v13.40.3

fix(deps): bump smartproxy and remoteingress dependencies
v13.40.2
2026-05-31 16:23:56 +00:00 · 2026-05-31 16:23:48 +00:00 · 2026-05-31 15:26:43 +00:00 · 2026-05-31 15:26:18 +00:00 · 2026-05-31 11:50:08 +00:00 · 2026-05-31 11:49:25 +00:00
57 changed files with 3041 additions and 562 deletions
@@ -0,0 +1,140 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+jobs:
+  build-and-release:
+    runs-on: ubuntu-latest
+    container:
+      image: code.foss.global/host.today/ht-docker-node:latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set up Deno
+        uses: denoland/setup-deno@v1
+        with:
+          deno-version: v2.x
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '22'
+
+      - name: Enable corepack
+        run: corepack enable
+
+      - name: Configure pnpm registry
+        run: pnpm config set registry https://verdaccio.lossless.digital/
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Get version from tag
+        id: version
+        run: |
+          VERSION=${GITHUB_REF#refs/tags/}
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+          echo "version_number=${VERSION#v}" >> $GITHUB_OUTPUT
+          echo "Building version: $VERSION"
+
+      - name: Verify package.json version matches tag
+        run: |
+          PACKAGE_VERSION=$(node -p "JSON.parse(require('fs').readFileSync('package.json', 'utf8')).version")
+          TAG_VERSION="${{ steps.version.outputs.version_number }}"
+          echo "package.json version: $PACKAGE_VERSION"
+          echo "Tag version: $TAG_VERSION"
+          if [ "$PACKAGE_VERSION" != "$TAG_VERSION" ]; then
+            echo "ERROR: Version mismatch!"
+            exit 1
+          fi
+
+      - name: Test package
+        run: pnpm test
+
+      - name: Build binary artifacts
+        run: pnpm run build:binary
+
+      - name: Generate SHA256 checksums
+        run: |
+          cd dist/binaries
+          sha256sum * > SHA256SUMS.txt
+          cat SHA256SUMS.txt
+          cd ../..
+
+      - name: Pack npm artifact
+        run: |
+          mkdir -p dist/package
+          pnpm pack --pack-destination dist/package
+          ls -lh dist/package
+
+      - name: Extract changelog for this version
+        run: |
+          VERSION="${{ steps.version.outputs.version }}"
+          if [ -f changelog.md ]; then
+            awk "/## $VERSION/,/## /" changelog.md | sed '$d' > /tmp/release_notes.md || true
+          fi
+          if [ ! -s /tmp/release_notes.md ]; then
+            cat > /tmp/release_notes.md << EOF
+          ## DcRouter $VERSION
+
+          NodeNext package build plus self-extracting Linux binaries.
+
+          ### Artifacts
+
+          - npm package tarball
+          - dcrouter-linux-x64
+          - dcrouter-linux-arm64
+          - SHA256SUMS.txt
+          EOF
+          fi
+
+      - name: Delete existing release if it exists
+        run: |
+          VERSION="${{ steps.version.outputs.version }}"
+          EXISTING_RELEASE_ID=$(curl -s \
+            -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
+            "https://code.foss.global/api/v1/repos/serve.zone/dcrouter/releases/tags/$VERSION" \
+            | jq -r '.id // empty')
+          if [ -n "$EXISTING_RELEASE_ID" ]; then
+            curl -X DELETE -s \
+              -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
+              "https://code.foss.global/api/v1/repos/serve.zone/dcrouter/releases/$EXISTING_RELEASE_ID"
+            sleep 2
+          fi
+
+      - name: Create Gitea Release
+        run: |
+          VERSION="${{ steps.version.outputs.version }}"
+          RELEASE_ID=$(curl -X POST -s \
+            -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
+            -H "Content-Type: application/json" \
+            "https://code.foss.global/api/v1/repos/serve.zone/dcrouter/releases" \
+            -d "{
+              \"tag_name\": \"$VERSION\",
+              \"name\": \"DcRouter $VERSION\",
+              \"body\": $(jq -Rs . /tmp/release_notes.md),
+              \"draft\": false,
+              \"prerelease\": false
+            }" | jq -r '.id')
+          for artifact in dist/package/* dist/binaries/*; do
+            [ -f "$artifact" ] || continue
+            filename=$(basename "$artifact")
+            curl -X POST -s \
+              -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
+              -H "Content-Type: application/octet-stream" \
+              --data-binary "@$artifact" \
+              "https://code.foss.global/api/v1/repos/serve.zone/dcrouter/releases/$RELEASE_ID/assets?name=$filename"
+          done
+
+      - name: Release Summary
+        run: |
+          echo "Release ${{ steps.version.outputs.version }} complete"
+          ls -lh dist/package
+          ls -lh dist/binaries
@@ -29,6 +29,28 @@
      }
    ]
  },
+  "@git.zone/tsdeno": {
+    "compileTargets": [
+      {
+        "name": "dcrouter-linux-x64",
+        "entryPoint": "binary/dcrouter.ts",
+        "outDir": "dist/binaries",
+        "target": "x86_64-unknown-linux-gnu",
+        "permissions": ["--allow-all"],
+        "noCheck": true,
+        "selfExtracting": true
+      },
+      {
+        "name": "dcrouter-linux-arm64",
+        "entryPoint": "binary/dcrouter.ts",
+        "outDir": "dist/binaries",
+        "target": "aarch64-unknown-linux-gnu",
+        "permissions": ["--allow-all"],
+        "noCheck": true,
+        "selfExtracting": true
+      }
+    ]
+  },
  "@git.zone/cli": {
    "schemaVersion": 2,
    "projectType": "service",
@@ -96,4 +118,4 @@
    ]
  },
  "@ship.zone/szci": {}
-}
+}
@@ -0,0 +1,4 @@
+process.env.CLI_CALL = 'true';
+
+const cliTool = await import('../dist_ts/index.js');
+await cliTool.runCli();
@@ -7,6 +7,220 @@



+
+
+
+
+
+
+
+
+
+## 2026-05-31 - 13.40.3
+
+### Fixes
+
+- bump smartproxy and remoteingress dependencies (deps)
+  - Bumped @push.rocks/smartproxy from ^27.12.1 to ^27.12.2
+  - Bumped @serve.zone/remoteingress from ^4.22.2 to ^4.22.3
+  - Updated dependency versions in both package.json and deno.json
+
+## 2026-05-31 - 13.40.2
+
+### Fixes
+
+- ensure source profiles fully own route security (routes)
+  - Resolve profile-backed routes by cloning source profile security instead of merging inline route overrides
+  - Clear stale route security when a source profile reference is removed without explicit replacement security
+  - Add a migration to rematerialize persisted profile-backed route security
+
+## 2026-05-31 - 13.40.1
+
+### Fixes
+
+- update smartproxy, remoteingress, and tsdeno dependencies (deps)
+  - Bump @push.rocks/smartproxy to ^27.12.1 in Deno imports
+  - Bump @serve.zone/remoteingress to ^4.22.2 in package and Deno configuration
+  - Bump @git.zone/tsdeno to ^1.5.0
+
+## 2026-05-30 - 13.40.0
+
+### Features
+
+- use active connection snapshots for proxy metrics and RADIUS network secrets (monitoring-opsserver-radius)
+  - Add cached SmartProxy active connection snapshots for connection info and network statistics.
+  - Report ops security active connections from per-connection snapshots with protocol, state, and byte counters.
+  - Configure RADIUS clients through smartradius network secrets, including CIDR ranges, and forward additional RADIUS attributes.
+  - Bump smartproxy to ^27.12.1 and smartradius to ^1.3.0.
+
+## 2026-05-30 - 13.39.0
+
+### Features
+
+- add remote ingress performance overrides and update RADIUS integration (remoteingress,radius)
+  - Persist and propagate optional remote ingress performance overrides through remote ingress create/update APIs, database documents, and hub allowed-edge sync.
+  - Add web UI controls and status display for per-edge maximum connection overrides.
+  - Extend remote ingress performance interfaces with stream payload, timeout, and server-first port settings.
+  - Update RADIUS server integration for smartradius 1.2 request/response handling and client secret resolution, including CIDR matching.
+
+## 2026-05-30 - 13.38.4
+
+### Fixes
+
+- bump @serve.zone/remoteingress to ^4.22.1 (deps)
+  - Updated @serve.zone/remoteingress in package.json and deno.json.
+
+## 2026-05-30 - 13.38.3
+
+### Fixes
+
+- update @serve.zone/remoteingress to ^4.22.0 (deps)
+  - Updated @serve.zone/remoteingress from ^4.21.1 to ^4.22.0 in package.json and deno.json.
+
+## 2026-05-30 - 13.38.2
+
+### Fixes
+
+- bump @serve.zone/remoteingress to ^4.21.1 (deps)
+  - Updated @serve.zone/remoteingress in package.json and deno.json from ^4.21.0 to ^4.21.1.
+
+## 2026-05-30 - 13.38.1
+
+### Fixes
+
+- bump @serve.zone/remoteingress to ^4.21.0 (deps)
+  - Updates @serve.zone/remoteingress from ^4.18.0 to ^4.21.0.
+- update @serve.zone/remoteingress to ^4.21.0 (deps)
+  - Updates the Deno import mapping for @serve.zone/remoteingress from ^4.18.0 to ^4.21.0.
+
+## 2026-05-29 - 13.38.0
+
+### Features
+
+- support explicit DNS bind interface configuration (dns)
+  - Add a dnsBindInterface option to override the embedded DNS UDP bind address.
+  - Read DCROUTER_DNS_BIND_INTERFACE from OCI container configuration and document it in CLI help.
+  - Add test coverage for explicit DNS bind interface handling in OCI config.
+
+## 2026-05-29 - 13.37.2
+
+### Fixes
+
+- exclude assets from compiled and published artifacts (packaging)
+  - Removed assets from the Deno compile include list.
+  - Removed assets from the npm package files list.
+
+## 2026-05-29 - 13.37.1
+
+### Fixes
+
+- configure pnpm registry for release workflow (release)
+  - Sets the pnpm registry before dependency installation so release builds resolve packages from the configured registry.
+
+## 2026-05-29 - 13.37.0
+
+### Features
+
+- add CLI binary distribution (distribution)
+  - Add dcrouter bin entry, Deno compile targets, binary entrypoint, and tag-driven release workflow for Linux artifacts.
+  - Add --version and --help handling to the CLI for safe package and binary smoke tests.
+  - Keep the Deno binary import map aligned with the current SmartDNS and SmartProxy runtime dependencies.
+- add one-line installer and Docker distribution docs (distribution)
+  - Add an install.sh flow that installs Linux x64 and arm64 release binaries by default with a NodeNext source-build fallback.
+  - Document installer modes, binary artifact names, and the published multi-arch Docker image.
+
+## 2026-05-29 - 13.36.3
+
+### Fixes
+
+- update SmartProxy to keep idle WebSocket tunnels on dedicated lifecycle timeouts
+  - Bump @push.rocks/smartproxy to ^27.11.1.
+  - Prevent public gateway WebSocket routes from inheriting the HTTP socket timeout.
+- bump smartproxy to keep idle WebSocket tunnels on dedicated lifecycle timeouts (deps)
+  - Bump @push.rocks/smartproxy to ^27.11.1.
+  - Prevent public gateway WebSocket routes from inheriting the HTTP socket timeout.
+
+## 2026-05-29 - 13.36.2
+
+### Fixes
+
+- preserve parallel ACME DNS-01 TXT challenges and consume case-insensitive DNS matching (dns,certificates)
+  - Keep exact and wildcard SAN challenge TXT records at the same owner name instead of deleting sibling challenge values.
+  - Match local dcrouter-hosted DNS records case-insensitively so DNS 0x20 mixed-case queries keep resolving.
+  - Update @push.rocks/smartdns to 7.9.3 for case-insensitive handler matching in the embedded DNS server.
+- preserve parallel ACME TXT challenges and mixed-case DNS queries (dns)
+  - Remove only matching ACME DNS-01 TXT challenge values during setup and cleanup so parallel challenges can coexist.
+  - Resolve locally hosted DNS records case-insensitively while preserving the query name casing in responses.
+  - Bump @push.rocks/smartdns to ^7.9.3.
+
+## 2026-05-28 - 13.36.1
+
+### Fixes
+
+- consume RemoteIngress 4.18.0 tunnel performance improvements (remoteingress)
+  - Update @serve.zone/remoteingress to 4.18.0 so DcRouter uses zero-copy TCP/TLS tunnel frame handling and the partial-write priority fix.
+- bump @serve.zone/remoteingress to ^4.18.0 (remoteingress)
+  - Updates @serve.zone/remoteingress from ^4.17.1 to ^4.18.0.
+  - Consumes zero-copy TCP/TLS tunnel frame handling and the partial-write priority fix from RemoteIngress.
+
+## 2026-05-28 - 13.36.0
+
+### Features
+
+- add top connected ASN activity to Network Activity (network)
+  - Aggregate live per-IP connection and bandwidth metrics by ASN using stored IP intelligence.
+  - Expose ASN activity through network stats and combined metrics APIs.
+  - Add a Network Activity table with ASN and organization block actions.
+  - Add MetricsManager coverage for ASN aggregation.
+- add top connected ASN activity to network monitoring (network)
+  - Aggregate live per-IP connection and bandwidth metrics by ASN using stored IP intelligence.
+  - Expose top ASN activity through network stats and combined metrics API responses.
+  - Add a Network Activity table for top ASNs with ASN and organization block actions.
+  - Add MetricsManager coverage for ASN aggregation.
+
+## 2026-05-24 - 13.35.0
+
+### Features
+
+- switch VPN route authorization to authenticated SmartVPN metadata (vpn)
+  - configure SmartVPN to forward real client source IPs plus VPN metadata through trusted PROXY v2 headers
+  - map target profiles to SmartProxy VPN client grants instead of mutating route source IP allow lists
+  - keep live VPN client source IP tracking as status/UI data while SmartProxy enforces source policy per connection
+
+## 2026-05-21 - 13.34.0
+
+### Features
+
+- allow VPN target profiles to grant routes by live client source IP (vpn)
+  - Add an opt-in target profile flag that evaluates non-vpnOnly route source security against the VPN client's real connecting IP.
+  - Track live VPN client source IPs from smartvpn remote addresses and WireGuard peer endpoints, refreshing routes when they change.
+  - Expose the setting and current source IPs in the Ops UI with regression coverage for source-IP matching behavior.
+- allow target profiles to grant non-vpnOnly routes by live client source IP (vpn)
+  - add an opt-in target profile flag to match route source security against a VPN client's real connecting IP
+  - track live client source IPs from VPN remote addresses and WireGuard peer endpoints and re-apply routes when they change
+  - expose source IP access settings and current client source IPs through the ops API and UI
+  - add regression tests for source-IP route matching, block-list handling, vpnOnly exclusions, and WireGuard endpoint refresh
+
+## 2026-05-21 - 13.33.0
+
+### Features
+
+- add queued IP intelligence observation and filtered retrieval for network and security views (security)
+  - Queue observed public IPs from network metrics with throttled background enrichment instead of awaiting lookups during stats collection.
+  - Allow listing IP intelligence records by specific IP addresses and limit through the security handler and request interface.
+  - Update web app state to refresh IP intelligence asynchronously in the background and preserve current UI state during refreshes.
+  - Improve security policy manager observation handling so forced refresh waits for in-flight lookups before fetching updated intelligence.
+
+## 2026-05-20 - 13.32.1
+
+### Fixes
+
+- tighten admin bootstrap behavior when the database is unavailable and include wildcard VPN profile matches in route access rules (opsserver,vpn)
+  - Block ephemeral admin bootstrap login and user listing until the configured database is ready, and report bootstrap availability accurately in admin status responses.
+  - Preserve persisted admin accounts across OpsServer restarts with added regression coverage.
+  - Merge matching VPN client IPs into restricted non-vpnOnly route allow lists without duplicating entries.
+  - Handle string and wildcard route domains consistently when resolving target profile access and VPN client matches.
+
 ## 2026-05-19 - 13.32.0

 ### Features
@@ -0,0 +1,49 @@
+{
+  "name": "@serve.zone/dcrouter",
+  "version": "13.40.3",
+  "exports": "./binary/dcrouter.ts",
+  "compile": {
+    "include": [
+      "dist_serve"
+    ]
+  },
+  "imports": {
+    "@api.global/typedrequest": "npm:@api.global/typedrequest@^3.3.1",
+    "@api.global/typedrequest-interfaces": "npm:@api.global/typedrequest-interfaces@^3.0.19",
+    "@api.global/typedserver": "npm:@api.global/typedserver@^8.4.6",
+    "@api.global/typedsocket": "npm:@api.global/typedsocket@^4.1.3",
+    "@apiclient.xyz/cloudflare": "npm:@apiclient.xyz/cloudflare@^7.1.0",
+    "@idp.global/sdk/server": "npm:@idp.global/sdk@^1.3.1/server",
+    "@push.rocks/lik": "npm:@push.rocks/lik@^6.4.1",
+    "@push.rocks/projectinfo": "npm:@push.rocks/projectinfo@^5.1.0",
+    "@push.rocks/qenv": "npm:@push.rocks/qenv@^6.1.4",
+    "@push.rocks/smartacme": "npm:@push.rocks/smartacme@^9.5.0",
+    "@push.rocks/smartdata": "npm:@push.rocks/smartdata@^7.1.7",
+    "@push.rocks/smartdb": "npm:@push.rocks/smartdb@^2.10.1",
+    "@push.rocks/smartdns": "npm:@push.rocks/smartdns@^7.9.3",
+    "@push.rocks/smartfs": "npm:@push.rocks/smartfs@^1.5.1",
+    "@push.rocks/smartguard": "npm:@push.rocks/smartguard@^3.1.0",
+    "@push.rocks/smartjwt": "npm:@push.rocks/smartjwt@^2.2.2",
+    "@push.rocks/smartlog": "npm:@push.rocks/smartlog@^3.2.2",
+    "@push.rocks/smartmetrics": "npm:@push.rocks/smartmetrics@^3.0.3",
+    "@push.rocks/smartmigration": "npm:@push.rocks/smartmigration@1.4.1",
+    "@push.rocks/smartmta": "npm:@push.rocks/smartmta@^5.3.3",
+    "@push.rocks/smartnetwork": "npm:@push.rocks/smartnetwork@^4.7.2",
+    "@push.rocks/smartpath": "npm:@push.rocks/smartpath@^6.0.0",
+    "@push.rocks/smartpromise": "npm:@push.rocks/smartpromise@^4.2.4",
+    "@push.rocks/smartproxy": "npm:@push.rocks/smartproxy@^27.12.2",
+    "@push.rocks/smartradius": "npm:@push.rocks/smartradius@^1.1.2",
+    "@push.rocks/smartrequest": "npm:@push.rocks/smartrequest@^5.0.3",
+    "@push.rocks/smartrx": "npm:@push.rocks/smartrx@^3.0.10",
+    "@push.rocks/smartstate": "npm:@push.rocks/smartstate@^2.3.1",
+    "@push.rocks/smartunique": "npm:@push.rocks/smartunique@^3.0.9",
+    "@push.rocks/smartvpn": "npm:@push.rocks/smartvpn@1.20.0",
+    "@push.rocks/taskbuffer": "npm:@push.rocks/taskbuffer@^8.0.2",
+    "@serve.zone/interfaces": "npm:@serve.zone/interfaces@^5.8.0",
+    "@serve.zone/remoteingress": "npm:@serve.zone/remoteingress@^4.22.3",
+    "@tsclass/tsclass": "npm:@tsclass/tsclass@^9.5.1",
+    "lru-cache": "npm:lru-cache@^11.4.0",
+    "qrcode": "npm:qrcode@^1.5.4",
+    "uuid": "npm:uuid@^14.0.0"
+  }
+}
@@ -0,0 +1,359 @@
+#!/bin/bash
+
+# DcRouter Installer Script
+# Installs the self-extracting Linux binary by default, or builds the NodeNext
+# source package when --source is specified.
+#
+# Usage:
+#   Binary install:
+#     curl -sSL https://code.foss.global/serve.zone/dcrouter/raw/branch/main/install.sh | sudo bash
+#
+#   Source install:
+#     curl -sSL https://code.foss.global/serve.zone/dcrouter/raw/branch/main/install.sh | sudo bash -s -- --source
+#
+# Options:
+#   -h, --help             Show this help message
+#   --version VERSION      Install a specific tag/version (e.g. vX.Y.Z)
+#   --install-dir DIR      Installation directory (default: /opt/dcrouter)
+#   --binary               Install release binary (default)
+#   --source               Clone the tag and build the NodeNext package locally
+
+set -euo pipefail
+
+SHOW_HELP=0
+SPECIFIED_VERSION=""
+INSTALL_DIR="/opt/dcrouter"
+INSTALL_MODE="binary"
+GITEA_BASE_URL="https://code.foss.global"
+GITEA_REPO="serve.zone/dcrouter"
+SERVICE_NAME="dcrouter"
+BIN_DIR="/usr/local/bin"
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    -h|--help)
+      SHOW_HELP=1
+      shift
+      ;;
+    --version)
+      if [[ $# -lt 2 ]]; then
+        echo "Error: --version requires a value"
+        exit 1
+      fi
+      SPECIFIED_VERSION="$2"
+      shift 2
+      ;;
+    --install-dir)
+      if [[ $# -lt 2 ]]; then
+        echo "Error: --install-dir requires a value"
+        exit 1
+      fi
+      INSTALL_DIR="$2"
+      shift 2
+      ;;
+    --binary)
+      INSTALL_MODE="binary"
+      shift
+      ;;
+    --source)
+      INSTALL_MODE="source"
+      shift
+      ;;
+    *)
+      echo "Unknown option: $1"
+      echo "Use -h or --help for usage information"
+      exit 1
+      ;;
+  esac
+done
+
+if [[ $SHOW_HELP -eq 1 ]]; then
+  echo "DcRouter Installer Script"
+  echo "Installs DcRouter as a self-extracting binary or NodeNext source build."
+  echo ""
+  echo "Usage: $0 [options]"
+  echo ""
+  echo "Options:"
+  echo "  -h, --help             Show this help message"
+  echo "  --version VERSION      Install a specific tag/version (e.g. vX.Y.Z)"
+  echo "  --install-dir DIR      Installation directory (default: /opt/dcrouter)"
+  echo "  --binary               Install release binary (default)"
+  echo "  --source               Clone the tag and build the NodeNext package locally"
+  echo ""
+  echo "Examples:"
+  echo "  curl -sSL https://code.foss.global/serve.zone/dcrouter/raw/branch/main/install.sh | sudo bash"
+  echo "  curl -sSL https://code.foss.global/serve.zone/dcrouter/raw/branch/main/install.sh | sudo bash -s -- --source"
+  echo "  curl -sSL https://code.foss.global/serve.zone/dcrouter/raw/branch/main/install.sh | sudo bash -s -- --version vX.Y.Z"
+  exit 0
+fi
+
+if [[ "$EUID" -ne 0 ]]; then
+  echo "Please run as root (sudo bash install.sh or pipe to sudo bash)"
+  exit 1
+fi
+
+case "$INSTALL_DIR" in
+  ""|"/")
+    echo "Error: unsafe install directory: $INSTALL_DIR"
+    exit 1
+    ;;
+esac
+
+require_command() {
+  if ! command -v "$1" >/dev/null 2>&1; then
+    echo "Error: required command not found: $1"
+    exit 1
+  fi
+}
+
+ensure_pnpm() {
+  if command -v pnpm >/dev/null 2>&1; then
+    return
+  fi
+  if command -v corepack >/dev/null 2>&1; then
+    corepack enable
+  fi
+  if ! command -v pnpm >/dev/null 2>&1; then
+    echo "Error: pnpm is required for --source installs. Install Node.js with corepack/pnpm first."
+    exit 1
+  fi
+}
+
+make_executable_if_present() {
+  if [[ -f "$1" ]]; then
+    chmod 0755 "$1"
+  fi
+}
+
+get_latest_version() {
+  echo "Fetching latest release version from Gitea..." >&2
+
+  local api_url="${GITEA_BASE_URL}/api/v1/repos/${GITEA_REPO}/releases/latest"
+  local response
+  if ! response=$(curl -fsSL "$api_url" 2>/dev/null); then
+    echo "Error: Failed to fetch latest release information from Gitea API" >&2
+    echo "URL: $api_url" >&2
+    exit 1
+  fi
+
+  local version
+  version=$(printf '%s' "$response" | sed -n 's/.*"tag_name"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
+  if [[ -z "$version" ]]; then
+    echo "Error: Could not determine latest version from API response" >&2
+    exit 1
+  fi
+
+  echo "$version"
+}
+
+detect_binary_name() {
+  local os
+  local arch
+  os=$(uname -s)
+  arch=$(uname -m)
+
+  if [[ "$os" != "Linux" ]]; then
+    echo "Error: binary installer currently supports Linux only. Use --source for this platform." >&2
+    exit 1
+  fi
+
+  case "$arch" in
+    x86_64|amd64)
+      echo "dcrouter-linux-x64"
+      ;;
+    aarch64|arm64)
+      echo "dcrouter-linux-arm64"
+      ;;
+    *)
+      echo "Error: unsupported architecture for binary install: $arch. Use --source." >&2
+      exit 1
+      ;;
+  esac
+}
+
+echo "================================================"
+echo "  DcRouter Installation Script"
+echo "================================================"
+echo ""
+
+require_command curl
+require_command sed
+
+if [[ -n "$SPECIFIED_VERSION" ]]; then
+  VERSION="$SPECIFIED_VERSION"
+  echo "Installing specified version: $VERSION"
+else
+  VERSION=$(get_latest_version)
+  echo "Installing latest version: $VERSION"
+fi
+echo "Install mode: $INSTALL_MODE"
+echo ""
+
+SOURCE_REF="$VERSION"
+REPO_URL="${GITEA_BASE_URL}/${GITEA_REPO}.git"
+TEMP_DIR=$(mktemp -d)
+SOURCE_DIR="$TEMP_DIR/source"
+BACKUP_DIR=""
+SERVICE_WAS_RUNNING=0
+SERVICE_STOPPED=0
+SYSTEMD_AVAILABLE=0
+
+cleanup_temp() {
+  rm -rf "$TEMP_DIR"
+}
+trap cleanup_temp EXIT
+
+if command -v systemctl >/dev/null 2>&1; then
+  SYSTEMD_AVAILABLE=1
+  if systemctl is-active --quiet "$SERVICE_NAME" 2>/dev/null; then
+    SERVICE_WAS_RUNNING=1
+  fi
+fi
+
+restore_previous_installation() {
+  if [[ -n "$BACKUP_DIR" && -d "$BACKUP_DIR" ]]; then
+    echo "Restoring previous installation from $BACKUP_DIR..."
+    rm -rf "$INSTALL_DIR" || true
+    mv "$BACKUP_DIR" "$INSTALL_DIR" || true
+    if [[ -f "$INSTALL_DIR/dcrouter" ]]; then
+      mkdir -p "$BIN_DIR" || true
+      ln -sf "$INSTALL_DIR/dcrouter" "$BIN_DIR/dcrouter" || true
+    elif [[ -f "$INSTALL_DIR/cli.js" ]]; then
+      mkdir -p "$BIN_DIR" || true
+      ln -sf "$INSTALL_DIR/cli.js" "$BIN_DIR/dcrouter" || true
+    fi
+  fi
+}
+
+restart_previous_service_on_error() {
+  if [[ $SERVICE_STOPPED -eq 1 && $SYSTEMD_AVAILABLE -eq 1 ]]; then
+    echo "Installation failed after stopping DcRouter; restarting previous service..."
+    systemctl start "$SERVICE_NAME" || true
+  fi
+}
+
+handle_install_error() {
+  trap - ERR
+  restore_previous_installation
+  restart_previous_service_on_error
+}
+trap handle_install_error ERR
+
+stop_service_if_running() {
+  if [[ $SERVICE_WAS_RUNNING -eq 1 && $SYSTEMD_AVAILABLE -eq 1 ]] && systemctl is-active --quiet "$SERVICE_NAME" 2>/dev/null; then
+    echo "Stopping DcRouter service..."
+    systemctl stop "$SERVICE_NAME"
+    SERVICE_STOPPED=1
+  fi
+}
+
+move_previous_installation() {
+  mkdir -p "$(dirname "$INSTALL_DIR")"
+  if [[ -d "$INSTALL_DIR" ]]; then
+    BACKUP_DIR="${INSTALL_DIR}.previous.$$"
+    echo "Moving previous installation to $BACKUP_DIR"
+    mv "$INSTALL_DIR" "$BACKUP_DIR"
+  fi
+}
+
+install_source_build() {
+  require_command git
+  require_command node
+  ensure_pnpm
+
+  echo "Cloning DcRouter source from $REPO_URL ($SOURCE_REF)..."
+  git clone --depth 1 --branch "$SOURCE_REF" "$REPO_URL" "$SOURCE_DIR"
+
+  echo "Installing dependencies..."
+  pnpm --dir "$SOURCE_DIR" install --frozen-lockfile
+
+  echo "Building DcRouter..."
+  pnpm --dir "$SOURCE_DIR" run build
+
+  echo "Validating built CLI..."
+  node "$SOURCE_DIR/cli.js" --version >/dev/null
+
+  stop_service_if_running
+  move_previous_installation
+
+  echo "Installing source build to $INSTALL_DIR"
+  mv "$SOURCE_DIR" "$INSTALL_DIR"
+  make_executable_if_present "$INSTALL_DIR/cli.js"
+  make_executable_if_present "$INSTALL_DIR/cli.ts.js"
+  make_executable_if_present "$INSTALL_DIR/cli.child.js"
+
+  mkdir -p "$BIN_DIR"
+  ln -sf "$INSTALL_DIR/cli.js" "$BIN_DIR/dcrouter"
+}
+
+install_release_binary() {
+  local binary_name
+  local download_url
+  local temp_file
+
+  binary_name=$(detect_binary_name)
+  download_url="${GITEA_BASE_URL}/${GITEA_REPO}/releases/download/${VERSION}/${binary_name}"
+  temp_file="$TEMP_DIR/$binary_name"
+
+  echo "Downloading DcRouter binary: $download_url"
+  curl -fSL "$download_url" -o "$temp_file"
+  chmod 0755 "$temp_file"
+
+  echo "Validating downloaded binary..."
+  "$temp_file" --version >/dev/null
+
+  stop_service_if_running
+  move_previous_installation
+
+  echo "Installing binary to $INSTALL_DIR"
+  mkdir -p "$INSTALL_DIR"
+  install -m 0755 "$temp_file" "$INSTALL_DIR/dcrouter"
+
+  mkdir -p "$BIN_DIR"
+  ln -sf "$INSTALL_DIR/dcrouter" "$BIN_DIR/dcrouter"
+}
+
+if [[ "$INSTALL_MODE" == "source" ]]; then
+  install_source_build
+else
+  install_release_binary
+fi
+
+echo "Symlink created: $BIN_DIR/dcrouter"
+
+if ! "$BIN_DIR/dcrouter" --version >/dev/null; then
+  echo "Error: Installed DcRouter CLI failed validation"
+  restore_previous_installation
+  restart_previous_service_on_error
+  exit 1
+fi
+
+if [[ -n "$BACKUP_DIR" && -d "$BACKUP_DIR" ]]; then
+  rm -rf "$BACKUP_DIR"
+fi
+
+if [[ $SERVICE_WAS_RUNNING -eq 1 && $SYSTEMD_AVAILABLE -eq 1 ]]; then
+  echo "Restarting DcRouter service..."
+  systemctl restart "$SERVICE_NAME"
+  SERVICE_STOPPED=0
+  echo "Service restarted successfully."
+  echo ""
+fi
+
+trap - ERR
+
+echo "================================================"
+echo "  DcRouter Installation Complete!"
+echo "================================================"
+echo ""
+echo "Installation details:"
+echo "  Install directory: $INSTALL_DIR"
+echo "  Symlink location: $BIN_DIR/dcrouter"
+echo "  Version: $VERSION"
+echo "  Mode: $INSTALL_MODE"
+echo ""
+echo "Get started:"
+echo ""
+echo "  dcrouter --version"
+echo "  dcrouter --help"
+echo ""
@@ -1,9 +1,12 @@
 {
  "name": "@serve.zone/dcrouter",
  "private": false,
-  "version": "13.32.0",
+  "version": "13.40.3",
  "description": "A multifaceted routing service handling mail and SMS delivery functions.",
  "type": "module",
+  "bin": {
+    "dcrouter": "./cli.js"
+  },
  "exports": {
    ".": "./dist_ts/index.js",
    "./interfaces": "./dist_ts_interfaces/index.js",
@@ -15,20 +18,22 @@
    "test": "(tstest test/ --verbose --logfile --timeout 60)",
    "start": "(node ./cli.js)",
    "startTs": "(node cli.ts.js)",
-    "build": "(tsbuild tsfolders --allowimplicitany && npm run bundle)",
+    "build": "(tsbuild tsfolders --allowimplicitany && pnpm run bundle)",
+    "build:binary": "(pnpm run build && tsdeno compile)",
    "build:docker": "tsdocker build --verbose",
    "release:docker": "tsdocker push --verbose",
    "bundle": "(tsbundle)",
    "watch": "tswatch"
  },
  "devDependencies": {
-    "@git.zone/tsbuild": "^4.4.1",
+    "@git.zone/tsbuild": "^4.4.2",
    "@git.zone/tsbundle": "^2.10.4",
-    "@git.zone/tsdocker": "^2.3.0",
+    "@git.zone/tsdocker": "^2.4.0",
+    "@git.zone/tsdeno": "^1.5.0",
    "@git.zone/tsrun": "^2.0.4",
    "@git.zone/tstest": "^3.6.6",
    "@git.zone/tswatch": "^3.3.5",
-    "@types/node": "^25.9.0"
+    "@types/node": "^25.9.1"
  },
  "dependencies": {
    "@api.global/typedrequest": "^3.3.1",
@@ -36,7 +41,7 @@
    "@api.global/typedserver": "^8.4.6",
    "@api.global/typedsocket": "^4.1.3",
    "@apiclient.xyz/cloudflare": "^7.1.0",
-    "@design.estate/dees-catalog": "^3.81.0",
+    "@design.estate/dees-catalog": "^3.83.0",
    "@design.estate/dees-element": "^2.2.4",
    "@idp.global/sdk": "^1.3.1",
    "@push.rocks/lik": "^6.4.1",
@@ -44,8 +49,8 @@
    "@push.rocks/qenv": "^6.1.4",
    "@push.rocks/smartacme": "^9.5.0",
    "@push.rocks/smartdata": "^7.1.7",
-    "@push.rocks/smartdb": "^2.10.0",
-    "@push.rocks/smartdns": "^7.9.2",
+    "@push.rocks/smartdb": "^2.10.1",
+    "@push.rocks/smartdns": "^7.9.3",
    "@push.rocks/smartfs": "^1.5.1",
    "@push.rocks/smartguard": "^3.1.0",
    "@push.rocks/smartjwt": "^2.2.2",
@@ -53,20 +58,20 @@
    "@push.rocks/smartmetrics": "^3.0.3",
    "@push.rocks/smartmigration": "1.4.1",
    "@push.rocks/smartmta": "^5.3.3",
-    "@push.rocks/smartnetwork": "^4.7.1",
+    "@push.rocks/smartnetwork": "^4.7.2",
    "@push.rocks/smartpath": "^6.0.0",
    "@push.rocks/smartpromise": "^4.2.4",
-    "@push.rocks/smartproxy": "^27.10.2",
-    "@push.rocks/smartradius": "^1.1.2",
+    "@push.rocks/smartproxy": "^27.12.2",
+    "@push.rocks/smartradius": "^1.3.0",
    "@push.rocks/smartrequest": "^5.0.3",
    "@push.rocks/smartrx": "^3.0.10",
    "@push.rocks/smartstate": "^2.3.1",
    "@push.rocks/smartunique": "^3.0.9",
-    "@push.rocks/smartvpn": "1.19.4",
+    "@push.rocks/smartvpn": "1.20.0",
    "@push.rocks/taskbuffer": "^8.0.2",
    "@serve.zone/catalog": "^2.12.4",
    "@serve.zone/interfaces": "^5.8.0",
-    "@serve.zone/remoteingress": "^4.17.1",
+    "@serve.zone/remoteingress": "^4.22.3",
    "@tsclass/tsclass": "^9.5.1",
    "@types/qrcode": "^1.5.6",
    "lru-cache": "^11.4.0",
@@ -99,25 +104,22 @@
    "VLAN assignment",
    "MAC authentication"
  ],
-  "pnpm": {
-    "onlyBuiltDependencies": [
-      "esbuild",
-      "mongodb-memory-server",
-      "puppeteer"
-    ]
-  },
  "packageManager": "pnpm@10.11.0",
  "files": [
    "ts/**/*",
+    "binary/**/*",
    "ts_web/**/*",
    "ts_apiclient/**/*",
-    "dist/**/*",
    "dist_*/**/*",
    "dist_ts/**/*",
    "dist_ts_web/**/*",
    "dist_ts_apiclient/**/*",
-    "assets/**/*",
    "cli.js",
+    "cli.ts.js",
+    "cli.child.js",
+    "cli.child.ts",
+    "deno.json",
+    "tsconfig.json",
    ".smartconfig.json",
    "readme.md"
  ]
@@ -24,8 +24,8 @@ importers:
        specifier: ^7.1.0
        version: 7.1.0
      '@design.estate/dees-catalog':
-        specifier: ^3.81.0
-        version: 3.81.0(@tiptap/pm@2.27.2)
+        specifier: ^3.83.0
+        version: 3.83.0(@tiptap/pm@2.27.2)
      '@design.estate/dees-element':
        specifier: ^2.2.4
        version: 2.2.4
@@ -48,11 +48,11 @@ importers:
        specifier: ^7.1.7
        version: 7.1.7(socks@2.8.8)
      '@push.rocks/smartdb':
-        specifier: ^2.10.0
-        version: 2.10.0(@tiptap/pm@2.27.2)(socks@2.8.8)
+        specifier: ^2.10.1
+        version: 2.10.1(@tiptap/pm@2.27.2)(socks@2.8.8)
      '@push.rocks/smartdns':
-        specifier: ^7.9.2
-        version: 7.9.2
+        specifier: ^7.9.3
+        version: 7.9.3
      '@push.rocks/smartfs':
        specifier: ^1.5.1
        version: 1.5.1
@@ -75,8 +75,8 @@ importers:
        specifier: ^5.3.3
        version: 5.3.3
      '@push.rocks/smartnetwork':
-        specifier: ^4.7.1
-        version: 4.7.1
+        specifier: ^4.7.2
+        version: 4.7.3
      '@push.rocks/smartpath':
        specifier: ^6.0.0
        version: 6.0.0
@@ -84,11 +84,11 @@ importers:
        specifier: ^4.2.4
        version: 4.2.4
      '@push.rocks/smartproxy':
-        specifier: ^27.10.2
-        version: 27.10.2
+        specifier: ^27.12.2
+        version: 27.12.2
      '@push.rocks/smartradius':
-        specifier: ^1.1.2
-        version: 1.1.2
+        specifier: ^1.3.0
+        version: 1.3.0
      '@push.rocks/smartrequest':
        specifier: ^5.0.3
        version: 5.0.3
@@ -102,8 +102,8 @@ importers:
        specifier: ^3.0.9
        version: 3.0.9
      '@push.rocks/smartvpn':
-        specifier: 1.19.4
-        version: 1.19.4
+        specifier: 1.20.0
+        version: 1.20.0
      '@push.rocks/taskbuffer':
        specifier: ^8.0.2
        version: 8.0.2
@@ -114,8 +114,8 @@ importers:
        specifier: ^5.8.0
        version: 5.8.0
      '@serve.zone/remoteingress':
-        specifier: ^4.17.1
-        version: 4.17.1
+        specifier: ^4.22.3
+        version: 4.22.3
      '@tsclass/tsclass':
        specifier: ^9.5.1
        version: 9.5.1
@@ -133,14 +133,17 @@ importers:
        version: 14.0.0
    devDependencies:
      '@git.zone/tsbuild':
-        specifier: ^4.4.1
-        version: 4.4.1
+        specifier: ^4.4.2
+        version: 4.4.2
      '@git.zone/tsbundle':
        specifier: ^2.10.4
        version: 2.10.4
+      '@git.zone/tsdeno':
+        specifier: ^1.5.0
+        version: 1.5.0
      '@git.zone/tsdocker':
-        specifier: ^2.3.0
-        version: 2.3.0
+        specifier: ^2.4.0
+        version: 2.4.0
      '@git.zone/tsrun':
        specifier: ^2.0.4
        version: 2.0.4
@@ -151,8 +154,8 @@ importers:
        specifier: ^3.3.5
        version: 3.3.5(@tiptap/pm@2.27.2)
      '@types/node':
-        specifier: ^25.9.0
-        version: 25.9.0
+        specifier: ^25.9.1
+        version: 25.9.1

 packages:

@@ -362,8 +365,8 @@ packages:
  '@configvault.io/interfaces@1.0.17':
    resolution: {integrity: sha512-bEcCUR2VBDJsTin8HQh8Uw/mlYl2v8A3jMIaQ+MTB9Hrqd6CZL2dL7iJdWyFl/3EIX+LDxWFR+Oq7liIq7w+1Q==}

-  '@design.estate/dees-catalog@3.81.0':
-    resolution: {integrity: sha512-N7ocwSKVdjDQWmVV2XWiyg3dotGEuxP4/jhyB6duH8zJ3k63wmGm8+FeoP+LzRc8/U0Bl8w7UZrewlkIEMstUA==}
+  '@design.estate/dees-catalog@3.83.0':
+    resolution: {integrity: sha512-Ia4fwZ5ndziJkSE000nCro83rD8Rujki7ASHBQhL6ZDflZRJRlfuc13azVnQC2sazKlo/bWSgiiLcpc3V2IYrw==}

  '@design.estate/dees-comms@1.0.30':
    resolution: {integrity: sha512-KchMlklJfKAjQiJiR0xmofXtQ27VgZtBIxcMwPE9d+h3jJRv+lPZxzBQVOM0eyM0uS44S5vJMZ11IeV4uDXSHg==}
@@ -718,16 +721,20 @@ packages:
    resolution: {integrity: sha512-YTVITFGN0/24PxzXrwqCgnyd7njDuzp5ZvaCx5nq/jg55kUYd94Nj8UTchBdBofi/L0nwRfjGOg0E41d2u9T1w==}
    engines: {node: '>=6'}

-  '@git.zone/tsbuild@4.4.1':
-    resolution: {integrity: sha512-usxx8BBQsAypxjFOfd1GEV9pL9EUshRKktXtRWHMDByb6ps83+PdUIb3D7O+nkkBp4C9PXo3cfbsR4Asvo33CA==}
+  '@git.zone/tsbuild@4.4.2':
+    resolution: {integrity: sha512-v2m0fFYFt3vJZMvNAlrNChHYjZZNOf4iyO0mNNiHeO+sTR3cddkYb++zO/GL3v2UkG3nDRwfEkwUS4UzuXBEWw==}
    hasBin: true

  '@git.zone/tsbundle@2.10.4':
    resolution: {integrity: sha512-/xWOGrnuMaJ/Xo/EasaF9N3N9w1J9LDywZaRTa0UTtzbEtfJP7F2NJ9l4tWCwS+vTKpnqApX7ZueRh1h5MrwPQ==}
    hasBin: true

-  '@git.zone/tsdocker@2.3.0':
-    resolution: {integrity: sha512-im2hD3Fu7vSb6qM+WMg2tbvLbFfEpX8qVmjy491R5iELky4Pw9cqRMkwzmxW92etn8v+f53ODUQDOoc9DufX2A==}
+  '@git.zone/tsdeno@1.5.0':
+    resolution: {integrity: sha512-OdGPhnBz6v92OkKKWyswpyGman3m3FOXin+9WRzEBvvwyLAAkc2mKUGViPAIxYkrak4GiglzqjTkSyReDU0QOw==}
+    hasBin: true
+
+  '@git.zone/tsdocker@2.4.0':
+    resolution: {integrity: sha512-GFE93RxFm8HDrSm5Ulggy4se7heb4GaNQgaWV6Mds6lhkm6GouO91xZYlmXVH9glzBoFJNG63pFXYHW6nrqf5A==}
    hasBin: true

  '@git.zone/tspublish@1.11.6':
@@ -1279,14 +1286,14 @@ packages:
  '@push.rocks/smartdata@7.1.7':
    resolution: {integrity: sha512-HDI/Q9dKybfsJ68oCzlE+S63Xpij9qXnMfi28yznKP0Li1ECVZZMDDGIW5IjsXlHjO+Q+RJMcVd72Pjt3QLY5Q==}

-  '@push.rocks/smartdb@2.10.0':
-    resolution: {integrity: sha512-f7Sm861LJqBxgpX3ybNeRSShothSTLJsFETh1Vfj0WdC+oUZSOgIDqfQcR/gy25hc3eSnk1Bd5zz4cbWh9wosg==}
+  '@push.rocks/smartdb@2.10.1':
+    resolution: {integrity: sha512-m33HbSZdvUjCIucHWuJRK4ly7c0fsnL1hJAjZdjf6WqaFlWAjR0SztZp/V/u1yGP7IIcaXMXaWAijB9BC91Dvg==}

  '@push.rocks/smartdelay@3.1.0':
    resolution: {integrity: sha512-59xveBMbWmbFhh/rqhQnYG/klg/VONG9hV8+RQ7ftqsNRkcmUT+VM5etAbODgAUvsF4lxK+xVR0tbZOo0kGhRQ==}

-  '@push.rocks/smartdns@7.9.2':
-    resolution: {integrity: sha512-joMroNy/1YjXjxUaW38HQTvlyRHETE2+vnKg1c1304gHqcThyRawtdcnQsvmoK9sO1ZaPAqBKL1QP9m87nCFYQ==}
+  '@push.rocks/smartdns@7.9.3':
+    resolution: {integrity: sha512-TkqDmYeO0ogIICWIM06hE/SeNpyASsqr7d+HJv8u3FyD2jRP9LHn0X0o8CjSJ+IoTHSNXFBDFrddyysFdnwSsg==}

  '@push.rocks/smartenv@5.0.13':
    resolution: {integrity: sha512-ACXmUcHZHl2CF2jnVuRw9saRRrZvJblCRs2d+K5aLR1DfkYFX3eA21kcMlKeLisI3aGNbIj9vz/rowN5qkRkfA==}
@@ -1395,8 +1402,8 @@ packages:
  '@push.rocks/smartmustache@3.0.2':
    resolution: {integrity: sha512-G3LyRXoJhyM+iQhkvP/MR/2WYMvC9U7zc2J44JxUM5tPdkQ+o3++FbfRtnZj6rz5X/A7q03//vsxPitVQwoi2Q==}

-  '@push.rocks/smartnetwork@4.7.1':
-    resolution: {integrity: sha512-x9SolGn8lU3oh+fKL26dR5dIhsus5f0p/Xiaut2pK5Wamgwrvt5y5To8F+pzF1pQr6yA0XwWZ0Dgoppp2E+ziQ==}
+  '@push.rocks/smartnetwork@4.7.3':
+    resolution: {integrity: sha512-ecv8aSGbcHUDkE0IJ+/0mRpgQv1fSjQAgcTe1qgBNY1Lk8lQTTaNjpG7g21EdK23seyShewejtGKOcK5o7Rh6A==}

  '@push.rocks/smartnftables@1.2.0':
    resolution: {integrity: sha512-VTRHnxHrJj9VOq2MaCOqxiA4JLGRnzEaZ7kXxA7v3ljX+Y2wWK9VYpwKKBEbjgjoTpQyOf+I0gEG9wkR/jtUvQ==}
@@ -1422,14 +1429,14 @@ packages:
  '@push.rocks/smartpromise@4.2.4':
    resolution: {integrity: sha512-8FUyYt94hOIY9mqHjitn4h69u0jbEtTF2RKKw2DpiTVFjpDTk9gXbVHZ/V+xEcBrN4mrzdQES0OiDmkNPoddEQ==}

-  '@push.rocks/smartproxy@27.10.2':
-    resolution: {integrity: sha512-ycTJ3OZ/LUAO0OY06O2al41bhm3s6mT9D5LcL7RepLyShjHBsaC26FNEApIVh9tll7OMHtsOa9ejOWQ8zuA4pA==}
+  '@push.rocks/smartproxy@27.12.2':
+    resolution: {integrity: sha512-q97n/UAhfvyds6MhTUAhV5OC7x3Eaot+IN25hW6StyvrxR/odg3/g2UDAJmHoD5X0tKwIhouFd/b8Nwx0p94cg==}

  '@push.rocks/smartpuppeteer@2.0.6':
    resolution: {integrity: sha512-G+8cyDERvbXQcb9Sd8lnYdWYz8b3Mv2LfFf1ULmucDqQhcRHvxrWX/dKsvBZrwKPR4Wg+795Dyd+E1iOOh3tHw==}

-  '@push.rocks/smartradius@1.1.2':
-    resolution: {integrity: sha512-p4fHhMgXZRuyRuMQjFQLVnXBG1Fz2latJ7BGAsfInOuVUaitBr/Wni9mZULAuIIddeWwUx9QvIGlv3tgmFn/ow==}
+  '@push.rocks/smartradius@1.3.0':
+    resolution: {integrity: sha512-97BQhVT5gdDTNfb8LZiqaPddTMlx5Eqpsj7jTBQ2kj4tYpK0YWRiKkpBxxEXTjsIsq7iTxHeNTwc8kMZj+yU3g==}

  '@push.rocks/smartrequest@2.1.0':
    resolution: {integrity: sha512-3eHLTRInHA+u+W98TqJwgTES7rRimBAsJC4JxVNQC3UUezmblAhM5/TIQsEBQTsbjAY8SeQKy6NHzW6iTiaD8w==}
@@ -1482,8 +1489,8 @@ packages:
  '@push.rocks/smartversion@3.1.0':
    resolution: {integrity: sha512-qsJb82p8aQzJQ04fLiZsrxarhn+IoOn6v1B869NjH06vOCbCHXNKoS8WPssE6E6zge4NPCCD5WQ2hkyzqxCv9A==}

-  '@push.rocks/smartvpn@1.19.4':
-    resolution: {integrity: sha512-Cp6yyzRcZlqQMEWAQ/CG2tvUxSR4eSmzMTDQFVJsPtV+CbhXpulbqqz0penU6drVMiRGzXhwoQZtGYynigIXwA==}
+  '@push.rocks/smartvpn@1.20.0':
+    resolution: {integrity: sha512-k5cdbHGtCUMcZTwJr+7BwXNFxbeXZEe5MZ00y/f2Isi8yLAdfmdBJ5o32vwR0LJvWm2ZFn7ST8S1AkCY/K9L3w==}

  '@push.rocks/smartwatch@6.4.0':
    resolution: {integrity: sha512-KDswRgE/siBmZRCsRA07MtW5oF4c9uQEBkwTGPIWneHzksbCDsvs/7agKFEL7WnNifLNwo8w1K1qoiVWkX1fvw==}
@@ -1712,8 +1719,9 @@ packages:
  '@serve.zone/interfaces@5.8.0':
    resolution: {integrity: sha512-0ekSKUL/b44wmmzuCRANzrjaJRAHtkqiL8cPiMASEs7UJBDqbJCrgtrlJK84pz5dxBz3jTcdznNd5qjB8c6H0A==}

-  '@serve.zone/remoteingress@4.17.1':
-    resolution: {integrity: sha512-k3n+AF1rNybiKPlHHyhwCVEF0/T7eZD46kNn7JlEJPCxfUy09mjkpwDQ2CzaUkppqNgFOAYXgAKqjDqpJ27RvA==}
+  '@serve.zone/remoteingress@4.22.3':
+    resolution: {integrity: sha512-VUI2VTMHVjju92FXjPe0EQ7op2EyqCr+JQIIGkjxnvqE9aAV9ZtaNzI7y4WwltYNo9rfaa/Bdd8+2EKUYYCD6g==}
+    hasBin: true

  '@smithy/chunked-blob-reader-native@4.2.3':
    resolution: {integrity: sha512-jA5k5Udn7Y5717L86h4EIv06wIr3xn8GM1qHRi/Nf31annXcXHJjBKvgztnbn2TxH3xWrPBfgwHsOwZf0UmQWw==}
@@ -2158,8 +2166,8 @@ packages:
  '@types/node@22.19.17':
    resolution: {integrity: sha512-wGdMcf+vPYM6jikpS/qhg6WiqSV/OhG+jeeHT/KlVqxYfD40iYJf9/AE1uQxVWFvU7MipKRkRv8NSHiCGgPr8Q==}

-  '@types/node@25.9.0':
-    resolution: {integrity: sha512-AOQwYUNolgy3VosiRqXrACUXTN8nJUtPl7FJXMqZVyxiiCLhQuG3jXKvCS1ALr+Y2OmZhzzLVlYPEqJaiqkaJQ==}
+  '@types/node@25.9.1':
+    resolution: {integrity: sha512-xfrlY7UD5rMJk3ZVJP8BNzS28J36YJg+xp+LPXV1TdWxr8uMH5A860QNxYDGQe/ylDSgjxE52Q9VnO7p75tJxg==}

  '@types/qrcode@1.5.6':
    resolution: {integrity: sha512-te7NQcV2BOvdj2b1hCAHzAoMNuj65kNBMz0KBaxM6c3VGBOhU0dURQKOtH8CFNI/dsKkwlv32p26qYQTWoB5bw==}
@@ -4376,7 +4384,7 @@ snapshots:
      '@api.global/typedrequest-interfaces': 3.0.19
      '@api.global/typedsocket': 4.1.3(@push.rocks/smartserve@2.0.4)
      '@cloudflare/workers-types': 4.20260507.1
-      '@design.estate/dees-catalog': 3.81.0(@tiptap/pm@2.27.2)
+      '@design.estate/dees-catalog': 3.83.0(@tiptap/pm@2.27.2)
      '@design.estate/dees-comms': 1.0.30
      '@push.rocks/lik': 6.4.1
      '@push.rocks/smartdelay': 3.1.0
@@ -4910,7 +4918,7 @@ snapshots:
    dependencies:
      '@api.global/typedrequest-interfaces': 3.0.19

-  '@design.estate/dees-catalog@3.81.0(@tiptap/pm@2.27.2)':
+  '@design.estate/dees-catalog@3.83.0(@tiptap/pm@2.27.2)':
    dependencies:
      '@design.estate/dees-domtools': 2.5.6
      '@design.estate/dees-element': 2.2.4
@@ -5194,7 +5202,7 @@ snapshots:
    dependencies:
      '@fortawesome/fontawesome-common-types': 7.2.0

-  '@git.zone/tsbuild@4.4.1':
+  '@git.zone/tsbuild@4.4.2':
    dependencies:
      '@git.zone/tspublish': 1.11.6
      '@push.rocks/early': 4.0.4
@@ -5243,7 +5251,20 @@ snapshots:
      - supports-color
      - vue

-  '@git.zone/tsdocker@2.3.0':
+  '@git.zone/tsdeno@1.5.0':
+    dependencies:
+      '@push.rocks/early': 4.0.4
+      '@push.rocks/smartcli': 4.0.21
+      '@push.rocks/smartconfig': 6.1.1
+      '@push.rocks/smartfs': 1.5.1
+      '@push.rocks/smartshell': 3.3.8
+    transitivePeerDependencies:
+      - '@nuxt/kit'
+      - react
+      - supports-color
+      - vue
+
+  '@git.zone/tsdocker@2.4.0':
    dependencies:
      '@push.rocks/lik': 6.4.1
      '@push.rocks/projectinfo': 5.1.0
@@ -5306,7 +5327,7 @@ snapshots:
      '@push.rocks/smartjson': 6.0.1
      '@push.rocks/smartlog': 3.2.2
      '@push.rocks/smartmongo': 7.0.0(socks@2.8.8)
-      '@push.rocks/smartnetwork': 4.7.1
+      '@push.rocks/smartnetwork': 4.7.3
      '@push.rocks/smartpath': 6.0.0
      '@push.rocks/smartpromise': 4.2.4
      '@push.rocks/smartrequest': 5.0.3
@@ -5370,7 +5391,7 @@ snapshots:

  '@happy-dom/global-registrator@20.9.0':
    dependencies:
-      '@types/node': 25.9.0
+      '@types/node': 25.9.1
      happy-dom: 20.9.0
    transitivePeerDependencies:
      - bufferutil
@@ -6113,9 +6134,9 @@ snapshots:
      '@push.rocks/lik': 6.4.1
      '@push.rocks/smartdata': 7.1.7(socks@2.8.8)
      '@push.rocks/smartdelay': 3.1.0
-      '@push.rocks/smartdns': 7.9.2
+      '@push.rocks/smartdns': 7.9.3
      '@push.rocks/smartlog': 3.2.2
-      '@push.rocks/smartnetwork': 4.7.1
+      '@push.rocks/smartnetwork': 4.7.3
      '@push.rocks/smartstring': 4.1.1
      '@push.rocks/smarttime': 4.2.3
      '@push.rocks/smartunique': 3.0.9
@@ -6293,7 +6314,7 @@ snapshots:
      - supports-color
      - vue

-  '@push.rocks/smartdb@2.10.0(@tiptap/pm@2.27.2)(socks@2.8.8)':
+  '@push.rocks/smartdb@2.10.1(@tiptap/pm@2.27.2)(socks@2.8.8)':
    dependencies:
      '@api.global/typedserver': 8.4.6(@tiptap/pm@2.27.2)
      '@design.estate/dees-element': 2.2.4
@@ -6323,7 +6344,7 @@ snapshots:
    dependencies:
      '@push.rocks/smartpromise': 4.2.4

-  '@push.rocks/smartdns@7.9.2':
+  '@push.rocks/smartdns@7.9.3':
    dependencies:
      '@push.rocks/smartdelay': 3.1.0
      '@push.rocks/smartenv': 6.1.0
@@ -6474,7 +6495,7 @@ snapshots:

  '@push.rocks/smartmail@2.2.1':
    dependencies:
-      '@push.rocks/smartdns': 7.9.2
+      '@push.rocks/smartdns': 7.9.3
      '@push.rocks/smartfile': 13.1.3
      '@push.rocks/smartmustache': 3.0.2
      '@push.rocks/smartpath': 6.0.0
@@ -6591,9 +6612,9 @@ snapshots:
    dependencies:
      handlebars: 4.7.9

-  '@push.rocks/smartnetwork@4.7.1':
+  '@push.rocks/smartnetwork@4.7.3':
    dependencies:
-      '@push.rocks/smartdns': 7.9.2
+      '@push.rocks/smartdns': 7.9.3
      '@push.rocks/smartrust': 1.4.0
      maxmind: 5.0.6
    transitivePeerDependencies:
@@ -6654,7 +6675,7 @@ snapshots:
      '@push.rocks/smartdelay': 3.1.0
      '@push.rocks/smartfs': 1.5.1
      '@push.rocks/smartjimp': 1.2.1
-      '@push.rocks/smartnetwork': 4.7.1
+      '@push.rocks/smartnetwork': 4.7.3
      '@push.rocks/smartpath': 6.0.0
      '@push.rocks/smartpromise': 4.2.4
      '@push.rocks/smartpuppeteer': 2.0.6(typescript@6.0.3)
@@ -6675,7 +6696,7 @@ snapshots:

  '@push.rocks/smartpromise@4.2.4': {}

-  '@push.rocks/smartproxy@27.10.2':
+  '@push.rocks/smartproxy@27.12.2':
    dependencies:
      '@push.rocks/smartcrypto': 2.0.4
      '@push.rocks/smartlog': 3.2.2
@@ -6699,7 +6720,7 @@ snapshots:
      - typescript
      - utf-8-validate

-  '@push.rocks/smartradius@1.1.2':
+  '@push.rocks/smartradius@1.3.0':
    dependencies:
      '@push.rocks/smartdelay': 3.1.0
      '@push.rocks/smartpromise': 4.2.4
@@ -6822,7 +6843,7 @@ snapshots:
      '@types/semver': 7.7.1
      semver: 7.7.4

-  '@push.rocks/smartvpn@1.19.4':
+  '@push.rocks/smartvpn@1.20.0':
    dependencies:
      '@push.rocks/smartnftables': 1.2.0
      '@push.rocks/smartpath': 6.0.0
@@ -7047,7 +7068,7 @@ snapshots:

  '@serve.zone/catalog@2.12.4(@tiptap/pm@2.27.2)':
    dependencies:
-      '@design.estate/dees-catalog': 3.81.0(@tiptap/pm@2.27.2)
+      '@design.estate/dees-catalog': 3.83.0(@tiptap/pm@2.27.2)
      '@design.estate/dees-domtools': 2.5.6
      '@design.estate/dees-element': 2.2.4
      '@design.estate/dees-wcctools': 3.9.0
@@ -7064,7 +7085,7 @@ snapshots:
      '@push.rocks/smartlog-interfaces': 3.0.2
      '@tsclass/tsclass': 9.5.1

-  '@serve.zone/remoteingress@4.17.1':
+  '@serve.zone/remoteingress@4.22.3':
    dependencies:
      '@push.rocks/qenv': 6.1.4
      '@push.rocks/smartnftables': 1.2.0
@@ -7583,7 +7604,7 @@ snapshots:

  '@types/clean-css@4.2.11':
    dependencies:
-      '@types/node': 25.9.0
+      '@types/node': 25.9.1
      source-map: 0.6.1

  '@types/debug@4.1.13':
@@ -7611,7 +7632,7 @@ snapshots:
  '@types/jsonwebtoken@9.0.10':
    dependencies:
      '@types/ms': 2.1.0
-      '@types/node': 25.9.0
+      '@types/node': 25.9.1

  '@types/linkify-it@5.0.0': {}

@@ -7632,16 +7653,16 @@ snapshots:

  '@types/mute-stream@0.0.4':
    dependencies:
-      '@types/node': 25.9.0
+      '@types/node': 25.9.1

  '@types/node-fetch@2.6.13':
    dependencies:
-      '@types/node': 25.9.0
+      '@types/node': 25.9.1
      form-data: 4.0.5

  '@types/node-forge@1.3.14':
    dependencies:
-      '@types/node': 25.9.0
+      '@types/node': 25.9.1

  '@types/node@16.9.1': {}

@@ -7653,13 +7674,13 @@ snapshots:
    dependencies:
      undici-types: 6.21.0

-  '@types/node@25.9.0':
+  '@types/node@25.9.1':
    dependencies:
      undici-types: 7.24.6

  '@types/qrcode@1.5.6':
    dependencies:
-      '@types/node': 25.9.0
+      '@types/node': 25.9.1

  '@types/randomatic@3.1.5': {}

@@ -7671,7 +7692,7 @@ snapshots:

  '@types/through2@2.0.41':
    dependencies:
-      '@types/node': 25.9.0
+      '@types/node': 25.9.1

  '@types/trusted-types@2.0.7': {}

@@ -7699,11 +7720,11 @@ snapshots:

  '@types/ws@8.18.1':
    dependencies:
-      '@types/node': 25.9.0
+      '@types/node': 25.9.1

  '@types/yauzl@2.10.3':
    dependencies:
-      '@types/node': 25.9.0
+      '@types/node': 25.9.1
    optional: true

  '@ungap/structured-clone@1.3.1': {}
@@ -8423,7 +8444,7 @@ snapshots:

  happy-dom@20.9.0:
    dependencies:
-      '@types/node': 25.9.0
+      '@types/node': 25.9.1
      '@types/whatwg-mimetype': 3.0.2
      '@types/ws': 8.18.1
      entities: 7.0.1
@@ -0,0 +1,4 @@
+allowBuilds:
+  esbuild: true
+  mongodb-memory-server: true
+  puppeteer: true
@@ -34,6 +34,20 @@ Highlights:

 ## Install

+Install the CLI/runtime on a Linux gateway host with the released self-extracting binary:
+
+```bash
+curl -sSL https://code.foss.global/serve.zone/dcrouter/raw/branch/main/install.sh | sudo bash
+```
+
+The installer downloads `dcrouter-linux-x64` or `dcrouter-linux-arm64` from the latest Gitea release, installs it under `/opt/dcrouter`, and links `/usr/local/bin/dcrouter`. Use `--version vX.Y.Z` to pin a release, `--install-dir /path` to change the target directory, or `--source` to clone the tag and build the NodeNext package locally.
+
+```bash
+curl -sSL https://code.foss.global/serve.zone/dcrouter/raw/branch/main/install.sh | sudo bash -s -- --source
+```
+
+Use the package as a TypeScript library:
+
 ```bash
 pnpm add @serve.zone/dcrouter
 ```
@@ -196,6 +210,19 @@ const router = new DcRouter({
 await router.start();
 ```

+## VPN Target Profiles
+
+Target profiles define what a VPN client can reach through `domains`, direct `targets`, and `routeRefs`. Set `allowRoutesByClientSourceIp: true` on a target profile when a VPN client should also be granted to routes whose source policy is meant to evaluate the client's real connecting IP.
+
+dcrouter maps target profiles to SmartProxy VPN client grants. SmartVPN forwards both the real client source IP and authenticated VPN metadata through trusted PROXY v2 headers, so SmartProxy checks source policy and VPN client authorization separately for each connection. Route `security.ipAllowList` and `security.ipBlockList` stay the source of truth for real source-IP policy; `vpnOnly` adds the requirement for authenticated VPN metadata and a matching VPN client grant.
+
+```typescript
+const targetProfile = {
+  name: 'ops laptop source access',
+  allowRoutesByClientSourceIp: true,
+};
+```
+
 ## Automation API

 The OpsServer exposes TypedRequest handlers at `/typedrequest`. You can use raw contracts or the object-oriented API client.
@@ -247,6 +274,21 @@ Supported environment overrides include:
 | `DCROUTER_CACHE_ENABLED` | Enables or disables DB-backed persistence. |
 | `DCROUTER_MAX_CONNECTIONS`, `DCROUTER_MAX_CONNECTIONS_PER_IP`, `DCROUTER_CONNECTION_RATE_LIMIT` | SmartProxy capacity and rate-limit overrides. |

+## Docker Image
+
+Release builds publish a multi-arch OCI image at `code.foss.global/serve.zone/dcrouter:latest` for `linux/amd64` and `linux/arm64`. The image sets `DCROUTER_MODE=OCI_CONTAINER` and starts `node ./cli.js`.
+
+```bash
+docker run --rm --name dcrouter \
+  --network host \
+  -v dcrouter-data:/data \
+  -e DCROUTER_BASE_DIR=/data \
+  -e DCROUTER_TLS_EMAIL=ops@example.com \
+  code.foss.global/serve.zone/dcrouter:latest
+```
+
+Host networking is the simplest container mode for a gateway that owns HTTP/S, SMTP, DNS, RADIUS, remote ingress, and dynamic proxy ports. For narrower deployments, publish only the ports you enable in `IDcRouterOptions` or via the `DCROUTER_*` environment overrides.
+
 ## Published Modules

 This repository intentionally publishes multiple module boundaries from one codebase.
@@ -14,6 +14,7 @@ let previousAdminPassword: string | undefined;
 let opsServer: OpsServer;
 let testDb: DcRouterDb;
 let storagePath: string;
+let dbName: string;
 let bootstrapIdentity: interfaces.data.IIdentity;
 let persistedIdentity: interfaces.data.IIdentity;
 let createdUserId: string;
@@ -28,6 +29,40 @@ const createLoginRequest = () => new TypedRequest<interfaces.requests.IReq_Admin
  'adminLoginWithUsernameAndPassword',
 );

+const createFakeDcRouter = (portArg: number, dcRouterDbArg?: DcRouterDb) => ({
+  options: {
+    opsServerPort: portArg,
+    dbConfig: { enabled: true },
+    adminAuth: {
+      idpClient: {
+        loginWithEmailAndPassword: async () => ({
+          jwt: 'idp-jwt',
+          refreshToken: 'idp-refresh-token',
+          user: {
+            id: 'idp-user-1',
+            data: {
+              name: 'Wrong IdP User',
+              username: 'wrong@example.com',
+              email: 'wrong@example.com',
+              status: 'active',
+              connectedOrgs: [],
+            },
+          },
+        }),
+        stop: async () => {},
+      },
+    },
+  },
+  typedrouter: new plugins.typedrequest.TypedRouter(),
+  dcRouterDb: dcRouterDbArg,
+});
+
+const restartOpsServer = async () => {
+  await opsServer.stop();
+  opsServer = new OpsServer(createFakeDcRouter(testPort, testDb) as any);
+  await opsServer.start();
+};
+
 tap.test('setup db-backed OpsServer admin bootstrap test', async () => {
  previousAdminPassword = process.env.DCROUTER_ADMIN_PASSWORD;
  process.env.DCROUTER_ADMIN_PASSWORD = bootstrapPassword;
@@ -38,42 +73,15 @@ tap.test('setup db-backed OpsServer admin bootstrap test', async () => {
  );

  DcRouterDb.resetInstance();
+  dbName = `dcrouter-admin-bootstrap-${Date.now()}-${Math.random().toString(16).slice(2)}`;
  testDb = DcRouterDb.getInstance({
    storagePath,
-    dbName: `dcrouter-admin-bootstrap-${Date.now()}-${Math.random().toString(16).slice(2)}`,
+    dbName,
  });
  await testDb.start();
  await testDb.getDb().mongoDb.createCollection('__test_init');

-  const fakeDcRouter = {
-    options: {
-      opsServerPort: testPort,
-      dbConfig: { enabled: true },
-      adminAuth: {
-        idpClient: {
-          loginWithEmailAndPassword: async () => ({
-            jwt: 'idp-jwt',
-            refreshToken: 'idp-refresh-token',
-            user: {
-              id: 'idp-user-1',
-              data: {
-                name: 'Wrong IdP User',
-                username: 'wrong@example.com',
-                email: 'wrong@example.com',
-                status: 'active',
-                connectedOrgs: [],
-              },
-            },
-          }),
-          stop: async () => {},
-        },
-      },
-    },
-    typedrouter: new plugins.typedrequest.TypedRouter(),
-    dcRouterDb: testDb,
-  };
-
-  opsServer = new OpsServer(fakeDcRouter as any);
+  opsServer = new OpsServer(createFakeDcRouter(testPort, testDb) as any);
  await opsServer.start();
 });

@@ -170,6 +178,30 @@ tap.test('authenticates the persisted admin locally by normalized email', async
  expect(response.identity.userId).toEqual(persistedIdentity.userId);
 });

+tap.test('persists users across OpsServer restart', async () => {
+  const oldPersistedIdentity = persistedIdentity;
+  await restartOpsServer();
+
+  const verifyRequest = new TypedRequest<interfaces.requests.IReq_VerifyIdentity>(
+    baseUrl,
+    'verifyIdentity',
+  );
+  const verifyResponse = await verifyRequest.fire({ identity: oldPersistedIdentity });
+  expect(verifyResponse.valid).toEqual(false);
+
+  const loginResponse = await createLoginRequest().fire({
+    username: 'admin@example.com',
+    password: persistedPassword,
+    authSource: 'local',
+  });
+
+  if (!loginResponse.identity) {
+    throw new Error('Expected persisted admin login identity after restart');
+  }
+  expect(loginResponse.identity.userId).toEqual(oldPersistedIdentity.userId);
+  persistedIdentity = loginResponse.identity;
+});
+
 tap.test('rejects idp.global login when IdP email does not match local account', async () => {
  let rejected = false;
  try {
@@ -233,6 +265,28 @@ tap.test('lists persisted users without password material', async () => {
  expect((response.users[0] as any).password).toBeUndefined();
 });

+tap.test('rejects temporary bootstrap admin when persisted-user database is unavailable', async () => {
+  await testDb.stop();
+
+  const status = await createStatusRequest().fire({});
+  expect(status.dbEnabled).toEqual(true);
+  expect(status.dbReady).toEqual(false);
+  expect(status.needsBootstrap).toEqual(false);
+  expect(status.ephemeralAdminAvailable).toEqual(false);
+
+  let rejected = false;
+  try {
+    await createLoginRequest().fire({
+      username: 'admin',
+      password: bootstrapPassword,
+    });
+  } catch {
+    rejected = true;
+  }
+
+  expect(rejected).toEqual(true);
+});
+
 tap.test('cleanup db-backed OpsServer admin bootstrap test', async () => {
  await opsServer.stop();
  await testDb.stop();
@@ -246,4 +300,49 @@ tap.test('cleanup db-backed OpsServer admin bootstrap test', async () => {
  }
 });

+tap.test('does not offer bootstrap while configured database is unavailable', async () => {
+  const unavailablePort = 3111;
+  const unavailableBaseUrl = `http://localhost:${unavailablePort}/typedrequest`;
+  const previousUnavailableAdminPassword = process.env.DCROUTER_ADMIN_PASSWORD;
+  process.env.DCROUTER_ADMIN_PASSWORD = 'unavailable-bootstrap-password';
+  DcRouterDb.resetInstance();
+
+  const unavailableOpsServer = new OpsServer(createFakeDcRouter(unavailablePort) as any);
+  try {
+    await unavailableOpsServer.start();
+    const status = await new TypedRequest<interfaces.requests.IReq_GetAdminBootstrapStatus>(
+      unavailableBaseUrl,
+      'getAdminBootstrapStatus',
+    ).fire({});
+
+    expect(status.dbEnabled).toEqual(true);
+    expect(status.dbReady).toEqual(false);
+    expect(status.needsBootstrap).toEqual(false);
+    expect(status.ephemeralAdminAvailable).toEqual(false);
+
+    let rejected = false;
+    try {
+      await new TypedRequest<interfaces.requests.IReq_AdminLoginWithUsernameAndPassword>(
+        unavailableBaseUrl,
+        'adminLoginWithUsernameAndPassword',
+      ).fire({
+        username: 'admin',
+        password: 'unavailable-bootstrap-password',
+      });
+    } catch {
+      rejected = true;
+    }
+
+    expect(rejected).toEqual(true);
+  } finally {
+    await unavailableOpsServer.stop();
+    DcRouterDb.resetInstance();
+    if (previousUnavailableAdminPassword === undefined) {
+      delete process.env.DCROUTER_ADMIN_PASSWORD;
+    } else {
+      process.env.DCROUTER_ADMIN_PASSWORD = previousUnavailableAdminPassword;
+    }
+  }
+});
+
 export default tap.start();
@@ -1,7 +1,7 @@
 import { tap, expect } from '@git.zone/tstest/tapbundle';
 import { DcRouter } from '../ts/classes.dcrouter.js';
 import { ReferenceResolver, RouteConfigManager } from '../ts/config/index.js';
-import { DcRouterDb, DomainDoc, RouteDoc } from '../ts/db/index.js';
+import { DcRouterDb, DnsRecordDoc, DomainDoc, RouteDoc } from '../ts/db/index.js';
 import { DnsManager } from '../ts/dns/manager.dns.js';
 import { logger } from '../ts/logger.js';
 import * as plugins from '../ts/plugins.js';
@@ -32,6 +32,9 @@ const createTestDb = async () => {
 const testDbPromise = createTestDb();

 const clearTestState = async () => {
+  for (const record of await DnsRecordDoc.findAll()) {
+    await record.delete();
+  }
  for (const route of await RouteDoc.findAll()) {
    await route.delete();
  }
@@ -40,6 +43,86 @@ const clearTestState = async () => {
  }
 };

+tap.test('DnsManager keeps parallel ACME TXT challenges for the same host', async () => {
+  await testDbPromise;
+  await clearTestState();
+
+  const now = Date.now();
+  const domain = new DomainDoc();
+  domain.id = 'central-eu';
+  domain.name = 'central.eu';
+  domain.source = 'dcrouter';
+  domain.authoritative = true;
+  domain.createdAt = now;
+  domain.updatedAt = now;
+  domain.createdBy = 'test';
+  await domain.save();
+
+  const dnsManager = new DnsManager({});
+  const provider = dnsManager.buildAcmeConvenientDnsProvider().convenience as any;
+  const hostName = '_acme-challenge.blog.central.eu';
+
+  await provider.acmeSetDnsChallenge({ hostName, challenge: 'first-token' });
+  await provider.acmeSetDnsChallenge({ hostName, challenge: 'second-token' });
+
+  const recordsAfterSet = await DnsRecordDoc.findByDomainId(domain.id);
+  expect(recordsAfterSet.map((record) => record.value).sort()).toEqual([
+    'first-token',
+    'second-token',
+  ]);
+
+  await provider.acmeRemoveDnsChallenge({ hostName, challenge: 'first-token' });
+
+  const recordsAfterRemove = await DnsRecordDoc.findByDomainId(domain.id);
+  expect(recordsAfterRemove.map((record) => record.value)).toEqual(['second-token']);
+});
+
+tap.test('DnsManager local records answer mixed-case DNS queries', async () => {
+  await testDbPromise;
+  await clearTestState();
+
+  const now = Date.now();
+  const domain = new DomainDoc();
+  domain.id = 'central-eu';
+  domain.name = 'central.eu';
+  domain.source = 'dcrouter';
+  domain.authoritative = true;
+  domain.createdAt = now;
+  domain.updatedAt = now;
+  domain.createdBy = 'test';
+  await domain.save();
+
+  const registeredHandlers: Array<(question: { name: string; type: string }) => any> = [];
+  const dnsManager = new DnsManager({});
+  dnsManager.dnsServer = {
+    registerHandler: (_name: string, _types: string[], handler: (question: { name: string; type: string }) => any) => {
+      registeredHandlers.push(handler);
+    },
+  } as any;
+
+  await dnsManager.createRecord({
+    domainId: domain.id,
+    name: '_acme-challenge.central.eu',
+    type: 'TXT',
+    value: 'challenge-token',
+    ttl: 120,
+    createdBy: 'test',
+  });
+
+  const answer = registeredHandlers[0]?.({
+    name: '_aCMe-challeNge.Central.Eu',
+    type: 'txt',
+  });
+
+  expect(answer).toEqual({
+    name: '_aCMe-challeNge.Central.Eu',
+    type: 'TXT',
+    class: 'IN',
+    ttl: 120,
+    data: 'challenge-token',
+  });
+});
+
 tap.test('RouteConfigManager persists DoH system routes and hydrates runtime socket handlers', async () => {
  await testDbPromise;
  await clearTestState();
@@ -14,6 +14,38 @@ const emptyProtocolDistribution = {
  otherTotal: 0,
 };

+function createActiveConnectionSnapshots(entries: Array<{
+  count: number;
+  sourceIp?: string;
+  routeId?: string;
+  domain?: string;
+  localPort?: number;
+}>) {
+  const snapshots: any[] = [];
+  let index = 0;
+  for (const entry of entries) {
+    for (let i = 0; i < entry.count; i++) {
+      snapshots.push({
+        id: `test-connection-${index++}`,
+        sourceIp: entry.sourceIp || '192.0.2.10',
+        sourcePort: 40000 + index,
+        localPort: entry.localPort || 443,
+        domain: entry.domain,
+        routeId: entry.routeId,
+        targetHost: '127.0.0.1',
+        targetPort: 8443,
+        protocol: 'https',
+        state: 'active',
+        startedAtMs: Date.now(),
+        ageMs: 0,
+        bytesIn: 0,
+        bytesOut: 0,
+      });
+    }
+  }
+  return snapshots;
+}
+
 function createProxyMetrics(args: {
  connectionsByRoute: Map<string, number>;
  throughputByRoute: Map<string, { in: number; out: number }>;
@@ -22,14 +54,21 @@ function createProxyMetrics(args: {
  backendMetrics?: Map<string, any>;
  protocolCache?: any[];
  requestsTotal?: number;
+  connectionsByIP?: Map<string, number>;
+  throughputByIP?: Map<string, { in: number; out: number }>;
 }) {
+  const connectionsByIP = args.connectionsByIP || new Map<string, number>();
+  const throughputByIP = args.throughputByIP || new Map<string, { in: number; out: number }>();
  return {
    connections: {
      active: () => 0,
      total: () => 0,
      byRoute: () => args.connectionsByRoute,
-      byIP: () => new Map<string, number>(),
-      topIPs: () => [],
+      byIP: () => connectionsByIP,
+      topIPs: (limit = 10) => Array.from(connectionsByIP.entries())
+        .sort((a, b) => b[1] - a[1])
+        .slice(0, limit)
+        .map(([ip, count]) => ({ ip, count })),
      domainRequestsByIP: () => args.domainRequestsByIP,
      topDomainRequests: () => [],
      frontendProtocols: () => emptyProtocolDistribution,
@@ -42,7 +81,7 @@ function createProxyMetrics(args: {
      custom: () => ({ in: 0, out: 0 }),
      history: () => [],
      byRoute: () => args.throughputByRoute,
-      byIP: () => new Map<string, { in: number; out: number }>(),
+      byIP: () => throughputByIP,
    },
    requests: {
      perSecond: () => 0,
@@ -83,6 +122,10 @@ tap.test('MetricsManager joins domain activity to id-keyed route metrics', async

  const smartProxy = {
    getMetrics: () => proxyMetrics,
+    getActiveConnectionSnapshots: () => createActiveConnectionSnapshots([
+      { count: 3, routeId: 'route-id-only', domain: 'alpha.example.com' },
+      { count: 1, routeId: 'route-id-only', domain: 'beta.example.com' },
+    ]),
    routeManager: {
      getRoutes: () => [
        {
@@ -143,6 +186,9 @@ tap.test('MetricsManager prefers live domain request rates for current activity'

  const smartProxy = {
    getMetrics: () => proxyMetrics,
+    getActiveConnectionSnapshots: () => createActiveConnectionSnapshots([
+      { count: 10, routeId: 'route-id-only', domain: 'beta.example.com' },
+    ]),
    routeManager: {
      getRoutes: () => [
        {
@@ -224,6 +270,7 @@ tap.test('MetricsManager does not duplicate backend active counts onto protocol

  const smartProxy = {
    getMetrics: () => proxyMetrics,
+    getActiveConnectionSnapshots: () => [],
    routeManager: {
      getRoutes: () => [],
    },
@@ -239,4 +286,93 @@ tap.test('MetricsManager does not duplicate backend active counts onto protocol
  expect(cacheRows.every((item) => item.activeConnections === 0)).toBeTrue();
 });

+tap.test('MetricsManager queues IP intelligence without awaiting enrichment', async () => {
+  const proxyMetrics = createProxyMetrics({
+    connectionsByRoute: new Map(),
+    throughputByRoute: new Map(),
+    domainRequestsByIP: new Map(),
+    connectionsByIP: new Map([
+      ['8.8.8.8', 4],
+      ['1.1.1.1', 2],
+    ]),
+    throughputByIP: new Map([
+      ['8.8.8.8', { in: 500, out: 250 }],
+      ['1.1.1.1', { in: 1500, out: 1000 }],
+    ]),
+  });
+
+  const queuedIps: string[][] = [];
+  const manager = new MetricsManager({
+    smartProxy: {
+      getMetrics: () => proxyMetrics,
+      getActiveConnectionSnapshots: () => createActiveConnectionSnapshots([
+        { count: 4, sourceIp: '8.8.8.8' },
+        { count: 2, sourceIp: '1.1.1.1' },
+      ]),
+      routeManager: { getRoutes: () => [] },
+    },
+    securityPolicyManager: {
+      queueObservedIps: (ips: string[]) => queuedIps.push(ips),
+      listIpIntelligence: async () => [],
+    },
+  } as any);
+
+  await manager.getNetworkStats();
+
+  expect(queuedIps).toHaveLength(1);
+  expect(queuedIps[0]).toContain('8.8.8.8');
+  expect(queuedIps[0]).toContain('1.1.1.1');
+});
+
+tap.test('MetricsManager aggregates top ASNs from IP intelligence', async () => {
+  const proxyMetrics = createProxyMetrics({
+    connectionsByRoute: new Map(),
+    throughputByRoute: new Map(),
+    domainRequestsByIP: new Map(),
+    connectionsByIP: new Map([
+      ['8.8.8.8', 4],
+      ['8.8.4.4', 3],
+      ['1.1.1.1', 5],
+    ]),
+    throughputByIP: new Map([
+      ['8.8.8.8', { in: 500, out: 250 }],
+      ['8.8.4.4', { in: 700, out: 350 }],
+      ['1.1.1.1', { in: 2000, out: 1000 }],
+    ]),
+  });
+
+  const manager = new MetricsManager({
+    smartProxy: {
+      getMetrics: () => proxyMetrics,
+      getActiveConnectionSnapshots: () => createActiveConnectionSnapshots([
+        { count: 4, sourceIp: '8.8.8.8' },
+        { count: 3, sourceIp: '8.8.4.4' },
+        { count: 5, sourceIp: '1.1.1.1' },
+      ]),
+      routeManager: { getRoutes: () => [] },
+    },
+    securityPolicyManager: {
+      queueObservedIps: () => undefined,
+      listIpIntelligence: async ({ ipAddresses }: { ipAddresses?: string[] }) => [
+        { ipAddress: '8.8.8.8', asn: 15169, asnOrg: 'Google LLC', countryCode: 'US' },
+        { ipAddress: '8.8.4.4', asn: 15169, asnOrg: 'Google LLC', countryCode: 'US' },
+        { ipAddress: '1.1.1.1', asn: 13335, asnOrg: 'Cloudflare, Inc.', countryCode: 'US' },
+      ].filter((record) => !ipAddresses || ipAddresses.includes(record.ipAddress)),
+    },
+  } as any);
+
+  const stats = await manager.getNetworkStats();
+
+  expect(stats.topASNs).toHaveLength(2);
+  expect(stats.topASNs[0].asn).toEqual(15169);
+  expect(stats.topASNs[0].organization).toEqual('Google LLC');
+  expect(stats.topASNs[0].activeConnections).toEqual(7);
+  expect(stats.topASNs[0].ipCount).toEqual(2);
+  expect(stats.topASNs[0].bytesInPerSecond).toEqual(1200);
+  expect(stats.topASNs[0].bytesOutPerSecond).toEqual(600);
+  expect(stats.topASNs[0].sampleIps).toContain('8.8.8.8');
+  expect(stats.topASNs[1].asn).toEqual(13335);
+  expect(stats.topASNs[1].activeConnections).toEqual(5);
+});
+
 export default tap.start();
@@ -12,13 +12,77 @@ function setPath(target: Record<string, any>, path: string, value: unknown): voi
  cursor[parts[parts.length - 1]] = value;
 }

+function getPath(target: Record<string, any>, path: string): unknown {
+  let cursor: any = target;
+  for (const part of path.split('.')) {
+    if (cursor === null || cursor === undefined) return undefined;
+    cursor = cursor[part];
+  }
+  return cursor;
+}
+
 function applySet(document: Record<string, any>, set: Record<string, unknown>): void {
  for (const [key, value] of Object.entries(set)) {
    setPath(document, key, value);
  }
 }

-function createFakeDb(currentVersion: string) {
+function matchesQuery(document: Record<string, any>, query: Record<string, any>): boolean {
+  for (const [key, expected] of Object.entries(query)) {
+    const actual = getPath(document, key);
+    if (expected && typeof expected === 'object' && !Array.isArray(expected)) {
+      if ('$exists' in expected) {
+        const exists = actual !== undefined;
+        if (exists !== Boolean(expected.$exists)) return false;
+        continue;
+      }
+      if ('$type' in expected) {
+        if (expected.$type === 'string' && typeof actual !== 'string') return false;
+        continue;
+      }
+      if ('$in' in expected) {
+        if (!Array.isArray(expected.$in) || !expected.$in.includes(actual)) return false;
+        continue;
+      }
+    }
+    if (actual !== expected) return false;
+  }
+  return true;
+}
+
+function createFakeCollection(documents: Array<Record<string, any>> = []) {
+  return {
+    find: (query: Record<string, any> = {}) => ({
+      async *[Symbol.asyncIterator]() {
+        for (const document of documents) {
+          if (matchesQuery(document, query)) {
+            yield structuredClone(document);
+          }
+        }
+      },
+    }),
+    updateMany: async (query: Record<string, any>, update: any) => {
+      let modifiedCount = 0;
+      for (const document of documents) {
+        if (!matchesQuery(document, query)) continue;
+        applySet(document, update.$set || {});
+        modifiedCount++;
+      }
+      return { modifiedCount };
+    },
+    updateOne: async (query: Record<string, any>, update: any) => {
+      const document = documents.find((candidate) => matchesQuery(candidate, query));
+      if (!document) return { matchedCount: 0, modifiedCount: 0, upsertedCount: 0 };
+      applySet(document, update.$set || {});
+      return { matchedCount: 1, modifiedCount: 1, upsertedCount: 0 };
+    },
+  };
+}
+
+function createFakeDb(
+  currentVersion: string,
+  collections: Record<string, Array<Record<string, any>>> = {},
+) {
  const ledgerDocument = {
    nameId: 'smartmigration:smartmigration',
    data: {
@@ -29,12 +93,10 @@ function createFakeDb(currentVersion: string) {
    },
  };

-  const emptyCollection = {
-    find: () => ({
-      async *[Symbol.asyncIterator]() {},
-    }),
-    updateMany: async () => ({ modifiedCount: 0 }),
-  };
+  const fakeCollections = new Map(
+    Object.entries(collections).map(([name, documents]) => [name, createFakeCollection(documents)]),
+  );
+  const emptyCollection = createFakeCollection();

  const ledgerCollection = {
    createIndex: async () => undefined,
@@ -52,18 +114,69 @@ function createFakeDb(currentVersion: string) {
  return {
    mongoDb: {
      collection: (name: string) =>
-        name === 'SmartdataEasyStore' ? ledgerCollection : emptyCollection,
+        name === 'SmartdataEasyStore'
+          ? ledgerCollection
+          : fakeCollections.get(name) || emptyCollection,
    },
  };
 }

-tap.test('migration runner bridges old package-version targets without real schema steps', async () => {
-  const runner = await createMigrationRunner(createFakeDb('13.16.0'), '13.31.0');
+tap.test('migration runner applies schema steps through the current target', async () => {
+  const runner = await createMigrationRunner(createFakeDb('13.16.0'), '13.40.2');
  const result = await runner.run();

  expect(result.currentVersionBefore).toEqual('13.16.0');
-  expect(result.currentVersionAfter).toEqual('13.31.0');
+  expect(result.currentVersionAfter).toEqual('13.40.2');
  expect(result.stepsApplied).toHaveLength(3);
 });

+tap.test('migration runner rematerializes source-profile-backed route security', async () => {
+  const profiles: Array<Record<string, any>> = [
+    {
+      _id: 'profile-doc-1',
+      id: 'standard-profile',
+      name: 'Standard',
+      security: {
+        ipAllowList: ['192.168.*', '127.0.0.1'],
+        maxConnections: 1000,
+      },
+    },
+  ];
+  const routes: Array<Record<string, any>> = [
+    {
+      _id: 'route-doc-1',
+      id: 'route-1',
+      route: {
+        name: 'Public service domains',
+        match: { ports: 443, domains: ['code.foss.global'] },
+        action: { type: 'forward', targets: [{ host: '192.168.5.247', port: 443 }] },
+        security: {
+          ipAllowList: ['192.168.*', '*'],
+          maxConnections: 1000,
+        },
+      },
+      metadata: {
+        sourceProfileRef: 'standard-profile',
+        sourceProfileName: 'Standard',
+      },
+      updatedAt: 1,
+    },
+  ];
+
+  const runner = await createMigrationRunner(
+    createFakeDb('13.40.1', {
+      SourceProfileDoc: profiles,
+      RouteDoc: routes,
+    }),
+    '13.40.2',
+  );
+  const result = await runner.run();
+
+  expect(result.stepsApplied).toHaveLength(1);
+  expect(routes[0].route.security.ipAllowList.includes('*')).toBeFalse();
+  expect(routes[0].route.security.ipAllowList).toContain('192.168.*');
+  expect(routes[0].route.security.maxConnections).toEqual(1000);
+  expect(routes[0].metadata.lastResolvedAt).toBeTruthy();
+});
+
 export default tap.start();
@@ -0,0 +1,20 @@
+import { expect, tap } from '@git.zone/tstest/tapbundle';
+import { getOciContainerConfig } from '../ts_oci_container/index.js';
+
+tap.test('OCI config should accept explicit DNS bind interface', async () => {
+  const previousValue = process.env.DCROUTER_DNS_BIND_INTERFACE;
+  process.env.DCROUTER_DNS_BIND_INTERFACE = '192.168.190.3';
+
+  try {
+    const config = getOciContainerConfig();
+    expect(config.dnsBindInterface).toEqual('192.168.190.3');
+  } finally {
+    if (previousValue === undefined) {
+      delete process.env.DCROUTER_DNS_BIND_INTERFACE;
+    } else {
+      process.env.DCROUTER_DNS_BIND_INTERFACE = previousValue;
+    }
+  }
+});
+
+export default tap.start();
@@ -91,7 +91,7 @@ tap.test('should resolve source profile onto a route', async () => {
  expect(result.metadata.lastResolvedAt).toBeTruthy();
 });

-tap.test('should merge inline route security with profile security', async () => {
+tap.test('should replace inline route security when source profile is selected', async () => {
  const route = makeRoute({
    security: {
      ipAllowList: ['127.0.0.1'],
@@ -102,13 +102,26 @@ tap.test('should merge inline route security with profile security', async () =>

  const result = resolver.resolveRoute(route, metadata);

-  // IP lists are unioned
  expect(result.route.security!.ipAllowList).toContain('192.168.0.0/16');
  expect(result.route.security!.ipAllowList).toContain('10.0.0.0/8');
-  expect(result.route.security!.ipAllowList).toContain('127.0.0.1');
+  expect(result.route.security!.ipAllowList!.includes('127.0.0.1')).toBeFalse();
+  expect(result.route.security!.maxConnections).toEqual(1000);
+});

-  // Inline maxConnections overrides profile
-  expect(result.route.security!.maxConnections).toEqual(5000);
+tap.test('should remove stale wildcard security from a profile-backed route', async () => {
+  const route = makeRoute({
+    security: {
+      ipAllowList: ['*'],
+      maxConnections: 5000,
+    },
+  });
+  const metadata: IRouteMetadata = { sourceProfileRef: 'profile-1' };
+
+  const result = resolver.resolveRoute(route, metadata);
+
+  expect(result.route.security!.ipAllowList!.includes('*')).toBeFalse();
+  expect(result.route.security!.ipAllowList).toContain('192.168.0.0/16');
+  expect(result.route.security!.maxConnections).toEqual(1000);
 });

 tap.test('should deduplicate IP lists during merge', async () => {
@@ -40,6 +40,23 @@ const clearTestState = async () => {
  }
 };

+const createIntelligenceResult = (asn: number) => ({
+  asn,
+  asnOrg: `ASN ${asn}`,
+  registrantOrg: null,
+  registrantCountry: null,
+  networkRange: null,
+  networkCidrs: null,
+  abuseContact: null,
+  country: null,
+  countryCode: 'US',
+  city: null,
+  latitude: null,
+  longitude: null,
+  accuracyRadius: null,
+  timezone: null,
+});
+
 tap.test('SecurityPolicyManager compiles start-end CIDR rules for edge firewall snapshots', async () => {
  await testDbPromise;
  await clearTestState();
@@ -120,6 +137,60 @@ tap.test('SecurityPolicyManager returns an explicit empty edge firewall snapshot
  expect(firewall).toEqual({ blockedIps: [] });
 });

+tap.test('SecurityPolicyManager filters listed IP intelligence records', async () => {
+  await testDbPromise;
+  await clearTestState();
+  const manager = new SecurityPolicyManager();
+
+  for (const [ipAddress, asn] of [['8.8.8.8', 15169], ['1.1.1.1', 13335]] as const) {
+    const intelligenceDoc = new IpIntelligenceDoc();
+    intelligenceDoc.ipAddress = ipAddress;
+    intelligenceDoc.asn = asn;
+    intelligenceDoc.asnOrg = `ASN ${asn}`;
+    intelligenceDoc.firstSeenAt = Date.now();
+    intelligenceDoc.lastSeenAt = Date.now();
+    intelligenceDoc.updatedAt = Date.now();
+    intelligenceDoc.seenCount = 1;
+    await intelligenceDoc.save();
+  }
+
+  const records = await manager.listIpIntelligence({ ipAddresses: ['1.1.1.1'] });
+
+  expect(records).toHaveLength(1);
+  expect(records[0].ipAddress).toEqual('1.1.1.1');
+});
+
+tap.test('SecurityPolicyManager force refresh waits for an in-flight background observation', async () => {
+  await testDbPromise;
+  await clearTestState();
+  const manager = new SecurityPolicyManager({ intelligenceRefreshMs: 0 });
+
+  let releaseFirstLookup!: () => void;
+  let lookupCount = 0;
+  (manager as any).smartNetwork = {
+    getIpIntelligence: async () => {
+      lookupCount++;
+      if (lookupCount === 1) {
+        await new Promise<void>((resolve) => { releaseFirstLookup = resolve; });
+        return createIntelligenceResult(64500);
+      }
+      return createIntelligenceResult(64501);
+    },
+    stop: async () => {},
+  };
+
+  const backgroundObservation = manager.observeIp('8.8.8.8');
+  await new Promise((resolve) => setTimeout(resolve, 10));
+  const forcedRefresh = manager.refreshIpIntelligence('8.8.8.8');
+  releaseFirstLookup();
+
+  const record = await forcedRefresh;
+  await backgroundObservation;
+
+  expect(lookupCount).toEqual(2);
+  expect(record?.asn).toEqual(64501);
+});
+
 tap.test('cleanup security policy test db', async () => {
  const dbHandle = await testDbPromise;
  await clearTestState();
@@ -2,6 +2,7 @@ import { expect, tap } from '@git.zone/tstest/tapbundle';
 import { DcRouter } from '../ts/classes.dcrouter.js';
 import { VpnManager } from '../ts/vpn/classes.vpn-manager.js';
 import { RouteConfigManager } from '../ts/config/classes.route-config-manager.js';
+import { TargetProfileManager } from '../ts/config/classes.target-profile-manager.js';

 tap.test('VpnManager downgrades back to socket mode when no host-IP clients remain', async () => {
  const manager = new VpnManager({ forwardingMode: 'socket' });
@@ -76,7 +77,7 @@ tap.test('DcRouter.updateVpnConfig swaps the runtime VPN resolver and restarts V
    },
  } as any;
  (dcRouter as any).routeConfigManager = {
-    setVpnClientIpsResolver: (resolver: unknown) => {
+    setVpnClientAccessResolver: (resolver: unknown) => {
      resolverValues.push(resolver);
    },
    applyRoutes: async () => {
@@ -120,15 +121,15 @@ tap.test('RouteConfigManager makes vpnOnly routes fail closed without VPN client

  const prepared = (manager as any).injectVpnSecurity(route);

-  expect(prepared.security.ipAllowList).toEqual([]);
-  expect(prepared.security.ipBlockList).toContain('*');
+  expect(prepared.security.ipAllowList).toEqual(['*']);
+  expect(prepared.security.vpn).toEqual({ required: true, allowedClients: [] });
 });

-tap.test('RouteConfigManager replaces public allow lists for vpnOnly routes', async () => {
+tap.test('RouteConfigManager adds VPN client grants for vpnOnly routes', async () => {
  const manager = new RouteConfigManager(
    () => undefined,
    undefined,
-    () => ['10.8.0.2'],
+    () => ['client-1'],
  );
  const route = {
    name: 'private-route',
@@ -143,8 +144,301 @@ tap.test('RouteConfigManager replaces public allow lists for vpnOnly routes', as

  const prepared = (manager as any).injectVpnSecurity(route);

-  expect(prepared.security.ipAllowList).toEqual(['10.8.0.2']);
+  expect(prepared.security.ipAllowList).toEqual(['*', '203.0.113.10']);
  expect(prepared.security.ipBlockList).toEqual(['198.51.100.5']);
+  expect(prepared.security.vpn).toEqual({ required: true, allowedClients: ['client-1'] });
+});
+
+tap.test('RouteConfigManager adds matching VPN clients to restricted non-vpnOnly routes', async () => {
+  const manager = new RouteConfigManager(
+    () => undefined,
+    undefined,
+    () => ['client-1'],
+  );
+  const route = {
+    name: 'shared-private-route',
+    match: { domains: ['app.example.com'] },
+    action: { type: 'forward', targets: [{ host: '127.0.0.1', port: 8080 }] },
+    security: {
+      ipAllowList: ['203.0.113.10'],
+      ipBlockList: ['198.51.100.5'],
+    },
+  } as any;
+
+  const prepared = (manager as any).injectVpnSecurity(route);
+
+  expect(prepared.security.ipAllowList).toEqual(['203.0.113.10']);
+  expect(prepared.security.ipBlockList).toEqual(['198.51.100.5']);
+  expect(prepared.security.vpn).toEqual({ required: undefined, allowedClients: ['client-1'] });
+});
+
+tap.test('TargetProfileManager matches wildcard profiles against string route domains', async () => {
+  const manager = new TargetProfileManager();
+  (manager as any).profiles.set('profile-1', {
+    id: 'profile-1',
+    name: 'hagen.team VPN access',
+    domains: ['*.hagen.team'],
+    createdAt: 1,
+    updatedAt: 1,
+    createdBy: 'test',
+  });
+
+  const entries = manager.getMatchingVpnClients(
+    {
+      name: 'hagen-app',
+      match: { domains: 'app.hagen.team', ports: [443] },
+      action: { type: 'forward', targets: [{ host: '10.0.0.5', port: 443 }] },
+    } as any,
+    'route-1',
+    [{ clientId: 'client-1', enabled: true, assignedIp: '10.8.0.2', targetProfileIds: ['profile-1'] }] as any,
+  );
+
+  expect(entries).toEqual(['client-1']);
+});
+
+tap.test('TargetProfileManager expands wildcard profile domains to matching concrete route domains', async () => {
+  const manager = new TargetProfileManager();
+  (manager as any).profiles.set('profile-1', {
+    id: 'profile-1',
+    name: 'hagen.team VPN access',
+    domains: ['*.hagen.team'],
+    createdAt: 1,
+    updatedAt: 1,
+    createdBy: 'test',
+  });
+
+  const routes = new Map([
+    ['route-1', {
+      id: 'route-1',
+      enabled: true,
+      createdAt: 1,
+      updatedAt: 1,
+      createdBy: 'test',
+      origin: 'api',
+      route: {
+        name: 'hagen-app',
+        match: { domains: 'app.hagen.team', ports: [443] },
+        action: { type: 'forward', targets: [{ host: '10.0.0.5', port: 443 }] },
+      },
+    }],
+  ]) as any;
+
+  const accessSpec = manager.getClientAccessSpec(['profile-1'], routes);
+
+  expect(accessSpec.domains).toContain('*.hagen.team');
+  expect(accessSpec.domains).toContain('app.hagen.team');
+});
+
+tap.test('TargetProfileManager allows source-IP reachable routes for opted-in profiles', async () => {
+  const manager = new TargetProfileManager();
+  (manager as any).profiles.set('profile-1', {
+    id: 'profile-1',
+    name: 'source-ip access',
+    allowRoutesByClientSourceIp: true,
+    createdAt: 1,
+    updatedAt: 1,
+    createdBy: 'test',
+  });
+
+  const entries = manager.getMatchingVpnClients(
+    {
+      name: 'restricted-public-route',
+      match: { domains: 'app.example.com', ports: [443] },
+      action: { type: 'forward', targets: [{ host: '10.0.0.5', port: 443 }] },
+      security: { ipAllowList: ['203.0.113.10'] },
+    } as any,
+    'route-1',
+    [{ clientId: 'client-1', enabled: true, assignedIp: '10.8.0.2', targetProfileIds: ['profile-1'] }] as any,
+    new Map(),
+  );
+
+  expect(entries).toEqual(['client-1']);
+});
+
+tap.test('TargetProfileManager leaves real source-IP enforcement to SmartProxy', async () => {
+  const manager = new TargetProfileManager();
+  (manager as any).profiles.set('profile-1', {
+    id: 'profile-1',
+    name: 'source-ip access',
+    allowRoutesByClientSourceIp: true,
+    createdAt: 1,
+    updatedAt: 1,
+    createdBy: 'test',
+  });
+
+  const entries = manager.getMatchingVpnClients(
+    {
+      name: 'restricted-public-route',
+      match: { domains: 'app.example.com', ports: [443] },
+      action: { type: 'forward', targets: [{ host: '10.0.0.5', port: 443 }] },
+      security: { ipAllowList: ['203.0.113.10'] },
+    } as any,
+    'route-1',
+    [{ clientId: 'client-1', enabled: true, assignedIp: '10.8.0.2', targetProfileIds: ['profile-1'] }] as any,
+    new Map(),
+  );
+
+  expect(entries).toEqual(['client-1']);
+});
+
+tap.test('TargetProfileManager does not grant routes with wildcard source block', async () => {
+  const manager = new TargetProfileManager();
+  (manager as any).profiles.set('profile-1', {
+    id: 'profile-1',
+    name: 'source-ip access',
+    allowRoutesByClientSourceIp: true,
+    createdAt: 1,
+    updatedAt: 1,
+    createdBy: 'test',
+  });
+
+  const entries = manager.getMatchingVpnClients(
+    {
+      name: 'blocked-route',
+      match: { domains: 'app.example.com', ports: [443] },
+      action: { type: 'forward', targets: [{ host: '10.0.0.5', port: 443 }] },
+      security: {
+        ipAllowList: ['203.0.113.0/24'],
+        ipBlockList: ['*'],
+      },
+    } as any,
+    'route-1',
+    [{ clientId: 'client-1', enabled: true, assignedIp: '10.8.0.2', targetProfileIds: ['profile-1'] }] as any,
+    new Map(),
+  );
+
+  expect(entries).toEqual([]);
+});
+
+tap.test('TargetProfileManager treats public non-vpnOnly routes as source-IP reachable', async () => {
+  const manager = new TargetProfileManager();
+  (manager as any).profiles.set('profile-1', {
+    id: 'profile-1',
+    name: 'source-ip access',
+    allowRoutesByClientSourceIp: true,
+    createdAt: 1,
+    updatedAt: 1,
+    createdBy: 'test',
+  });
+
+  const entries = manager.getMatchingVpnClients(
+    {
+      name: 'public-route',
+      match: { domains: 'public.example.com', ports: [443] },
+      action: { type: 'forward', targets: [{ host: '10.0.0.5', port: 443 }] },
+    } as any,
+    'route-1',
+    [{ clientId: 'client-1', enabled: true, assignedIp: '10.8.0.2', targetProfileIds: ['profile-1'] }] as any,
+    new Map(),
+  );
+
+  expect(entries).toEqual(['client-1']);
+});
+
+tap.test('TargetProfileManager grants vpnOnly routes through source-policy profiles', async () => {
+  const manager = new TargetProfileManager();
+  (manager as any).profiles.set('profile-1', {
+    id: 'profile-1',
+    name: 'source-ip access',
+    allowRoutesByClientSourceIp: true,
+    createdAt: 1,
+    updatedAt: 1,
+    createdBy: 'test',
+  });
+
+  const entries = manager.getMatchingVpnClients(
+    {
+      name: 'vpn-only-route',
+      vpnOnly: true,
+      match: { domains: 'private.example.com', ports: [443] },
+      action: { type: 'forward', targets: [{ host: '10.0.0.5', port: 443 }] },
+      security: { ipAllowList: ['203.0.113.10'] },
+    } as any,
+    'route-1',
+    [{ clientId: 'client-1', enabled: true, assignedIp: '10.8.0.2', targetProfileIds: ['profile-1'] }] as any,
+    new Map(),
+  );
+
+  expect(entries).toEqual(['client-1']);
+});
+
+tap.test('TargetProfileManager includes source-IP reachable route domains in client access specs', async () => {
+  const manager = new TargetProfileManager();
+  (manager as any).profiles.set('profile-1', {
+    id: 'profile-1',
+    name: 'source-ip access',
+    allowRoutesByClientSourceIp: true,
+    createdAt: 1,
+    updatedAt: 1,
+    createdBy: 'test',
+  });
+
+  const routes = new Map([
+    ['route-1', {
+      id: 'route-1',
+      enabled: true,
+      createdAt: 1,
+      updatedAt: 1,
+      createdBy: 'test',
+      origin: 'api',
+      route: {
+        name: 'source-reachable-app',
+        match: { domains: 'app.example.com', ports: [443] },
+        action: { type: 'forward', targets: [{ host: '10.0.0.5', port: 443 }] },
+        security: { ipAllowList: ['203.0.113.0/24'] },
+      },
+    }],
+  ]) as any;
+
+  const accessSpec = manager.getClientAccessSpec(['profile-1'], routes);
+
+  expect(accessSpec.domains).toContain('app.example.com');
+});
+
+tap.test('VpnManager normalizes real remote addresses', async () => {
+  expect(VpnManager.normalizeRemoteAddress('203.0.113.10:51234')).toEqual('203.0.113.10');
+  expect(VpnManager.normalizeRemoteAddress('[2001:db8::1]:51234')).toEqual('2001:db8::1');
+  expect(VpnManager.normalizeRemoteAddress('2001:db8::1')).toEqual('2001:db8::1');
+});
+
+tap.test('VpnManager refreshes live source IPs from WireGuard peer endpoints', async () => {
+  const manager = new VpnManager({});
+  let sourceIpChangeCalls = 0;
+  (manager as any).config.onClientSourceIpsChanged = () => {
+    sourceIpChangeCalls++;
+  };
+  (manager as any).clients = new Map([
+    ['client-1', { clientId: 'client-1', wgPublicKey: 'wg-public-key' }],
+  ]);
+  (manager as any).vpnServer = {
+    listClients: async () => ([
+      {
+        clientId: 'runtime-client-1',
+        registeredClientId: 'client-1',
+        assignedIp: '10.8.0.2',
+        transportType: 'wireguard',
+      },
+    ]),
+    listWgPeers: async () => ([
+      {
+        publicKey: 'wg-public-key',
+        allowedIps: ['10.8.0.2/32'],
+        endpoint: '198.51.100.44:61234',
+        bytesSent: 0,
+        bytesReceived: 0,
+        packetsSent: 0,
+        packetsReceived: 0,
+      },
+    ]),
+  };
+
+  const changed = await manager.refreshClientSourceIps();
+  const changedAgain = await manager.refreshClientSourceIps();
+
+  expect(changed).toEqual(true);
+  expect(changedAgain).toEqual(false);
+  expect(manager.getClientSourceIp('client-1')).toEqual('198.51.100.44');
+  expect(sourceIpChangeCalls).toEqual(1);
 });

 tap.test('VpnManager rewrites WireGuard AllowedIPs after key rotation', async () => {
@@ -3,6 +3,6 @@
 */
 export const commitinfo = {
  name: '@serve.zone/dcrouter',
-  version: '13.32.0',
+  version: '13.40.3',
  description: 'A multifaceted routing service handling mail and SMS delivery functions.'
 }
@@ -26,7 +26,7 @@ import { RadiusServer, type IRadiusServerConfig } from './radius/index.js';
 import { RemoteIngressManager, TunnelManager } from './remoteingress/index.js';
 import { VpnManager, type IVpnManagerConfig } from './vpn/index.js';
 import { RouteConfigManager, ApiTokenManager, GatewayClientManager, ReferenceResolver, DbSeeder, TargetProfileManager } from './config/index.js';
-import type { TIpAllowEntry } from './config/classes.route-config-manager.js';
+import type { TVpnClientAllowEntry } from './config/classes.route-config-manager.js';
 import { SecurityLogger, ContentScanner, IPReputationChecker, SecurityPolicyManager } from './security/index.js';
 import { type IHttp3Config, augmentRoutesWithHttp3 } from './http3/index.js';
 import { DnsManager } from './dns/manager.dns.js';
@@ -93,6 +93,9 @@ export interface IDcRouterOptions {
   * Email domains with `internal-dns` mode must be included here
   */
  dnsScopes?: string[];
+
+  /** Explicit UDP bind address for the embedded DNS server. Defaults to auto-detection. */
+  dnsBindInterface?: string;
  
  /**
   * IPs of proxies that forward traffic to your server (optional)
@@ -605,7 +608,7 @@ export class DcRouter {
            this.routeConfigManager = new RouteConfigManager(
              () => this.smartProxy,
              () => this.options.http3,
-              this.createVpnRouteAllowListResolver(),
+              this.createVpnClientAccessResolver(),
              this.referenceResolver,
              // Sync routes to RemoteIngressManager whenever routes change,
              // then push updated derived ports to the Rust hub binary
@@ -1875,16 +1878,21 @@ export class DcRouter {
    logger.log('info', `Setting up DNS server with primary nameserver: ${primaryNameserver}`);
    
    // Get VM IP address for UDP binding
-    const networkInterfaces = plugins.os.networkInterfaces();
-    let vmIpAddress = '0.0.0.0'; // Default to all interfaces
-    
-    // Try to find the VM's internal IP address
-    for (const [_name, interfaces] of Object.entries(networkInterfaces)) {
-      if (interfaces) {
-        for (const iface of interfaces) {
-          if (!iface.internal && iface.family === 'IPv4') {
-            vmIpAddress = iface.address;
-            break;
+    const networkInterfaces = plugins.os.networkInterfaces() as Record<
+      string,
+      Array<{ internal: boolean; family: string; address: string }> | undefined
+    >;
+    let vmIpAddress = this.options.dnsBindInterface || '0.0.0.0'; // Default to all interfaces
+
+    // Try to find the VM's internal IP address when no explicit bind address is configured.
+    if (!this.options.dnsBindInterface) {
+      interfaceLoop: for (const [_name, interfaces] of Object.entries(networkInterfaces)) {
+        if (interfaces) {
+          for (const iface of interfaces) {
+            if (!iface.internal && iface.family === 'IPv4') {
+              vmIpAddress = iface.address;
+              break interfaceLoop;
+            }
          }
        }
      }
@@ -2399,10 +2407,10 @@ export class DcRouter {
  /**
   * Set up VPN server for VPN-based route access control.
   */
-  private createVpnRouteAllowListResolver(): ((
+  private createVpnClientAccessResolver(): ((
    route: import('../ts_interfaces/data/remoteingress.js').IDcRouterRouteConfig,
    routeId?: string,
-  ) => TIpAllowEntry[]) | undefined {
+  ) => TVpnClientAllowEntry[]) | undefined {
    if (!this.options.vpnConfig?.enabled) {
      return undefined;
    }
@@ -2416,7 +2424,7 @@ export class DcRouter {
        return [];
      }

-      return this.targetProfileManager.getMatchingClientIps(
+      return this.targetProfileManager.getMatchingVpnClients(
        route,
        routeId,
        this.vpnManager.listClients(),
@@ -2452,17 +2460,21 @@ export class DcRouter {
      bridgeIpRangeStart: this.options.vpnConfig.bridgeIpRangeStart,
      bridgeIpRangeEnd: this.options.vpnConfig.bridgeIpRangeEnd,
      onClientChanged: () => {
-        // Re-apply routes so profile-based ipAllowLists get updated
+        // Re-apply routes so profile-based VPN client grants get updated
        // (serialized by RouteConfigManager's mutex — safe as fire-and-forget)
        this.routeConfigManager?.applyRoutes().catch((err) => {
          logger.log('warn', `Failed to re-apply routes after VPN client change: ${err?.message || err}`);
        });
      },
+      onClientSourceIpsChanged: () => {
+        // SmartProxy now receives the real source IP per connection via PROXY v2.
+        // Source-IP changes are reflected in status/UI only; route config is static.
+      },
      getClientDirectTargets: (targetProfileIds: string[]) => {
        if (!this.targetProfileManager) return [];
        return this.targetProfileManager.getDirectTargetIps(targetProfileIds);
      },
-      getClientAllowedIPs: async (targetProfileIds: string[]) => {
+      getClientAllowedIPs: async (targetProfileIds: string[], clientId?: string, _sourceIp?: string) => {
        const subnet = this.options.vpnConfig?.subnet || '10.8.0.0/24';
        const ips = new Set<string>([subnet]);

@@ -2471,7 +2483,8 @@ export class DcRouter {
        const allRoutes = this.routeConfigManager?.getRoutes() || new Map();

        const { domains, targetIps } = this.targetProfileManager.getClientAccessSpec(
-          targetProfileIds, allRoutes,
+          targetProfileIds,
+          allRoutes,
        );

        // Add target IPs directly
@@ -2498,7 +2511,7 @@ export class DcRouter {
    await this.vpnManager.start();

    // Re-apply routes now that VPN clients are loaded — ensures vpnOnly routes
-    // get correct profile-based ipAllowLists
+    // get correct profile-based VPN client grants.
    await this.routeConfigManager?.applyRoutes();
  }

@@ -2594,7 +2607,7 @@ export class DcRouter {
    this.options.vpnConfig = config;
    this.vpnDomainIpCache.clear();
    this.warnedWildcardVpnDomains.clear();
-    this.routeConfigManager?.setVpnClientIpsResolver(this.createVpnRouteAllowListResolver());
+    this.routeConfigManager?.setVpnClientAccessResolver(this.createVpnClientAccessResolver());

    if (this.options.vpnConfig?.enabled) {
      await this.setupVpnServer();
@@ -281,6 +281,7 @@ export class ReferenceResolver {
  /**
   * Resolve references for a single route.
   * Materializes source profile and/or network target into the route's fields.
+   * When a source profile is selected, it owns the route security fully.
   * Returns the resolved route and updated metadata.
   */
  public resolveRoute(
@@ -293,10 +294,9 @@ export class ReferenceResolver {
      const resolvedSecurity = this.resolveSourceProfile(resolvedMetadata.sourceProfileRef);
      if (resolvedSecurity) {
        const profile = this.profiles.get(resolvedMetadata.sourceProfileRef);
-        // Merge: profile provides base, route's inline values override
        route = {
          ...route,
-          security: this.mergeSecurityFields(resolvedSecurity, route.security),
+          security: this.cloneSecurityFields(resolvedSecurity),
        };
        resolvedMetadata.sourceProfileName = profile?.name;
        resolvedMetadata.lastResolvedAt = Date.now();
@@ -445,10 +445,15 @@ export class ReferenceResolver {
    if (override.authentication !== undefined) merged.authentication = override.authentication;
    if (override.basicAuth !== undefined) merged.basicAuth = override.basicAuth;
    if (override.jwtAuth !== undefined) merged.jwtAuth = override.jwtAuth;
+    if (override.vpn !== undefined) merged.vpn = override.vpn;

    return merged;
  }

+  private cloneSecurityFields(security: IRouteSecurity): IRouteSecurity {
+    return structuredClone(security);
+  }
+
  // =========================================================================
  // Private: persistence
  // =========================================================================
@@ -11,8 +11,7 @@ import type { IDcRouterRouteConfig } from '../../ts_interfaces/data/remoteingres
 import { type IHttp3Config, augmentRouteWithHttp3 } from '../http3/index.js';
 import type { ReferenceResolver } from './classes.reference-resolver.js';

-/** An IP allow entry: plain IP/CIDR or domain-scoped. */
-export type TIpAllowEntry = string | { ip: string; domains: string[] };
+export type TVpnClientAllowEntry = string | { clientId: string; domains: string[] };

 export interface IRouteMutationResult {
  success: boolean;
@@ -57,7 +56,7 @@ export class RouteConfigManager {
  constructor(
    private getSmartProxy: () => plugins.smartproxy.SmartProxy | undefined,
    private getHttp3Config?: () => IHttp3Config | undefined,
-    private getVpnClientIpsForRoute?: (route: IDcRouterRouteConfig, routeId?: string) => TIpAllowEntry[],
+    private getVpnClientAccessForRoute?: (route: IDcRouterRouteConfig, routeId?: string) => TVpnClientAllowEntry[],
    private referenceResolver?: ReferenceResolver,
    private onRoutesApplied?: (routes: plugins.smartproxy.IRouteConfig[]) => void | Promise<void>,
    private getRuntimeRoutes?: () => plugins.smartproxy.IRouteConfig[],
@@ -73,10 +72,10 @@ export class RouteConfigManager {
    return this.routes.get(id);
  }

-  public setVpnClientIpsResolver(
-    resolver?: (route: IDcRouterRouteConfig, routeId?: string) => TIpAllowEntry[],
+  public setVpnClientAccessResolver(
+    resolver?: (route: IDcRouterRouteConfig, routeId?: string) => TVpnClientAllowEntry[],
  ): void {
-    this.getVpnClientIpsForRoute = resolver;
+    this.getVpnClientAccessForRoute = resolver;
  }

  /**
@@ -176,6 +175,8 @@ export class RouteConfigManager {
      return { success: false, message: 'Route not found' };
    }

+    const previousSourceProfileRef = stored.metadata?.sourceProfileRef;
+
    const isToggleOnlyPatch = patch.enabled !== undefined
      && patch.route === undefined
      && patch.metadata === undefined;
@@ -217,6 +218,13 @@ export class RouteConfigManager {
        ...stored.metadata,
        ...patch.metadata,
      });
+      if (
+        previousSourceProfileRef
+        && !stored.metadata?.sourceProfileRef
+        && !patch.route?.security
+      ) {
+        delete stored.route.security;
+      }
    }

    // Re-resolve if metadata refs exist and resolver is available
@@ -608,21 +616,47 @@ export class RouteConfigManager {
    routeId?: string,
  ): plugins.smartproxy.IRouteConfig {
    const dcRoute = route as IDcRouterRouteConfig;
-    if (!dcRoute.vpnOnly) return route;
+    const vpnEntries = this.getVpnClientAccessForRoute?.(dcRoute, routeId) || [];

-    const vpnEntries = this.getVpnClientIpsForRoute?.(dcRoute, routeId) || [];
-    const existingBlockList = route.security?.ipBlockList || [];
-    const ipBlockList = vpnEntries.length
-      ? existingBlockList
-      : [...new Set([...existingBlockList, '*'])];
+    if (!dcRoute.vpnOnly && vpnEntries.length === 0) {
+      return route;
+    }
+
+    const existingVpnSecurity = route.security?.vpn || {};
+    const mergedAllowedClients = this.mergeVpnClientAllowEntries(
+      existingVpnSecurity.allowedClients || [],
+      vpnEntries,
+    );

    return {
      ...route,
      security: {
        ...route.security,
-        ipAllowList: vpnEntries,
-        ipBlockList,
+        vpn: {
+          ...existingVpnSecurity,
+          required: dcRoute.vpnOnly ? true : existingVpnSecurity.required,
+          allowedClients: mergedAllowedClients,
+        },
      },
    };
  }
+
+  private mergeVpnClientAllowEntries(
+    existingEntries: TVpnClientAllowEntry[],
+    vpnEntries: TVpnClientAllowEntry[],
+  ): TVpnClientAllowEntry[] {
+    const merged: TVpnClientAllowEntry[] = [];
+    const seen = new Set<string>();
+
+    for (const entry of [...existingEntries, ...vpnEntries]) {
+      const key = typeof entry === 'string'
+        ? `client:${entry}`
+        : `domain:${entry.clientId}:${[...entry.domains].sort().join(',')}`;
+      if (seen.has(key)) continue;
+      seen.add(key);
+      merged.push(entry);
+    }
+
+    return merged;
+  }
 }
@@ -5,6 +5,8 @@ import type { ITargetProfile, ITargetProfileTarget } from '../../ts_interfaces/d
 import type { IDcRouterRouteConfig } from '../../ts_interfaces/data/remoteingress.js';
 import type { IRoute } from '../../ts_interfaces/data/route-management.js';

+type TVpnClientAllowEntry = string | { clientId: string; domains: string[] };
+
 /**
 * Manages TargetProfiles (target-side: what can be accessed).
 * TargetProfiles define what resources a VPN client can reach:
@@ -35,6 +37,7 @@ export class TargetProfileManager {
    domains?: string[];
    targets?: ITargetProfileTarget[];
    routeRefs?: string[];
+    allowRoutesByClientSourceIp?: boolean;
    createdBy: string;
  }): Promise<string> {
    // Enforce unique profile names
@@ -55,6 +58,7 @@ export class TargetProfileManager {
      domains: data.domains,
      targets: data.targets,
      routeRefs,
+      allowRoutesByClientSourceIp: data.allowRoutesByClientSourceIp === true,
      createdAt: now,
      updatedAt: now,
      createdBy: data.createdBy,
@@ -88,6 +92,9 @@ export class TargetProfileManager {
    if (patch.domains !== undefined) profile.domains = patch.domains;
    if (patch.targets !== undefined) profile.targets = patch.targets;
    if (patch.routeRefs !== undefined) profile.routeRefs = this.normalizeRouteRefs(patch.routeRefs);
+    if (patch.allowRoutesByClientSourceIp !== undefined) {
+      profile.allowRoutesByClientSourceIp = patch.allowRoutesByClientSourceIp === true;
+    }
    profile.updatedAt = Date.now();

    await this.persistProfile(profile);
@@ -199,29 +206,30 @@ export class TargetProfileManager {
  }

  // =========================================================================
-  // Core matching: route → client IPs
+  // Core matching: route → VPN client grants
  // =========================================================================

  /**
-   * For a vpnOnly route, find all enabled VPN clients whose assigned TargetProfile
-   * matches the route. Returns IP allow entries for injection into ipAllowList.
+   * Find all enabled VPN clients whose assigned TargetProfile matches the route.
+   * Returns SmartProxy VPN client allow entries for authenticated metadata checks.
   *
   * Entries are domain-scoped when a profile matches via specific domains that are
   * a subset of the route's wildcard. Plain IPs are returned for routeRef/target matches
-   * or when profile domains exactly equal the route's domains.
+   * or when profile domains exactly equal the route's domains. Profiles can also opt
+   * into source-policy routes; SmartProxy evaluates the real source IP per connection.
   */
-  public getMatchingClientIps(
+  public getMatchingVpnClients(
    route: IDcRouterRouteConfig,
    routeId: string | undefined,
    clients: VpnClientDoc[],
    allRoutes: Map<string, IRoute> = new Map(),
-  ): Array<string | { ip: string; domains: string[] }> {
-    const entries: Array<string | { ip: string; domains: string[] }> = [];
-    const routeDomains: string[] = (route.match as any)?.domains || [];
+  ): TVpnClientAllowEntry[] {
+    const entries: TVpnClientAllowEntry[] = [];
+    const routeDomains = this.getRouteDomains(route);
    const routeNameIndex = this.buildRouteNameIndex(allRoutes);

    for (const client of clients) {
-      if (!client.enabled || !client.assignedIp) continue;
+      if (!client.enabled || !client.clientId) continue;
      if (!client.targetProfileIds?.length) continue;

      // Collect scoped domains from all matching profiles for this client
@@ -246,12 +254,20 @@ export class TargetProfileManager {
        if (matchResult !== 'none') {
          for (const d of matchResult.domains) scopedDomains.add(d);
        }
+
+        if (
+          profile.allowRoutesByClientSourceIp === true
+          && this.routeHasSourcePolicy(route)
+        ) {
+          fullAccess = true;
+          break;
+        }
      }

      if (fullAccess) {
-        entries.push(client.assignedIp);
+        entries.push(client.clientId);
      } else if (scopedDomains.size > 0) {
-        entries.push({ ip: client.assignedIp, domains: [...scopedDomains] });
+        entries.push({ clientId: client.clientId, domains: [...scopedDomains] });
      }
    }

@@ -292,17 +308,19 @@ export class TargetProfileManager {
      // Route references: scan all routes
      for (const [routeId, route] of allRoutes) {
        if (!route.enabled) continue;
-        if (this.routeMatchesProfile(
-          route.route as IDcRouterRouteConfig,
+        const dcRoute = route.route as IDcRouterRouteConfig;
+        const routeDomains = this.getRouteDomains(dcRoute);
+        const profileMatchesRoute = this.routeMatchesProfile(
+          dcRoute,
          routeId,
          profile,
          routeNameIndex,
-        )) {
-          const routeDomains = (route.route.match as any)?.domains;
-          if (Array.isArray(routeDomains)) {
-            for (const d of routeDomains) {
-              domains.add(d);
-            }
+        );
+        const sourceIpMatchesRoute = profile.allowRoutesByClientSourceIp === true
+          && this.routeHasSourcePolicy(dcRoute);
+        if (profileMatchesRoute || sourceIpMatchesRoute) {
+          for (const d of routeDomains) {
+            domains.add(d);
          }
        }
      }
@@ -327,7 +345,7 @@ export class TargetProfileManager {
    profile: ITargetProfile,
    routeNameIndex: Map<string, string[]>,
  ): boolean {
-    const routeDomains: string[] = (route.match as any)?.domains || [];
+    const routeDomains = this.getRouteDomains(route);
    const result = this.routeMatchesProfileDetailed(
      route,
      routeId,
@@ -425,6 +443,22 @@ export class TargetProfileManager {
    return false;
  }

+  private routeHasSourcePolicy(route: IDcRouterRouteConfig): boolean {
+    const security = (route as any).security;
+    const blockEntries = Array.isArray(security?.ipBlockList)
+      ? security.ipBlockList
+      : security?.ipBlockList
+        ? [security.ipBlockList]
+        : [];
+    return !blockEntries.some((entry: unknown) => typeof entry === 'string' && entry.trim() === '*');
+  }
+
+  private getRouteDomains(route: IDcRouterRouteConfig): string[] {
+    const domains = (route.match as any)?.domains;
+    if (!domains) return [];
+    return Array.isArray(domains) ? domains : [domains];
+  }
+
  private normalizeRouteRefs(routeRefs?: string[]): string[] | undefined {
    const allRoutes = this.getAllRoutes?.() || new Map<string, IRoute>();
    return this.normalizeRouteRefsAgainstRoutes(routeRefs, allRoutes, 'strict');
@@ -500,6 +534,7 @@ export class TargetProfileManager {
          domains: doc.domains,
          targets: doc.targets,
          routeRefs: doc.routeRefs,
+          allowRoutesByClientSourceIp: doc.allowRoutesByClientSourceIp === true,
          createdAt: doc.createdAt,
          updatedAt: doc.updatedAt,
          createdBy: doc.createdBy,
@@ -519,6 +554,7 @@ export class TargetProfileManager {
      existingDoc.domains = profile.domains;
      existingDoc.targets = profile.targets;
      existingDoc.routeRefs = profile.routeRefs;
+      existingDoc.allowRoutesByClientSourceIp = profile.allowRoutesByClientSourceIp === true;
      existingDoc.updatedAt = profile.updatedAt;
      await existingDoc.save();
    } else {
@@ -529,6 +565,7 @@ export class TargetProfileManager {
      doc.domains = profile.domains;
      doc.targets = profile.targets;
      doc.routeRefs = profile.routeRefs;
+      doc.allowRoutesByClientSourceIp = profile.allowRoutesByClientSourceIp === true;
      doc.createdAt = profile.createdAt;
      doc.updatedAt = profile.updatedAt;
      doc.createdBy = profile.createdBy;
@@ -1,5 +1,6 @@
 import * as plugins from '../../plugins.js';
 import { DcRouterDb } from '../classes.dcrouter-db.js';
+import type { IRemoteIngressPerformanceConfig } from '../../../ts_interfaces/data/remoteingress.js';

 const getDb = () => DcRouterDb.getInstance().getDb();

@@ -27,6 +28,9 @@ export class RemoteIngressEdgeDoc extends plugins.smartdata.SmartDataDbDoc<Remot
  @plugins.smartdata.svDb()
  public autoDerivePorts!: boolean;

+  @plugins.smartdata.svDb()
+  public performance?: IRemoteIngressPerformanceConfig;
+
  @plugins.smartdata.svDb()
  public tags!: string[];

@@ -25,6 +25,9 @@ export class TargetProfileDoc extends plugins.smartdata.SmartDataDbDoc<TargetPro
  @plugins.smartdata.svDb()
  public routeRefs?: string[];

+  @plugins.smartdata.svDb()
+  public allowRoutesByClientSourceIp?: boolean;
+
  @plugins.smartdata.svDb()
  public createdAt!: number;

@@ -209,9 +209,9 @@ export class DnsManager {
  private registerRecordWithDnsServer(rec: DnsRecordDoc): void {
    if (!this.dnsServer) return;
    this.dnsServer.registerHandler(rec.name, [rec.type], (question) => {
-      if (question.name === rec.name && question.type === rec.type) {
+      if (question.name.toLowerCase() === rec.name.toLowerCase() && question.type.toUpperCase() === rec.type) {
        return {
-          name: rec.name,
+          name: question.name,
          type: rec.type,
          class: 'IN',
          ttl: rec.ttl,
@@ -313,17 +313,23 @@ export class DnsManager {
  }

  /**
-   * Delete all DNS records matching a name and type under a domain.
-   * Used for ACME challenge cleanup (may have multiple TXT records at the same name).
+   * Delete DNS records matching a name and type under a domain.
+   * When value is provided, only that exact record is removed so parallel ACME
+   * challenges for the same host can coexist.
   */
  public async deleteRecordsByNameAndType(
    domainId: string,
    name: string,
    type: TDnsRecordType,
+    value?: string,
  ): Promise<void> {
    const records = await DnsRecordDoc.findByDomainId(domainId);
    for (const rec of records) {
-      if (rec.name.toLowerCase() === name.toLowerCase() && rec.type === type) {
+      if (
+        rec.name.toLowerCase() === name.toLowerCase()
+        && rec.type === type
+        && (value === undefined || rec.value === value)
+      ) {
        await this.deleteRecord(rec.id);
      }
    }
@@ -358,9 +364,15 @@ export class DnsManager {
              'Add the domain in Domains before issuing certificates.',
          );
        }
-        // Clean leftover challenge records first to avoid duplicates.
+        // Clean only the same challenge value. Exact + wildcard SAN orders can
+        // legitimately need multiple TXT records at the same name.
        try {
-          await self.deleteRecordsByNameAndType(domainDoc.id, dnsChallenge.hostName, 'TXT');
+          await self.deleteRecordsByNameAndType(
+            domainDoc.id,
+            dnsChallenge.hostName,
+            'TXT',
+            dnsChallenge.challenge,
+          );
        } catch (err: unknown) {
          logger.log('warn', `DnsManager: failed to clean existing TXT for ${dnsChallenge.hostName}: ${(err as Error).message}`);
        }
@@ -381,7 +393,12 @@ export class DnsManager {
          return;
        }
        try {
-          await self.deleteRecordsByNameAndType(domainDoc.id, dnsChallenge.hostName, 'TXT');
+          await self.deleteRecordsByNameAndType(
+            domainDoc.id,
+            dnsChallenge.hostName,
+            'TXT',
+            dnsChallenge.challenge,
+          );
        } catch (err: unknown) {
          logger.log('warn', `DnsManager: failed to remove TXT for ${dnsChallenge.hostName}: ${(err as Error).message}`);
        }
@@ -1,4 +1,4 @@
-import type * as plugins from '../plugins.js';
+import * as plugins from '../plugins.js';

 /**
 * Configuration for HTTP/3 (QUIC) route augmentation.
@@ -36,22 +36,6 @@ export interface IHttp3Config {
  };
 }

-type TPortRange = plugins.smartproxy.IRouteConfig['match']['ports'];
-
-/**
- * Check whether a TPortRange includes port 443.
- */
-function portRangeIncludes443(ports: TPortRange): boolean {
-  if (typeof ports === 'number') return ports === 443;
-  if (Array.isArray(ports)) {
-    return ports.some((p) => {
-      if (typeof p === 'number') return p === 443;
-      return p.from <= 443 && p.to >= 443;
-    });
-  }
-  return false;
-}
-
 /**
 * Check if a route name indicates an email route that should not get HTTP/3.
 */
@@ -85,7 +69,7 @@ export function routeQualifiesForHttp3(
  if (route.action.type !== 'forward') return false;

  // Must include port 443
-  if (!portRangeIncludes443(route.match.ports)) return false;
+  if (!plugins.smartproxy.portRangeIncludes(route.match.ports, 443)) return false;

  // Must have TLS
  if (!route.action.tls) return false;
@@ -1,3 +1,4 @@
+import { commitinfo } from './00_commitinfo_data.js';
 export * from './00_commitinfo_data.js';

 // Re-export smartmta (excluding commitinfo to avoid naming conflict)
@@ -18,6 +19,29 @@ export * from './remoteingress/index.js';
 export type { IHttp3Config } from './http3/index.js';

 export const runCli = async () => {
+  const args = process.argv.slice(2);
+
+  if (args.includes('--version') || args.includes('version')) {
+    console.log(commitinfo.version);
+    return;
+  }
+
+  if (args.includes('--help') || args.includes('-h') || args.includes('help')) {
+    console.log(`dcrouter ${commitinfo.version}
+
+Usage:
+  dcrouter
+  dcrouter --version
+  dcrouter --help
+
+Environment:
+  DCROUTER_MODE=OCI_CONTAINER   Start with OCI container configuration
+  DCROUTER_DNS_BIND_INTERFACE   Override the embedded DNS UDP bind address
+  DATA_DIR=<path>               Override the writable dcrouter data directory
+`);
+    return;
+  }
+
  let options: import('./classes.dcrouter.js').IDcRouterOptions = {};

  if (process.env.DCROUTER_MODE === 'OCI_CONTAINER') {
@@ -3,6 +3,7 @@ import { DcRouter } from '../classes.dcrouter.js';
 import { MetricsCache } from './classes.metricscache.js';
 import { SecurityLogger, SecurityEventType } from '../security/classes.securitylogger.js';
 import { logger } from '../logger.js';
+import type { IAsnActivity } from '../../ts_interfaces/data/stats.js';

 export class MetricsManager {
  private metricsLogger: plugins.smartlog.Smartlog;
@@ -142,8 +143,9 @@ export class MetricsManager {
  public async getServerStats() {
    return this.metricsCache.get('serverStats', async () => {
      const smartMetricsData = await this.smartMetrics.getMetrics();
-      const proxyMetrics = this.dcRouter.smartProxy ? this.dcRouter.smartProxy.getMetrics() : null;
-      const proxyStats = this.dcRouter.smartProxy ? await this.dcRouter.smartProxy.getStatistics() : null;
+      const smartProxy = this.dcRouter.smartProxy;
+      const proxyMetrics = smartProxy ? smartProxy.getMetrics() : null;
+      const proxyStats = smartProxy ? await smartProxy.getStatistics() : null;
      const { heapUsed, heapTotal, external, rss } = process.memoryUsage();

      return {
@@ -290,27 +292,44 @@ export class MetricsManager {
    });
  }
  
+  public async getActiveConnectionSnapshots(
+    options: plugins.smartproxy.IActiveConnectionSnapshotOptions = {},
+  ): Promise<plugins.smartproxy.IActiveConnectionSnapshot[]> {
+    const cacheKey = `activeConnectionSnapshots:${options.limit ?? 1000}:${options.routeId ?? ''}`;
+    return await this.metricsCache.get<plugins.smartproxy.IActiveConnectionSnapshot[]>(cacheKey, async () => {
+      if (!this.dcRouter.smartProxy) {
+        return [];
+      }
+      return this.dcRouter.smartProxy.getActiveConnectionSnapshots(options);
+    }, 500);
+  }
+
  // Get connection info from SmartProxy
  public async getConnectionInfo() {
-    return this.metricsCache.get('connectionInfo', () => {
-      const proxyMetrics = this.dcRouter.smartProxy ? this.dcRouter.smartProxy.getMetrics() : null;
-      
-      if (!proxyMetrics) {
-        return [] as Array<{ type: string; count: number; source: string; lastActivity: Date }>;
+    return this.metricsCache.get('connectionInfo', async () => {
+      const snapshots = await this.getActiveConnectionSnapshots({ limit: 10000 });
+      const connectionsByRoute = new Map<string, { count: number; lastActivity: Date }>();
+
+      for (const snapshot of snapshots) {
+        const source = snapshot.routeId || snapshot.domain || `${snapshot.protocol || 'connection'}:${snapshot.localPort}`;
+        const existing = connectionsByRoute.get(source) || { count: 0, lastActivity: new Date(snapshot.startedAtMs) };
+        existing.count++;
+        if (snapshot.startedAtMs > existing.lastActivity.getTime()) {
+          existing.lastActivity = new Date(snapshot.startedAtMs);
+        }
+        connectionsByRoute.set(source, existing);
      }

-      const connectionsByRoute = proxyMetrics.connections.byRoute();
      const connectionInfo: Array<{ type: string; count: number; source: string; lastActivity: Date }> = [];
-      
-      for (const [routeName, count] of connectionsByRoute) {
+      for (const [source, info] of connectionsByRoute) {
        connectionInfo.push({
          type: 'https',
-          count,
-          source: routeName,
-          lastActivity: new Date(),
+          count: info.count,
+          source,
+          lastActivity: info.lastActivity,
        });
      }
-      
+
      return connectionInfo;
    });
  }
@@ -545,8 +564,9 @@ export class MetricsManager {
  // Get network metrics from SmartProxy
  public async getNetworkStats() {
    // Use shorter cache TTL for network stats to ensure real-time updates
-    return this.metricsCache.get('networkStats', () => {
-      const proxyMetrics = this.dcRouter.smartProxy ? this.dcRouter.smartProxy.getMetrics() : null;
+    return this.metricsCache.get('networkStats', async () => {
+      const smartProxy = this.dcRouter.smartProxy;
+      const proxyMetrics = smartProxy ? smartProxy.getMetrics() : null;

      if (!proxyMetrics) {
        return {
@@ -554,6 +574,7 @@ export class MetricsManager {
          throughputRate: { bytesInPerSecond: 0, bytesOutPerSecond: 0 },
          topIPs: [] as Array<{ ip: string; count: number }>,
          topIPsByBandwidth: [] as Array<{ ip: string; count: number; bwIn: number; bwOut: number }>,
+          topASNs: [] as IAsnActivity[],
          totalDataTransferred: { bytesIn: 0, bytesOut: 0 },
          throughputHistory: [] as Array<{ timestamp: number; in: number; out: number }>,
          throughputByIP: new Map<string, { in: number; out: number }>(),
@@ -566,8 +587,22 @@ export class MetricsManager {
        };
      }

-      // Get metrics using the new API
-      const connectionsByIP = proxyMetrics.connections.byIP();
+      const activeConnectionSnapshots = await this.getActiveConnectionSnapshots({ limit: 10000 });
+
+      const connectionsByIP = new Map<string, number>();
+      const connectionsByRoute = new Map<string, number>();
+      const activeConnectionsByDomain = new Map<string, number>();
+
+      for (const snapshot of activeConnectionSnapshots) {
+        connectionsByIP.set(snapshot.sourceIp, (connectionsByIP.get(snapshot.sourceIp) || 0) + 1);
+        if (snapshot.routeId) {
+          connectionsByRoute.set(snapshot.routeId, (connectionsByRoute.get(snapshot.routeId) || 0) + 1);
+        }
+        if (snapshot.domain) {
+          activeConnectionsByDomain.set(snapshot.domain, (activeConnectionsByDomain.get(snapshot.domain) || 0) + 1);
+        }
+      }
+
      const instantThroughput = proxyMetrics.throughput.instant();

      // Get throughput rate
@@ -576,8 +611,11 @@ export class MetricsManager {
        bytesOutPerSecond: instantThroughput.out
      };

-      // Get top IPs by connection count
-      const topIPs = proxyMetrics.connections.topIPs(10);
+      // Get top IPs by active connection count
+      const topIPs = Array.from(connectionsByIP.entries())
+        .sort((a, b) => b[1] - a[1])
+        .slice(0, 10)
+        .map(([ip, count]) => ({ ip, count }));

      // Get total data transferred
      const totalDataTransferred = {
@@ -725,10 +763,17 @@ export class MetricsManager {
        .slice(0, 10)
        .map(([ip, data]) => ({ ip, count: data.count, bwIn: data.bwIn, bwOut: data.bwOut }));

-      void this.dcRouter.securityPolicyManager?.observeIps([...allIPData.keys()]);
+      const observedIps = [...new Set([
+        ...connectionsByIP.keys(),
+        ...throughputByIP.keys(),
+        ...topIPs.map((item) => item.ip),
+        ...topIPsByBandwidth.map((item) => item.ip),
+      ])];
+      this.dcRouter.securityPolicyManager?.queueObservedIps(observedIps);
+
+      const topASNs = await this.buildTopASNs(observedIps, allIPData);

      // Build domain activity using per-IP domain request counts from Rust engine
-      const connectionsByRoute = proxyMetrics.connections.byRoute();
      const throughputByRoute = proxyMetrics.throughput.byRoute();

      // Aggregate per-IP domain request counts into per-domain totals
@@ -763,6 +808,9 @@ export class MetricsManager {
      for (const entry of protocolCache) {
        if (entry.domain) allKnownDomains.add(entry.domain);
      }
+      for (const snapshot of activeConnectionSnapshots) {
+        if (snapshot.domain) allKnownDomains.add(snapshot.domain);
+      }

      // Build reverse map: concrete domain → canonical route key(s)
      const domainToRoutes = new Map<string, string[]>();
@@ -834,7 +882,7 @@ export class MetricsManager {
        }

        domainAgg.set(domain, {
-          activeConnections: Math.round(totalConns),
+          activeConnections: activeConnectionsByDomain.get(domain) ?? Math.round(totalConns),
          bytesInPerSec: totalIn,
          bytesOutPerSec: totalOut,
          routeCount: routeKeys.length,
@@ -869,6 +917,7 @@ export class MetricsManager {
        throughputRate,
        topIPs,
        topIPsByBandwidth,
+        topASNs,
        totalDataTransferred,
        throughputHistory,
        throughputByIP,
@@ -882,6 +931,60 @@ export class MetricsManager {
    }, 1000); // 1s cache — matches typical dashboard poll interval
  }

+  private async buildTopASNs(
+    observedIps: string[],
+    allIPData: Map<string, { count: number; bwIn: number; bwOut: number }>,
+  ): Promise<IAsnActivity[]> {
+    const manager = this.dcRouter.securityPolicyManager;
+    if (!manager || observedIps.length === 0) {
+      return [];
+    }
+
+    const intelligenceRecords = await manager.listIpIntelligence({
+      ipAddresses: observedIps,
+      limit: Math.max(100, observedIps.length),
+    });
+    const asnActivity = new Map<number, IAsnActivity>();
+
+    for (const record of intelligenceRecords) {
+      if (typeof record.asn !== 'number') continue;
+
+      const ipData = allIPData.get(record.ipAddress);
+      if (!ipData) continue;
+
+      const existing = asnActivity.get(record.asn);
+      const activity = existing || {
+        asn: record.asn,
+        organization: record.asnOrg || record.registrantOrg || `AS${record.asn}`,
+        country: record.countryCode || record.country || record.registrantCountry || null,
+        activeConnections: 0,
+        ipCount: 0,
+        bytesInPerSecond: 0,
+        bytesOutPerSecond: 0,
+        sampleIps: [],
+      };
+
+      activity.activeConnections += ipData.count;
+      activity.bytesInPerSecond += ipData.bwIn;
+      activity.bytesOutPerSecond += ipData.bwOut;
+      activity.ipCount++;
+      if (activity.sampleIps.length < 5) {
+        activity.sampleIps.push(record.ipAddress);
+      }
+      asnActivity.set(record.asn, activity);
+    }
+
+    return [...asnActivity.values()]
+      .sort((a, b) => {
+        const connectionDiff = b.activeConnections - a.activeConnections;
+        if (connectionDiff !== 0) return connectionDiff;
+        const bandwidthA = a.bytesInPerSecond + a.bytesOutPerSecond;
+        const bandwidthB = b.bytesInPerSecond + b.bytesOutPerSecond;
+        return bandwidthB - bandwidthA;
+      })
+      .slice(0, 10);
+  }
+
  // --- Time-series helpers ---

  private static minuteKey(ts: number = Date.now()): number {
@@ -24,7 +24,8 @@ export class AdminHandler {
  // JWT instance
  public smartjwtInstance!: plugins.smartjwt.SmartJwt<IJwtData>;
  
-  // Ephemeral bootstrap users. Persisted accounts take over once an active admin exists.
+  // Ephemeral bootstrap users. DB-backed instances may use these only until the
+  // database is ready and the first persistent admin account has been created.
  private users = new Map<string, {
    id: string;
    username: string;
@@ -87,9 +88,12 @@ export class AdminHandler {
   * Used by UsersHandler to serve the admin-only listUsers endpoint.
   */
  public async listUsers(): Promise<interfaces.requests.IAdminUserProjection[]> {
-    if (await this.hasPersistentAdminAccount()) {
-      const store = this.getAccountStore();
-      const accounts = await store!.listAccounts();
+    const accountState = await this.getPersistentAccountState();
+    if (accountState.dbEnabled && !accountState.dbReady) {
+      throw new plugins.typedrequest.TypedResponseError('database is not ready');
+    }
+    if (accountState.hasPersistentAdmin) {
+      const accounts = await accountState.store!.listAccounts();
      return accounts.map((accountArg) => this.accountToUser(accountArg));
    }

@@ -101,16 +105,14 @@ export class AdminHandler {
  }

  public async getBootstrapStatus(): Promise<interfaces.requests.IReq_GetAdminBootstrapStatus['response']> {
-    const dbEnabled = this.opsServerRef.dcRouterRef.options.dbConfig?.enabled !== false;
-    const store = this.getAccountStore();
-    const dbReady = !!store;
-    const hasPersistentAdmin = dbReady ? await store.hasActiveAdminAccount() : false;
+    const accountState = await this.getPersistentAccountState();
+    const bootstrapAvailable = !accountState.dbEnabled || (accountState.dbReady && !accountState.hasPersistentAdmin);
    return {
-      dbEnabled,
-      dbReady,
-      hasPersistentAdmin,
-      needsBootstrap: dbEnabled && dbReady && !hasPersistentAdmin,
-      ephemeralAdminAvailable: !hasPersistentAdmin,
+      dbEnabled: accountState.dbEnabled,
+      dbReady: accountState.dbReady,
+      hasPersistentAdmin: accountState.hasPersistentAdmin,
+      needsBootstrap: accountState.dbEnabled && accountState.dbReady && !accountState.hasPersistentAdmin,
+      ephemeralAdminAvailable: bootstrapAvailable,
      idpGlobalConfigured: this.isIdpGlobalConfigured(),
    };
  }
@@ -408,10 +410,14 @@ export class AdminHandler {
    password: string;
    authSource?: interfaces.requests.TAdminLoginAuthSource;
  }): Promise<TAdminUser | null> {
-    if (await this.hasPersistentAdminAccount()) {
-      const store = this.getAccountStore();
+    const accountState = await this.getPersistentAccountState();
+    if (accountState.dbEnabled && !accountState.dbReady) {
+      throw new plugins.typedrequest.TypedResponseError('database is not ready');
+    }
+
+    if (accountState.hasPersistentAdmin) {
      const authService = new plugins.idpSdkServer.AccountAuthService({
-        store: store!,
+        store: accountState.store!,
        idpClient: this.getIdpClient() as plugins.idpSdkServer.IdpGlobalServerClient | undefined,
      });
      const result = await authService.authenticate({
@@ -431,8 +437,13 @@ export class AdminHandler {
  }

  private async resolveUser(userIdArg: string): Promise<TAdminUser | null> {
-    if (await this.hasPersistentAdminAccount()) {
-      const account = await this.getAccountStore()!.getAccountById(userIdArg);
+    const accountState = await this.getPersistentAccountState();
+    if (accountState.dbEnabled && !accountState.dbReady) {
+      return null;
+    }
+
+    if (accountState.hasPersistentAdmin) {
+      const account = await accountState.store!.getAccountById(userIdArg);
      if (!account || account.status !== 'active') {
        return null;
      }
@@ -442,13 +453,25 @@ export class AdminHandler {
    return this.users.get(userIdArg) || null;
  }

-  private async hasPersistentAdminAccount(): Promise<boolean> {
-    const store = this.getAccountStore();
-    return store ? store.hasActiveAdminAccount() : false;
+  private async getPersistentAccountState(): Promise<{
+    dbEnabled: boolean;
+    dbReady: boolean;
+    store: plugins.idpSdkServer.SmartdataAccountStore | null;
+    hasPersistentAdmin: boolean;
+  }> {
+    const dbEnabled = this.isPersistenceEnabled();
+    const store = dbEnabled ? this.getAccountStore() : null;
+    const dbReady = !!store;
+    const hasPersistentAdmin = store ? await store.hasActiveAdminAccount() : false;
+    return { dbEnabled, dbReady, store, hasPersistentAdmin };
+  }
+
+  private isPersistenceEnabled(): boolean {
+    return this.opsServerRef.dcRouterRef.options.dbConfig?.enabled !== false;
  }

  private getAccountStore(): plugins.idpSdkServer.SmartdataAccountStore | null {
-    if (this.opsServerRef.dcRouterRef.options.dbConfig?.enabled === false) {
+    if (!this.isPersistenceEnabled()) {
      return null;
    }
    const dcRouterDb = this.opsServerRef.dcRouterRef.dcRouterDb;
@@ -67,6 +67,7 @@ export class RemoteIngressHandler {
            dataArg.listenPorts || [],
            dataArg.tags,
            dataArg.autoDerivePorts ?? true,
+            dataArg.performance,
          );

          // Sync allowed edges with the hub
@@ -129,6 +130,7 @@ export class RemoteIngressHandler {
            listenPorts: dataArg.listenPorts,
            autoDerivePorts: dataArg.autoDerivePorts,
            enabled: dataArg.enabled,
+            performance: dataArg.performance,
            tags: dataArg.tags,
          });

@@ -1,7 +1,6 @@
 import * as plugins from '../../plugins.js';
 import type { OpsServer } from '../classes.opsserver.js';
 import * as interfaces from '../../../ts_interfaces/index.js';
-import { MetricsManager } from '../../monitoring/index.js';
 import { requireOpsAuth } from '../helpers/auth.js';

 export class SecurityHandler {
@@ -46,18 +45,7 @@ export class SecurityHandler {
        'getActiveConnections',
        async (dataArg, toolsArg) => {
          await requireOpsAuth(this.opsServerRef, dataArg, { scope: 'stats:read' });
-          const connections = await this.getActiveConnections(dataArg.protocol, dataArg.state);
-          const connectionInfos: interfaces.data.IConnectionInfo[] = connections.map(conn => ({
-            id: conn.id,
-            remoteAddress: conn.source.ip,
-            localAddress: conn.destination.ip,
-            startTime: conn.startTime,
-            protocol: conn.type === 'http' ? 'https' : conn.type as any,
-            state: conn.status === 'active' ? 'connected' : conn.status as any,
-            bytesReceived: (conn as any)._throughputIn || 0,
-            bytesSent: (conn as any)._throughputOut || 0,
-            connectionCount: conn.bytesTransferred || 1,
-          }));
+          const connectionInfos = await this.getActiveConnections(dataArg.protocol, dataArg.state);
          const totalConnections = connectionInfos.reduce((sum, conn) => sum + (conn.connectionCount || 1), 0);
          
          const summary = {
@@ -103,6 +91,7 @@ export class SecurityHandler {
              throughputRate: networkStats.throughputRate,
              topIPs: networkStats.topIPs,
              topIPsByBandwidth: networkStats.topIPsByBandwidth,
+              topASNs: networkStats.topASNs,
              totalDataTransferred: networkStats.totalDataTransferred,
              throughputHistory: networkStats.throughputHistory || [],
              throughputByIP,
@@ -121,6 +110,7 @@ export class SecurityHandler {
            throughputRate: { bytesInPerSecond: 0, bytesOutPerSecond: 0 },
            topIPs: [],
            topIPsByBandwidth: [],
+            topASNs: [],
            totalDataTransferred: { bytesIn: 0, bytesOut: 0 },
            throughputHistory: [],
            throughputByIP: [],
@@ -180,7 +170,14 @@ export class SecurityHandler {
        async (dataArg) => {
          await requireOpsAuth(this.opsServerRef, dataArg, { scope: 'security:read' });
          const manager = this.opsServerRef.dcRouterRef.securityPolicyManager;
-          return { records: manager ? await manager.listIpIntelligence() : [] };
+          return {
+            records: manager
+              ? await manager.listIpIntelligence({
+                  ipAddresses: dataArg.ipAddresses,
+                  limit: dataArg.limit,
+                })
+              : [],
+          };
        },
      ),
    );
@@ -353,106 +350,66 @@ export class SecurityHandler {
  private async getActiveConnections(
    protocol?: 'http' | 'https' | 'smtp' | 'smtps',
    state?: string
-  ): Promise<Array<{
-    id: string;
-    type: 'http' | 'smtp' | 'dns';
-    source: {
-      ip: string;
-      port: number;
-      country?: string;
-    };
-    destination: {
-      ip: string;
-      port: number;
-      service?: string;
-    };
-    startTime: number;
-    bytesTransferred: number;
-    status: 'active' | 'idle' | 'closing';
-  }>> {
-    const connections: Array<{
-      id: string;
-      type: 'http' | 'smtp' | 'dns';
-      source: {
-        ip: string;
-        port: number;
-        country?: string;
-      };
-      destination: {
-        ip: string;
-        port: number;
-        service?: string;
-      };
-      startTime: number;
-      bytesTransferred: number;
-      status: 'active' | 'idle' | 'closing';
-    }> = [];
-    
-    // Get connection info and network stats from MetricsManager if available
-    if (this.opsServerRef.dcRouterRef.metricsManager) {
-      const connectionInfo = await this.opsServerRef.dcRouterRef.metricsManager.getConnectionInfo();
-      const networkStats = await this.opsServerRef.dcRouterRef.metricsManager.getNetworkStats();
-      
-      // One aggregate row per IP with real throughput data
-      if (networkStats.connectionsByIP && networkStats.connectionsByIP.size > 0) {
-        let connIndex = 0;
-        const publicIp = this.opsServerRef.dcRouterRef.options.publicIp || 'server';
+  ): Promise<interfaces.data.IConnectionInfo[]> {
+    const metricsManager = this.opsServerRef.dcRouterRef.metricsManager;
+    if (!metricsManager) {
+      return [];
+    }

-        for (const [ip, count] of networkStats.connectionsByIP) {
-          const tp = networkStats.throughputByIP?.get(ip);
-          connections.push({
-            id: `ip-${connIndex++}`,
-            type: 'http',
-            source: {
-              ip: ip,
-              port: 0,
-            },
-            destination: {
-              ip: publicIp,
-              port: 443,
-              service: 'proxy',
-            },
-            startTime: 0,
-            bytesTransferred: count, // Store connection count here
-            status: 'active',
-            // Attach real throughput for the handler mapping
-            ...(tp ? { _throughputIn: tp.in, _throughputOut: tp.out } : {}),
-          } as any);
-        }
-      } else if (connectionInfo.length > 0) {
-        // Fallback to route-based connection info if no IP data available
-        connectionInfo.forEach((info, index) => {
-          connections.push({
-            id: `conn-${index}`,
-            type: 'http',
-            source: {
-              ip: 'unknown',
-              port: 0,
-            },
-            destination: {
-              ip: this.opsServerRef.dcRouterRef.options.publicIp || 'server',
-              port: 443,
-              service: info.source,
-            },
-            startTime: info.lastActivity.getTime(),
-            bytesTransferred: 0,
-            status: 'active',
-          });
-        });
+    const snapshots = await metricsManager.getActiveConnectionSnapshots({ limit: 10000 });
+    const connections = snapshots.map((snapshot): interfaces.data.IConnectionInfo => ({
+      id: String(snapshot.id),
+      remoteAddress: snapshot.sourcePort === null
+        ? snapshot.sourceIp
+        : `${snapshot.sourceIp}:${snapshot.sourcePort}`,
+      localAddress: snapshot.targetHost
+        ? `${snapshot.targetHost}:${snapshot.targetPort ?? snapshot.localPort}`
+        : `${this.opsServerRef.dcRouterRef.options.publicIp || 'server'}:${snapshot.localPort}`,
+      startTime: snapshot.startedAtMs,
+      protocol: this.mapSnapshotProtocol(snapshot),
+      state: this.mapSnapshotState(snapshot.state),
+      bytesReceived: snapshot.bytesIn,
+      bytesSent: snapshot.bytesOut,
+    }));
+
+    return connections.filter((connection) => {
+      if (protocol && connection.protocol !== protocol) {
+        return false;
      }
+      if (state && connection.state !== state) {
+        return false;
+      }
+      return true;
+    });
+  }
+
+  private mapSnapshotProtocol(
+    snapshot: plugins.smartproxy.IActiveConnectionSnapshot,
+  ): interfaces.data.IConnectionInfo['protocol'] {
+    if (snapshot.localPort === 465) {
+      return 'smtps';
    }
-    
-    // Filter by protocol if specified
-    if (protocol) {
-      return connections.filter(conn => {
-        if (protocol === 'https' || protocol === 'http') {
-          return conn.type === 'http';
-        }
-        return conn.type === protocol.replace('s', ''); // smtp/smtps -> smtp
-      });
+    if ([25, 587, 2525].includes(snapshot.localPort)) {
+      return 'smtp';
    }
-    
-    return connections;
+
+    switch (snapshot.protocol) {
+      case 'http':
+        return 'http';
+      case 'https':
+      case 'tls':
+      case 'tls-passthrough':
+      case 'tls-reencrypt':
+      case 'tls-socket-handler':
+      case 'quic':
+        return 'https';
+      default:
+        return snapshot.localPort === 80 ? 'http' : 'https';
+    }
+  }
+
+  private mapSnapshotState(state: string): interfaces.data.IConnectionInfo['state'] {
+    return state === 'closing' ? 'closing' : 'connected';
  }
  
  private async getRateLimitStatus(
@@ -334,6 +334,7 @@ export class StatsHandler {
                    connections: ip.count,
                    bandwidth: { in: ip.bwIn, out: ip.bwOut },
                  })),
+                  topASNs: stats.topASNs || [],
                  domainActivity: stats.domainActivity || [],
                  throughputHistory: stats.throughputHistory || [],
                  requestsPerSecond: stats.requestsPerSecond || 0,
@@ -69,6 +69,7 @@ export class TargetProfileHandler {
            domains: dataArg.domains,
            targets: dataArg.targets,
            routeRefs: dataArg.routeRefs,
+            allowRoutesByClientSourceIp: dataArg.allowRoutesByClientSourceIp,
            createdBy: userId,
          });
          await this.opsServerRef.dcRouterRef.routeConfigManager?.applyRoutes();
@@ -94,6 +95,7 @@ export class TargetProfileHandler {
            domains: dataArg.domains,
            targets: dataArg.targets,
            routeRefs: dataArg.routeRefs,
+            allowRoutesByClientSourceIp: dataArg.allowRoutesByClientSourceIp,
          });
          // Re-apply routes and refresh VPN client security to update access
          await this.opsServerRef.dcRouterRef.routeConfigManager?.applyRoutes();
@@ -102,6 +102,8 @@ export class VpnHandler {
              bytesSent: c.bytesSent,
              bytesReceived: c.bytesReceived,
              transport: c.transportType,
+              remoteAddr: c.remoteAddr,
+              sourceIp: manager.getClientSourceIp(c.registeredClientId || c.clientId),
            })),
          };
        },
@@ -1,13 +1,13 @@
 // node native
-import * as dns from 'dns';
-import * as fs from 'fs';
-import * as crypto from 'crypto';
-import * as http from 'http';
-import * as net from 'net';
-import * as os from 'os';
-import * as path from 'path';
-import * as tls from 'tls';
-import * as util from 'util';
+import * as dns from 'node:dns';
+import * as fs from 'node:fs';
+import * as crypto from 'node:crypto';
+import * as http from 'node:http';
+import * as net from 'node:net';
+import * as os from 'node:os';
+import * as path from 'node:path';
+import * as tls from 'node:tls';
+import * as util from 'node:util';

 export {
  dns,
@@ -91,7 +91,6 @@ export class RadiusServer {
  private vlanManager: VlanManager;
  private accountingManager: AccountingManager;
  private config: IRadiusServerConfig;
-  private clientSecrets: Map<string, string> = new Map();
  private running: boolean = false;

  // Statistics
@@ -138,24 +137,18 @@ export class RadiusServer {
      await this.vlanManager.importMappings(this.config.vlanAssignment.mappings);
    }

-    // Build client secrets map
-    this.buildClientSecretsMap();
+    const cidrSecrets = this.buildClientSecretsMap();

    // Create the RADIUS server
    this.radiusServer = new plugins.smartradius.RadiusServer({
      authPort: this.config.authPort,
      acctPort: this.config.acctPort,
      bindAddress: this.config.bindAddress,
-      defaultSecret: this.getDefaultSecret(),
+      cidrSecrets,
      authenticationHandler: this.handleAuthentication.bind(this),
      accountingHandler: this.handleAccounting.bind(this),
    });

-    // Configure per-client secrets
-    for (const [ip, secret] of this.clientSecrets) {
-      this.radiusServer.setClientSecret(ip, secret);
-    }
-
    // Start the server
    await this.radiusServer.start();

@@ -189,19 +182,22 @@ export class RadiusServer {
  /**
   * Handle authentication request
   */
-  private async handleAuthentication(request: any): Promise<any> {
+  private async handleAuthentication(
+    request: plugins.smartradius.IAuthenticationRequest,
+  ): Promise<plugins.smartradius.IAuthenticationResponse> {
    this.stats.authRequests++;

    const authData: IAuthRequestData = {
-      username: request.attributes?.UserName || '',
-      password: request.attributes?.UserPassword,
-      nasIpAddress: request.attributes?.NasIpAddress || request.source?.address || '',
-      nasPort: request.attributes?.NasPort,
-      nasPortType: request.attributes?.NasPortType,
-      nasIdentifier: request.attributes?.NasIdentifier,
-      calledStationId: request.attributes?.CalledStationId,
-      callingStationId: request.attributes?.CallingStationId,
-      serviceType: request.attributes?.ServiceType,
+      username: request.username || '',
+      password: request.password,
+      nasIpAddress: request.nasIpAddress || request.clientAddress || '',
+      nasPort: request.nasPort,
+      nasPortType: request.nasPortType !== undefined ? String(request.nasPortType) : undefined,
+      nasIdentifier: request.nasIdentifier,
+      calledStationId: request.calledStationId,
+      callingStationId: request.callingStationId,
+      serviceType: request.serviceType !== undefined ? String(request.serviceType) : undefined,
+      framedMtu: request.framedMtu,
    };

    logger.log('debug', `RADIUS Auth Request: user=${authData.username}, NAS=${authData.nasIpAddress}`);
@@ -215,15 +211,15 @@ export class RadiusServer {
      logger.log('info', `RADIUS Auth Accept: user=${authData.username}, VLAN=${result.vlanId}`);

      // Build response with VLAN attributes
-      const response: any = {
+      const response: plugins.smartradius.IAuthenticationResponse = {
        code: plugins.smartradius.ERadiusCode.AccessAccept,
        replyMessage: result.replyMessage,
      };

      // Add VLAN attributes if assigned
      if (result.vlanId !== undefined) {
-        response.tunnelType = 13; // VLAN
-        response.tunnelMediumType = 6; // IEEE 802
+        response.tunnelType = plugins.smartradius.ETunnelType.Vlan;
+        response.tunnelMediumType = plugins.smartradius.ETunnelMediumType.Ieee802;
        response.tunnelPrivateGroupId = String(result.vlanId);
      }

@@ -257,34 +253,37 @@ export class RadiusServer {
  /**
   * Handle accounting request
   */
-  private async handleAccounting(request: any): Promise<any> {
+  private async handleAccounting(
+    request: plugins.smartradius.IAccountingRequest,
+  ): Promise<plugins.smartradius.IAccountingResponse> {
    this.stats.accountingRequests++;

    if (!this.config.accounting?.enabled) {
      // Still respond even if not tracking
-      return { code: plugins.smartradius.ERadiusCode.AccountingResponse };
+      return { success: true };
    }

-    const statusType = request.attributes?.AcctStatusType;
-    const sessionId = request.attributes?.AcctSessionId || '';
+    const statusType = request.statusType;
+    const sessionId = request.sessionId || '';

    const accountingData = {
      sessionId,
-      username: request.attributes?.UserName || '',
-      macAddress: request.attributes?.CallingStationId,
-      nasIpAddress: request.attributes?.NasIpAddress || request.source?.address || '',
-      nasPort: request.attributes?.NasPort,
-      nasPortType: request.attributes?.NasPortType,
-      nasIdentifier: request.attributes?.NasIdentifier,
-      calledStationId: request.attributes?.CalledStationId,
-      callingStationId: request.attributes?.CallingStationId,
-      inputOctets: request.attributes?.AcctInputOctets,
-      outputOctets: request.attributes?.AcctOutputOctets,
-      inputPackets: request.attributes?.AcctInputPackets,
-      outputPackets: request.attributes?.AcctOutputPackets,
-      sessionTime: request.attributes?.AcctSessionTime,
-      terminateCause: request.attributes?.AcctTerminateCause,
-      serviceType: request.attributes?.ServiceType,
+      username: request.username || '',
+      macAddress: request.callingStationId,
+      nasIpAddress: request.nasIpAddress || request.clientAddress || '',
+      nasPort: request.nasPort,
+      nasPortType: request.nasPortType !== undefined ? String(request.nasPortType) : undefined,
+      nasIdentifier: request.nasIdentifier,
+      calledStationId: request.calledStationId,
+      callingStationId: request.callingStationId,
+      inputOctets: request.inputOctets,
+      outputOctets: request.outputOctets,
+      inputPackets: request.inputPackets,
+      outputPackets: request.outputPackets,
+      sessionTime: request.sessionTime,
+      terminateCause: request.terminateCause !== undefined ? String(request.terminateCause) : undefined,
+      framedIpAddress: request.framedIpAddress,
+      serviceType: request.serviceType !== undefined ? String(request.serviceType) : undefined,
    };

    try {
@@ -311,7 +310,7 @@ export class RadiusServer {
      logger.log('error', `RADIUS accounting error: ${(error as Error).message}`);
    }

-    return { code: plugins.smartradius.ERadiusCode.AccountingResponse };
+    return { success: true };
  }

  /**
@@ -391,37 +390,18 @@ export class RadiusServer {
  /**
   * Build client secrets map from configuration
   */
-  private buildClientSecretsMap(): void {
-    this.clientSecrets.clear();
+  private buildClientSecretsMap(): Record<string, string> {
+    const cidrSecrets: Record<string, string> = {};

    for (const client of this.config.clients) {
      if (!client.enabled) {
        continue;
      }

-      // Handle CIDR ranges
-      if (client.ipRange.includes('/')) {
-        // For CIDR ranges, we'll use the network address as key
-        // In practice, smartradius may handle this differently
-        const [network] = client.ipRange.split('/');
-        this.clientSecrets.set(network, client.secret);
-      } else {
-        this.clientSecrets.set(client.ipRange, client.secret);
-      }
+      cidrSecrets[client.ipRange] = client.secret;
    }
-  }

-  /**
-   * Get default secret for unknown clients
-   */
-  private getDefaultSecret(): string {
-    // Use first enabled client's secret as default, or a random one
-    for (const client of this.config.clients) {
-      if (client.enabled) {
-        return client.secret;
-      }
-    }
-    return plugins.crypto.randomBytes(16).toString('hex');
+    return cidrSecrets;
  }

  /**
@@ -430,21 +410,19 @@ export class RadiusServer {
  async addClient(client: IRadiusClient): Promise<void> {
    // Check if client already exists
    const existingIndex = this.config.clients.findIndex(c => c.name === client.name);
+    const previousClient = existingIndex >= 0 ? this.config.clients[existingIndex] : undefined;
    if (existingIndex >= 0) {
      this.config.clients[existingIndex] = client;
    } else {
      this.config.clients.push(client);
    }

-    // Update client secrets if running
-    if (this.running && this.radiusServer && client.enabled) {
-      if (client.ipRange.includes('/')) {
-        const [network] = client.ipRange.split('/');
-        this.radiusServer.setClientSecret(network, client.secret);
-        this.clientSecrets.set(network, client.secret);
-      } else {
-        this.radiusServer.setClientSecret(client.ipRange, client.secret);
-        this.clientSecrets.set(client.ipRange, client.secret);
+    if (this.running && this.radiusServer) {
+      if (previousClient) {
+        this.radiusServer.removeNetworkSecret(previousClient.ipRange);
+      }
+      if (client.enabled) {
+        this.radiusServer.setNetworkSecret(client.ipRange, client.secret);
      }
    }

@@ -460,12 +438,8 @@ export class RadiusServer {
      const client = this.config.clients[index];
      this.config.clients.splice(index, 1);

-      // Remove from secrets map
-      if (client.ipRange.includes('/')) {
-        const [network] = client.ipRange.split('/');
-        this.clientSecrets.delete(network);
-      } else {
-        this.clientSecrets.delete(client.ipRange);
+      if (this.radiusServer) {
+        this.radiusServer.removeNetworkSecret(client.ipRange);
      }

      logger.log('info', `RADIUS client removed: ${name}`);
@@ -1,29 +1,13 @@
 import * as plugins from '../plugins.js';
-import type { IRemoteIngress, IDcRouterRouteConfig } from '../../ts_interfaces/data/remoteingress.js';
+import type { IRemoteIngress, IRemoteIngressPerformanceConfig, IDcRouterRouteConfig } from '../../ts_interfaces/data/remoteingress.js';
 import { RemoteIngressEdgeDoc } from '../db/index.js';

 interface IRemoteIngressFirewallConfig {
  blockedIps?: string[];
 }

-/**
- * Flatten a port range (number | number[] | Array<{from, to}>) to a sorted unique number array.
- */
-function extractPorts(portRange: number | Array<number | { from: number; to: number }>): number[] {
-  const ports = new Set<number>();
-  if (typeof portRange === 'number') {
-    ports.add(portRange);
-  } else if (Array.isArray(portRange)) {
-    for (const entry of portRange) {
-      if (typeof entry === 'number') {
-        ports.add(entry);
-      } else if (typeof entry === 'object' && 'from' in entry && 'to' in entry) {
-        for (let p = entry.from; p <= entry.to; p++) {
-          ports.add(p);
-        }
-      }
-    }
-  }
+function extractPorts(portRange: plugins.smartproxy.IRouteConfig['match']['ports']): number[] {
+  const ports = new Set<number>(plugins.smartproxy.expandPortRange(portRange) as number[]);
  return [...ports].sort((a, b) => a - b);
 }

@@ -59,6 +43,7 @@ export class RemoteIngressManager {
        listenPortsUdp: doc.listenPortsUdp,
        enabled: doc.enabled,
        autoDerivePorts: doc.autoDerivePorts,
+        performance: doc.performance,
        tags: doc.tags,
        createdAt: doc.createdAt,
        updatedAt: doc.updatedAt,
@@ -189,6 +174,7 @@ export class RemoteIngressManager {
    listenPorts: number[] = [],
    tags?: string[],
    autoDerivePorts: boolean = true,
+    performance?: IRemoteIngressPerformanceConfig,
  ): Promise<IRemoteIngress> {
    const id = plugins.uuid.v4();
    const secret = plugins.crypto.randomBytes(32).toString('hex');
@@ -201,6 +187,7 @@ export class RemoteIngressManager {
      listenPorts,
      enabled: true,
      autoDerivePorts,
+      performance,
      tags: tags || [],
      createdAt: now,
      updatedAt: now,
@@ -237,6 +224,7 @@ export class RemoteIngressManager {
      listenPorts?: number[];
      autoDerivePorts?: boolean;
      enabled?: boolean;
+      performance?: IRemoteIngressPerformanceConfig;
      tags?: string[];
    },
  ): Promise<IRemoteIngress | null> {
@@ -249,6 +237,7 @@ export class RemoteIngressManager {
    if (updates.listenPorts !== undefined) edge.listenPorts = updates.listenPorts;
    if (updates.autoDerivePorts !== undefined) edge.autoDerivePorts = updates.autoDerivePorts;
    if (updates.enabled !== undefined) edge.enabled = updates.enabled;
+    if (updates.performance !== undefined) edge.performance = updates.performance;
    if (updates.tags !== undefined) edge.tags = updates.tags;
    edge.updatedAt = Date.now();

@@ -317,17 +306,19 @@ export class RemoteIngressManager {
   * Get the list of allowed edges (enabled only) for the Rust hub.
   * Includes listenPortsUdp when routes with transport 'udp' or 'all' are present.
   */
-  public getAllowedEdges(): Array<{ id: string; secret: string; listenPorts: number[]; listenPortsUdp?: number[]; firewallConfig?: IRemoteIngressFirewallConfig }> {
-    const result: Array<{ id: string; secret: string; listenPorts: number[]; listenPortsUdp?: number[]; firewallConfig?: IRemoteIngressFirewallConfig }> = [];
+  public getAllowedEdges(): Array<{ id: string; secret: string; listenPorts: number[]; listenPortsUdp?: number[]; firewallConfig?: IRemoteIngressFirewallConfig; performance?: IRemoteIngressPerformanceConfig }> {
+    const result: Array<{ id: string; secret: string; listenPorts: number[]; listenPortsUdp?: number[]; firewallConfig?: IRemoteIngressFirewallConfig; performance?: IRemoteIngressPerformanceConfig }> = [];
    for (const edge of this.edges.values()) {
      if (edge.enabled) {
        const listenPortsUdp = this.getEffectiveListenPortsUdp(edge);
+        const performance = edge.performance && Object.keys(edge.performance).length > 0 ? edge.performance : undefined;
        result.push({
          id: edge.id,
          secret: edge.secret,
          listenPorts: this.getEffectiveListenPorts(edge),
          ...(listenPortsUdp.length > 0 ? { listenPortsUdp } : {}),
          ...(this.firewallConfig ? { firewallConfig: this.firewallConfig } : {}),
+          ...(performance ? { performance } : {}),
        });
      }
    }
@@ -19,12 +19,24 @@ export interface IRemoteIngressFirewallSnapshot {
  blockedIps: string[];
 }

+const OBSERVED_IP_QUEUE_LIMIT = 512;
+const OBSERVED_IP_BATCH_LIMIT = 20;
+const OBSERVED_IP_QUEUE_CONCURRENCY = 2;
+const OBSERVED_IP_REQUEUE_THROTTLE_MS = 60_000;
+
 export class SecurityPolicyManager {
  private readonly smartNetwork = new plugins.smartnetwork.SmartNetwork({
    cacheTtl: 24 * 60 * 60 * 1000,
+    ipIntelligenceTimeout: 5_000,
  });
  private readonly intelligenceRefreshMs: number;
-  private readonly inFlightObservations = new Set<string>();
+  private readonly inFlightObservations = new Map<string, Promise<void>>();
+  private readonly queuedObservations = new Set<string>();
+  private readonly observationQueue: string[] = [];
+  private readonly lastQueuedAt = new Map<string, number>();
+  private activeQueuedObservations = 0;
+  private queueDrainScheduled = false;
+  private isStopping = false;
  private readonly onPolicyChanged?: () => void | Promise<void>;

  constructor(options: ISecurityPolicyManagerOptions = {}) {
@@ -37,6 +49,9 @@ export class SecurityPolicyManager {
  }

  public async stop(): Promise<void> {
+    this.isStopping = true;
+    this.observationQueue.length = 0;
+    this.queuedObservations.clear();
    await this.smartNetwork.stop();
  }

@@ -45,13 +60,55 @@ export class SecurityPolicyManager {
    await Promise.allSettled(uniqueIps.map((ip) => this.observeIp(ip)));
  }

+  public queueObservedIps(ips: string[]): void {
+    if (this.isStopping) return;
+
+    const now = Date.now();
+    const uniqueIps = [...new Set(ips.map((ip) => this.normalizeIp(ip)).filter(Boolean) as string[])];
+
+    for (const ip of uniqueIps.slice(0, OBSERVED_IP_BATCH_LIMIT)) {
+      if (!this.isPublicIp(ip)) continue;
+      if (this.inFlightObservations.has(ip) || this.queuedObservations.has(ip)) continue;
+
+      const lastQueuedAt = this.lastQueuedAt.get(ip);
+      if (lastQueuedAt && now - lastQueuedAt < OBSERVED_IP_REQUEUE_THROTTLE_MS) continue;
+
+      if (this.observationQueue.length >= OBSERVED_IP_QUEUE_LIMIT) {
+        const droppedIp = this.observationQueue.shift();
+        if (droppedIp) this.queuedObservations.delete(droppedIp);
+      }
+
+      this.observationQueue.push(ip);
+      this.queuedObservations.add(ip);
+      this.lastQueuedAt.set(ip, now);
+    }
+
+    this.pruneQueuedIpMemory(now);
+    this.scheduleQueueDrain();
+  }
+
  public async observeIp(ipAddress: string, options: { force?: boolean } = {}): Promise<void> {
    const ip = this.normalizeIp(ipAddress);
-    if (!ip || !this.isPublicIp(ip) || this.inFlightObservations.has(ip)) {
+    if (!ip || !this.isPublicIp(ip)) {
      return;
    }

-    this.inFlightObservations.add(ip);
+    const existingObservation = this.inFlightObservations.get(ip);
+    if (existingObservation) {
+      await existingObservation;
+      if (!options.force) return;
+    }
+
+    const observationPromise = this.performObserveIp(ip, options).finally(() => {
+      if (this.inFlightObservations.get(ip) === observationPromise) {
+        this.inFlightObservations.delete(ip);
+      }
+    });
+    this.inFlightObservations.set(ip, observationPromise);
+    await observationPromise;
+  }
+
+  private async performObserveIp(ip: string, options: { force?: boolean } = {}): Promise<void> {
    try {
      const now = Date.now();
      let doc = await IpIntelligenceDoc.findByIp(ip);
@@ -81,8 +138,6 @@ export class SecurityPolicyManager {
      }
    } catch (err) {
      logger.log('warn', `Failed to enrich IP ${ip}: ${(err as Error).message}`);
-    } finally {
-      this.inFlightObservations.delete(ip);
    }
  }

@@ -90,8 +145,22 @@ export class SecurityPolicyManager {
    return (await SecurityBlockRuleDoc.findAll()).map((doc) => this.ruleFromDoc(doc));
  }

-  public async listIpIntelligence(): Promise<IIpIntelligenceRecord[]> {
-    return (await IpIntelligenceDoc.findAll()).map((doc) => this.intelligenceFromDoc(doc));
+  public async listIpIntelligence(options: { ipAddresses?: string[]; limit?: number } = {}): Promise<IIpIntelligenceRecord[]> {
+    const limit = Number.isInteger(options.limit) && options.limit! > 0
+      ? Math.min(options.limit!, 500)
+      : undefined;
+
+    let docs: IpIntelligenceDoc[];
+    if (options.ipAddresses?.length) {
+      const ips = [...new Set(options.ipAddresses.map((ip) => this.normalizeIp(ip)).filter(Boolean) as string[])];
+      const results = await Promise.all(ips.map((ip) => IpIntelligenceDoc.findByIp(ip)));
+      docs = results.filter(Boolean) as IpIntelligenceDoc[];
+    } else {
+      docs = await IpIntelligenceDoc.findAll();
+    }
+
+    const sortedDocs = docs.sort((a, b) => (b.lastSeenAt || 0) - (a.lastSeenAt || 0));
+    return (limit ? sortedDocs.slice(0, limit) : sortedDocs).map((doc) => this.intelligenceFromDoc(doc));
  }

  public async refreshIpIntelligence(ipAddress: string): Promise<IIpIntelligenceRecord | null> {
@@ -104,6 +173,45 @@ export class SecurityPolicyManager {
    return doc ? this.intelligenceFromDoc(doc) : null;
  }

+  private scheduleQueueDrain(): void {
+    if (this.queueDrainScheduled || this.isStopping) return;
+    this.queueDrainScheduled = true;
+    setTimeout(() => {
+      this.queueDrainScheduled = false;
+      this.drainObservationQueue();
+    }, 0);
+  }
+
+  private drainObservationQueue(): void {
+    if (this.isStopping) return;
+
+    while (
+      this.activeQueuedObservations < OBSERVED_IP_QUEUE_CONCURRENCY &&
+      this.observationQueue.length > 0
+    ) {
+      const ip = this.observationQueue.shift()!;
+      this.queuedObservations.delete(ip);
+      this.activeQueuedObservations++;
+      void this.observeIp(ip)
+        .catch(() => undefined)
+        .finally(() => {
+          this.activeQueuedObservations--;
+          if (this.observationQueue.length > 0) {
+            this.scheduleQueueDrain();
+          }
+        });
+    }
+  }
+
+  private pruneQueuedIpMemory(now: number): void {
+    if (this.lastQueuedAt.size <= OBSERVED_IP_QUEUE_LIMIT * 2) return;
+    for (const [ip, lastQueuedAt] of this.lastQueuedAt) {
+      if (now - lastQueuedAt > OBSERVED_IP_REQUEUE_THROTTLE_MS * 2) {
+        this.lastQueuedAt.delete(ip);
+      }
+    }
+  }
+
  public async listAuditEvents(limit = 100): Promise<ISecurityPolicyAuditEvent[]> {
    return (await SecurityPolicyAuditDoc.findRecent(limit)).map((doc) => ({
      id: doc.id,
@@ -19,6 +19,10 @@ export interface IVpnManagerConfig {
  }>;
  /** Called when clients are created/deleted/toggled — triggers route re-application */
  onClientChanged?: () => void;
+  /** Called when a live VPN client's real source IP changes. */
+  onClientSourceIpsChanged?: () => void;
+  /** Poll interval for live VPN client real source IP updates. Default: 10 seconds. */
+  clientSourceIpPollIntervalMs?: number;
  /** Destination routing policy override. Default: forceTarget to 127.0.0.1 */
  destinationPolicy?: {
    default: 'forceTarget' | 'block' | 'allow';
@@ -29,7 +33,7 @@ export interface IVpnManagerConfig {
  /** Compute per-client AllowedIPs based on the client's target profile IDs.
   *  Called at config generation time (create/export). Returns CIDRs for WireGuard AllowedIPs.
   *  When not set, defaults to [subnet]. */
-  getClientAllowedIPs?: (targetProfileIds: string[]) => Promise<string[]>;
+  getClientAllowedIPs?: (targetProfileIds: string[], clientId?: string, sourceIp?: string) => Promise<string[]>;
  /** Resolve per-client destination allow-list IPs from target profile IDs.
   *  Returns IP strings that should bypass forceTarget and go direct to the real destination. */
  getClientDirectTargets?: (targetProfileIds: string[]) => string[];
@@ -57,6 +61,9 @@ export class VpnManager {
  private serverKeys?: VpnServerKeysDoc;
  private resolvedForwardingMode?: 'socket' | 'bridge' | 'hybrid';
  private forwardingModeOverride?: 'socket' | 'bridge' | 'hybrid';
+  private clientSourceIps = new Map<string, string>();
+  private clientSourceIpPollTimer?: ReturnType<typeof setInterval>;
+  private clientSourceIpRefreshInFlight = false;

  constructor(config: IVpnManagerConfig) {
    this.config = config;
@@ -145,6 +152,8 @@ export class VpnManager {
      wgListenPort,
      clients: clientEntries,
      socketForwardProxyProtocol: !isBridge,
+      socketForwardProxyProtocolSource: 'remoteIp',
+      socketForwardProxyProtocolVpnMetadata: true,
      destinationPolicy: this.getServerDestinationPolicy(forwardingMode, defaultDestinationPolicy),
      serverEndpoint,
      clientAllowedIPs: [subnet],
@@ -173,6 +182,9 @@ export class VpnManager {
      }
    }

+    await this.refreshClientSourceIps(false);
+    this.startClientSourceIpPolling();
+
    logger.log('info', `VPN server started: subnet=${subnet}, wg=:${wgListenPort}, clients=${this.clients.size}`);
  }

@@ -180,6 +192,7 @@ export class VpnManager {
   * Stop the VPN server.
   */
  public async stop(): Promise<void> {
+    this.stopClientSourceIpPolling();
    if (this.vpnServer) {
      try {
        await this.vpnServer.stopServer();
@@ -189,6 +202,11 @@ export class VpnManager {
      await this.vpnServer.stop();
      this.vpnServer = undefined;
    }
+    const hadClientSourceIps = this.clientSourceIps.size > 0;
+    this.clientSourceIps.clear();
+    if (hadClientSourceIps) {
+      this.config.onClientSourceIpsChanged?.();
+    }
    this.resolvedForwardingMode = undefined;
    logger.log('info', 'VPN server stopped');
  }
@@ -246,6 +264,7 @@ export class VpnManager {
    bundle.wireguardConfig = await this.rewriteWireGuardAllowedIPs(
      bundle.wireguardConfig,
      doc.targetProfileIds || [],
+      doc.clientId,
    );

    // Persist client entry (including WG private key for export/QR)
@@ -287,6 +306,7 @@ export class VpnManager {
    await this.vpnServer.removeClient(clientId);
    const doc = this.clients.get(clientId);
    this.clients.delete(clientId);
+    this.clientSourceIps.delete(clientId);
    if (doc) {
      await doc.delete();
    }
@@ -328,6 +348,7 @@ export class VpnManager {
      client.updatedAt = Date.now();
      await this.persistClient(client);
    }
+    this.clientSourceIps.delete(clientId);
    this.config.onClientChanged?.();
  }

@@ -380,6 +401,7 @@ export class VpnManager {
    bundle.wireguardConfig = await this.rewriteWireGuardAllowedIPs(
      bundle.wireguardConfig,
      client?.targetProfileIds || [],
+      clientId,
    );

    // Update persisted entry with new keys (including private key for export/QR)
@@ -413,7 +435,11 @@ export class VpnManager {
        );
      }

-      config = await this.rewriteWireGuardAllowedIPs(config, persisted?.targetProfileIds || []);
+      config = await this.rewriteWireGuardAllowedIPs(
+        config,
+        persisted?.targetProfileIds || [],
+        clientId,
+      );
    }

    return config;
@@ -445,6 +471,107 @@ export class VpnManager {
    return this.vpnServer.listClients();
  }

+  public getClientSourceIp(clientId: string): string | undefined {
+    return this.clientSourceIps.get(clientId);
+  }
+
+  public getClientSourceIpMap(): Map<string, string> {
+    return new Map(this.clientSourceIps);
+  }
+
+  public async refreshClientSourceIps(notifyOnChange = true): Promise<boolean> {
+    if (!this.vpnServer || this.clientSourceIpRefreshInFlight) {
+      return false;
+    }
+
+    this.clientSourceIpRefreshInFlight = true;
+    try {
+      const connectedClients = await this.vpnServer.listClients();
+      const nextSourceIps = new Map<string, string>();
+      const wireguardClientIds = new Set<string>();
+
+      for (const connectedClient of connectedClients) {
+        const clientId = connectedClient.registeredClientId || connectedClient.clientId;
+        if (!clientId) continue;
+        if (connectedClient.transportType === 'wireguard') {
+          wireguardClientIds.add(clientId);
+        }
+
+        const sourceIp = VpnManager.normalizeRemoteAddress(connectedClient.remoteAddr);
+        if (sourceIp) {
+          nextSourceIps.set(clientId, sourceIp);
+        }
+      }
+
+      if (wireguardClientIds.size > 0 && typeof (this.vpnServer as any).listWgPeers === 'function') {
+        try {
+          const wgPeers = await this.vpnServer.listWgPeers();
+          const endpointByPublicKey = new Map<string, string>();
+          for (const peer of wgPeers) {
+            const endpointIp = VpnManager.normalizeRemoteAddress(peer.endpoint);
+            if (peer.publicKey && endpointIp) {
+              endpointByPublicKey.set(peer.publicKey, endpointIp);
+            }
+          }
+
+          for (const client of this.clients.values()) {
+            if (nextSourceIps.has(client.clientId)) continue;
+            if (!wireguardClientIds.has(client.clientId)) continue;
+            if (!client.wgPublicKey) continue;
+            const endpointIp = endpointByPublicKey.get(client.wgPublicKey);
+            if (endpointIp) {
+              nextSourceIps.set(client.clientId, endpointIp);
+            }
+          }
+        } catch (err) {
+          logger.log('warn', `VPN: Failed to refresh WireGuard peer endpoints: ${(err as Error).message}`);
+        }
+      }
+
+      if (this.sameSourceIpMap(this.clientSourceIps, nextSourceIps)) {
+        return false;
+      }
+
+      this.clientSourceIps = nextSourceIps;
+      if (notifyOnChange) {
+        this.config.onClientSourceIpsChanged?.();
+      }
+      return true;
+    } catch (err) {
+      logger.log('warn', `VPN: Failed to refresh client source IPs: ${(err as Error).message}`);
+      return false;
+    } finally {
+      this.clientSourceIpRefreshInFlight = false;
+    }
+  }
+
+  public static normalizeRemoteAddress(remoteAddress?: string): string | undefined {
+    const remoteAddressString = remoteAddress?.trim();
+    if (!remoteAddressString) return undefined;
+
+    if (remoteAddressString.startsWith('[')) {
+      const closingBracketIndex = remoteAddressString.indexOf(']');
+      if (closingBracketIndex > 0) {
+        const bracketedIp = remoteAddressString.slice(1, closingBracketIndex);
+        return plugins.net.isIP(bracketedIp) ? bracketedIp : undefined;
+      }
+    }
+
+    if (plugins.net.isIP(remoteAddressString)) {
+      return remoteAddressString;
+    }
+
+    const lastColonIndex = remoteAddressString.lastIndexOf(':');
+    if (lastColonIndex > -1 && remoteAddressString.indexOf(':') === lastColonIndex) {
+      const host = remoteAddressString.slice(0, lastColonIndex);
+      if (plugins.net.isIP(host)) {
+        return host;
+      }
+    }
+
+    return undefined;
+  }
+
  /**
   * Get telemetry for a specific client.
   */
@@ -533,10 +660,15 @@ export class VpnManager {
  private async rewriteWireGuardAllowedIPs(
    wireguardConfig: string,
    targetProfileIds: string[],
+    clientId?: string,
  ): Promise<string> {
    if (!this.config.getClientAllowedIPs) return wireguardConfig;

-    const allowedIPs = await this.config.getClientAllowedIPs(targetProfileIds);
+    const allowedIPs = await this.config.getClientAllowedIPs(
+      targetProfileIds,
+      clientId,
+      clientId ? this.getClientSourceIp(clientId) : undefined,
+    );
    const effectiveAllowedIPs = allowedIPs.length ? allowedIPs : [this.getSubnet()];
    const allowedLine = `AllowedIPs = ${effectiveAllowedIPs.join(', ')}`;

@@ -587,6 +719,31 @@ export class VpnManager {
    }
  }

+  private startClientSourceIpPolling(): void {
+    this.stopClientSourceIpPolling();
+    const pollIntervalMs = Math.max(1000, this.config.clientSourceIpPollIntervalMs ?? 10_000);
+    this.clientSourceIpPollTimer = setInterval(() => {
+      void this.refreshClientSourceIps().catch((err) => {
+        logger.log('warn', `VPN: Client source IP polling failed: ${err?.message || err}`);
+      });
+    }, pollIntervalMs);
+    this.clientSourceIpPollTimer.unref?.();
+  }
+
+  private stopClientSourceIpPolling(): void {
+    if (!this.clientSourceIpPollTimer) return;
+    clearInterval(this.clientSourceIpPollTimer);
+    this.clientSourceIpPollTimer = undefined;
+  }
+
+  private sameSourceIpMap(left: Map<string, string>, right: Map<string, string>): boolean {
+    if (left.size !== right.size) return false;
+    for (const [clientId, sourceIp] of left) {
+      if (right.get(clientId) !== sourceIp) return false;
+    }
+    return true;
+  }
+
  private getResolvedForwardingMode(): 'socket' | 'bridge' | 'hybrid' {
    return this.resolvedForwardingMode
      ?? this.forwardingModeOverride
@@ -13,6 +13,8 @@ export interface IRemoteIngress {
  enabled: boolean;
  /** Whether to auto-derive ports from remoteIngress-tagged routes. Defaults to true. */
  autoDerivePorts: boolean;
+  /** Optional per-edge performance overrides. */
+  performance?: IRemoteIngressPerformanceConfig;
  tags?: string[];
  createdAt: number;
  updatedAt: number;
@@ -55,6 +57,10 @@ export interface IRemoteIngressPerformanceConfig {
  maxStreamWindowBytes?: number;
  sustainedStreamWindowBytes?: number;
  quicDatagramReceiveBufferBytes?: number;
+  streamFramePayloadBytes?: number;
+  firstDataConnectTimeoutMs?: number;
+  clientWriteTimeoutMs?: number;
+  serverFirstPorts?: number[];
 }

 export interface IRemoteIngressPerformanceEffective {
@@ -65,6 +71,10 @@ export interface IRemoteIngressPerformanceEffective {
  maxStreamWindowBytes: number;
  sustainedStreamWindowBytes: number;
  quicDatagramReceiveBufferBytes: number;
+  streamFramePayloadBytes: number;
+  firstDataConnectTimeoutMs: number;
+  clientWriteTimeoutMs: number;
+  serverFirstPorts: number[];
 }

 export interface IRemoteIngressFlowControlStatus {
@@ -159,6 +159,17 @@ export interface IDomainActivity {
  requestsLastMinute?: number;
 }

+export interface IAsnActivity {
+  asn: number;
+  organization: string;
+  country: string | null;
+  activeConnections: number;
+  ipCount: number;
+  bytesInPerSecond: number;
+  bytesOutPerSecond: number;
+  sampleIps: string[];
+}
+
 export interface INetworkMetrics {
  totalBandwidth: {
    in: number;
@@ -186,6 +197,7 @@ export interface INetworkMetrics {
      out: number;
    };
  }>;
+  topASNs: IAsnActivity[];
  domainActivity: IDomainActivity[];
  throughputHistory?: Array<{ timestamp: number; in: number; out: number }>;
  requestsPerSecond?: number;
@@ -23,6 +23,8 @@ export interface ITargetProfile {
  targets?: ITargetProfileTarget[];
  /** Route references by stored route ID. Legacy route names are normalized when unique. */
  routeRefs?: string[];
+  /** Also allow routes whose source security would allow the VPN client's real connecting IP. */
+  allowRoutesByClientSourceIp?: boolean;
  createdAt: number;
  updatedAt: number;
  createdBy: string;
@@ -45,6 +45,10 @@ export interface IVpnConnectedClient {
  bytesSent: number;
  bytesReceived: number;
  transport: string;
+  /** Real client IP:port reported by the VPN transport, when available. */
+  remoteAddr?: string;
+  /** Parsed real client IP reported by the VPN transport, when available. */
+  sourceIp?: string;
 }

 /**
@@ -1,6 +1,6 @@
 import * as plugins from '../plugins.js';
 import * as authInterfaces from '../data/auth.js';
-import type { IRemoteIngress, IRemoteIngressStatus } from '../data/remoteingress.js';
+import type { IRemoteIngress, IRemoteIngressPerformanceConfig, IRemoteIngressStatus } from '../data/remoteingress.js';

 // ============================================================================
 // Remote Ingress Edge Management
@@ -20,6 +20,7 @@ export interface IReq_CreateRemoteIngress extends plugins.typedrequestInterfaces
    name: string;
    listenPorts?: number[];
    autoDerivePorts?: boolean;
+    performance?: IRemoteIngressPerformanceConfig;
    tags?: string[];
  };
  response: {
@@ -63,6 +64,7 @@ export interface IReq_UpdateRemoteIngress extends plugins.typedrequestInterfaces
    listenPorts?: number[];
    autoDerivePorts?: boolean;
    enabled?: boolean;
+    performance?: IRemoteIngressPerformanceConfig;
    tags?: string[];
  };
  response: {
@@ -89,6 +89,8 @@ export interface IReq_ListIpIntelligence extends plugins.typedrequestInterfaces.
  request: {
    identity?: authInterfaces.IIdentity;
    apiToken?: string;
+    ipAddresses?: string[];
+    limit?: number;
  };
  response: {
    records: IIpIntelligenceRecord[];
@@ -190,6 +190,7 @@ export interface IReq_GetNetworkStats extends plugins.typedrequestInterfaces.imp
    requestsTotal: number;
    backends?: statsInterfaces.IBackendInfo[];
    topIPsByBandwidth: Array<{ ip: string; count: number; bwIn: number; bwOut: number }>;
+    topASNs: statsInterfaces.IAsnActivity[];
    domainActivity: statsInterfaces.IDomainActivity[];
    frontendProtocols?: statsInterfaces.IProtocolDistribution | null;
    backendProtocols?: statsInterfaces.IProtocolDistribution | null;
@@ -57,6 +57,7 @@ export interface IReq_CreateTargetProfile extends plugins.typedrequestInterfaces
    domains?: string[];
    targets?: ITargetProfileTarget[];
    routeRefs?: string[];
+    allowRoutesByClientSourceIp?: boolean;
  };
  response: {
    success: boolean;
@@ -82,6 +83,7 @@ export interface IReq_UpdateTargetProfile extends plugins.typedrequestInterfaces
    domains?: string[];
    targets?: ITargetProfileTarget[];
    routeRefs?: string[];
+    allowRoutesByClientSourceIp?: boolean;
  };
  response: {
    success: boolean;
@@ -19,6 +19,131 @@ export interface IMigrationRunner {
  run(): Promise<IMigrationRunResult>;
 }

+type TMigrationSecurity = Record<string, any>;
+
+function mergeMigrationSecurityFields(
+  base: TMigrationSecurity | undefined,
+  override: TMigrationSecurity | undefined,
+): TMigrationSecurity {
+  if (!base && !override) return {};
+  if (!base) return structuredClone(override || {});
+  if (!override) return structuredClone(base || {});
+
+  const merged: TMigrationSecurity = structuredClone(base);
+
+  if (override.ipAllowList || base.ipAllowList) {
+    merged.ipAllowList = [
+      ...new Set([
+        ...(base.ipAllowList || []),
+        ...(override.ipAllowList || []),
+      ]),
+    ];
+  }
+
+  if (override.ipBlockList || base.ipBlockList) {
+    merged.ipBlockList = [
+      ...new Set([
+        ...(base.ipBlockList || []),
+        ...(override.ipBlockList || []),
+      ]),
+    ];
+  }
+
+  for (const key of ['maxConnections', 'rateLimit', 'authentication', 'basicAuth', 'jwtAuth', 'vpn']) {
+    if (override[key] !== undefined) {
+      merged[key] = structuredClone(override[key]);
+    }
+  }
+
+  return merged;
+}
+
+function resolveMigrationSourceProfileSecurity(
+  profileId: string,
+  profiles: Map<string, any>,
+  visited = new Set<string>(),
+  depth = 0,
+): TMigrationSecurity | null {
+  if (depth > 5 || visited.has(profileId)) return null;
+
+  const profile = profiles.get(profileId);
+  if (!profile) return null;
+
+  visited.add(profileId);
+  let baseSecurity: TMigrationSecurity = {};
+  const extendsProfiles = Array.isArray(profile.extendsProfiles) ? profile.extendsProfiles : [];
+  for (const parentId of extendsProfiles) {
+    if (typeof parentId !== 'string') continue;
+    const parentSecurity = resolveMigrationSourceProfileSecurity(
+      parentId,
+      profiles,
+      new Set(visited),
+      depth + 1,
+    );
+    if (parentSecurity) {
+      baseSecurity = mergeMigrationSecurityFields(baseSecurity, parentSecurity);
+    }
+  }
+
+  return mergeMigrationSecurityFields(baseSecurity, profile.security || {});
+}
+
+async function rematerializeSourceProfileRouteSecurity(ctx: {
+  mongo?: { collection: (name: string) => any };
+  log: { log: (level: 'info', message: string) => void };
+}): Promise<void> {
+  const profileCollection = ctx.mongo!.collection('SourceProfileDoc');
+  const routeCollection = ctx.mongo!.collection('RouteDoc');
+  const profiles = new Map<string, any>();
+
+  for await (const profile of profileCollection.find({})) {
+    if (typeof (profile as any).id === 'string') {
+      profiles.set((profile as any).id, profile);
+    }
+  }
+
+  let inspected = 0;
+  let migrated = 0;
+  let skippedMissingProfile = 0;
+  const now = Date.now();
+
+  for await (const routeDoc of routeCollection.find({})) {
+    const sourceProfileRef = (routeDoc as any).metadata?.sourceProfileRef;
+    if (typeof sourceProfileRef !== 'string' || sourceProfileRef.trim() === '') continue;
+    inspected++;
+
+    const resolvedSecurity = resolveMigrationSourceProfileSecurity(sourceProfileRef, profiles);
+    const profile = profiles.get(sourceProfileRef);
+    if (!resolvedSecurity || !profile) {
+      skippedMissingProfile++;
+      continue;
+    }
+
+    const currentSecurity = (routeDoc as any).route?.security || {};
+    const securityChanged = JSON.stringify(currentSecurity) !== JSON.stringify(resolvedSecurity);
+    const profileNameChanged = (routeDoc as any).metadata?.sourceProfileName !== profile.name;
+    if (!securityChanged && !profileNameChanged) continue;
+
+    const query = (routeDoc as any)._id
+      ? { _id: (routeDoc as any)._id }
+      : { id: (routeDoc as any).id };
+    await routeCollection.updateOne(query, {
+      $set: {
+        'route.security': structuredClone(resolvedSecurity),
+        'metadata.sourceProfileName': profile.name,
+        'metadata.lastResolvedAt': now,
+        updatedAt: now,
+      },
+    });
+    migrated++;
+  }
+
+  ctx.log.log(
+    'info',
+    `rematerialize-source-profile-route-security: migrated ${migrated}/${inspected} route(s), skipped ${skippedMissingProfile} missing profile ref(s)`,
+  );
+}
+
 async function migrateTargetProfileTargetHosts(ctx: {
  mongo?: { collection: (name: string) => any };
  log: { log: (level: 'info', message: string) => void };
@@ -167,6 +292,12 @@ export async function createMigrationRunner(
    .description('Backfill RouteDoc.systemKey for persisted config/email/dns routes')
    .up(async (ctx) => {
      await backfillSystemRouteKeys(ctx);
+    })
+    .step('rematerialize-source-profile-route-security')
+    .from('13.18.0').to('13.40.2')
+    .description('Replace stale route security with resolved source profile security')
+    .up(async (ctx) => {
+      await rematerializeSourceProfileRouteSecurity(ctx);
    });

  return migration;
@@ -74,6 +74,10 @@ export function getOciContainerConfig(): IDcRouterOptions {
    options.dnsScopes = dnsScopes;
  }

+  if (process.env.DCROUTER_DNS_BIND_INTERFACE) {
+    options.dnsBindInterface = process.env.DCROUTER_DNS_BIND_INTERFACE;
+  }
+
  // Email config
  const emailHostname = process.env.DCROUTER_EMAIL_HOSTNAME;
  const emailPorts = parseCommaSeparatedNumbers(process.env.DCROUTER_EMAIL_PORTS);
@@ -3,6 +3,6 @@
 */
 export const commitinfo = {
  name: '@serve.zone/dcrouter',
-  version: '13.32.0',
+  version: '13.40.3',
  description: 'A multifaceted routing service handling mail and SMS delivery functions.'
 }
@@ -55,6 +55,7 @@ export interface INetworkState {
  totalBytes: { in: number; out: number };
  topIPs: Array<{ ip: string; count: number }>;
  topIPsByBandwidth: Array<{ ip: string; count: number; bwIn: number; bwOut: number }>;
+  topASNs: interfaces.data.IAsnActivity[];
  throughputByIP: Array<{ ip: string; in: number; out: number }>;
  ipIntelligence: interfaces.data.IIpIntelligenceRecord[];
  domainActivity: interfaces.data.IDomainActivity[];
@@ -176,6 +177,7 @@ export const networkStatePart = await appState.getStatePart<INetworkState>(
    totalBytes: { in: 0, out: 0 },
    topIPs: [],
    topIPsByBandwidth: [],
+    topASNs: [],
    throughputByIP: [],
    ipIntelligence: [],
    domainActivity: [],
@@ -582,6 +584,52 @@ export const setActiveViewAction = uiStatePart.createAction<string>(async (state
  };
 });

+const backgroundRefreshesInFlight = new Set<string>();
+
+function runBackgroundRefresh(key: string, errorMessage: string, task: () => Promise<void>): void {
+  if (backgroundRefreshesInFlight.has(key)) return;
+  backgroundRefreshesInFlight.add(key);
+  void task()
+    .catch((error) => console.error(errorMessage, error))
+    .finally(() => backgroundRefreshesInFlight.delete(key));
+}
+
+function refreshNetworkIpIntelligence(identity: interfaces.data.IIdentity, ipAddresses: string[]): void {
+  const ips = [...new Set(ipAddresses.filter(Boolean))].slice(0, 100);
+  if (ips.length === 0) return;
+
+  runBackgroundRefresh('networkIpIntelligence', 'IP intelligence refresh failed:', async () => {
+    const intelligenceRequest = new plugins.domtools.plugins.typedrequest.TypedRequest<
+      interfaces.requests.IReq_ListIpIntelligence
+    >('/typedrequest', 'listIpIntelligence');
+    const intelligenceResponse = await intelligenceRequest.fire({
+      identity,
+      ipAddresses: ips,
+      limit: Math.max(100, ips.length),
+    });
+    networkStatePart.setState({
+      ...networkStatePart.getState()!,
+      ipIntelligence: intelligenceResponse.records || [],
+    });
+  });
+}
+
+function refreshSecurityIpIntelligence(identity: interfaces.data.IIdentity): void {
+  runBackgroundRefresh('securityIpIntelligence', 'Security IP intelligence refresh failed:', async () => {
+    const intelligenceRequest = new plugins.domtools.plugins.typedrequest.TypedRequest<
+      interfaces.requests.IReq_ListIpIntelligence
+    >('/typedrequest', 'listIpIntelligence');
+    const intelligenceResponse = await intelligenceRequest.fire({
+      identity,
+      limit: 500,
+    });
+    securityPolicyStatePart.setState({
+      ...securityPolicyStatePart.getState()!,
+      ipIntelligence: intelligenceResponse.records || [],
+    });
+  });
+}
+
 // Fetch Network Stats Action
 export const fetchNetworkStatsAction = networkStatePart.createAction(async (statePartArg): Promise<INetworkState> => {
  const context = getActionContext();
@@ -594,18 +642,9 @@ export const fetchNetworkStatsAction = networkStatePart.createAction(async (stat
      interfaces.requests.IReq_GetNetworkStats
    >('/typedrequest', 'getNetworkStats');

-    const ipIntelligenceRequest = new plugins.domtools.plugins.typedrequest.TypedRequest<
-      interfaces.requests.IReq_ListIpIntelligence
-    >('/typedrequest', 'listIpIntelligence');
-
-    const [networkStatsResponse, ipIntelligenceResponse] = await Promise.all([
-      networkStatsRequest.fire({
-        identity: context.identity,
-      }),
-      ipIntelligenceRequest.fire({
-        identity: context.identity,
-      }),
-    ]);
+    const networkStatsResponse = await networkStatsRequest.fire({
+      identity: context.identity,
+    });

    // Use the connections data for the connection list
    // and network stats for throughput and IP analytics
@@ -637,6 +676,12 @@ export const fetchNetworkStatsAction = networkStatePart.createAction(async (stat
      };
    });

+    refreshNetworkIpIntelligence(context.identity, [
+      ...Object.keys(connectionsByIP),
+      ...(networkStatsResponse.topIPs || []).map((item) => item.ip),
+      ...(networkStatsResponse.topIPsByBandwidth || []).map((item) => item.ip),
+    ]);
+
    return {
      connections,
      connectionsByIP,
@@ -646,8 +691,9 @@ export const fetchNetworkStatsAction = networkStatePart.createAction(async (stat
        : { in: 0, out: 0 },
      topIPs: networkStatsResponse.topIPs || [],
      topIPsByBandwidth: networkStatsResponse.topIPsByBandwidth || [],
+      topASNs: networkStatsResponse.topASNs || [],
      throughputByIP: networkStatsResponse.throughputByIP || [],
-      ipIntelligence: ipIntelligenceResponse.records || [],
+      ipIntelligence: currentState.ipIntelligence,
      domainActivity: networkStatsResponse.domainActivity || [],
      throughputHistory: networkStatsResponse.throughputHistory || [],
      requestsPerSecond: networkStatsResponse.requestsPerSecond || 0,
@@ -683,9 +729,6 @@ export const fetchSecurityPolicyAction = securityPolicyStatePart.createAction(
      const rulesRequest = new plugins.domtools.plugins.typedrequest.TypedRequest<
        interfaces.requests.IReq_ListSecurityBlockRules
      >('/typedrequest', 'listSecurityBlockRules');
-      const intelligenceRequest = new plugins.domtools.plugins.typedrequest.TypedRequest<
-        interfaces.requests.IReq_ListIpIntelligence
-      >('/typedrequest', 'listIpIntelligence');
      const compiledPolicyRequest = new plugins.domtools.plugins.typedrequest.TypedRequest<
        interfaces.requests.IReq_GetCompiledSecurityPolicy
      >('/typedrequest', 'getCompiledSecurityPolicy');
@@ -693,16 +736,17 @@ export const fetchSecurityPolicyAction = securityPolicyStatePart.createAction(
        interfaces.requests.IReq_ListSecurityPolicyAudit
      >('/typedrequest', 'listSecurityPolicyAudit');

-      const [rulesResponse, intelligenceResponse, compiledPolicyResponse, auditResponse] = await Promise.all([
+      const [rulesResponse, compiledPolicyResponse, auditResponse] = await Promise.all([
        rulesRequest.fire({ identity: context.identity }),
-        intelligenceRequest.fire({ identity: context.identity }),
        compiledPolicyRequest.fire({ identity: context.identity }),
        auditRequest.fire({ identity: context.identity, limit: 100 }),
      ]);

+      refreshSecurityIpIntelligence(context.identity);
+
      return {
        rules: rulesResponse.rules || [],
-        ipIntelligence: intelligenceResponse.records || [],
+        ipIntelligence: currentState.ipIntelligence,
        compiledPolicy: compiledPolicyResponse.policy,
        auditEvents: auditResponse.events || [],
        isLoading: false,
@@ -835,7 +879,15 @@ export const refreshIpIntelligenceAction = securityPolicyStatePart.createAction<
      if (!response.success) {
        return { ...currentState, error: response.message || 'Failed to refresh IP intelligence' };
      }
-      return await actionContext!.dispatch(fetchSecurityPolicyAction, null);
+      const refreshedState = await actionContext!.dispatch(fetchSecurityPolicyAction, null);
+      if (!response.record) return refreshedState;
+      return {
+        ...refreshedState,
+        ipIntelligence: [
+          response.record,
+          ...refreshedState.ipIntelligence.filter((record) => record.ipAddress !== response.record!.ipAddress),
+        ],
+      };
    } catch (error: unknown) {
      return {
        ...currentState,
@@ -1068,6 +1120,7 @@ export const createRemoteIngressAction = remoteIngressStatePart.createAction<{
  name: string;
  listenPorts?: number[];
  autoDerivePorts?: boolean;
+  performance?: interfaces.data.IRemoteIngressPerformanceConfig;
  tags?: string[];
 }>(async (statePartArg, dataArg, actionContext): Promise<IRemoteIngressState> => {
  const context = getActionContext();
@@ -1083,6 +1136,7 @@ export const createRemoteIngressAction = remoteIngressStatePart.createAction<{
      name: dataArg.name,
      listenPorts: dataArg.listenPorts,
      autoDerivePorts: dataArg.autoDerivePorts,
+      performance: dataArg.performance,
      tags: dataArg.tags,
    });

@@ -1135,6 +1189,7 @@ export const updateRemoteIngressAction = remoteIngressStatePart.createAction<{
  name?: string;
  listenPorts?: number[];
  autoDerivePorts?: boolean;
+  performance?: interfaces.data.IRemoteIngressPerformanceConfig;
  tags?: string[];
 }>(async (statePartArg, dataArg, actionContext): Promise<IRemoteIngressState> => {
  const context = getActionContext();
@@ -1151,6 +1206,7 @@ export const updateRemoteIngressAction = remoteIngressStatePart.createAction<{
      name: dataArg.name,
      listenPorts: dataArg.listenPorts,
      autoDerivePorts: dataArg.autoDerivePorts,
+      performance: dataArg.performance,
      tags: dataArg.tags,
    });

@@ -1520,6 +1576,7 @@ export const createTargetProfileAction = targetProfilesStatePart.createAction<{
  domains?: string[];
  targets?: Array<{ ip: string; port: number }>;
  routeRefs?: string[];
+  allowRoutesByClientSourceIp?: boolean;
 }>(async (statePartArg, dataArg, actionContext): Promise<ITargetProfilesState> => {
  const context = getActionContext();
  try {
@@ -1533,6 +1590,7 @@ export const createTargetProfileAction = targetProfilesStatePart.createAction<{
      domains: dataArg.domains,
      targets: dataArg.targets,
      routeRefs: dataArg.routeRefs,
+      allowRoutesByClientSourceIp: dataArg.allowRoutesByClientSourceIp,
    });
    if (!response.success) {
      return {
@@ -1556,6 +1614,7 @@ export const updateTargetProfileAction = targetProfilesStatePart.createAction<{
  domains?: string[];
  targets?: Array<{ ip: string; port: number }>;
  routeRefs?: string[];
+  allowRoutesByClientSourceIp?: boolean;
 }>(async (statePartArg, dataArg, actionContext): Promise<ITargetProfilesState> => {
  const context = getActionContext();
  try {
@@ -1570,6 +1629,7 @@ export const updateTargetProfileAction = targetProfilesStatePart.createAction<{
      domains: dataArg.domains,
      targets: dataArg.targets,
      routeRefs: dataArg.routeRefs,
+      allowRoutesByClientSourceIp: dataArg.allowRoutesByClientSourceIp,
    });
    if (!response.success) {
      return {
@@ -3099,6 +3159,7 @@ async function dispatchCombinedRefreshActionInner() {
          bwIn: e.bandwidth?.in || 0,
          bwOut: e.bandwidth?.out || 0,
        })),
+        topASNs: network.topASNs || [],
        throughputByIP: network.topEndpoints.map(e => ({ ip: e.endpoint, in: e.bandwidth?.in || 0, out: e.bandwidth?.out || 0 })),
        domainActivity: network.domainActivity || [],
        throughputHistory: network.throughputHistory || [],
@@ -3112,53 +3173,38 @@ async function dispatchCombinedRefreshActionInner() {
        error: null,
      });

-      try {
-        const intelligenceRequest = new plugins.domtools.plugins.typedrequest.TypedRequest<
-          interfaces.requests.IReq_ListIpIntelligence
-        >('/typedrequest', 'listIpIntelligence');
-        const intelligenceResponse = await intelligenceRequest.fire({ identity: context.identity });
-        networkStatePart.setState({
-          ...networkStatePart.getState()!,
-          ipIntelligence: intelligenceResponse.records || [],
-        });
-      } catch (error) {
-        console.error('IP intelligence refresh failed:', error);
-      }
+      refreshNetworkIpIntelligence(context.identity, [
+        ...network.connectionDetails.map((conn) => conn.remoteAddress),
+        ...network.topEndpoints.map((endpoint) => endpoint.endpoint),
+        ...(network.topEndpointsByBandwidth || []).map((endpoint) => endpoint.endpoint),
+      ]);
    }

    if (currentView === 'security') {
-      try {
+      runBackgroundRefresh('securityPolicy', 'Security policy refresh failed:', async () => {
        await securityPolicyStatePart.dispatchAction(fetchSecurityPolicyAction, null);
-      } catch (error) {
-        console.error('Security policy refresh failed:', error);
-      }
+      });
    }

    // Refresh certificate data if on Domains > Certificates subview
    if (currentView === 'domains' && currentSubview === 'certificates') {
-      try {
+      runBackgroundRefresh('certificates', 'Certificate refresh failed:', async () => {
        await certificateStatePart.dispatchAction(fetchCertificateOverviewAction, null);
-      } catch (error) {
-        console.error('Certificate refresh failed:', error);
-      }
+      });
    }

    // Refresh remote ingress data if on the Network → Remote Ingress subview
    if (currentView === 'network' && currentSubview === 'remoteingress') {
-      try {
+      runBackgroundRefresh('remoteIngress', 'Remote ingress refresh failed:', async () => {
        await remoteIngressStatePart.dispatchAction(fetchRemoteIngressAction, null);
-      } catch (error) {
-        console.error('Remote ingress refresh failed:', error);
-      }
+      });
    }

    // Refresh VPN data if on the Network → VPN subview
    if (currentView === 'network' && currentSubview === 'vpn') {
-      try {
+      runBackgroundRefresh('vpn', 'VPN refresh failed:', async () => {
        await vpnStatePart.dispatchAction(fetchVpnAction, null);
-      } catch (error) {
-        console.error('VPN refresh failed:', error);
-      }
+      });
    }
  } catch (error) {
    console.error('Combined refresh failed:', error);
@@ -308,6 +308,9 @@ export class OpsViewNetworkActivity extends DeesElement {
        <!-- Top IPs by Connection Count -->
        ${this.renderTopIPs()}

+        <!-- Top ASNs by Connection Count -->
+        ${this.renderTopASNs()}
+
        <!-- Top IPs by Bandwidth -->
        ${this.renderTopIPsByBandwidth()}

@@ -450,6 +453,28 @@ export class OpsViewNetworkActivity extends DeesElement {
    ];
  }

+  private getAsnDataActions() {
+    return [
+      {
+        name: 'Block ASN',
+        iconName: 'lucide:radio-tower',
+        type: ['inRow', 'contextmenu'] as any,
+        actionFunc: async (actionData: any) => {
+          await this.createBlockRuleDialog('asn', String(actionData.item.asn), 'Blocked ASN from Network Activity');
+        },
+      },
+      {
+        name: 'Block Organization',
+        iconName: 'lucide:building-2',
+        type: ['contextmenu'] as any,
+        actionRelevancyCheckFunc: (actionData: any) => Boolean(actionData.item.organization),
+        actionFunc: async (actionData: any) => {
+          await this.createBlockRuleDialog('organization', actionData.item.organization, 'Blocked organization from Network Activity');
+        },
+      },
+    ];
+  }
+
  private calculateThroughput(): { in: number; out: number } {
    // Use real throughput data from network state
    return {
@@ -619,6 +644,40 @@ export class OpsViewNetworkActivity extends DeesElement {
    `;
  }

+  private renderTopASNs(): TemplateResult {
+    if (!this.networkState.topASNs || this.networkState.topASNs.length === 0) {
+      return html``;
+    }
+
+    return html`
+      <dees-table
+        .data=${this.networkState.topASNs}
+        .rowKey=${'asn'}
+        .highlightUpdates=${'flash'}
+        .displayFunction=${(asnData: appstate.INetworkState['topASNs'][number]) => {
+          return {
+            'ASN': `AS${asnData.asn}`,
+            'Organization': this.formatOptional(asnData.organization),
+            'Connections': asnData.activeConnections,
+            'IPs': asnData.ipCount,
+            'Bandwidth In': this.formatBitsPerSecond(asnData.bytesInPerSecond),
+            'Bandwidth Out': this.formatBitsPerSecond(asnData.bytesOutPerSecond),
+            'Total Bandwidth': this.formatBitsPerSecond(asnData.bytesInPerSecond + asnData.bytesOutPerSecond),
+            'Country': this.formatOptional(asnData.country),
+            'Sample IPs': asnData.sampleIps.join(', '),
+          };
+        }}
+        .dataActions=${this.getAsnDataActions()}
+        heading1="Top Connected ASNs"
+        heading2="Organizations causing the most active connections across observed IPs"
+        searchable
+        .showColumnFilters=${true}
+        .pagination=${false}
+        dataName="ASN"
+      ></dees-table>
+    `;
+  }
+
  private renderTopIPsByBandwidth(): TemplateResult {
    if (!this.networkState.topIPsByBandwidth || this.networkState.topIPsByBandwidth.length === 0) {
      return html``;
@@ -242,6 +242,7 @@ export class OpsViewRemoteIngress extends DeesElement {
            publicIp: this.getEdgePublicIp(edge.id),
            ports: this.getPortsHtml(edge),
            tunnels: this.getEdgeTunnelCount(edge.id),
+            maxConnections: this.getMaxConnectionsHtml(edge),
            window: this.getWindowHtml(edge.id),
            queues: this.getQueuesHtml(edge.id),
            traffic: this.getTrafficHtml(edge.id),
@@ -261,6 +262,7 @@ export class OpsViewRemoteIngress extends DeesElement {
                      <dees-input-text .key=${'name'} .label=${'Name'} .required=${true}></dees-input-text>
                      <dees-input-text .key=${'listenPorts'} .label=${'Manual Ports'} .description=${'Comma-separated port numbers, optional'}></dees-input-text>
                      <dees-input-checkbox .key=${'autoDerivePorts'} .label=${'Auto-derive ports from routes'} .value=${true}></dees-input-checkbox>
+                      <dees-input-text .key=${'maxStreamsPerEdge'} .label=${'Max Connections'} .description=${'Optional maximum concurrent client connections for this edge. Leave empty to use the hub default.'}></dees-input-text>
                      <dees-input-text .key=${'tags'} .label=${'Tags'} .description=${'Comma-separated, optional'}></dees-input-text>
                    </dees-form>
                  `,
@@ -284,12 +286,20 @@ export class OpsViewRemoteIngress extends DeesElement {
                          ? portsStr.split(',').map((p: string) => parseInt(p.trim(), 10)).filter((p: number) => !isNaN(p))
                          : undefined;
                        const autoDerivePorts = formData.autoDerivePorts !== false;
+                        let performance: interfaces.data.IRemoteIngressPerformanceConfig | undefined;
+                        try {
+                          performance = this.collectPerformanceOverride(formData);
+                        } catch (err: unknown) {
+                          const { DeesToast } = await import('@design.estate/dees-catalog');
+                          DeesToast.show({ message: (err as Error).message, type: 'error', duration: 4000 });
+                          return;
+                        }
                        const tags = formData.tags
                          ? formData.tags.split(',').map((t: string) => t.trim()).filter(Boolean)
                          : undefined;
                        await appstate.remoteIngressStatePart.dispatchAction(
                          appstate.createRemoteIngressAction,
-                          { name, listenPorts, autoDerivePorts, tags },
+                          { name, listenPorts, autoDerivePorts, performance, tags },
                        );
                        await modalArg.destroy();
                      },
@@ -338,6 +348,7 @@ export class OpsViewRemoteIngress extends DeesElement {
                      <dees-input-text .key=${'name'} .label=${'Name'} .value=${edge.name}></dees-input-text>
                      <dees-input-text .key=${'listenPorts'} .label=${'Manual Ports'} .description=${'Comma-separated port numbers'} .value=${(edge.listenPorts || []).join(', ')}></dees-input-text>
                      <dees-input-checkbox .key=${'autoDerivePorts'} .label=${'Auto-derive ports from routes'} .value=${edge.autoDerivePorts !== false}></dees-input-checkbox>
+                      <dees-input-text .key=${'maxStreamsPerEdge'} .label=${'Max Connections'} .description=${'Optional maximum concurrent client connections for this edge. Leave empty to use the hub default.'} .value=${edge.performance?.maxStreamsPerEdge?.toString() || ''}></dees-input-text>
                      <dees-input-text .key=${'tags'} .label=${'Tags'} .description=${'Comma-separated'} .value=${(edge.tags || []).join(', ')}></dees-input-text>
                    </dees-form>
                  `,
@@ -359,6 +370,14 @@ export class OpsViewRemoteIngress extends DeesElement {
                          ? portsStr.split(',').map((p: string) => parseInt(p.trim(), 10)).filter((p: number) => !isNaN(p))
                          : [];
                        const autoDerivePorts = formData.autoDerivePorts !== false;
+                        let performance: interfaces.data.IRemoteIngressPerformanceConfig | undefined;
+                        try {
+                          performance = this.collectPerformanceOverride(formData, edge.performance);
+                        } catch (err: unknown) {
+                          const { DeesToast } = await import('@design.estate/dees-catalog');
+                          DeesToast.show({ message: (err as Error).message, type: 'error', duration: 4000 });
+                          return;
+                        }
                        const tags = formData.tags
                          ? formData.tags.split(',').map((t: string) => t.trim()).filter(Boolean)
                          : [];
@@ -369,6 +388,7 @@ export class OpsViewRemoteIngress extends DeesElement {
                            name: formData.name || edge.name,
                            listenPorts,
                            autoDerivePorts,
+                            performance,
                            tags,
                          },
                        );
@@ -475,6 +495,19 @@ export class OpsViewRemoteIngress extends DeesElement {
    return status?.activeTunnels || 0;
  }

+  private getMaxConnectionsHtml(edge: interfaces.data.IRemoteIngress): TemplateResult | string {
+    const status = this.getEdgeStatus(edge.id);
+    const override = edge.performance?.maxStreamsPerEdge;
+    const effective = status?.performance?.maxStreamsPerEdge;
+    if (!override && !effective) return '-';
+    return html`
+      <div class="metricStack">
+        <span>${override || effective}</span>
+        <span class="metricMuted">${override ? 'edge override' : 'hub default'}</span>
+      </div>
+    `;
+  }
+
  private getTransportHtml(edgeId: string): TemplateResult | string {
    const status = this.getEdgeStatus(edgeId);
    if (!status?.connected) return '-';
@@ -535,4 +568,27 @@ export class OpsViewRemoteIngress extends DeesElement {
    }
    return `${value >= 10 || unitIndex === 0 ? value.toFixed(0) : value.toFixed(1)} ${units[unitIndex]}`;
  }
+
+  private collectPerformanceOverride(
+    formData: Record<string, any>,
+    base?: interfaces.data.IRemoteIngressPerformanceConfig,
+  ): interfaces.data.IRemoteIngressPerformanceConfig | undefined {
+    const next: interfaces.data.IRemoteIngressPerformanceConfig = { ...(base || {}) };
+    const maxStreamsText = `${formData.maxStreamsPerEdge || ''}`.trim();
+    if (maxStreamsText) {
+      const maxStreamsPerEdge = Number.parseInt(maxStreamsText, 10);
+      if (!Number.isInteger(maxStreamsPerEdge) || maxStreamsPerEdge < 1) {
+        throw new Error('Max Connections must be a positive integer');
+      }
+      next.maxStreamsPerEdge = maxStreamsPerEdge;
+    } else {
+      delete next.maxStreamsPerEdge;
+    }
+
+    if (Object.keys(next).length > 0) {
+      return next;
+    }
+
+    return base ? {} : undefined;
+  }
 }
@@ -97,6 +97,7 @@ export class OpsViewTargetProfiles extends DeesElement {
            'Route Refs': profile.routeRefs?.length
              ? html`${profile.routeRefs.map(r => html`<span class="tagBadge">${this.formatRouteRef(r)}</span>`)}`
              : '-',
+            'Source-Policy Route Grants': profile.allowRoutesByClientSourceIp ? 'Yes' : 'No',
            Created: new Date(profile.createdAt).toLocaleDateString(),
          })}
          .dataActions=${[
@@ -223,6 +224,7 @@ export class OpsViewTargetProfiles extends DeesElement {
          <dees-input-list .key=${'domains'} .label=${'Domains'} .placeholder=${'e.g. *.example.com'} .allowFreeform=${true}></dees-input-list>
          <dees-input-list .key=${'targets'} .label=${'Targets'} .description=${'Format: ip:port, e.g. 10.0.0.1:443'} .placeholder=${'e.g. 10.0.0.1:443'} .allowFreeform=${true}></dees-input-list>
          <dees-input-list .key=${'routeRefs'} .label=${'Route Refs'} .placeholder=${'Type to search routes...'} .candidates=${routeCandidates} .allowFreeform=${true}></dees-input-list>
+          <dees-input-checkbox .key=${'allowRoutesByClientSourceIp'} .label=${'Allow source-policy route grants'} .description=${'Grant these VPN clients to source-policy routes; SmartProxy still checks their real connecting IP per connection'} .value=${false}></dees-input-checkbox>
        </dees-form>
      `,
      menuOptions: [
@@ -258,6 +260,7 @@ export class OpsViewTargetProfiles extends DeesElement {
              domains: domains.length > 0 ? domains : undefined,
              targets: targets.length > 0 ? targets : undefined,
              routeRefs: routeRefs.length > 0 ? routeRefs : undefined,
+              allowRoutesByClientSourceIp: data.allowRoutesByClientSourceIp === true,
            });
            modalArg.destroy();
          },
@@ -284,6 +287,7 @@ export class OpsViewTargetProfiles extends DeesElement {
          <dees-input-list .key=${'domains'} .label=${'Domains'} .placeholder=${'e.g. *.example.com'} .allowFreeform=${true} .value=${currentDomains}></dees-input-list>
          <dees-input-list .key=${'targets'} .label=${'Targets'} .description=${'Format: ip:port, e.g. 10.0.0.1:443'} .placeholder=${'e.g. 10.0.0.1:443'} .allowFreeform=${true} .value=${currentTargets}></dees-input-list>
          <dees-input-list .key=${'routeRefs'} .label=${'Route Refs'} .placeholder=${'Type to search routes...'} .candidates=${routeCandidates} .allowFreeform=${true} .value=${currentRouteRefs}></dees-input-list>
+          <dees-input-checkbox .key=${'allowRoutesByClientSourceIp'} .label=${'Allow source-policy route grants'} .description=${'Grant these VPN clients to source-policy routes; SmartProxy still checks their real connecting IP per connection'} .value=${profile.allowRoutesByClientSourceIp === true}></dees-input-checkbox>
        </dees-form>
      `,
      menuOptions: [
@@ -319,6 +323,7 @@ export class OpsViewTargetProfiles extends DeesElement {
              domains,
              targets,
              routeRefs,
+              allowRoutesByClientSourceIp: data.allowRoutesByClientSourceIp === true,
            });
            modalArg.destroy();
          },
@@ -389,6 +394,10 @@ export class OpsViewTargetProfiles extends DeesElement {
                : '-'}
            </div>
          </div>
+          <div>
+            <div style="font-size: 11px; font-weight: 600; text-transform: uppercase; letter-spacing: 0.05em; color: ${cssManager.bdTheme('#6b7280', '#9ca3af')};">Client Source IP Routes</div>
+            <div style="font-size: 14px; margin-top: 4px;">${profile.allowRoutesByClientSourceIp ? 'Enabled' : 'Disabled'}</div>
+          </div>
          <div>
            <div style="font-size: 11px; font-weight: 600; text-transform: uppercase; letter-spacing: 0.05em; color: ${cssManager.bdTheme('#6b7280', '#9ca3af')};">Created</div>
            <div style="font-size: 14px; margin-top: 4px;">${new Date(profile.createdAt).toLocaleString()} by ${profile.createdBy}</div>
@@ -339,6 +339,7 @@ export class OpsViewVpn extends DeesElement {
            'Status': statusHtml,
            'Routing': routingHtml,
            'VPN IP': client.assignedIp || '-',
+            'Source IP': conn?.sourceIp || '-',
            'Target Profiles': this.renderTargetProfileBadges(client.targetProfileIds),
            'Description': client.description || '-',
            'Created': new Date(client.createdAt).toLocaleDateString(),
@@ -487,6 +488,7 @@ export class OpsViewVpn extends DeesElement {
                    ${conn ? html`
                      <div class="infoItem"><span class="infoLabel">Connected Since</span><span class="infoValue">${new Date(conn.connectedSince).toLocaleString()}</span></div>
                      <div class="infoItem"><span class="infoLabel">Transport</span><span class="infoValue">${conn.transport}</span></div>
+                      <div class="infoItem"><span class="infoLabel">Source IP</span><span class="infoValue">${conn.sourceIp || '-'}</span></div>
                    ` : ''}
                    <div class="infoItem"><span class="infoLabel">Description</span><span class="infoValue">${client.description || '-'}</span></div>
                    <div class="infoItem"><span class="infoLabel">Target Profiles</span><span class="infoValue">${this.resolveProfileIdsToLabels(client.targetProfileIds)?.join(', ') || '-'}</span></div>
@@ -304,6 +304,16 @@ export class OpsViewConfig extends DeesElement {
      { key: 'Connected Edge IPs', value: ri.connectedEdgeIps?.length > 0 ? ri.connectedEdgeIps : null, type: 'pills' },
    ];

+    if (ri.performance) {
+      fields.push(
+        { key: 'Performance Profile', value: ri.performance.profile || null, type: 'badge' },
+        { key: 'Max Connections / Edge', value: ri.performance.maxStreamsPerEdge ?? null },
+        { key: 'Client Write Timeout', value: ri.performance.clientWriteTimeoutMs ? `${ri.performance.clientWriteTimeoutMs} ms` : null },
+        { key: 'First Data Timeout', value: ri.performance.firstDataConnectTimeoutMs ? `${ri.performance.firstDataConnectTimeoutMs} ms` : null },
+        { key: 'Server-first Ports', value: ri.performance.serverFirstPorts?.length ? ri.performance.serverFirstPorts.map(String) : null, type: 'pills' },
+      );
+    }
+
    const actions: IConfigSectionAction[] = [
      { label: 'View Remote Ingress', icon: 'lucide:arrow-right', event: 'navigate', detail: { view: 'network', subview: 'remoteingress' } },
    ];
Author	SHA1	Message	Date
jkunz	776c65a18c	v13.40.3 Docker (tags) / release (push) Failing after 1s Details Release / build-and-release (push) Successful in 7m44s Details	2026-05-31 16:23:56 +00:00
jkunz	5f6ec63770	fix(deps): bump smartproxy and remoteingress dependencies	2026-05-31 16:23:48 +00:00
jkunz	1b4cc0567f	v13.40.2 Docker (tags) / release (push) Failing after 1s Details Release / build-and-release (push) Successful in 7m0s Details	2026-05-31 15:26:43 +00:00
jkunz	22de50b544	fix(routes): ensure source profiles fully own route security	2026-05-31 15:26:18 +00:00
jkunz	2e3bead40c	v13.40.1 Docker (tags) / release (push) Failing after 1s Details Release / build-and-release (push) Failing after 19m10s Details	2026-05-31 11:50:08 +00:00
jkunz	85065b05c8	fix(deps): update smartproxy, remoteingress, and tsdeno dependencies	2026-05-31 11:49:25 +00:00
jkunz	7f7a26fb38	v13.40.0 Docker (tags) / release (push) Failing after 1s Details Release / build-and-release (push) Failing after 8m31s Details	2026-05-30 19:57:32 +00:00
jkunz	a089b681c4	feat(monitoring-opsserver-radius): use active connection snapshots for proxy metrics and RADIUS network secrets	2026-05-30 19:57:09 +00:00
jkunz	3e71301bf5	v13.39.0 Docker (tags) / release (push) Failing after 1s Details Release / build-and-release (push) Successful in 7m54s Details	2026-05-30 18:09:42 +00:00
jkunz	58cc8c0753	feat(remoteingress,radius): add remote ingress performance overrides and update RADIUS integration	2026-05-30 18:09:18 +00:00
jkunz	e279814803	v13.38.4 Docker (tags) / release (push) Failing after 1s Details Release / build-and-release (push) Successful in 7m11s Details	2026-05-30 15:05:32 +00:00
jkunz	6bee2eb172	fix(deps): bump @serve.zone/remoteingress to ^4.22.1	2026-05-30 15:05:16 +00:00
jkunz	db8ea99e88	v13.38.3 Docker (tags) / release (push) Failing after 1s Details Release / build-and-release (push) Successful in 7m19s Details	2026-05-30 13:19:15 +00:00
jkunz	98ccf82af0	fix(deps): update @serve.zone/remoteingress to ^4.22.0	2026-05-30 13:18:48 +00:00
jkunz	0f99525612	v13.38.2 Docker (tags) / release (push) Failing after 16m7s Details Release / build-and-release (push) Failing after 14m45s Details	2026-05-30 11:40:28 +00:00
jkunz	8e707d9c4d	fix(deps): bump @serve.zone/remoteingress to ^4.21.1	2026-05-30 11:40:00 +00:00
jkunz	418c825b01	v13.38.1 Docker (tags) / release (push) Failing after 1s Details Release / build-and-release (push) Successful in 8m58s Details	2026-05-30 10:35:31 +00:00
jkunz	75f29af27f	fix(deps): update @serve.zone/remoteingress to ^4.21.0	2026-05-30 10:35:02 +00:00
jkunz	4467fe629a	fix(deps): bump @serve.zone/remoteingress to ^4.21.0	2026-05-30 10:31:37 +00:00
jkunz	1912feffe5	v13.38.0 Docker (tags) / release (push) Failing after 1s Details Release / build-and-release (push) Successful in 7m45s Details	2026-05-29 17:57:08 +00:00
jkunz	9077b3dad6	feat(dns): support explicit DNS bind interface configuration	2026-05-29 17:56:33 +00:00
jkunz	d09ac51c5b	v13.37.2 Docker (tags) / release (push) Failing after 1s Details Release / build-and-release (push) Successful in 7m10s Details	2026-05-29 15:21:54 +00:00
jkunz	9d7975721d	fix(packaging): exclude assets from compiled and published artifacts	2026-05-29 15:21:22 +00:00
jkunz	667d62b456	v13.37.1 Docker (tags) / release (push) Failing after 1s Details Release / build-and-release (push) Failing after 4m28s Details	2026-05-29 14:52:42 +00:00
jkunz	90b1ca8de3	fix(release): configure pnpm registry for release workflow	2026-05-29 14:45:22 +00:00
jkunz	17d824d718	v13.37.0 Docker (tags) / release (push) Failing after 1s Details Release / build-and-release (push) Failing after 20s Details	2026-05-29 14:05:26 +00:00
jkunz	06a8636aee	feat(distribution): add binary installer	2026-05-29 13:58:05 +00:00
jkunz	4bf08c1fc3	fix(distribution): sync Deno binary import map	2026-05-29 10:43:12 +00:00
jkunz	7e721c54d0	feat(distribution): add CLI binary distribution and improve DNS challenge handling	2026-05-29 10:38:54 +00:00
jkunz	e6aa5a1dd2	v13.36.3 Docker (tags) / release (push) Failing after 1s Details	2026-05-29 08:42:32 +00:00
jkunz	bbe18e1413	fix(deps): bump smartproxy to keep idle WebSocket tunnels on dedicated lifecycle timeouts	2026-05-29 08:42:14 +00:00
jkunz	e2a10bdc3c	v13.36.2 Docker (tags) / release (push) Failing after 1s Details	2026-05-29 04:00:16 +00:00
jkunz	42a5f6df7b	fix(dns): preserve parallel ACME TXT challenges and mixed-case DNS queries	2026-05-29 03:59:59 +00:00
jkunz	c61d832b43	v13.36.1 Docker (tags) / release (push) Failing after 1s Details	2026-05-28 14:39:36 +00:00
jkunz	872a822ed7	fix(remoteingress): bump @serve.zone/remoteingress to ^4.18.0	2026-05-28 14:38:57 +00:00
jkunz	34bfd1528b	v13.36.0 Docker (tags) / release (push) Failing after 1s Details	2026-05-28 08:48:03 +00:00
jkunz	be38808795	feat(network): add top connected ASN activity to network monitoring	2026-05-28 08:47:12 +00:00
jkunz	b9ae4ac344	v13.35.0 Docker (tags) / release (push) Failing after 1s Details	2026-05-24 05:12:13 +00:00
jkunz	37adcc9ddc	feat(vpn): use authenticated VPN route grants	2026-05-24 05:11:48 +00:00
jkunz	ac118397f9	v13.34.0 Docker (tags) / release (push) Failing after 0s Details	2026-05-21 23:45:34 +00:00
jkunz	8188b4712c	feat(vpn): allow target profiles to grant non-vpnOnly routes by live client source IP	2026-05-21 23:44:01 +00:00
jkunz	27d077feed	v13.33.0 Docker (tags) / release (push) Failing after 0s Details	2026-05-21 01:56:32 +00:00
jkunz	98913c1977	feat(security): add queued IP intelligence observation and filtered retrieval for network and security views	2026-05-21 01:56:17 +00:00
jkunz	ca5c57a329	v13.32.1 Docker (tags) / release (push) Failing after 1s Details	2026-05-20 16:24:44 +00:00
jkunz	707fbc2413	fix(opsserver,vpn): tighten admin bootstrap behavior when the database is unavailable and include wildcard VPN profile matches in route access rules	2026-05-20 16:24:30 +00:00
jkunz	a0c9d40e87	fix(deps): update smartproxy for Alpine compatibility	2026-05-20 15:15:34 +00:00
jkunz	2a73973eda	fix(deps): update smartdb for Alpine compatibility	2026-05-20 13:46:01 +00:00