): string {
+    return timestamp ? new Date(timestamp).toLocaleString() : '-';
+  }
+
+  private formatAuditDetails(details: Record<string, unknown>): string {
+    const text = JSON.stringify(details);
+    return text.length > 160 ? `${text.slice(0, 157)}...` : text;
   }
 }

ts_web/readme.md

@@ -1,72 +1,69 @@
 # @serve.zone/dcrouter-web
 
-Browser UI package for dcrouter's operations dashboard. 🖥️
-
-This package contains the browser entrypoint, app state, router, and web components that power the Ops dashboard served by dcrouter.
+`@serve.zone/dcrouter-web` is the browser-side Ops dashboard module for dcrouter. It provides the SPA entry point, route synchronization, app state, and web-component views that OpsServer serves from the main dcrouter runtime.
 
 ## Issue Reporting and Security
 
 For reporting bugs, issues, or security vulnerabilities, please visit [community.foss.global/](https://community.foss.global/). This is the central community hub for all issue reporting. Developers who sign and comply with our contribution agreement and go through identification can also get a [code.foss.global/](https://code.foss.global/) account to submit Pull Requests directly.
 
-## What Is In Here
+## What It Boots
 
-| Path | Purpose |
+| File | Purpose |
 | --- | --- |
-| `index.ts` | Browser entrypoint that initializes routing and renders `<ops-dashboard>` |
-| `appstate.ts` | Central reactive state and action definitions |
-| `router.ts` | URL-based dashboard routing |
-| `elements/` | Dashboard views and reusable UI pieces |
+| `index.ts` | Initializes the app router and renders `<ops-dashboard>` into `document.body`. |
+| `router.ts` | Defines top-level dashboard routes, subviews, redirects, and URL/state synchronization. |
+| `appstate.ts` | Holds reactive login, UI, config, stats, route, DNS, email, remote ingress, VPN, and log state. |
+| `elements/` | Contains the dashboard shell and feature-specific Dees web components. |
 
-## Main Views
+## View Map
 
-The dashboard currently includes views for:
+| Top-level view | Subviews |
+| --- | --- |
+| `overview` | `stats`, `configuration` |
+| `network` | `activity`, `routes`, `sourceprofiles`, `networktargets`, `targetprofiles`, `remoteingress`, `vpn` |
+| `email` | `log`, `security`, `domains` |
+| `logs` | flat view |
+| `access` | `apitokens`, `users` |
+| `security` | `overview`, `blocked`, `authentication` |
+| `domains` | `providers`, `domains`, `dns`, `certificates` |
 
-- overview and configuration
-- network activity and route management
-- source profiles, target profiles, and network targets
-- email activity and email domains
-- DNS providers, domains, DNS records, and certificates
-- API tokens and users
-- VPN, remote ingress, logs, and security views
+## Runtime Communication
 
-## Route Management UX
+The dashboard talks to the dcrouter OpsServer through:
 
-The web UI reflects dcrouter's current route ownership model:
+- TypedRequest calls for normal API actions
+- shared contracts from `@serve.zone/dcrouter-interfaces`
+- TypedSocket log streaming for live operational output
+- Dees web components and app-state subscriptions for UI updates
+- QR code rendering for VPN client UX
 
-- system routes are shown separately from user routes
-- system routes are visible and toggleable
-- system routes are not directly editable or deletable
-- API routes are fully managed through the route-management forms
+## Usage
 
-## How It Talks To dcrouter
-
-The frontend uses TypedRequest and shared interfaces from `@serve.zone/dcrouter-interfaces`.
-
-State actions in `appstate.ts` fetch and mutate:
-
-- stats and health
-- logs
-- routes and tokens
-- certificates and ACME config
-- DNS providers, domains, and records
-- email domains and email operations
-- VPN, remote ingress, and RADIUS data
-
-## Development Notes
-
-The browser bundle is built from this package and served by the main dcrouter package.
+This package is primarily consumed by the main dcrouter build and served by OpsServer. Install it directly only when you intentionally need the dashboard module boundary.
 
 ```bash
-pnpm run bundle
+pnpm add @serve.zone/dcrouter-web
+```
+
+For the full server and hosted dashboard, use `@serve.zone/dcrouter`.
+
+## Development
+
+This folder is published from the dcrouter monorepo via `tspublish.json` with order `4`.
+
+```bash
+pnpm run build
 pnpm run watch
 ```
 
-The generated bundle is written into `dist_serve/` by the main build pipeline.
+The dcrouter build emits served dashboard assets into `dist_serve/`.
 
-## When To Use This Package
+Useful source entry points:
 
-- Use it if you want the dashboard frontend as a package/module boundary.
-- Use the main `@serve.zone/dcrouter` package if you want the server that actually serves this UI.
+- `index.ts` boots the frontend.
+- `router.ts` owns URL/view state synchronization.
+- `elements/ops-dashboard.ts` defines the app shell and tab map.
+- `elements/network/`, `elements/domains/`, `elements/email/`, `elements/security/`, `elements/access/`, and `elements/overview/` hold feature views.
 
 ## License and Legal Information
 
@@ -82,7 +79,7 @@ Use of these trademarks must comply with Task Venture Capital GmbH's Trademark G
 
 ### Company Information
 
-Task Venture Capital GmbH  
+Task Venture Capital GmbH
 Registered at District Court Bremen HRB 35230 HB, Germany
 
 For any legal inquiries or further information, please contact us via email at hello@task.vc.

ts_web/router.ts

@@ -11,7 +11,7 @@ const subviewMap: Record<string, readonly string[]> = {
   overview: ['stats', 'configuration'] as const,
   network: ['activity', 'routes', 'sourceprofiles', 'networktargets', 'targetprofiles', 'remoteingress', 'vpn'] as const,
   email: ['log', 'security', 'domains'] as const,
-  access: ['apitokens', 'users'] as const,
+  access: ['gatewayclients', 'apitokens', 'users'] as const,
   security: ['overview', 'blocked', 'authentication'] as const,
   domains: ['providers', 'domains', 'dns', 'certificates'] as const,
 };
@@ -21,7 +21,7 @@ const defaultSubview: Record<string, string> = {
   overview: 'stats',
   network: 'activity',
   email: 'log',
-  access: 'apitokens',
+  access: 'gatewayclients',
   security: 'overview',
   domains: 'domains',
 };

tsconfig.json

@@ -3,6 +3,9 @@
     "target": "ES2022",
     "module": "NodeNext",
     "moduleResolution": "NodeNext",
+    "types": [
+      "node"
+    ],
     "esModuleInterop": true,
     "verbatimModuleSyntax": true
   },