v13.42.2

fix(dev-deps): bump @git.zone/tsdocker to ^2.4.1
v13.42.1
2026-06-02 14:11:18 +00:00 · 2026-06-02 14:10:49 +00:00 · 2026-06-02 12:48:16 +00:00 · 2026-06-02 12:47:53 +00:00 · 2026-06-02 00:29:38 +00:00 · 2026-06-02 00:29:13 +00:00
57 changed files with 5414 additions and 594 deletions
@@ -0,0 +1,140 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+jobs:
+  build-and-release:
+    runs-on: ubuntu-latest
+    container:
+      image: code.foss.global/host.today/ht-docker-node:latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set up Deno
+        uses: denoland/setup-deno@v1
+        with:
+          deno-version: v2.x
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '22'
+
+      - name: Enable corepack
+        run: corepack enable
+
+      - name: Configure pnpm registry
+        run: pnpm config set registry https://verdaccio.lossless.digital/
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Get version from tag
+        id: version
+        run: |
+          VERSION=${GITHUB_REF#refs/tags/}
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+          echo "version_number=${VERSION#v}" >> $GITHUB_OUTPUT
+          echo "Building version: $VERSION"
+
+      - name: Verify package.json version matches tag
+        run: |
+          PACKAGE_VERSION=$(node -p "JSON.parse(require('fs').readFileSync('package.json', 'utf8')).version")
+          TAG_VERSION="${{ steps.version.outputs.version_number }}"
+          echo "package.json version: $PACKAGE_VERSION"
+          echo "Tag version: $TAG_VERSION"
+          if [ "$PACKAGE_VERSION" != "$TAG_VERSION" ]; then
+            echo "ERROR: Version mismatch!"
+            exit 1
+          fi
+
+      - name: Test package
+        run: pnpm test
+
+      - name: Build binary artifacts
+        run: pnpm run build:binary
+
+      - name: Generate SHA256 checksums
+        run: |
+          cd dist/binaries
+          sha256sum * > SHA256SUMS.txt
+          cat SHA256SUMS.txt
+          cd ../..
+
+      - name: Pack npm artifact
+        run: |
+          mkdir -p dist/package
+          pnpm pack --pack-destination dist/package
+          ls -lh dist/package
+
+      - name: Extract changelog for this version
+        run: |
+          VERSION="${{ steps.version.outputs.version }}"
+          if [ -f changelog.md ]; then
+            awk "/## $VERSION/,/## /" changelog.md | sed '$d' > /tmp/release_notes.md || true
+          fi
+          if [ ! -s /tmp/release_notes.md ]; then
+            cat > /tmp/release_notes.md << EOF
+          ## DcRouter $VERSION
+
+          NodeNext package build plus self-extracting Linux binaries.
+
+          ### Artifacts
+
+          - npm package tarball
+          - dcrouter-linux-x64
+          - dcrouter-linux-arm64
+          - SHA256SUMS.txt
+          EOF
+          fi
+
+      - name: Delete existing release if it exists
+        run: |
+          VERSION="${{ steps.version.outputs.version }}"
+          EXISTING_RELEASE_ID=$(curl -s \
+            -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
+            "https://code.foss.global/api/v1/repos/serve.zone/dcrouter/releases/tags/$VERSION" \
+            | jq -r '.id // empty')
+          if [ -n "$EXISTING_RELEASE_ID" ]; then
+            curl -X DELETE -s \
+              -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
+              "https://code.foss.global/api/v1/repos/serve.zone/dcrouter/releases/$EXISTING_RELEASE_ID"
+            sleep 2
+          fi
+
+      - name: Create Gitea Release
+        run: |
+          VERSION="${{ steps.version.outputs.version }}"
+          RELEASE_ID=$(curl -X POST -s \
+            -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
+            -H "Content-Type: application/json" \
+            "https://code.foss.global/api/v1/repos/serve.zone/dcrouter/releases" \
+            -d "{
+              \"tag_name\": \"$VERSION\",
+              \"name\": \"DcRouter $VERSION\",
+              \"body\": $(jq -Rs . /tmp/release_notes.md),
+              \"draft\": false,
+              \"prerelease\": false
+            }" | jq -r '.id')
+          for artifact in dist/package/* dist/binaries/*; do
+            [ -f "$artifact" ] || continue
+            filename=$(basename "$artifact")
+            curl -X POST -s \
+              -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
+              -H "Content-Type: application/octet-stream" \
+              --data-binary "@$artifact" \
+              "https://code.foss.global/api/v1/repos/serve.zone/dcrouter/releases/$RELEASE_ID/assets?name=$filename"
+          done
+
+      - name: Release Summary
+        run: |
+          echo "Release ${{ steps.version.outputs.version }} complete"
+          ls -lh dist/package
+          ls -lh dist/binaries
@@ -29,6 +29,28 @@
      }
    ]
  },
+  "@git.zone/tsdeno": {
+    "compileTargets": [
+      {
+        "name": "dcrouter-linux-x64",
+        "entryPoint": "binary/dcrouter.ts",
+        "outDir": "dist/binaries",
+        "target": "x86_64-unknown-linux-gnu",
+        "permissions": ["--allow-all"],
+        "noCheck": true,
+        "selfExtracting": true
+      },
+      {
+        "name": "dcrouter-linux-arm64",
+        "entryPoint": "binary/dcrouter.ts",
+        "outDir": "dist/binaries",
+        "target": "aarch64-unknown-linux-gnu",
+        "permissions": ["--allow-all"],
+        "noCheck": true,
+        "selfExtracting": true
+      }
+    ]
+  },
  "@git.zone/cli": {
    "schemaVersion": 2,
    "projectType": "service",
@@ -96,4 +118,4 @@
    ]
  },
  "@ship.zone/szci": {}
-}
+}
@@ -0,0 +1,4 @@
+process.env.CLI_CALL = 'true';
+
+const cliTool = await import('../dist_ts/index.js');
+await cliTool.runCli();
@@ -3,6 +3,199 @@
 ## Pending


+
+
+
+## 2026-06-02 - 13.42.2
+
+### Fixes
+
+- bump @git.zone/tsdocker to ^2.4.1 (dev-deps)
+  - Updated @git.zone/tsdocker from ^2.4.0 to ^2.4.1.
+
+## 2026-06-02 - 13.42.1
+
+### Fixes
+
+- bump @serve.zone/remoteingress to ^4.22.5 (deps)
+  - Updates @serve.zone/remoteingress from ^4.22.4 to ^4.22.5.
+
+## 2026-06-02 - 13.42.0
+
+### Features
+
+- add ordered route source policies with Gitea preset support (source-policy)
+  - Compile metadata.sourcePolicy bindings into SmartProxy route variants with ordered source matching, path-class overrides, and terminal 429 rate/connection limit handling
+  - Add shared source-policy interfaces, Gitea path-class patterns, validation limits, and resolver support for policy-backed profile usage and display names
+  - Add Ops UI controls for manual and Gitea source-policy presets plus rate-limit editing for source profiles
+  - Seed TRUSTED NETWORKS, AI CRAWLERS, and PUBLIC default profiles through defaults and the 13.42.0 migration
+  - Bump smartproxy to ^27.12.4 and add coverage for source-policy compilation, rate-limit behavior, migrations, and port-safe server tests
+
+## 2026-06-01 - 13.41.2
+
+### Fixes
+
+- update SmartProxy and RemoteIngress dependencies (deps)
+  - Bump SmartProxy to 27.12.3 for the published half-close regression coverage.
+  - Bump RemoteIngress to 4.22.4 for the half-close/reset and UDP startup lifecycle fixes.
+  - Align npm and Deno import metadata for both runtime dependencies.
+
+## 2026-05-31 - 13.41.1
+
+### Fixes
+
+- prevent SmartAcme startup from blocking router startup (smartacme)
+  - Start SmartAcme in the background with bounded exponential retry handling
+  - Re-trigger certificate provisioning after SmartAcme becomes ready
+  - Cancel stale retry timers and clean up SmartAcme instances during shutdown or config updates
+
+## 2026-05-31 - 13.41.0
+
+### Features
+
+- add RemoteIngress hub settings management (remoteingress)
+  - Persist hub-level RemoteIngress performance settings with validation and seed defaults from config
+  - Add typed read/update handlers and web UI controls for hub performance settings
+  - Restart the tunnel hub after hub setting updates so new performance defaults take effect
+  - Serialize RemoteIngress lifecycle tasks, edge mutations, route syncs, and stop/start operations to avoid hub race conditions
+
+## 2026-05-31 - 13.40.3
+
+### Fixes
+
+- bump smartproxy and remoteingress dependencies (deps)
+  - Bumped @push.rocks/smartproxy from ^27.12.1 to ^27.12.2
+  - Bumped @serve.zone/remoteingress from ^4.22.2 to ^4.22.3
+  - Updated dependency versions in both package.json and deno.json
+
+## 2026-05-31 - 13.40.2
+
+### Fixes
+
+- ensure source profiles fully own route security (routes)
+  - Resolve profile-backed routes by cloning source profile security instead of merging inline route overrides
+  - Clear stale route security when a source profile reference is removed without explicit replacement security
+  - Add a migration to rematerialize persisted profile-backed route security
+
+## 2026-05-31 - 13.40.1
+
+### Fixes
+
+- update smartproxy, remoteingress, and tsdeno dependencies (deps)
+  - Bump @push.rocks/smartproxy to ^27.12.1 in Deno imports
+  - Bump @serve.zone/remoteingress to ^4.22.2 in package and Deno configuration
+  - Bump @git.zone/tsdeno to ^1.5.0
+
+## 2026-05-30 - 13.40.0
+
+### Features
+
+- use active connection snapshots for proxy metrics and RADIUS network secrets (monitoring-opsserver-radius)
+  - Add cached SmartProxy active connection snapshots for connection info and network statistics.
+  - Report ops security active connections from per-connection snapshots with protocol, state, and byte counters.
+  - Configure RADIUS clients through smartradius network secrets, including CIDR ranges, and forward additional RADIUS attributes.
+  - Bump smartproxy to ^27.12.1 and smartradius to ^1.3.0.
+
+## 2026-05-30 - 13.39.0
+
+### Features
+
+- add remote ingress performance overrides and update RADIUS integration (remoteingress,radius)
+  - Persist and propagate optional remote ingress performance overrides through remote ingress create/update APIs, database documents, and hub allowed-edge sync.
+  - Add web UI controls and status display for per-edge maximum connection overrides.
+  - Extend remote ingress performance interfaces with stream payload, timeout, and server-first port settings.
+  - Update RADIUS server integration for smartradius 1.2 request/response handling and client secret resolution, including CIDR matching.
+
+## 2026-05-30 - 13.38.4
+
+### Fixes
+
+- bump @serve.zone/remoteingress to ^4.22.1 (deps)
+  - Updated @serve.zone/remoteingress in package.json and deno.json.
+
+## 2026-05-30 - 13.38.3
+
+### Fixes
+
+- update @serve.zone/remoteingress to ^4.22.0 (deps)
+  - Updated @serve.zone/remoteingress from ^4.21.1 to ^4.22.0 in package.json and deno.json.
+
+## 2026-05-30 - 13.38.2
+
+### Fixes
+
+- bump @serve.zone/remoteingress to ^4.21.1 (deps)
+  - Updated @serve.zone/remoteingress in package.json and deno.json from ^4.21.0 to ^4.21.1.
+
+## 2026-05-30 - 13.38.1
+
+### Fixes
+
+- bump @serve.zone/remoteingress to ^4.21.0 (deps)
+  - Updates @serve.zone/remoteingress from ^4.18.0 to ^4.21.0.
+- update @serve.zone/remoteingress to ^4.21.0 (deps)
+  - Updates the Deno import mapping for @serve.zone/remoteingress from ^4.18.0 to ^4.21.0.
+
+## 2026-05-29 - 13.38.0
+
+### Features
+
+- support explicit DNS bind interface configuration (dns)
+  - Add a dnsBindInterface option to override the embedded DNS UDP bind address.
+  - Read DCROUTER_DNS_BIND_INTERFACE from OCI container configuration and document it in CLI help.
+  - Add test coverage for explicit DNS bind interface handling in OCI config.
+
+## 2026-05-29 - 13.37.2
+
+### Fixes
+
+- exclude assets from compiled and published artifacts (packaging)
+  - Removed assets from the Deno compile include list.
+  - Removed assets from the npm package files list.
+
+## 2026-05-29 - 13.37.1
+
+### Fixes
+
+- configure pnpm registry for release workflow (release)
+  - Sets the pnpm registry before dependency installation so release builds resolve packages from the configured registry.
+
+## 2026-05-29 - 13.37.0
+
+### Features
+
+- add CLI binary distribution (distribution)
+  - Add dcrouter bin entry, Deno compile targets, binary entrypoint, and tag-driven release workflow for Linux artifacts.
+  - Add --version and --help handling to the CLI for safe package and binary smoke tests.
+  - Keep the Deno binary import map aligned with the current SmartDNS and SmartProxy runtime dependencies.
+- add one-line installer and Docker distribution docs (distribution)
+  - Add an install.sh flow that installs Linux x64 and arm64 release binaries by default with a NodeNext source-build fallback.
+  - Document installer modes, binary artifact names, and the published multi-arch Docker image.
+
+## 2026-05-29 - 13.36.3
+
+### Fixes
+
+- update SmartProxy to keep idle WebSocket tunnels on dedicated lifecycle timeouts
+  - Bump @push.rocks/smartproxy to ^27.11.1.
+  - Prevent public gateway WebSocket routes from inheriting the HTTP socket timeout.
+- bump smartproxy to keep idle WebSocket tunnels on dedicated lifecycle timeouts (deps)
+  - Bump @push.rocks/smartproxy to ^27.11.1.
+  - Prevent public gateway WebSocket routes from inheriting the HTTP socket timeout.
+
+## 2026-05-29 - 13.36.2
+
+### Fixes
+
+- preserve parallel ACME DNS-01 TXT challenges and consume case-insensitive DNS matching (dns,certificates)
+  - Keep exact and wildcard SAN challenge TXT records at the same owner name instead of deleting sibling challenge values.
+  - Match local dcrouter-hosted DNS records case-insensitively so DNS 0x20 mixed-case queries keep resolving.
+  - Update @push.rocks/smartdns to 7.9.3 for case-insensitive handler matching in the embedded DNS server.
+- preserve parallel ACME TXT challenges and mixed-case DNS queries (dns)
+  - Remove only matching ACME DNS-01 TXT challenge values during setup and cleanup so parallel challenges can coexist.
+  - Resolve locally hosted DNS records case-insensitively while preserving the query name casing in responses.
+  - Bump @push.rocks/smartdns to ^7.9.3.
+
 ## 2026-05-28 - 13.36.1

 ### Fixes
@@ -0,0 +1,49 @@
+{
+  "name": "@serve.zone/dcrouter",
+  "version": "13.42.2",
+  "exports": "./binary/dcrouter.ts",
+  "compile": {
+    "include": [
+      "dist_serve"
+    ]
+  },
+  "imports": {
+    "@api.global/typedrequest": "npm:@api.global/typedrequest@^3.3.1",
+    "@api.global/typedrequest-interfaces": "npm:@api.global/typedrequest-interfaces@^3.0.19",
+    "@api.global/typedserver": "npm:@api.global/typedserver@^8.4.6",
+    "@api.global/typedsocket": "npm:@api.global/typedsocket@^4.1.3",
+    "@apiclient.xyz/cloudflare": "npm:@apiclient.xyz/cloudflare@^7.1.0",
+    "@idp.global/sdk/server": "npm:@idp.global/sdk@^1.3.1/server",
+    "@push.rocks/lik": "npm:@push.rocks/lik@^6.4.1",
+    "@push.rocks/projectinfo": "npm:@push.rocks/projectinfo@^5.1.0",
+    "@push.rocks/qenv": "npm:@push.rocks/qenv@^6.1.4",
+    "@push.rocks/smartacme": "npm:@push.rocks/smartacme@^9.5.0",
+    "@push.rocks/smartdata": "npm:@push.rocks/smartdata@^7.1.7",
+    "@push.rocks/smartdb": "npm:@push.rocks/smartdb@^2.10.1",
+    "@push.rocks/smartdns": "npm:@push.rocks/smartdns@^7.9.3",
+    "@push.rocks/smartfs": "npm:@push.rocks/smartfs@^1.5.1",
+    "@push.rocks/smartguard": "npm:@push.rocks/smartguard@^3.1.0",
+    "@push.rocks/smartjwt": "npm:@push.rocks/smartjwt@^2.2.2",
+    "@push.rocks/smartlog": "npm:@push.rocks/smartlog@^3.2.2",
+    "@push.rocks/smartmetrics": "npm:@push.rocks/smartmetrics@^3.0.3",
+    "@push.rocks/smartmigration": "npm:@push.rocks/smartmigration@1.4.1",
+    "@push.rocks/smartmta": "npm:@push.rocks/smartmta@^5.3.3",
+    "@push.rocks/smartnetwork": "npm:@push.rocks/smartnetwork@^4.7.2",
+    "@push.rocks/smartpath": "npm:@push.rocks/smartpath@^6.0.0",
+    "@push.rocks/smartpromise": "npm:@push.rocks/smartpromise@^4.2.4",
+    "@push.rocks/smartproxy": "npm:@push.rocks/smartproxy@^27.12.3",
+    "@push.rocks/smartradius": "npm:@push.rocks/smartradius@^1.1.2",
+    "@push.rocks/smartrequest": "npm:@push.rocks/smartrequest@^5.0.3",
+    "@push.rocks/smartrx": "npm:@push.rocks/smartrx@^3.0.10",
+    "@push.rocks/smartstate": "npm:@push.rocks/smartstate@^2.3.1",
+    "@push.rocks/smartunique": "npm:@push.rocks/smartunique@^3.0.9",
+    "@push.rocks/smartvpn": "npm:@push.rocks/smartvpn@1.20.0",
+    "@push.rocks/taskbuffer": "npm:@push.rocks/taskbuffer@^8.0.2",
+    "@serve.zone/interfaces": "npm:@serve.zone/interfaces@^5.8.0",
+    "@serve.zone/remoteingress": "npm:@serve.zone/remoteingress@^4.22.4",
+    "@tsclass/tsclass": "npm:@tsclass/tsclass@^9.5.1",
+    "lru-cache": "npm:lru-cache@^11.4.0",
+    "qrcode": "npm:qrcode@^1.5.4",
+    "uuid": "npm:uuid@^14.0.0"
+  }
+}
@@ -0,0 +1,359 @@
+#!/bin/bash
+
+# DcRouter Installer Script
+# Installs the self-extracting Linux binary by default, or builds the NodeNext
+# source package when --source is specified.
+#
+# Usage:
+#   Binary install:
+#     curl -sSL https://code.foss.global/serve.zone/dcrouter/raw/branch/main/install.sh | sudo bash
+#
+#   Source install:
+#     curl -sSL https://code.foss.global/serve.zone/dcrouter/raw/branch/main/install.sh | sudo bash -s -- --source
+#
+# Options:
+#   -h, --help             Show this help message
+#   --version VERSION      Install a specific tag/version (e.g. vX.Y.Z)
+#   --install-dir DIR      Installation directory (default: /opt/dcrouter)
+#   --binary               Install release binary (default)
+#   --source               Clone the tag and build the NodeNext package locally
+
+set -euo pipefail
+
+SHOW_HELP=0
+SPECIFIED_VERSION=""
+INSTALL_DIR="/opt/dcrouter"
+INSTALL_MODE="binary"
+GITEA_BASE_URL="https://code.foss.global"
+GITEA_REPO="serve.zone/dcrouter"
+SERVICE_NAME="dcrouter"
+BIN_DIR="/usr/local/bin"
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    -h|--help)
+      SHOW_HELP=1
+      shift
+      ;;
+    --version)
+      if [[ $# -lt 2 ]]; then
+        echo "Error: --version requires a value"
+        exit 1
+      fi
+      SPECIFIED_VERSION="$2"
+      shift 2
+      ;;
+    --install-dir)
+      if [[ $# -lt 2 ]]; then
+        echo "Error: --install-dir requires a value"
+        exit 1
+      fi
+      INSTALL_DIR="$2"
+      shift 2
+      ;;
+    --binary)
+      INSTALL_MODE="binary"
+      shift
+      ;;
+    --source)
+      INSTALL_MODE="source"
+      shift
+      ;;
+    *)
+      echo "Unknown option: $1"
+      echo "Use -h or --help for usage information"
+      exit 1
+      ;;
+  esac
+done
+
+if [[ $SHOW_HELP -eq 1 ]]; then
+  echo "DcRouter Installer Script"
+  echo "Installs DcRouter as a self-extracting binary or NodeNext source build."
+  echo ""
+  echo "Usage: $0 [options]"
+  echo ""
+  echo "Options:"
+  echo "  -h, --help             Show this help message"
+  echo "  --version VERSION      Install a specific tag/version (e.g. vX.Y.Z)"
+  echo "  --install-dir DIR      Installation directory (default: /opt/dcrouter)"
+  echo "  --binary               Install release binary (default)"
+  echo "  --source               Clone the tag and build the NodeNext package locally"
+  echo ""
+  echo "Examples:"
+  echo "  curl -sSL https://code.foss.global/serve.zone/dcrouter/raw/branch/main/install.sh | sudo bash"
+  echo "  curl -sSL https://code.foss.global/serve.zone/dcrouter/raw/branch/main/install.sh | sudo bash -s -- --source"
+  echo "  curl -sSL https://code.foss.global/serve.zone/dcrouter/raw/branch/main/install.sh | sudo bash -s -- --version vX.Y.Z"
+  exit 0
+fi
+
+if [[ "$EUID" -ne 0 ]]; then
+  echo "Please run as root (sudo bash install.sh or pipe to sudo bash)"
+  exit 1
+fi
+
+case "$INSTALL_DIR" in
+  ""|"/")
+    echo "Error: unsafe install directory: $INSTALL_DIR"
+    exit 1
+    ;;
+esac
+
+require_command() {
+  if ! command -v "$1" >/dev/null 2>&1; then
+    echo "Error: required command not found: $1"
+    exit 1
+  fi
+}
+
+ensure_pnpm() {
+  if command -v pnpm >/dev/null 2>&1; then
+    return
+  fi
+  if command -v corepack >/dev/null 2>&1; then
+    corepack enable
+  fi
+  if ! command -v pnpm >/dev/null 2>&1; then
+    echo "Error: pnpm is required for --source installs. Install Node.js with corepack/pnpm first."
+    exit 1
+  fi
+}
+
+make_executable_if_present() {
+  if [[ -f "$1" ]]; then
+    chmod 0755 "$1"
+  fi
+}
+
+get_latest_version() {
+  echo "Fetching latest release version from Gitea..." >&2
+
+  local api_url="${GITEA_BASE_URL}/api/v1/repos/${GITEA_REPO}/releases/latest"
+  local response
+  if ! response=$(curl -fsSL "$api_url" 2>/dev/null); then
+    echo "Error: Failed to fetch latest release information from Gitea API" >&2
+    echo "URL: $api_url" >&2
+    exit 1
+  fi
+
+  local version
+  version=$(printf '%s' "$response" | sed -n 's/.*"tag_name"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
+  if [[ -z "$version" ]]; then
+    echo "Error: Could not determine latest version from API response" >&2
+    exit 1
+  fi
+
+  echo "$version"
+}
+
+detect_binary_name() {
+  local os
+  local arch
+  os=$(uname -s)
+  arch=$(uname -m)
+
+  if [[ "$os" != "Linux" ]]; then
+    echo "Error: binary installer currently supports Linux only. Use --source for this platform." >&2
+    exit 1
+  fi
+
+  case "$arch" in
+    x86_64|amd64)
+      echo "dcrouter-linux-x64"
+      ;;
+    aarch64|arm64)
+      echo "dcrouter-linux-arm64"
+      ;;
+    *)
+      echo "Error: unsupported architecture for binary install: $arch. Use --source." >&2
+      exit 1
+      ;;
+  esac
+}
+
+echo "================================================"
+echo "  DcRouter Installation Script"
+echo "================================================"
+echo ""
+
+require_command curl
+require_command sed
+
+if [[ -n "$SPECIFIED_VERSION" ]]; then
+  VERSION="$SPECIFIED_VERSION"
+  echo "Installing specified version: $VERSION"
+else
+  VERSION=$(get_latest_version)
+  echo "Installing latest version: $VERSION"
+fi
+echo "Install mode: $INSTALL_MODE"
+echo ""
+
+SOURCE_REF="$VERSION"
+REPO_URL="${GITEA_BASE_URL}/${GITEA_REPO}.git"
+TEMP_DIR=$(mktemp -d)
+SOURCE_DIR="$TEMP_DIR/source"
+BACKUP_DIR=""
+SERVICE_WAS_RUNNING=0
+SERVICE_STOPPED=0
+SYSTEMD_AVAILABLE=0
+
+cleanup_temp() {
+  rm -rf "$TEMP_DIR"
+}
+trap cleanup_temp EXIT
+
+if command -v systemctl >/dev/null 2>&1; then
+  SYSTEMD_AVAILABLE=1
+  if systemctl is-active --quiet "$SERVICE_NAME" 2>/dev/null; then
+    SERVICE_WAS_RUNNING=1
+  fi
+fi
+
+restore_previous_installation() {
+  if [[ -n "$BACKUP_DIR" && -d "$BACKUP_DIR" ]]; then
+    echo "Restoring previous installation from $BACKUP_DIR..."
+    rm -rf "$INSTALL_DIR" || true
+    mv "$BACKUP_DIR" "$INSTALL_DIR" || true
+    if [[ -f "$INSTALL_DIR/dcrouter" ]]; then
+      mkdir -p "$BIN_DIR" || true
+      ln -sf "$INSTALL_DIR/dcrouter" "$BIN_DIR/dcrouter" || true
+    elif [[ -f "$INSTALL_DIR/cli.js" ]]; then
+      mkdir -p "$BIN_DIR" || true
+      ln -sf "$INSTALL_DIR/cli.js" "$BIN_DIR/dcrouter" || true
+    fi
+  fi
+}
+
+restart_previous_service_on_error() {
+  if [[ $SERVICE_STOPPED -eq 1 && $SYSTEMD_AVAILABLE -eq 1 ]]; then
+    echo "Installation failed after stopping DcRouter; restarting previous service..."
+    systemctl start "$SERVICE_NAME" || true
+  fi
+}
+
+handle_install_error() {
+  trap - ERR
+  restore_previous_installation
+  restart_previous_service_on_error
+}
+trap handle_install_error ERR
+
+stop_service_if_running() {
+  if [[ $SERVICE_WAS_RUNNING -eq 1 && $SYSTEMD_AVAILABLE -eq 1 ]] && systemctl is-active --quiet "$SERVICE_NAME" 2>/dev/null; then
+    echo "Stopping DcRouter service..."
+    systemctl stop "$SERVICE_NAME"
+    SERVICE_STOPPED=1
+  fi
+}
+
+move_previous_installation() {
+  mkdir -p "$(dirname "$INSTALL_DIR")"
+  if [[ -d "$INSTALL_DIR" ]]; then
+    BACKUP_DIR="${INSTALL_DIR}.previous.$$"
+    echo "Moving previous installation to $BACKUP_DIR"
+    mv "$INSTALL_DIR" "$BACKUP_DIR"
+  fi
+}
+
+install_source_build() {
+  require_command git
+  require_command node
+  ensure_pnpm
+
+  echo "Cloning DcRouter source from $REPO_URL ($SOURCE_REF)..."
+  git clone --depth 1 --branch "$SOURCE_REF" "$REPO_URL" "$SOURCE_DIR"
+
+  echo "Installing dependencies..."
+  pnpm --dir "$SOURCE_DIR" install --frozen-lockfile
+
+  echo "Building DcRouter..."
+  pnpm --dir "$SOURCE_DIR" run build
+
+  echo "Validating built CLI..."
+  node "$SOURCE_DIR/cli.js" --version >/dev/null
+
+  stop_service_if_running
+  move_previous_installation
+
+  echo "Installing source build to $INSTALL_DIR"
+  mv "$SOURCE_DIR" "$INSTALL_DIR"
+  make_executable_if_present "$INSTALL_DIR/cli.js"
+  make_executable_if_present "$INSTALL_DIR/cli.ts.js"
+  make_executable_if_present "$INSTALL_DIR/cli.child.js"
+
+  mkdir -p "$BIN_DIR"
+  ln -sf "$INSTALL_DIR/cli.js" "$BIN_DIR/dcrouter"
+}
+
+install_release_binary() {
+  local binary_name
+  local download_url
+  local temp_file
+
+  binary_name=$(detect_binary_name)
+  download_url="${GITEA_BASE_URL}/${GITEA_REPO}/releases/download/${VERSION}/${binary_name}"
+  temp_file="$TEMP_DIR/$binary_name"
+
+  echo "Downloading DcRouter binary: $download_url"
+  curl -fSL "$download_url" -o "$temp_file"
+  chmod 0755 "$temp_file"
+
+  echo "Validating downloaded binary..."
+  "$temp_file" --version >/dev/null
+
+  stop_service_if_running
+  move_previous_installation
+
+  echo "Installing binary to $INSTALL_DIR"
+  mkdir -p "$INSTALL_DIR"
+  install -m 0755 "$temp_file" "$INSTALL_DIR/dcrouter"
+
+  mkdir -p "$BIN_DIR"
+  ln -sf "$INSTALL_DIR/dcrouter" "$BIN_DIR/dcrouter"
+}
+
+if [[ "$INSTALL_MODE" == "source" ]]; then
+  install_source_build
+else
+  install_release_binary
+fi
+
+echo "Symlink created: $BIN_DIR/dcrouter"
+
+if ! "$BIN_DIR/dcrouter" --version >/dev/null; then
+  echo "Error: Installed DcRouter CLI failed validation"
+  restore_previous_installation
+  restart_previous_service_on_error
+  exit 1
+fi
+
+if [[ -n "$BACKUP_DIR" && -d "$BACKUP_DIR" ]]; then
+  rm -rf "$BACKUP_DIR"
+fi
+
+if [[ $SERVICE_WAS_RUNNING -eq 1 && $SYSTEMD_AVAILABLE -eq 1 ]]; then
+  echo "Restarting DcRouter service..."
+  systemctl restart "$SERVICE_NAME"
+  SERVICE_STOPPED=0
+  echo "Service restarted successfully."
+  echo ""
+fi
+
+trap - ERR
+
+echo "================================================"
+echo "  DcRouter Installation Complete!"
+echo "================================================"
+echo ""
+echo "Installation details:"
+echo "  Install directory: $INSTALL_DIR"
+echo "  Symlink location: $BIN_DIR/dcrouter"
+echo "  Version: $VERSION"
+echo "  Mode: $INSTALL_MODE"
+echo ""
+echo "Get started:"
+echo ""
+echo "  dcrouter --version"
+echo "  dcrouter --help"
+echo ""
@@ -1,9 +1,12 @@
 {
  "name": "@serve.zone/dcrouter",
  "private": false,
-  "version": "13.36.1",
+  "version": "13.42.2",
  "description": "A multifaceted routing service handling mail and SMS delivery functions.",
  "type": "module",
+  "bin": {
+    "dcrouter": "./cli.js"
+  },
  "exports": {
    ".": "./dist_ts/index.js",
    "./interfaces": "./dist_ts_interfaces/index.js",
@@ -15,7 +18,8 @@
    "test": "(tstest test/ --verbose --logfile --timeout 60)",
    "start": "(node ./cli.js)",
    "startTs": "(node cli.ts.js)",
-    "build": "(tsbuild tsfolders --allowimplicitany && npm run bundle)",
+    "build": "(tsbuild tsfolders --allowimplicitany && pnpm run bundle)",
+    "build:binary": "(pnpm run build && tsdeno compile)",
    "build:docker": "tsdocker build --verbose",
    "release:docker": "tsdocker push --verbose",
    "bundle": "(tsbundle)",
@@ -24,7 +28,8 @@
  "devDependencies": {
    "@git.zone/tsbuild": "^4.4.2",
    "@git.zone/tsbundle": "^2.10.4",
-    "@git.zone/tsdocker": "^2.4.0",
+    "@git.zone/tsdeno": "^1.5.0",
+    "@git.zone/tsdocker": "^2.4.1",
    "@git.zone/tsrun": "^2.0.4",
    "@git.zone/tstest": "^3.6.6",
    "@git.zone/tswatch": "^3.3.5",
@@ -36,7 +41,7 @@
    "@api.global/typedserver": "^8.4.6",
    "@api.global/typedsocket": "^4.1.3",
    "@apiclient.xyz/cloudflare": "^7.1.0",
-    "@design.estate/dees-catalog": "^3.81.0",
+    "@design.estate/dees-catalog": "^3.83.0",
    "@design.estate/dees-element": "^2.2.4",
    "@idp.global/sdk": "^1.3.1",
    "@push.rocks/lik": "^6.4.1",
@@ -45,7 +50,7 @@
    "@push.rocks/smartacme": "^9.5.0",
    "@push.rocks/smartdata": "^7.1.7",
    "@push.rocks/smartdb": "^2.10.1",
-    "@push.rocks/smartdns": "^7.9.2",
+    "@push.rocks/smartdns": "^7.9.3",
    "@push.rocks/smartfs": "^1.5.1",
    "@push.rocks/smartguard": "^3.1.0",
    "@push.rocks/smartjwt": "^2.2.2",
@@ -56,8 +61,8 @@
    "@push.rocks/smartnetwork": "^4.7.2",
    "@push.rocks/smartpath": "^6.0.0",
    "@push.rocks/smartpromise": "^4.2.4",
-    "@push.rocks/smartproxy": "^27.11.0",
-    "@push.rocks/smartradius": "^1.1.2",
+    "@push.rocks/smartproxy": "^27.12.4",
+    "@push.rocks/smartradius": "^1.3.0",
    "@push.rocks/smartrequest": "^5.0.3",
    "@push.rocks/smartrx": "^3.0.10",
    "@push.rocks/smartstate": "^2.3.1",
@@ -66,7 +71,7 @@
    "@push.rocks/taskbuffer": "^8.0.2",
    "@serve.zone/catalog": "^2.12.4",
    "@serve.zone/interfaces": "^5.8.0",
-    "@serve.zone/remoteingress": "^4.18.0",
+    "@serve.zone/remoteingress": "^4.22.5",
    "@tsclass/tsclass": "^9.5.1",
    "@types/qrcode": "^1.5.6",
    "lru-cache": "^11.4.0",
@@ -99,25 +104,22 @@
    "VLAN assignment",
    "MAC authentication"
  ],
-  "pnpm": {
-    "onlyBuiltDependencies": [
-      "esbuild",
-      "mongodb-memory-server",
-      "puppeteer"
-    ]
-  },
  "packageManager": "pnpm@10.11.0",
  "files": [
    "ts/**/*",
+    "binary/**/*",
    "ts_web/**/*",
    "ts_apiclient/**/*",
-    "dist/**/*",
    "dist_*/**/*",
    "dist_ts/**/*",
    "dist_ts_web/**/*",
    "dist_ts_apiclient/**/*",
-    "assets/**/*",
    "cli.js",
+    "cli.ts.js",
+    "cli.child.js",
+    "cli.child.ts",
+    "deno.json",
+    "tsconfig.json",
    ".smartconfig.json",
    "readme.md"
  ]
@@ -24,8 +24,8 @@ importers:
        specifier: ^7.1.0
        version: 7.1.0
      '@design.estate/dees-catalog':
-        specifier: ^3.81.0
-        version: 3.81.0(@tiptap/pm@2.27.2)
+        specifier: ^3.83.0
+        version: 3.83.0(@tiptap/pm@2.27.2)
      '@design.estate/dees-element':
        specifier: ^2.2.4
        version: 2.2.4
@@ -51,8 +51,8 @@ importers:
        specifier: ^2.10.1
        version: 2.10.1(@tiptap/pm@2.27.2)(socks@2.8.8)
      '@push.rocks/smartdns':
-        specifier: ^7.9.2
-        version: 7.9.2
+        specifier: ^7.9.3
+        version: 7.9.3
      '@push.rocks/smartfs':
        specifier: ^1.5.1
        version: 1.5.1
@@ -76,7 +76,7 @@ importers:
        version: 5.3.3
      '@push.rocks/smartnetwork':
        specifier: ^4.7.2
-        version: 4.7.2
+        version: 4.7.3
      '@push.rocks/smartpath':
        specifier: ^6.0.0
        version: 6.0.0
@@ -84,11 +84,11 @@ importers:
        specifier: ^4.2.4
        version: 4.2.4
      '@push.rocks/smartproxy':
-        specifier: ^27.11.0
-        version: 27.11.0
+        specifier: ^27.12.4
+        version: 27.12.4
      '@push.rocks/smartradius':
-        specifier: ^1.1.2
-        version: 1.1.2
+        specifier: ^1.3.0
+        version: 1.3.0
      '@push.rocks/smartrequest':
        specifier: ^5.0.3
        version: 5.0.3
@@ -114,8 +114,8 @@ importers:
        specifier: ^5.8.0
        version: 5.8.0
      '@serve.zone/remoteingress':
-        specifier: ^4.18.0
-        version: 4.18.0
+        specifier: ^4.22.5
+        version: 4.22.5
      '@tsclass/tsclass':
        specifier: ^9.5.1
        version: 9.5.1
@@ -138,9 +138,12 @@ importers:
      '@git.zone/tsbundle':
        specifier: ^2.10.4
        version: 2.10.4
+      '@git.zone/tsdeno':
+        specifier: ^1.5.0
+        version: 1.5.0
      '@git.zone/tsdocker':
-        specifier: ^2.4.0
-        version: 2.4.0
+        specifier: ^2.4.1
+        version: 2.4.1
      '@git.zone/tsrun':
        specifier: ^2.0.4
        version: 2.0.4
@@ -362,8 +365,8 @@ packages:
  '@configvault.io/interfaces@1.0.17':
    resolution: {integrity: sha512-bEcCUR2VBDJsTin8HQh8Uw/mlYl2v8A3jMIaQ+MTB9Hrqd6CZL2dL7iJdWyFl/3EIX+LDxWFR+Oq7liIq7w+1Q==}

-  '@design.estate/dees-catalog@3.81.0':
-    resolution: {integrity: sha512-N7ocwSKVdjDQWmVV2XWiyg3dotGEuxP4/jhyB6duH8zJ3k63wmGm8+FeoP+LzRc8/U0Bl8w7UZrewlkIEMstUA==}
+  '@design.estate/dees-catalog@3.83.0':
+    resolution: {integrity: sha512-Ia4fwZ5ndziJkSE000nCro83rD8Rujki7ASHBQhL6ZDflZRJRlfuc13azVnQC2sazKlo/bWSgiiLcpc3V2IYrw==}

  '@design.estate/dees-comms@1.0.30':
    resolution: {integrity: sha512-KchMlklJfKAjQiJiR0xmofXtQ27VgZtBIxcMwPE9d+h3jJRv+lPZxzBQVOM0eyM0uS44S5vJMZ11IeV4uDXSHg==}
@@ -726,8 +729,12 @@ packages:
    resolution: {integrity: sha512-/xWOGrnuMaJ/Xo/EasaF9N3N9w1J9LDywZaRTa0UTtzbEtfJP7F2NJ9l4tWCwS+vTKpnqApX7ZueRh1h5MrwPQ==}
    hasBin: true

-  '@git.zone/tsdocker@2.4.0':
-    resolution: {integrity: sha512-GFE93RxFm8HDrSm5Ulggy4se7heb4GaNQgaWV6Mds6lhkm6GouO91xZYlmXVH9glzBoFJNG63pFXYHW6nrqf5A==}
+  '@git.zone/tsdeno@1.5.0':
+    resolution: {integrity: sha512-OdGPhnBz6v92OkKKWyswpyGman3m3FOXin+9WRzEBvvwyLAAkc2mKUGViPAIxYkrak4GiglzqjTkSyReDU0QOw==}
+    hasBin: true
+
+  '@git.zone/tsdocker@2.4.1':
+    resolution: {integrity: sha512-T7c0yf8eUNsT+ZYACv43FZqTY5OvhR+quSrc6+zgvAyzRIN4rG4t5lO0tyXkiakKp9QnIkjnLSPqWqeoP68jzQ==}
    hasBin: true

  '@git.zone/tspublish@1.11.6':
@@ -1285,8 +1292,8 @@ packages:
  '@push.rocks/smartdelay@3.1.0':
    resolution: {integrity: sha512-59xveBMbWmbFhh/rqhQnYG/klg/VONG9hV8+RQ7ftqsNRkcmUT+VM5etAbODgAUvsF4lxK+xVR0tbZOo0kGhRQ==}

-  '@push.rocks/smartdns@7.9.2':
-    resolution: {integrity: sha512-joMroNy/1YjXjxUaW38HQTvlyRHETE2+vnKg1c1304gHqcThyRawtdcnQsvmoK9sO1ZaPAqBKL1QP9m87nCFYQ==}
+  '@push.rocks/smartdns@7.9.3':
+    resolution: {integrity: sha512-TkqDmYeO0ogIICWIM06hE/SeNpyASsqr7d+HJv8u3FyD2jRP9LHn0X0o8CjSJ+IoTHSNXFBDFrddyysFdnwSsg==}

  '@push.rocks/smartenv@5.0.13':
    resolution: {integrity: sha512-ACXmUcHZHl2CF2jnVuRw9saRRrZvJblCRs2d+K5aLR1DfkYFX3eA21kcMlKeLisI3aGNbIj9vz/rowN5qkRkfA==}
@@ -1395,8 +1402,8 @@ packages:
  '@push.rocks/smartmustache@3.0.2':
    resolution: {integrity: sha512-G3LyRXoJhyM+iQhkvP/MR/2WYMvC9U7zc2J44JxUM5tPdkQ+o3++FbfRtnZj6rz5X/A7q03//vsxPitVQwoi2Q==}

-  '@push.rocks/smartnetwork@4.7.2':
-    resolution: {integrity: sha512-OwT8kwQeEO+E3RuCyCfgQEBz+FyydUVaTBivZzzVchdJCUDgoDkXSnRkbIuGoHd1BfRFkUg9DQlSzt0uDfsIbw==}
+  '@push.rocks/smartnetwork@4.7.3':
+    resolution: {integrity: sha512-ecv8aSGbcHUDkE0IJ+/0mRpgQv1fSjQAgcTe1qgBNY1Lk8lQTTaNjpG7g21EdK23seyShewejtGKOcK5o7Rh6A==}

  '@push.rocks/smartnftables@1.2.0':
    resolution: {integrity: sha512-VTRHnxHrJj9VOq2MaCOqxiA4JLGRnzEaZ7kXxA7v3ljX+Y2wWK9VYpwKKBEbjgjoTpQyOf+I0gEG9wkR/jtUvQ==}
@@ -1422,14 +1429,14 @@ packages:
  '@push.rocks/smartpromise@4.2.4':
    resolution: {integrity: sha512-8FUyYt94hOIY9mqHjitn4h69u0jbEtTF2RKKw2DpiTVFjpDTk9gXbVHZ/V+xEcBrN4mrzdQES0OiDmkNPoddEQ==}

-  '@push.rocks/smartproxy@27.11.0':
-    resolution: {integrity: sha512-ruyUMbrk28BTtrhcZpB5fX35FRQyyhJgVd7snPFa3Zttw0N8ahYrwKXpKfuagvOcaIpORMQoyR5WSv0C2ATFVA==}
+  '@push.rocks/smartproxy@27.12.4':
+    resolution: {integrity: sha512-oqr4IE4hqNOL38RRzCux/dF0PjKjeIf4Z/vbe2JXZUz9ZF2ANNPsLSvs0Z/LFlfsrvV35k0rqeEmBvKIq+1lVQ==}

  '@push.rocks/smartpuppeteer@2.0.6':
    resolution: {integrity: sha512-G+8cyDERvbXQcb9Sd8lnYdWYz8b3Mv2LfFf1ULmucDqQhcRHvxrWX/dKsvBZrwKPR4Wg+795Dyd+E1iOOh3tHw==}

-  '@push.rocks/smartradius@1.1.2':
-    resolution: {integrity: sha512-p4fHhMgXZRuyRuMQjFQLVnXBG1Fz2latJ7BGAsfInOuVUaitBr/Wni9mZULAuIIddeWwUx9QvIGlv3tgmFn/ow==}
+  '@push.rocks/smartradius@1.3.0':
+    resolution: {integrity: sha512-97BQhVT5gdDTNfb8LZiqaPddTMlx5Eqpsj7jTBQ2kj4tYpK0YWRiKkpBxxEXTjsIsq7iTxHeNTwc8kMZj+yU3g==}

  '@push.rocks/smartrequest@2.1.0':
    resolution: {integrity: sha512-3eHLTRInHA+u+W98TqJwgTES7rRimBAsJC4JxVNQC3UUezmblAhM5/TIQsEBQTsbjAY8SeQKy6NHzW6iTiaD8w==}
@@ -1712,8 +1719,9 @@ packages:
  '@serve.zone/interfaces@5.8.0':
    resolution: {integrity: sha512-0ekSKUL/b44wmmzuCRANzrjaJRAHtkqiL8cPiMASEs7UJBDqbJCrgtrlJK84pz5dxBz3jTcdznNd5qjB8c6H0A==}

-  '@serve.zone/remoteingress@4.18.0':
-    resolution: {integrity: sha512-/cW9wb/e57u9+715RzV5d8HCezWtR88LcpistTNSl7GACi5ai+C2tPy7ZQprnnrNhqjfgzWiAH4bKZafwONntg==}
+  '@serve.zone/remoteingress@4.22.5':
+    resolution: {integrity: sha512-P2aQ/0VLPATbIBMYm4DT2XqLnBa15WXB1HcyE7RMVNC5RntGbmfj5FES3R5OgxY1V00E7wTMTCNrkfbKhj5xqQ==}
+    hasBin: true

  '@smithy/chunked-blob-reader-native@4.2.3':
    resolution: {integrity: sha512-jA5k5Udn7Y5717L86h4EIv06wIr3xn8GM1qHRi/Nf31annXcXHJjBKvgztnbn2TxH3xWrPBfgwHsOwZf0UmQWw==}
@@ -4376,7 +4384,7 @@ snapshots:
      '@api.global/typedrequest-interfaces': 3.0.19
      '@api.global/typedsocket': 4.1.3(@push.rocks/smartserve@2.0.4)
      '@cloudflare/workers-types': 4.20260507.1
-      '@design.estate/dees-catalog': 3.81.0(@tiptap/pm@2.27.2)
+      '@design.estate/dees-catalog': 3.83.0(@tiptap/pm@2.27.2)
      '@design.estate/dees-comms': 1.0.30
      '@push.rocks/lik': 6.4.1
      '@push.rocks/smartdelay': 3.1.0
@@ -4910,7 +4918,7 @@ snapshots:
    dependencies:
      '@api.global/typedrequest-interfaces': 3.0.19

-  '@design.estate/dees-catalog@3.81.0(@tiptap/pm@2.27.2)':
+  '@design.estate/dees-catalog@3.83.0(@tiptap/pm@2.27.2)':
    dependencies:
      '@design.estate/dees-domtools': 2.5.6
      '@design.estate/dees-element': 2.2.4
@@ -5243,7 +5251,20 @@ snapshots:
      - supports-color
      - vue

-  '@git.zone/tsdocker@2.4.0':
+  '@git.zone/tsdeno@1.5.0':
+    dependencies:
+      '@push.rocks/early': 4.0.4
+      '@push.rocks/smartcli': 4.0.21
+      '@push.rocks/smartconfig': 6.1.1
+      '@push.rocks/smartfs': 1.5.1
+      '@push.rocks/smartshell': 3.3.8
+    transitivePeerDependencies:
+      - '@nuxt/kit'
+      - react
+      - supports-color
+      - vue
+
+  '@git.zone/tsdocker@2.4.1':
    dependencies:
      '@push.rocks/lik': 6.4.1
      '@push.rocks/projectinfo': 5.1.0
@@ -5306,7 +5327,7 @@ snapshots:
      '@push.rocks/smartjson': 6.0.1
      '@push.rocks/smartlog': 3.2.2
      '@push.rocks/smartmongo': 7.0.0(socks@2.8.8)
-      '@push.rocks/smartnetwork': 4.7.2
+      '@push.rocks/smartnetwork': 4.7.3
      '@push.rocks/smartpath': 6.0.0
      '@push.rocks/smartpromise': 4.2.4
      '@push.rocks/smartrequest': 5.0.3
@@ -6113,9 +6134,9 @@ snapshots:
      '@push.rocks/lik': 6.4.1
      '@push.rocks/smartdata': 7.1.7(socks@2.8.8)
      '@push.rocks/smartdelay': 3.1.0
-      '@push.rocks/smartdns': 7.9.2
+      '@push.rocks/smartdns': 7.9.3
      '@push.rocks/smartlog': 3.2.2
-      '@push.rocks/smartnetwork': 4.7.2
+      '@push.rocks/smartnetwork': 4.7.3
      '@push.rocks/smartstring': 4.1.1
      '@push.rocks/smarttime': 4.2.3
      '@push.rocks/smartunique': 3.0.9
@@ -6323,7 +6344,7 @@ snapshots:
    dependencies:
      '@push.rocks/smartpromise': 4.2.4

-  '@push.rocks/smartdns@7.9.2':
+  '@push.rocks/smartdns@7.9.3':
    dependencies:
      '@push.rocks/smartdelay': 3.1.0
      '@push.rocks/smartenv': 6.1.0
@@ -6474,7 +6495,7 @@ snapshots:

  '@push.rocks/smartmail@2.2.1':
    dependencies:
-      '@push.rocks/smartdns': 7.9.2
+      '@push.rocks/smartdns': 7.9.3
      '@push.rocks/smartfile': 13.1.3
      '@push.rocks/smartmustache': 3.0.2
      '@push.rocks/smartpath': 6.0.0
@@ -6591,9 +6612,9 @@ snapshots:
    dependencies:
      handlebars: 4.7.9

-  '@push.rocks/smartnetwork@4.7.2':
+  '@push.rocks/smartnetwork@4.7.3':
    dependencies:
-      '@push.rocks/smartdns': 7.9.2
+      '@push.rocks/smartdns': 7.9.3
      '@push.rocks/smartrust': 1.4.0
      maxmind: 5.0.6
    transitivePeerDependencies:
@@ -6654,7 +6675,7 @@ snapshots:
      '@push.rocks/smartdelay': 3.1.0
      '@push.rocks/smartfs': 1.5.1
      '@push.rocks/smartjimp': 1.2.1
-      '@push.rocks/smartnetwork': 4.7.2
+      '@push.rocks/smartnetwork': 4.7.3
      '@push.rocks/smartpath': 6.0.0
      '@push.rocks/smartpromise': 4.2.4
      '@push.rocks/smartpuppeteer': 2.0.6(typescript@6.0.3)
@@ -6675,7 +6696,7 @@ snapshots:

  '@push.rocks/smartpromise@4.2.4': {}

-  '@push.rocks/smartproxy@27.11.0':
+  '@push.rocks/smartproxy@27.12.4':
    dependencies:
      '@push.rocks/smartcrypto': 2.0.4
      '@push.rocks/smartlog': 3.2.2
@@ -6699,7 +6720,7 @@ snapshots:
      - typescript
      - utf-8-validate

-  '@push.rocks/smartradius@1.1.2':
+  '@push.rocks/smartradius@1.3.0':
    dependencies:
      '@push.rocks/smartdelay': 3.1.0
      '@push.rocks/smartpromise': 4.2.4
@@ -7047,7 +7068,7 @@ snapshots:

  '@serve.zone/catalog@2.12.4(@tiptap/pm@2.27.2)':
    dependencies:
-      '@design.estate/dees-catalog': 3.81.0(@tiptap/pm@2.27.2)
+      '@design.estate/dees-catalog': 3.83.0(@tiptap/pm@2.27.2)
      '@design.estate/dees-domtools': 2.5.6
      '@design.estate/dees-element': 2.2.4
      '@design.estate/dees-wcctools': 3.9.0
@@ -7064,7 +7085,7 @@ snapshots:
      '@push.rocks/smartlog-interfaces': 3.0.2
      '@tsclass/tsclass': 9.5.1

-  '@serve.zone/remoteingress@4.18.0':
+  '@serve.zone/remoteingress@4.22.5':
    dependencies:
      '@push.rocks/qenv': 6.1.4
      '@push.rocks/smartnftables': 1.2.0
@@ -0,0 +1,4 @@
+allowBuilds:
+  esbuild: true
+  mongodb-memory-server: true
+  puppeteer: true
@@ -34,6 +34,20 @@ Highlights:

 ## Install

+Install the CLI/runtime on a Linux gateway host with the released self-extracting binary:
+
+```bash
+curl -sSL https://code.foss.global/serve.zone/dcrouter/raw/branch/main/install.sh | sudo bash
+```
+
+The installer downloads `dcrouter-linux-x64` or `dcrouter-linux-arm64` from the latest Gitea release, installs it under `/opt/dcrouter`, and links `/usr/local/bin/dcrouter`. Use `--version vX.Y.Z` to pin a release, `--install-dir /path` to change the target directory, or `--source` to clone the tag and build the NodeNext package locally.
+
+```bash
+curl -sSL https://code.foss.global/serve.zone/dcrouter/raw/branch/main/install.sh | sudo bash -s -- --source
+```
+
+Use the package as a TypeScript library:
+
 ```bash
 pnpm add @serve.zone/dcrouter
 ```
@@ -132,6 +146,80 @@ dcrouter keeps generated and operator-created routes separate so automation can

 System routes are persisted with stable `systemKey` values. API-created routes are the editable route layer intended for operators and automation.

+## Route Source Policies
+
+API-created route records pass `metadata.sourcePolicy` alongside the SmartProxy route config to express ordered source and path policy variants without duplicating whole routes by hand. A source policy contains ordered `bindings`, each pointing at a source profile id through `sourceProfileRef`. Dashboard presets resolve seeded profile names to ids before saving.
+
+Runtime behavior:
+
+- Source matching uses the referenced `SourceProfile.security.ipAllowList`.
+- Bindings are evaluated in order and the first matching source profile wins.
+- A matched binding that exceeds its configured rate or connection limit is terminal and returns `429`; dcrouter does not fall through to later bindings.
+- Source-policy rate limits are always keyed by source IP; dcrouter ignores `path` and `header` keying on source-policy binding and path-policy overrides.
+- A public fallback binding must be last and must use `*`, or both `0.0.0.0/0` and `::/0`, in `security.ipAllowList`.
+- Create/update paths reject source policies with missing source profiles, source profiles without source matches, missing final all-source fallback, or any all-source binding that shadows later bindings; persisted invalid policies fail closed at compile time.
+- Server-side caps bound policy expansion to 16 source bindings, 12 path policies per binding, 64 path patterns per path policy, 256 characters and 8 wildcards per custom path pattern, and 512 compiled SmartProxy route-port variants per stored route.
+
+Path policies let a source binding override rate limits or connection limits for specific path classes. dcrouter currently ships Gitea-oriented classes: `git-smart-http`, `static`, `normal-html`, `expensive-html`, `raw`, and `archive`. Path-specific variants win over the same binding's fallback; if every path policy is path-specific, dcrouter adds a source-level fallback route for unmatched paths so normal browsing cannot fall through to a later source binding. The Gitea preset keeps `git-smart-http` high-limit and separate from HTML crawling paths so normal `git clone`, `git fetch`, `git push`, and Git LFS traffic are not subject to the lower HTML crawler limits.
+
+```typescript
+const trustedProfileId = 'source-profile-id-trusted';
+const publicProfileId = 'source-profile-id-public';
+
+const createRoutePayload = {
+  route: {
+    name: 'public-gitea',
+    match: { domains: ['code.example.com'], ports: [443] },
+    action: {
+      type: 'forward',
+      targets: [{ host: '10.10.0.20', port: 3000 }],
+      tls: { mode: 'terminate', certificate: 'auto' },
+    },
+  },
+  metadata: {
+    sourcePolicy: {
+      bindings: [
+        {
+          sourceProfileRef: trustedProfileId,
+          maxConnections: 5000,
+          onExceeded: { type: '429' },
+        },
+        {
+          sourceProfileRef: publicProfileId,
+          onExceeded: { type: '429' },
+          pathPolicies: [
+            {
+              pathClass: 'git-smart-http',
+              rateLimit: { enabled: true, maxRequests: 1200, window: 60, keyBy: 'ip' },
+            },
+            {
+              pathClass: 'static',
+              rateLimit: { enabled: true, maxRequests: 600, window: 60, keyBy: 'ip' },
+            },
+            {
+              pathClass: 'raw',
+              rateLimit: { enabled: true, maxRequests: 120, window: 60, keyBy: 'ip' },
+            },
+            {
+              pathClass: 'archive',
+              rateLimit: { enabled: true, maxRequests: 30, window: 60, keyBy: 'ip' },
+            },
+            {
+              pathClass: 'expensive-html',
+              rateLimit: { enabled: true, maxRequests: 30, window: 60, keyBy: 'ip' },
+            },
+            {
+              pathClass: 'normal-html',
+              rateLimit: { enabled: true, maxRequests: 120, window: 60, keyBy: 'ip' },
+            },
+          ],
+        },
+      ],
+    },
+  },
+};
+```
+
 ## Production-Flavored Example

 ```typescript
@@ -260,6 +348,21 @@ Supported environment overrides include:
 | `DCROUTER_CACHE_ENABLED` | Enables or disables DB-backed persistence. |
 | `DCROUTER_MAX_CONNECTIONS`, `DCROUTER_MAX_CONNECTIONS_PER_IP`, `DCROUTER_CONNECTION_RATE_LIMIT` | SmartProxy capacity and rate-limit overrides. |

+## Docker Image
+
+Release builds publish a multi-arch OCI image at `code.foss.global/serve.zone/dcrouter:latest` for `linux/amd64` and `linux/arm64`. The image sets `DCROUTER_MODE=OCI_CONTAINER` and starts `node ./cli.js`.
+
+```bash
+docker run --rm --name dcrouter \
+  --network host \
+  -v dcrouter-data:/data \
+  -e DCROUTER_BASE_DIR=/data \
+  -e DCROUTER_TLS_EMAIL=ops@example.com \
+  code.foss.global/serve.zone/dcrouter:latest
+```
+
+Host networking is the simplest container mode for a gateway that owns HTTP/S, SMTP, DNS, RADIUS, remote ingress, and dynamic proxy ports. For narrower deployments, publish only the ports you enable in `IDcRouterOptions` or via the `DCROUTER_*` environment overrides.
+
 ## Published Modules

 This repository intentionally publishes multiple module boundaries from one codebase.
@@ -2,9 +2,21 @@ import { tap, expect } from '@git.zone/tstest/tapbundle';
 import * as plugins from '../ts/plugins.js';
 import * as path from 'path';
 import * as fs from 'fs';
+import * as net from 'node:net';
 import { DcRouter, type IDcRouterOptions } from '../ts/classes.dcrouter.js';
 import type { IUnifiedEmailServerOptions } from '@push.rocks/smartmta';

+async function getFreePort(): Promise<number> {
+  return await new Promise<number>((resolve, reject) => {
+    const server = net.createServer();
+    server.once('error', reject);
+    server.listen(0, '127.0.0.1', () => {
+      const address = server.address();
+      const port = typeof address === 'object' && address ? address.port : 0;
+      server.close(() => resolve(port));
+    });
+  });
+}

 tap.test('DcRouter class - Custom email port configuration', async () => {
  // Define custom port mapping
@@ -115,6 +127,7 @@ tap.test('DcRouter class - Custom email port configuration', async () => {
 });

 tap.test('DcRouter class - Email config with domains and routes', async () => {
+  const opsServerPort = await getFreePort();
  // Create a basic email configuration
  const emailConfig: IUnifiedEmailServerOptions = {
    ports: [2525],
@@ -129,7 +142,7 @@ tap.test('DcRouter class - Email config with domains and routes', async () => {
    tls: {
      contactEmail: 'test@example.com'
    },
-    opsServerPort: 3104,
+    opsServerPort,
    dbConfig: {
      enabled: false,
    }
@@ -1,7 +1,7 @@
 import { tap, expect } from '@git.zone/tstest/tapbundle';
 import { DcRouter } from '../ts/classes.dcrouter.js';
 import { ReferenceResolver, RouteConfigManager } from '../ts/config/index.js';
-import { DcRouterDb, DomainDoc, RouteDoc } from '../ts/db/index.js';
+import { DcRouterDb, DnsRecordDoc, DomainDoc, RouteDoc } from '../ts/db/index.js';
 import { DnsManager } from '../ts/dns/manager.dns.js';
 import { logger } from '../ts/logger.js';
 import * as plugins from '../ts/plugins.js';
@@ -32,6 +32,9 @@ const createTestDb = async () => {
 const testDbPromise = createTestDb();

 const clearTestState = async () => {
+  for (const record of await DnsRecordDoc.findAll()) {
+    await record.delete();
+  }
  for (const route of await RouteDoc.findAll()) {
    await route.delete();
  }
@@ -40,6 +43,86 @@ const clearTestState = async () => {
  }
 };

+tap.test('DnsManager keeps parallel ACME TXT challenges for the same host', async () => {
+  await testDbPromise;
+  await clearTestState();
+
+  const now = Date.now();
+  const domain = new DomainDoc();
+  domain.id = 'central-eu';
+  domain.name = 'central.eu';
+  domain.source = 'dcrouter';
+  domain.authoritative = true;
+  domain.createdAt = now;
+  domain.updatedAt = now;
+  domain.createdBy = 'test';
+  await domain.save();
+
+  const dnsManager = new DnsManager({});
+  const provider = dnsManager.buildAcmeConvenientDnsProvider().convenience as any;
+  const hostName = '_acme-challenge.blog.central.eu';
+
+  await provider.acmeSetDnsChallenge({ hostName, challenge: 'first-token' });
+  await provider.acmeSetDnsChallenge({ hostName, challenge: 'second-token' });
+
+  const recordsAfterSet = await DnsRecordDoc.findByDomainId(domain.id);
+  expect(recordsAfterSet.map((record) => record.value).sort()).toEqual([
+    'first-token',
+    'second-token',
+  ]);
+
+  await provider.acmeRemoveDnsChallenge({ hostName, challenge: 'first-token' });
+
+  const recordsAfterRemove = await DnsRecordDoc.findByDomainId(domain.id);
+  expect(recordsAfterRemove.map((record) => record.value)).toEqual(['second-token']);
+});
+
+tap.test('DnsManager local records answer mixed-case DNS queries', async () => {
+  await testDbPromise;
+  await clearTestState();
+
+  const now = Date.now();
+  const domain = new DomainDoc();
+  domain.id = 'central-eu';
+  domain.name = 'central.eu';
+  domain.source = 'dcrouter';
+  domain.authoritative = true;
+  domain.createdAt = now;
+  domain.updatedAt = now;
+  domain.createdBy = 'test';
+  await domain.save();
+
+  const registeredHandlers: Array<(question: { name: string; type: string }) => any> = [];
+  const dnsManager = new DnsManager({});
+  dnsManager.dnsServer = {
+    registerHandler: (_name: string, _types: string[], handler: (question: { name: string; type: string }) => any) => {
+      registeredHandlers.push(handler);
+    },
+  } as any;
+
+  await dnsManager.createRecord({
+    domainId: domain.id,
+    name: '_acme-challenge.central.eu',
+    type: 'TXT',
+    value: 'challenge-token',
+    ttl: 120,
+    createdBy: 'test',
+  });
+
+  const answer = registeredHandlers[0]?.({
+    name: '_aCMe-challeNge.Central.Eu',
+    type: 'txt',
+  });
+
+  expect(answer).toEqual({
+    name: '_aCMe-challeNge.Central.Eu',
+    type: 'TXT',
+    class: 'IN',
+    ttl: 120,
+    data: 'challenge-token',
+  });
+});
+
 tap.test('RouteConfigManager persists DoH system routes and hydrates runtime socket handlers', async () => {
  await testDbPromise;
  await clearTestState();
@@ -1,15 +1,29 @@
 import { tap, expect } from '@git.zone/tstest/tapbundle';
 import { DcRouter } from '../ts/classes.dcrouter.js';
 import * as plugins from '../ts/plugins.js';
+import * as net from 'node:net';

 let dcRouter: DcRouter;

+async function getFreePort(): Promise<number> {
+  return await new Promise<number>((resolve, reject) => {
+    const server = net.createServer();
+    server.once('error', reject);
+    server.listen(0, '127.0.0.1', () => {
+      const address = server.address();
+      const port = typeof address === 'object' && address ? address.port : 0;
+      server.close(() => resolve(port));
+    });
+  });
+}
+
 tap.test('should NOT instantiate DNS server when dnsNsDomains is not set', async () => {
+  const opsServerPort = await getFreePort();
  dcRouter = new DcRouter({
    smartProxyConfig: {
      routes: []
    },
-    opsServerPort: 3100,
+    opsServerPort,
    dbConfig: { enabled: false }
  });

@@ -146,4 +160,4 @@ tap.test('stop', async () => {
  await tap.stopForcefully();
 });

-export default tap.start();
+export default tap.start();
@@ -2,16 +2,35 @@ import { expect, tap } from '@git.zone/tstest/tapbundle';
 import { DcRouter } from '../ts/index.js';
 import { TypedRequest } from '@api.global/typedrequest';
 import * as interfaces from '../ts_interfaces/index.js';
+import * as net from 'node:net';

 let testDcRouter: DcRouter;
 let identity: interfaces.data.IIdentity;
+let opsServerPort: number;
 const testAdminPassword = 'test-admin-password';

+async function getFreePort(): Promise<number> {
+  return await new Promise<number>((resolve, reject) => {
+    const server = net.createServer();
+    server.once('error', reject);
+    server.listen(0, '127.0.0.1', () => {
+      const address = server.address();
+      const port = typeof address === 'object' && address ? address.port : 0;
+      server.close(() => resolve(port));
+    });
+  });
+}
+
+function getTypedRequestUrl(): string {
+  return `http://localhost:${opsServerPort}/typedrequest`;
+}
+
 tap.test('should start DCRouter with OpsServer', async () => {
  process.env.DCROUTER_ADMIN_PASSWORD = testAdminPassword;
+  opsServerPort = await getFreePort();
  testDcRouter = new DcRouter({
    // Minimal config for testing
-    opsServerPort: 3102,
+    opsServerPort,
    dbConfig: { enabled: false },
  });
  
@@ -21,7 +40,7 @@ tap.test('should start DCRouter with OpsServer', async () => {

 tap.test('should login with admin credentials and receive JWT', async () => {
  const loginRequest = new TypedRequest<interfaces.requests.IReq_AdminLoginWithUsernameAndPassword>(
-    'http://localhost:3102/typedrequest',
+    getTypedRequestUrl(),
    'adminLoginWithUsernameAndPassword'
  );
  
@@ -48,7 +67,7 @@ tap.test('should login with admin credentials and receive JWT', async () => {

 tap.test('should verify valid JWT identity', async () => {
  const verifyRequest = new TypedRequest<interfaces.requests.IReq_VerifyIdentity>(
-    'http://localhost:3102/typedrequest',
+    getTypedRequestUrl(),
    'verifyIdentity'
  );
  
@@ -68,7 +87,7 @@ tap.test('should verify valid JWT identity', async () => {

 tap.test('should reject invalid JWT', async () => {
  const verifyRequest = new TypedRequest<interfaces.requests.IReq_VerifyIdentity>(
-    'http://localhost:3102/typedrequest',
+    getTypedRequestUrl(),
    'verifyIdentity'
  );
  
@@ -85,7 +104,7 @@ tap.test('should reject invalid JWT', async () => {

 tap.test('should verify JWT matches identity data', async () => {
  const verifyRequest = new TypedRequest<interfaces.requests.IReq_VerifyIdentity>(
-    'http://localhost:3102/typedrequest',
+    getTypedRequestUrl(),
    'verifyIdentity'
  );
  
@@ -106,7 +125,7 @@ tap.test('should verify JWT matches identity data', async () => {

 tap.test('should handle logout', async () => {
  const logoutRequest = new TypedRequest<interfaces.requests.IReq_AdminLogout>(
-    'http://localhost:3102/typedrequest',
+    getTypedRequestUrl(),
    'adminLogout'
  );
  
@@ -120,7 +139,7 @@ tap.test('should handle logout', async () => {

 tap.test('should reject wrong credentials', async () => {
  const loginRequest = new TypedRequest<interfaces.requests.IReq_AdminLoginWithUsernameAndPassword>(
-    'http://localhost:3102/typedrequest',
+    getTypedRequestUrl(),
    'adminLoginWithUsernameAndPassword'
  );
  
@@ -14,6 +14,38 @@ const emptyProtocolDistribution = {
  otherTotal: 0,
 };

+function createActiveConnectionSnapshots(entries: Array<{
+  count: number;
+  sourceIp?: string;
+  routeId?: string;
+  domain?: string;
+  localPort?: number;
+}>) {
+  const snapshots: any[] = [];
+  let index = 0;
+  for (const entry of entries) {
+    for (let i = 0; i < entry.count; i++) {
+      snapshots.push({
+        id: `test-connection-${index++}`,
+        sourceIp: entry.sourceIp || '192.0.2.10',
+        sourcePort: 40000 + index,
+        localPort: entry.localPort || 443,
+        domain: entry.domain,
+        routeId: entry.routeId,
+        targetHost: '127.0.0.1',
+        targetPort: 8443,
+        protocol: 'https',
+        state: 'active',
+        startedAtMs: Date.now(),
+        ageMs: 0,
+        bytesIn: 0,
+        bytesOut: 0,
+      });
+    }
+  }
+  return snapshots;
+}
+
 function createProxyMetrics(args: {
  connectionsByRoute: Map<string, number>;
  throughputByRoute: Map<string, { in: number; out: number }>;
@@ -90,6 +122,10 @@ tap.test('MetricsManager joins domain activity to id-keyed route metrics', async

  const smartProxy = {
    getMetrics: () => proxyMetrics,
+    getActiveConnectionSnapshots: () => createActiveConnectionSnapshots([
+      { count: 3, routeId: 'route-id-only', domain: 'alpha.example.com' },
+      { count: 1, routeId: 'route-id-only', domain: 'beta.example.com' },
+    ]),
    routeManager: {
      getRoutes: () => [
        {
@@ -150,6 +186,9 @@ tap.test('MetricsManager prefers live domain request rates for current activity'

  const smartProxy = {
    getMetrics: () => proxyMetrics,
+    getActiveConnectionSnapshots: () => createActiveConnectionSnapshots([
+      { count: 10, routeId: 'route-id-only', domain: 'beta.example.com' },
+    ]),
    routeManager: {
      getRoutes: () => [
        {
@@ -231,6 +270,7 @@ tap.test('MetricsManager does not duplicate backend active counts onto protocol

  const smartProxy = {
    getMetrics: () => proxyMetrics,
+    getActiveConnectionSnapshots: () => [],
    routeManager: {
      getRoutes: () => [],
    },
@@ -265,6 +305,10 @@ tap.test('MetricsManager queues IP intelligence without awaiting enrichment', as
  const manager = new MetricsManager({
    smartProxy: {
      getMetrics: () => proxyMetrics,
+      getActiveConnectionSnapshots: () => createActiveConnectionSnapshots([
+        { count: 4, sourceIp: '8.8.8.8' },
+        { count: 2, sourceIp: '1.1.1.1' },
+      ]),
      routeManager: { getRoutes: () => [] },
    },
    securityPolicyManager: {
@@ -300,6 +344,11 @@ tap.test('MetricsManager aggregates top ASNs from IP intelligence', async () =>
  const manager = new MetricsManager({
    smartProxy: {
      getMetrics: () => proxyMetrics,
+      getActiveConnectionSnapshots: () => createActiveConnectionSnapshots([
+        { count: 4, sourceIp: '8.8.8.8' },
+        { count: 3, sourceIp: '8.8.4.4' },
+        { count: 5, sourceIp: '1.1.1.1' },
+      ]),
      routeManager: { getRoutes: () => [] },
    },
    securityPolicyManager: {
@@ -12,13 +12,85 @@ function setPath(target: Record<string, any>, path: string, value: unknown): voi
  cursor[parts[parts.length - 1]] = value;
 }

+function getPath(target: Record<string, any>, path: string): unknown {
+  let cursor: any = target;
+  for (const part of path.split('.')) {
+    if (cursor === null || cursor === undefined) return undefined;
+    cursor = cursor[part];
+  }
+  return cursor;
+}
+
 function applySet(document: Record<string, any>, set: Record<string, unknown>): void {
  for (const [key, value] of Object.entries(set)) {
    setPath(document, key, value);
  }
 }

-function createFakeDb(currentVersion: string) {
+function matchesQuery(document: Record<string, any>, query: Record<string, any>): boolean {
+  for (const [key, expected] of Object.entries(query)) {
+    const actual = getPath(document, key);
+    if (expected && typeof expected === 'object' && !Array.isArray(expected)) {
+      if ('$exists' in expected) {
+        const exists = actual !== undefined;
+        if (exists !== Boolean(expected.$exists)) return false;
+        continue;
+      }
+      if ('$type' in expected) {
+        if (expected.$type === 'string' && typeof actual !== 'string') return false;
+        continue;
+      }
+      if ('$in' in expected) {
+        if (!Array.isArray(expected.$in) || !expected.$in.includes(actual)) return false;
+        continue;
+      }
+    }
+    if (actual !== expected) return false;
+  }
+  return true;
+}
+
+function createFakeCollection(documents: Array<Record<string, any>> = []) {
+  return {
+    findOne: async (query: Record<string, any> = {}) => {
+      const document = documents.find((candidate) => matchesQuery(candidate, query));
+      return document ? structuredClone(document) : null;
+    },
+    find: (query: Record<string, any> = {}) => ({
+      async *[Symbol.asyncIterator]() {
+        for (const document of documents) {
+          if (matchesQuery(document, query)) {
+            yield structuredClone(document);
+          }
+        }
+      },
+    }),
+    insertOne: async (document: Record<string, any>) => {
+      documents.push(structuredClone(document));
+      return { insertedId: document._id || document.id };
+    },
+    updateMany: async (query: Record<string, any>, update: any) => {
+      let modifiedCount = 0;
+      for (const document of documents) {
+        if (!matchesQuery(document, query)) continue;
+        applySet(document, update.$set || {});
+        modifiedCount++;
+      }
+      return { modifiedCount };
+    },
+    updateOne: async (query: Record<string, any>, update: any) => {
+      const document = documents.find((candidate) => matchesQuery(candidate, query));
+      if (!document) return { matchedCount: 0, modifiedCount: 0, upsertedCount: 0 };
+      applySet(document, update.$set || {});
+      return { matchedCount: 1, modifiedCount: 1, upsertedCount: 0 };
+    },
+  };
+}
+
+function createFakeDb(
+  currentVersion: string,
+  collections: Record<string, Array<Record<string, any>>> = {},
+) {
  const ledgerDocument = {
    nameId: 'smartmigration:smartmigration',
    data: {
@@ -29,12 +101,10 @@ function createFakeDb(currentVersion: string) {
    },
  };

-  const emptyCollection = {
-    find: () => ({
-      async *[Symbol.asyncIterator]() {},
-    }),
-    updateMany: async () => ({ modifiedCount: 0 }),
-  };
+  const fakeCollections = new Map(
+    Object.entries(collections).map(([name, documents]) => [name, createFakeCollection(documents)]),
+  );
+  const emptyCollection = createFakeCollection();

  const ledgerCollection = {
    createIndex: async () => undefined,
@@ -52,18 +122,104 @@ function createFakeDb(currentVersion: string) {
  return {
    mongoDb: {
      collection: (name: string) =>
-        name === 'SmartdataEasyStore' ? ledgerCollection : emptyCollection,
+        name === 'SmartdataEasyStore'
+          ? ledgerCollection
+          : fakeCollections.get(name) || emptyCollection,
    },
  };
 }

-tap.test('migration runner bridges old package-version targets without real schema steps', async () => {
-  const runner = await createMigrationRunner(createFakeDb('13.16.0'), '13.31.0');
+tap.test('migration runner applies schema steps through the current target', async () => {
+  const sourceProfiles: Array<Record<string, any>> = [];
+  const runner = await createMigrationRunner(
+    createFakeDb('13.16.0', { SourceProfileDoc: sourceProfiles }),
+    '13.42.0',
+  );
  const result = await runner.run();

  expect(result.currentVersionBefore).toEqual('13.16.0');
-  expect(result.currentVersionAfter).toEqual('13.31.0');
-  expect(result.stepsApplied).toHaveLength(3);
+  expect(result.currentVersionAfter).toEqual('13.42.0');
+  expect(result.stepsApplied).toHaveLength(4);
+  expect(sourceProfiles.map((profile) => profile.name)).toContain('TRUSTED NETWORKS');
+  expect(sourceProfiles.map((profile) => profile.name)).toContain('AI CRAWLERS');
+  expect(sourceProfiles.map((profile) => profile.name)).toContain('PUBLIC');
+});
+
+tap.test('migration runner rematerializes source-profile-backed route security', async () => {
+  const profiles: Array<Record<string, any>> = [
+    {
+      _id: 'profile-doc-1',
+      id: 'standard-profile',
+      name: 'Standard',
+      security: {
+        ipAllowList: ['192.168.*', '127.0.0.1'],
+        maxConnections: 1000,
+      },
+    },
+  ];
+  const routes: Array<Record<string, any>> = [
+    {
+      _id: 'route-doc-1',
+      id: 'route-1',
+      route: {
+        name: 'Public service domains',
+        match: { ports: 443, domains: ['code.foss.global'] },
+        action: { type: 'forward', targets: [{ host: '192.168.5.247', port: 443 }] },
+        security: {
+          ipAllowList: ['192.168.*', '*'],
+          maxConnections: 1000,
+        },
+      },
+      metadata: {
+        sourceProfileRef: 'standard-profile',
+        sourceProfileName: 'Standard',
+      },
+      updatedAt: 1,
+    },
+  ];
+
+  const runner = await createMigrationRunner(
+    createFakeDb('13.40.1', {
+      SourceProfileDoc: profiles,
+      RouteDoc: routes,
+    }),
+    '13.40.2',
+  );
+  const result = await runner.run();
+
+  expect(result.stepsApplied).toHaveLength(1);
+  expect(routes[0].route.security.ipAllowList.includes('*')).toBeFalse();
+  expect(routes[0].route.security.ipAllowList).toContain('192.168.*');
+  expect(routes[0].route.security.maxConnections).toEqual(1000);
+  expect(routes[0].metadata.lastResolvedAt).toBeTruthy();
+});
+
+tap.test('migration runner seeds only missing default source profiles', async () => {
+  const sourceProfiles: Array<Record<string, any>> = [
+    {
+      id: 'public-profile',
+      name: 'PUBLIC',
+      description: 'Existing public profile',
+      security: { ipAllowList: ['*'] },
+      createdAt: 1,
+      updatedAt: 1,
+      createdBy: 'test',
+    },
+  ];
+
+  const runner = await createMigrationRunner(
+    createFakeDb('13.40.2', { SourceProfileDoc: sourceProfiles }),
+    '13.42.0',
+  );
+  const result = await runner.run();
+
+  const publicProfiles = sourceProfiles.filter((profile) => profile.name === 'PUBLIC');
+  expect(result.stepsApplied).toHaveLength(1);
+  expect(sourceProfiles).toHaveLength(3);
+  expect(publicProfiles).toHaveLength(1);
+  expect(publicProfiles[0].security.rateLimit).toBeUndefined();
+  expect(sourceProfiles.map((profile) => profile.name)).toContain('TRUSTED NETWORKS');
+  expect(sourceProfiles.map((profile) => profile.name)).toContain('AI CRAWLERS');
 });

 export default tap.start();
@@ -0,0 +1,20 @@
+import { expect, tap } from '@git.zone/tstest/tapbundle';
+import { getOciContainerConfig } from '../ts_oci_container/index.js';
+
+tap.test('OCI config should accept explicit DNS bind interface', async () => {
+  const previousValue = process.env.DCROUTER_DNS_BIND_INTERFACE;
+  process.env.DCROUTER_DNS_BIND_INTERFACE = '192.168.190.3';
+
+  try {
+    const config = getOciContainerConfig();
+    expect(config.dnsBindInterface).toEqual('192.168.190.3');
+  } finally {
+    if (previousValue === undefined) {
+      delete process.env.DCROUTER_DNS_BIND_INTERFACE;
+    } else {
+      process.env.DCROUTER_DNS_BIND_INTERFACE = previousValue;
+    }
+  }
+});
+
+export default tap.start();
@@ -2,16 +2,35 @@ import { expect, tap } from '@git.zone/tstest/tapbundle';
 import { DcRouter } from '../ts/index.js';
 import { TypedRequest } from '@api.global/typedrequest';
 import * as interfaces from '../ts_interfaces/index.js';
+import * as net from 'node:net';

 let testDcRouter: DcRouter;
 let adminIdentity: interfaces.data.IIdentity;
 const testAdminPassword = 'test-admin-password';
+let opsServerPort: number;
+
+async function getFreePort(): Promise<number> {
+  return await new Promise<number>((resolve, reject) => {
+    const server = net.createServer();
+    server.once('error', reject);
+    server.listen(0, '127.0.0.1', () => {
+      const address = server.address();
+      const port = typeof address === 'object' && address ? address.port : 0;
+      server.close(() => resolve(port));
+    });
+  });
+}
+
+function typedRequestUrl(): string {
+  return `http://127.0.0.1:${opsServerPort}/typedrequest`;
+}

 tap.test('should start DCRouter with OpsServer', async () => {
  process.env.DCROUTER_ADMIN_PASSWORD = testAdminPassword;
+  opsServerPort = await getFreePort();
  testDcRouter = new DcRouter({
    // Minimal config for testing
-    opsServerPort: 3101,
+    opsServerPort,
    dbConfig: { enabled: false },
  });

@@ -21,7 +40,7 @@ tap.test('should start DCRouter with OpsServer', async () => {

 tap.test('should login as admin', async () => {
  const loginRequest = new TypedRequest<interfaces.requests.IReq_AdminLoginWithUsernameAndPassword>(
-    'http://localhost:3101/typedrequest',
+    typedRequestUrl(),
    'adminLoginWithUsernameAndPassword'
  );

@@ -40,7 +59,7 @@ tap.test('should login as admin', async () => {

 tap.test('should respond to health status request', async () => {
  const healthRequest = new TypedRequest<interfaces.requests.IReq_GetHealthStatus>(
-    'http://localhost:3101/typedrequest',
+    typedRequestUrl(),
    'getHealthStatus'
  );

@@ -56,7 +75,7 @@ tap.test('should respond to health status request', async () => {

 tap.test('should respond to server statistics request', async () => {
  const statsRequest = new TypedRequest<interfaces.requests.IReq_GetServerStatistics>(
-    'http://localhost:3101/typedrequest',
+    typedRequestUrl(),
    'getServerStatistics'
  );

@@ -73,7 +92,7 @@ tap.test('should respond to server statistics request', async () => {

 tap.test('should respond to configuration request', async () => {
  const configRequest = new TypedRequest<interfaces.requests.IReq_GetConfiguration>(
-    'http://localhost:3101/typedrequest',
+    typedRequestUrl(),
    'getConfiguration'
  );

@@ -94,7 +113,7 @@ tap.test('should respond to configuration request', async () => {

 tap.test('should handle log retrieval request', async () => {
  const logsRequest = new TypedRequest<interfaces.requests.IReq_GetRecentLogs>(
-    'http://localhost:3101/typedrequest',
+    typedRequestUrl(),
    'getRecentLogs'
  );

@@ -111,7 +130,7 @@ tap.test('should handle log retrieval request', async () => {

 tap.test('should reject unauthenticated requests', async () => {
  const healthRequest = new TypedRequest<interfaces.requests.IReq_GetHealthStatus>(
-    'http://localhost:3101/typedrequest',
+    typedRequestUrl(),
    'getHealthStatus'
  );

@@ -2,16 +2,35 @@ import { expect, tap } from '@git.zone/tstest/tapbundle';
 import { DcRouter } from '../ts/index.js';
 import { TypedRequest } from '@api.global/typedrequest';
 import * as interfaces from '../ts_interfaces/index.js';
+import * as net from 'node:net';

 let testDcRouter: DcRouter;
 let adminIdentity: interfaces.data.IIdentity;
+let opsServerPort: number;
 const testAdminPassword = 'test-admin-password';

+async function getFreePort(): Promise<number> {
+  return await new Promise<number>((resolve, reject) => {
+    const server = net.createServer();
+    server.once('error', reject);
+    server.listen(0, '127.0.0.1', () => {
+      const address = server.address();
+      const port = typeof address === 'object' && address ? address.port : 0;
+      server.close(() => resolve(port));
+    });
+  });
+}
+
+function getTypedRequestUrl(): string {
+  return `http://localhost:${opsServerPort}/typedrequest`;
+}
+
 tap.test('should start DCRouter with OpsServer', async () => {
  process.env.DCROUTER_ADMIN_PASSWORD = testAdminPassword;
+  opsServerPort = await getFreePort();
  testDcRouter = new DcRouter({
    // Minimal config for testing
-    opsServerPort: 3103,
+    opsServerPort,
    dbConfig: { enabled: false },
  });

@@ -21,7 +40,7 @@ tap.test('should start DCRouter with OpsServer', async () => {

 tap.test('should login as admin', async () => {
  const loginRequest = new TypedRequest<interfaces.requests.IReq_AdminLoginWithUsernameAndPassword>(
-    'http://localhost:3103/typedrequest',
+    getTypedRequestUrl(),
    'adminLoginWithUsernameAndPassword'
  );

@@ -41,7 +60,7 @@ tap.test('should login as admin', async () => {

 tap.test('should allow admin to verify identity', async () => {
  const verifyRequest = new TypedRequest<interfaces.requests.IReq_VerifyIdentity>(
-    'http://localhost:3103/typedrequest',
+    getTypedRequestUrl(),
    'verifyIdentity'
  );

@@ -56,7 +75,7 @@ tap.test('should allow admin to verify identity', async () => {

 tap.test('should reject verify identity without identity', async () => {
  const verifyRequest = new TypedRequest<interfaces.requests.IReq_VerifyIdentity>(
-    'http://localhost:3103/typedrequest',
+    getTypedRequestUrl(),
    'verifyIdentity'
  );

@@ -71,7 +90,7 @@ tap.test('should reject verify identity without identity', async () => {

 tap.test('should reject verify identity with invalid JWT', async () => {
  const verifyRequest = new TypedRequest<interfaces.requests.IReq_VerifyIdentity>(
-    'http://localhost:3103/typedrequest',
+    getTypedRequestUrl(),
    'verifyIdentity'
  );

@@ -91,7 +110,7 @@ tap.test('should reject verify identity with invalid JWT', async () => {

 tap.test('should reject protected endpoints without auth', async () => {
  const healthRequest = new TypedRequest<interfaces.requests.IReq_GetHealthStatus>(
-    'http://localhost:3103/typedrequest',
+    getTypedRequestUrl(),
    'getHealthStatus'
  );

@@ -107,7 +126,7 @@ tap.test('should reject protected endpoints without auth', async () => {

 tap.test('should allow authenticated access to protected endpoints', async () => {
  const configRequest = new TypedRequest<interfaces.requests.IReq_GetConfiguration>(
-    'http://localhost:3103/typedrequest',
+    getTypedRequestUrl(),
    'getConfiguration'
  );

@@ -91,7 +91,7 @@ tap.test('should resolve source profile onto a route', async () => {
  expect(result.metadata.lastResolvedAt).toBeTruthy();
 });

-tap.test('should merge inline route security with profile security', async () => {
+tap.test('should replace inline route security when source profile is selected', async () => {
  const route = makeRoute({
    security: {
      ipAllowList: ['127.0.0.1'],
@@ -102,13 +102,26 @@ tap.test('should merge inline route security with profile security', async () =>

  const result = resolver.resolveRoute(route, metadata);

-  // IP lists are unioned
  expect(result.route.security!.ipAllowList).toContain('192.168.0.0/16');
  expect(result.route.security!.ipAllowList).toContain('10.0.0.0/8');
-  expect(result.route.security!.ipAllowList).toContain('127.0.0.1');
+  expect(result.route.security!.ipAllowList!.includes('127.0.0.1')).toBeFalse();
+  expect(result.route.security!.maxConnections).toEqual(1000);
+});

-  // Inline maxConnections overrides profile
-  expect(result.route.security!.maxConnections).toEqual(5000);
+tap.test('should remove stale wildcard security from a profile-backed route', async () => {
+  const route = makeRoute({
+    security: {
+      ipAllowList: ['*'],
+      maxConnections: 5000,
+    },
+  });
+  const metadata: IRouteMetadata = { sourceProfileRef: 'profile-1' };
+
+  const result = resolver.resolveRoute(route, metadata);
+
+  expect(result.route.security!.ipAllowList!.includes('*')).toBeFalse();
+  expect(result.route.security!.ipAllowList).toContain('192.168.0.0/16');
+  expect(result.route.security!.maxConnections).toEqual(1000);
 });

 tap.test('should deduplicate IP lists during merge', async () => {
@@ -302,11 +315,22 @@ tap.test('should find routes by profile ref (sync)', async () => {
    enabled: true,
    metadata: { sourceProfileRef: 'profile-1', networkTargetRef: 'target-1' },
  });
+  storedRoutes.set('route-d', {
+    id: 'route-d',
+    route: makeRoute({ name: 'route-d' }),
+    enabled: true,
+    metadata: {
+      sourcePolicy: {
+        bindings: [{ sourceProfileRef: 'profile-1' }],
+      },
+    },
+  });

  const profileRefs = resolver.findRoutesByProfileRefSync('profile-1', storedRoutes);
-  expect(profileRefs.length).toEqual(2);
+  expect(profileRefs.length).toEqual(3);
  expect(profileRefs).toContain('route-a');
  expect(profileRefs).toContain('route-c');
+  expect(profileRefs).toContain('route-d');

  const targetRefs = resolver.findRoutesByTargetRefSync('target-1', storedRoutes);
  expect(targetRefs.length).toEqual(2);
@@ -314,6 +338,20 @@ tap.test('should find routes by profile ref (sync)', async () => {
  expect(targetRefs).toContain('route-c');
 });

+tap.test('should resolve source policy binding display names', async () => {
+  const route = makeRoute();
+  const metadata: IRouteMetadata = {
+    sourcePolicy: {
+      bindings: [{ sourceProfileRef: 'profile-1' }],
+    },
+  };
+
+  const result = resolver.resolveRoute(route, metadata);
+  expect(result.route.security).toBeUndefined();
+  expect(result.metadata.sourcePolicy!.bindings[0].sourceProfileName).toEqual('STANDARD');
+  expect(result.metadata.lastResolvedAt).toBeTruthy();
+});
+
 tap.test('should get profile usage for a specific profile ID', async () => {
  const storedRoutes = new Map<string, any>();
  storedRoutes.set('route-x', {
@@ -0,0 +1,296 @@
+import { expect, tap } from '@git.zone/tstest/tapbundle';
+import { SmartProxy } from '@push.rocks/smartproxy';
+import { Buffer } from 'node:buffer';
+import * as http from 'node:http';
+import * as net from 'node:net';
+
+async function getFreePort(): Promise<number> {
+  return await new Promise<number>((resolve, reject) => {
+    const server = net.createServer();
+    server.once('error', reject);
+    server.listen(0, '127.0.0.1', () => {
+      const address = server.address();
+      const port = typeof address === 'object' && address ? address.port : 0;
+      server.close(() => resolve(port));
+    });
+  });
+}
+
+async function startBackend(
+  handler: http.RequestListener = (_request, response) => {
+    response.writeHead(200, { 'content-type': 'text/plain' });
+    response.end('ok');
+  },
+): Promise<{ server: http.Server; port: number }> {
+  const server = http.createServer(handler);
+  const port = await new Promise<number>((resolve, reject) => {
+    server.once('error', reject);
+    server.listen(0, '127.0.0.1', () => {
+      const address = server.address();
+      resolve(typeof address === 'object' && address ? address.port : 0);
+    });
+  });
+  return { server, port };
+}
+
+async function closeServer(server: http.Server): Promise<void> {
+  if (!server.listening) return;
+  await new Promise<void>((resolve, reject) => server.close((error) => error ? reject(error) : resolve()));
+}
+
+async function requestHeaders(
+  port: number,
+  path: string,
+  headers?: Record<string, string>,
+): Promise<http.IncomingMessage> {
+  return await new Promise<http.IncomingMessage>((resolve, reject) => {
+    const request = http.get({ host: '127.0.0.1', port, path, headers, agent: false }, resolve);
+    request.once('error', reject);
+  });
+}
+
+async function readResponseBody(response: http.IncomingMessage): Promise<string> {
+  const chunks: Buffer[] = [];
+  for await (const chunk of response) {
+    chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk));
+  }
+  return Buffer.concat(chunks).toString('utf8');
+}
+
+tap.test('SmartProxy route rateLimit returns 429 after threshold', async () => {
+  const backend = await startBackend();
+  const proxyPort = await getFreePort();
+  const proxy = new SmartProxy({
+    connectionRateLimitPerMinute: 1000,
+    routes: [
+      {
+        name: 'rate-limit-smoke',
+        match: {
+          ports: proxyPort,
+        },
+        action: {
+          type: 'forward',
+          targets: [{ host: '127.0.0.1', port: backend.port }],
+        },
+        security: {
+          rateLimit: {
+            enabled: true,
+            maxRequests: 1,
+            window: 60,
+            keyBy: 'ip',
+            errorMessage: 'too many requests',
+          },
+        },
+      },
+    ],
+  });
+
+  try {
+    await proxy.start();
+    const firstResponse = await fetch(`http://127.0.0.1:${proxyPort}/`);
+    const secondResponse = await fetch(`http://127.0.0.1:${proxyPort}/`);
+    const firstBody = await firstResponse.text();
+    const secondBody = await secondResponse.text();
+
+    expect(firstResponse.status).toEqual(200);
+    expect(firstBody).toEqual('ok');
+    expect(secondResponse.status).toEqual(429);
+    expect(secondBody).toContain('too many requests');
+  } finally {
+    await Promise.allSettled([
+      proxy.stop(),
+      closeServer(backend.server),
+    ]);
+  }
+});
+
+tap.test('SmartProxy rateLimit is terminal and does not fall through to a lower priority route', async () => {
+  const limitedBackend = await startBackend((_request, response) => {
+    response.writeHead(200, { 'content-type': 'text/plain' });
+    response.end('limited');
+  });
+  const fallbackBackend = await startBackend((_request, response) => {
+    response.writeHead(200, { 'content-type': 'text/plain' });
+    response.end('fallback');
+  });
+  const proxyPort = await getFreePort();
+  const proxy = new SmartProxy({
+    connectionRateLimitPerMinute: 1000,
+    routes: [
+      {
+        id: 'terminal-rate-limit',
+        name: 'terminal-rate-limit',
+        priority: 10,
+        match: { ports: proxyPort, domains: 'limited.local' },
+        action: {
+          type: 'forward',
+          targets: [{ host: '127.0.0.1', port: limitedBackend.port }],
+        },
+        security: {
+          rateLimit: {
+            enabled: true,
+            maxRequests: 1,
+            window: 60,
+            keyBy: 'ip',
+            errorMessage: 'limited route exceeded',
+          },
+        },
+      },
+      {
+        id: 'lower-priority-fallback',
+        name: 'lower-priority-fallback',
+        priority: 0,
+        match: { ports: proxyPort },
+        action: {
+          type: 'forward',
+          targets: [{ host: '127.0.0.1', port: fallbackBackend.port }],
+        },
+      },
+    ],
+  });
+
+  try {
+    await proxy.start();
+    const firstResponse = await requestHeaders(proxyPort, '/', { host: 'limited.local' });
+    const secondResponse = await requestHeaders(proxyPort, '/', { host: 'limited.local' });
+    const firstBody = await readResponseBody(firstResponse);
+    const secondBody = await readResponseBody(secondResponse);
+
+    expect(firstResponse.statusCode).toEqual(200);
+    expect(firstBody).toEqual('limited');
+    expect(secondResponse.statusCode).toEqual(429);
+    expect(secondBody).toContain('limited route exceeded');
+    expect(secondBody.includes('fallback')).toBeFalse();
+  } finally {
+    await Promise.allSettled([
+      proxy.stop(),
+      closeServer(limitedBackend.server),
+      closeServer(fallbackBackend.server),
+    ]);
+  }
+});
+
+tap.test('SmartProxy route maxConnections returns 429 when concurrent limit is exceeded', async () => {
+  let firstResponse: http.IncomingMessage | undefined;
+  let secondResponse: http.IncomingMessage | undefined;
+  let releaseResponse: (() => void) | undefined;
+  const releasePromise = new Promise<void>((resolve) => {
+    releaseResponse = resolve;
+  });
+  const backend = await startBackend((_request, response) => {
+    response.writeHead(200, { 'content-type': 'text/plain' });
+    response.flushHeaders();
+    void releasePromise.then(() => response.end('released'));
+  });
+  const proxyPort = await getFreePort();
+  const proxy = new SmartProxy({
+    connectionRateLimitPerMinute: 1000,
+    routes: [
+      {
+        id: 'max-connections-smoke',
+        name: 'max-connections-smoke',
+        match: { ports: proxyPort },
+        action: {
+          type: 'forward',
+          targets: [{ host: '127.0.0.1', port: backend.port }],
+        },
+        security: {
+          maxConnections: 1,
+        },
+      },
+    ],
+  });
+
+  try {
+    await proxy.start();
+    firstResponse = await requestHeaders(proxyPort, '/hold');
+    secondResponse = await requestHeaders(proxyPort, '/blocked');
+
+    expect(firstResponse.statusCode).toEqual(200);
+    expect(secondResponse.statusCode).toEqual(429);
+    const secondBody = await readResponseBody(secondResponse);
+    releaseResponse?.();
+    expect(await readResponseBody(firstResponse)).toEqual('released');
+    expect(secondBody.length > 0).toBeTrue();
+  } finally {
+    releaseResponse?.();
+    firstResponse?.destroy();
+    secondResponse?.destroy();
+    await Promise.allSettled([
+      proxy.stop(),
+      closeServer(backend.server),
+    ]);
+  }
+});
+
+tap.test('SmartProxy maxConnections is terminal and does not fall through to a lower priority route', async () => {
+  let firstResponse: http.IncomingMessage | undefined;
+  let secondResponse: http.IncomingMessage | undefined;
+  let releaseResponse: (() => void) | undefined;
+  const releasePromise = new Promise<void>((resolve) => {
+    releaseResponse = resolve;
+  });
+  const limitedBackend = await startBackend((_request, response) => {
+    response.writeHead(200, { 'content-type': 'text/plain' });
+    response.flushHeaders();
+    void releasePromise.then(() => response.end('limited released'));
+  });
+  const fallbackBackend = await startBackend((_request, response) => {
+    response.writeHead(200, { 'content-type': 'text/plain' });
+    response.end('fallback');
+  });
+  const proxyPort = await getFreePort();
+  const proxy = new SmartProxy({
+    connectionRateLimitPerMinute: 1000,
+    routes: [
+      {
+        id: 'terminal-max-connections',
+        name: 'terminal-max-connections',
+        priority: 10,
+        match: { ports: proxyPort, domains: 'limited.local' },
+        action: {
+          type: 'forward',
+          targets: [{ host: '127.0.0.1', port: limitedBackend.port }],
+        },
+        security: {
+          maxConnections: 1,
+        },
+      },
+      {
+        id: 'max-connections-lower-priority-fallback',
+        name: 'max-connections-lower-priority-fallback',
+        priority: 0,
+        match: { ports: proxyPort },
+        action: {
+          type: 'forward',
+          targets: [{ host: '127.0.0.1', port: fallbackBackend.port }],
+        },
+      },
+    ],
+  });
+
+  try {
+    await proxy.start();
+    firstResponse = await requestHeaders(proxyPort, '/hold', { host: 'limited.local' });
+    secondResponse = await requestHeaders(proxyPort, '/blocked', { host: 'limited.local' });
+    const secondBody = await readResponseBody(secondResponse);
+    releaseResponse?.();
+    const firstBody = await readResponseBody(firstResponse);
+
+    expect(firstResponse.statusCode).toEqual(200);
+    expect(firstBody).toEqual('limited released');
+    expect(secondResponse.statusCode).toEqual(429);
+    expect(secondBody.includes('fallback')).toBeFalse();
+  } finally {
+    releaseResponse?.();
+    firstResponse?.destroy();
+    secondResponse?.destroy();
+    await Promise.allSettled([
+      proxy.stop(),
+      closeServer(limitedBackend.server),
+      closeServer(fallbackBackend.server),
+    ]);
+  }
+});
+
+export default tap.start();
@@ -0,0 +1,869 @@
+import { expect, tap } from '@git.zone/tstest/tapbundle';
+import { ReferenceResolver } from '../ts/config/classes.reference-resolver.js';
+import { RouteConfigManager } from '../ts/config/classes.route-config-manager.js';
+import { SourcePolicyCompiler, sourcePolicyLimits } from '../ts/config/classes.source-policy-compiler.js';
+import type { ISourceProfile, IRouteMetadata } from '../ts_interfaces/data/route-management.js';
+import type { IRouteConfig } from '@push.rocks/smartproxy';
+
+function injectProfile(resolver: ReferenceResolver, profile: ISourceProfile): void {
+  (resolver as any).profiles.set(profile.id, profile);
+}
+
+function makeRoute(): IRouteConfig {
+  return {
+    id: 'route-1',
+    name: 'gitea',
+    priority: 10,
+    match: { ports: 443, domains: 'code.example.com' },
+    action: { type: 'forward', targets: [{ host: '127.0.0.1', port: 3000 }] },
+  };
+}
+
+function makeProfile(profile: Partial<ISourceProfile> & Pick<ISourceProfile, 'id' | 'name'>): ISourceProfile {
+  return {
+    description: '',
+    security: {},
+    createdAt: 1,
+    updatedAt: 1,
+    createdBy: 'test',
+    ...profile,
+  };
+}
+
+tap.test('source policy compiler expands one route into ordered source variants', async () => {
+  const resolver = new ReferenceResolver();
+  injectProfile(resolver, makeProfile({
+    id: 'trusted',
+    name: 'Trusted',
+    security: { ipAllowList: ['10.0.0.0/8'] },
+  }));
+  injectProfile(resolver, makeProfile({
+    id: 'ai',
+    name: 'AI Crawlers',
+    security: {
+      ipAllowList: ['203.0.113.0/24'],
+      rateLimit: { enabled: true, maxRequests: 30, window: 60, keyBy: 'ip' },
+    },
+  }));
+  injectProfile(resolver, makeProfile({
+    id: 'public',
+    name: 'Public',
+    security: {
+      ipAllowList: ['*'],
+      rateLimit: { enabled: true, maxRequests: 120, window: 60, keyBy: 'ip' },
+    },
+  }));
+
+  const metadata: IRouteMetadata = {
+    sourcePolicy: {
+      bindings: [
+        { sourceProfileRef: 'trusted' },
+        { sourceProfileRef: 'ai' },
+        { sourceProfileRef: 'public' },
+      ],
+    },
+  };
+
+  const variants = SourcePolicyCompiler.compileRoute(makeRoute(), metadata, resolver, 'route-1');
+
+  expect(variants.length).toEqual(3);
+  expect(variants[0].name).toEqual('gitea:source:Trusted');
+  expect(variants[0].match.clientIp).toEqual(['10.0.0.0/8']);
+  expect(variants[0].security?.ipAllowList).toBeUndefined();
+  expect(variants[1].security?.rateLimit?.maxRequests).toEqual(30);
+  expect(variants[2].match.clientIp).toBeUndefined();
+  expect(variants[2].security?.rateLimit?.maxRequests).toEqual(120);
+  expect(variants[0].priority! > variants[1].priority!).toBeTrue();
+  expect(variants[1].priority! > variants[2].priority!).toBeTrue();
+});
+
+tap.test('source policy binding can override profile rate limit and 429 message', async () => {
+  const resolver = new ReferenceResolver();
+  injectProfile(resolver, makeProfile({
+    id: 'public',
+    name: 'Public',
+    security: {
+      ipAllowList: ['*'],
+      rateLimit: { enabled: true, maxRequests: 120, window: 60, keyBy: 'ip' },
+    },
+  }));
+
+  const metadata: IRouteMetadata = {
+    sourcePolicy: {
+      bindings: [
+        {
+          sourceProfileRef: 'public',
+          rateLimit: { enabled: true, maxRequests: 10, window: 60, keyBy: 'ip' },
+          onExceeded: { type: '429', errorMessage: 'Slow down' },
+        },
+      ],
+    },
+  };
+
+  const [variant] = SourcePolicyCompiler.compileRoute(makeRoute(), metadata, resolver, 'route-1');
+
+  expect(variant.security?.rateLimit?.maxRequests).toEqual(10);
+  expect(variant.security?.rateLimit?.errorMessage).toEqual('Slow down');
+});
+
+tap.test('source policy compiler forces source-policy rate limits to source IP keys', async () => {
+  const resolver = new ReferenceResolver();
+  injectProfile(resolver, makeProfile({
+    id: 'public',
+    name: 'Public',
+    security: {
+      ipAllowList: ['*'],
+      rateLimit: {
+        enabled: true,
+        maxRequests: 120,
+        window: 60,
+        keyBy: 'header',
+        headerName: 'x-forwarded-for',
+      },
+    },
+  }));
+
+  const variants = SourcePolicyCompiler.compileRoute(
+    makeRoute(),
+    {
+      sourcePolicy: {
+        bindings: [
+          {
+            sourceProfileRef: 'public',
+            rateLimit: {
+              enabled: true,
+              maxRequests: 10,
+              window: 60,
+              keyBy: 'header',
+              headerName: 'x-client-id',
+            },
+            pathPolicies: [
+              {
+                pathClass: 'git-smart-http',
+                pathPatterns: ['/git'],
+                rateLimit: { enabled: true, maxRequests: 20, window: 60, keyBy: 'path' },
+              },
+            ],
+          },
+        ],
+      },
+    },
+    resolver,
+    'route-1',
+  );
+
+  expect(variants).toHaveLength(2);
+  expect(variants[0].security?.rateLimit?.keyBy).toEqual('ip');
+  expect(variants[0].security?.rateLimit?.headerName).toBeUndefined();
+  expect(variants[1].security?.rateLimit?.keyBy).toEqual('ip');
+  expect(variants[1].security?.rateLimit?.headerName).toBeUndefined();
+});
+
+tap.test('source policy binding can split Gitea path classes before its fallback', async () => {
+  const resolver = new ReferenceResolver();
+  injectProfile(resolver, makeProfile({
+    id: 'ai',
+    name: 'AI Crawlers',
+    security: {
+      ipAllowList: ['203.0.113.0/24'],
+      rateLimit: { enabled: true, maxRequests: 30, window: 60, keyBy: 'ip' },
+    },
+  }));
+  injectProfile(resolver, makeProfile({
+    id: 'public',
+    name: 'Public',
+    security: {
+      ipAllowList: ['*'],
+      rateLimit: { enabled: true, maxRequests: 120, window: 60, keyBy: 'ip' },
+    },
+  }));
+
+  const variants = SourcePolicyCompiler.compileRoute(
+    makeRoute(),
+    {
+      sourcePolicy: {
+        bindings: [
+          {
+            sourceProfileRef: 'ai',
+            pathPolicies: [
+              {
+                pathClass: 'git-smart-http',
+                pathPatterns: ['/*/*.git/info/refs'],
+                rateLimit: { enabled: true, maxRequests: 600, window: 60, keyBy: 'ip' },
+              },
+              {
+                pathClass: 'normal-html',
+                rateLimit: { enabled: true, maxRequests: 20, window: 60, keyBy: 'ip' },
+              },
+            ],
+          },
+          { sourceProfileRef: 'public' },
+        ],
+      },
+    },
+    resolver,
+    'route-1',
+  );
+
+  expect(variants.length).toEqual(3);
+  expect(variants[0].name).toEqual('gitea:source:AI Crawlers:path:Git Smart HTTP');
+  expect(variants[0].match.clientIp).toEqual(['203.0.113.0/24']);
+  expect(variants[0].match.path).toEqual('/*/*.git/info/refs');
+  expect(variants[0].security?.rateLimit?.maxRequests).toEqual(600);
+  expect(variants[1].name).toEqual('gitea:source:AI Crawlers:path:Normal HTML');
+  expect(variants[1].match.path).toBeUndefined();
+  expect(variants[1].security?.rateLimit?.maxRequests).toEqual(20);
+  expect(variants[2].name).toEqual('gitea:source:Public');
+  expect(variants[0].priority! > variants[1].priority!).toBeTrue();
+  expect(variants[1].priority! > variants[2].priority!).toBeTrue();
+});
+
+tap.test('source policy compiler uses built-in Gitea path class patterns', async () => {
+  const resolver = new ReferenceResolver();
+  injectProfile(resolver, makeProfile({
+    id: 'public',
+    name: 'Public',
+    security: {
+      ipAllowList: ['*'],
+      rateLimit: { enabled: true, maxRequests: 120, window: 60, keyBy: 'ip' },
+    },
+  }));
+
+  const variants = SourcePolicyCompiler.compileRoute(
+    makeRoute(),
+    {
+      sourcePolicy: {
+        bindings: [
+          {
+            sourceProfileRef: 'public',
+            pathPolicies: [{ pathClass: 'git-smart-http' }],
+          },
+        ],
+      },
+    },
+    resolver,
+    'route-1',
+  );
+
+  expect(variants.map((variant) => variant.match.path)).toEqual([
+    '/*/*.git/info/refs',
+    '/*/*.git/git-upload-pack',
+    '/*/*.git/git-receive-pack',
+    '/*/*.git/info/lfs',
+    '/*/*.git/info/lfs/*',
+    undefined,
+  ]);
+  expect(variants[0].id).toEqual('route-1:source:public:path:git-smart-http:1');
+  expect(variants[5].id).toEqual('route-1:source:public');
+  expect(variants[0].priority! > variants[5].priority!).toBeTrue();
+});
+
+tap.test('source policy compiler fails closed when wildcard binding shadows later bindings', async () => {
+  const resolver = new ReferenceResolver();
+  injectProfile(resolver, makeProfile({
+    id: 'public',
+    name: 'Public',
+    security: { ipAllowList: ['*'] },
+  }));
+  injectProfile(resolver, makeProfile({
+    id: 'trusted',
+    name: 'Trusted',
+    security: { ipAllowList: ['10.0.0.0/8'] },
+  }));
+
+  const variants = SourcePolicyCompiler.compileRoute(
+    makeRoute(),
+    {
+      sourcePolicy: {
+        bindings: [
+          { sourceProfileRef: 'public' },
+          { sourceProfileRef: 'trusted' },
+        ],
+      },
+    },
+    resolver,
+    'route-1',
+  );
+
+  expect(variants).toEqual([]);
+});
+
+tap.test('source policy compiler fails closed when expansion would exceed route variant caps', async () => {
+  const resolver = new ReferenceResolver();
+  injectProfile(resolver, makeProfile({
+    id: 'public',
+    name: 'Public',
+    security: { ipAllowList: ['*'] },
+  }));
+  const pathPolicies = Array.from({ length: sourcePolicyLimits.maxPathPoliciesPerBinding }, (_policy, policyIndex) => ({
+    pathClass: 'git-smart-http' as const,
+    pathPatterns: Array.from(
+      { length: sourcePolicyLimits.maxPathPatternsPerPolicy },
+      (_pattern, patternIndex) => `/heavy-${policyIndex}-${patternIndex}`,
+    ),
+  }));
+  const metadata: IRouteMetadata = {
+    sourcePolicy: {
+      bindings: [{ sourceProfileRef: 'public', pathPolicies }],
+    },
+  };
+
+  expect(SourcePolicyCompiler.validateSourcePolicyShape(metadata.sourcePolicy)).toContain('compiled route variants');
+  expect(SourcePolicyCompiler.compileRoute(makeRoute(), metadata, resolver, 'route-1')).toEqual([]);
+});
+
+tap.test('source policy compiler fails closed when configured bindings cannot compile', async () => {
+  const resolver = new ReferenceResolver();
+  injectProfile(resolver, makeProfile({
+    id: 'empty-ai',
+    name: 'Empty AI',
+    security: {
+      ipAllowList: [],
+      rateLimit: { enabled: true, maxRequests: 30, window: 60, keyBy: 'ip' },
+    },
+  }));
+
+  const emptyProfileVariants = SourcePolicyCompiler.compileRoute(
+    makeRoute(),
+    {
+      sourcePolicy: {
+        bindings: [
+          { sourceProfileRef: 'empty-ai' },
+        ],
+      },
+    },
+    resolver,
+    'route-1',
+  );
+
+  const missingResolverVariants = SourcePolicyCompiler.compileRoute(
+    makeRoute(),
+    {
+      sourcePolicy: {
+        bindings: [{ sourceProfileRef: 'empty-ai' }],
+      },
+    },
+    undefined,
+    'route-1',
+  );
+
+  expect(emptyProfileVariants.length).toEqual(0);
+  expect(missingResolverVariants.length).toEqual(0);
+});
+
+tap.test('source policy compiler keeps generated priorities inside SmartProxy bounds', async () => {
+  const resolver = new ReferenceResolver();
+  injectProfile(resolver, makeProfile({
+    id: 'trusted',
+    name: 'Trusted',
+    security: { ipAllowList: ['10.0.0.0/8'] },
+  }));
+  injectProfile(resolver, makeProfile({
+    id: 'public',
+    name: 'Public',
+    security: {
+      ipAllowList: ['*'],
+      rateLimit: { enabled: true, maxRequests: 120, window: 60, keyBy: 'ip' },
+    },
+  }));
+
+  const route = makeRoute();
+  route.priority = 10000;
+  const variants = SourcePolicyCompiler.compileRoute(
+    route,
+    {
+      sourcePolicy: {
+        bindings: [
+          { sourceProfileRef: 'trusted' },
+          {
+            sourceProfileRef: 'public',
+            pathPolicies: [{ pathClass: 'git-smart-http' }, { pathClass: 'normal-html' }],
+          },
+        ],
+      },
+    },
+    resolver,
+    'route-1',
+  );
+
+  expect(variants.length > 0).toBeTrue();
+  expect(variants.every((variant) => variant.priority! <= 10000 && variant.priority! >= 0)).toBeTrue();
+  expect(variants[0].priority! > variants[1].priority!).toBeTrue();
+});
+
+tap.test('RouteConfigManager applies source policy as expanded runtime routes', async () => {
+  const resolver = new ReferenceResolver();
+  injectProfile(resolver, makeProfile({
+    id: 'trusted',
+    name: 'Trusted',
+    security: { ipAllowList: ['10.0.0.0/8'] },
+  }));
+  injectProfile(resolver, makeProfile({
+    id: 'public',
+    name: 'Public',
+    security: {
+      ipAllowList: ['*'],
+      rateLimit: { enabled: true, maxRequests: 120, window: 60, keyBy: 'ip' },
+    },
+  }));
+
+  const appliedRoutes: IRouteConfig[][] = [];
+  const manager = new RouteConfigManager(
+    () => ({
+      updateRoutes: async (routes: IRouteConfig[]) => {
+        appliedRoutes.push(routes);
+      },
+    } as any),
+    () => ({ enabled: false }),
+    undefined,
+    resolver,
+  );
+  (manager as any).routes.set('route-1', {
+    id: 'route-1',
+    route: makeRoute(),
+    enabled: true,
+    createdAt: 1,
+    updatedAt: 1,
+    createdBy: 'test',
+    origin: 'api',
+    metadata: {
+      sourcePolicy: {
+        bindings: [
+          { sourceProfileRef: 'trusted' },
+          { sourceProfileRef: 'public' },
+        ],
+      },
+    },
+  });
+
+  await manager.applyRoutes();
+
+  expect(appliedRoutes.length).toEqual(1);
+  expect(appliedRoutes[0].length).toEqual(2);
+  expect(appliedRoutes[0][0].match.clientIp).toEqual(['10.0.0.0/8']);
+  expect(appliedRoutes[0][1].match.clientIp).toBeUndefined();
+  expect(appliedRoutes[0][1].security?.rateLimit?.maxRequests).toEqual(120);
+});
+
+tap.test('RouteConfigManager does not apply an uncompiled source-policy route', async () => {
+  const resolver = new ReferenceResolver();
+  injectProfile(resolver, makeProfile({
+    id: 'empty-ai',
+    name: 'Empty AI',
+    security: {
+      ipAllowList: [],
+      rateLimit: { enabled: true, maxRequests: 30, window: 60, keyBy: 'ip' },
+    },
+  }));
+
+  const appliedRoutes: IRouteConfig[][] = [];
+  const manager = new RouteConfigManager(
+    () => ({
+      updateRoutes: async (routes: IRouteConfig[]) => {
+        appliedRoutes.push(routes);
+      },
+    } as any),
+    () => ({ enabled: false }),
+    undefined,
+    resolver,
+  );
+  (manager as any).routes.set('route-1', {
+    id: 'route-1',
+    route: makeRoute(),
+    enabled: true,
+    createdAt: 1,
+    updatedAt: 1,
+    createdBy: 'test',
+    origin: 'api',
+    metadata: {
+      sourcePolicy: {
+        bindings: [{ sourceProfileRef: 'empty-ai' }],
+      },
+    },
+  });
+
+  await manager.applyRoutes();
+
+  expect(appliedRoutes.length).toEqual(1);
+  expect(appliedRoutes[0].length).toEqual(0);
+});
+
+tap.test('RouteConfigManager rejects wildcard source policy bindings before later bindings', async () => {
+  const resolver = new ReferenceResolver();
+  injectProfile(resolver, makeProfile({
+    id: 'public',
+    name: 'Public',
+    security: { ipAllowList: ['*'] },
+  }));
+  injectProfile(resolver, makeProfile({
+    id: 'trusted',
+    name: 'Trusted',
+    security: { ipAllowList: ['10.0.0.0/8'] },
+  }));
+
+  const manager = new RouteConfigManager(
+    () => undefined,
+    () => ({ enabled: false }),
+    undefined,
+    resolver,
+  );
+  (manager as any).routes.set('route-1', {
+    id: 'route-1',
+    route: makeRoute(),
+    enabled: true,
+    createdAt: 1,
+    updatedAt: 1,
+    createdBy: 'test',
+    origin: 'api',
+    metadata: {
+      sourcePolicy: {
+        bindings: [{ sourceProfileRef: 'trusted' }, { sourceProfileRef: 'public' }],
+      },
+    },
+  });
+
+  const result = await manager.updateRoute('route-1', {
+    metadata: {
+      sourcePolicy: {
+        bindings: [{ sourceProfileRef: 'public' }, { sourceProfileRef: 'trusted' }],
+      },
+    },
+  });
+
+  expect(result.success).toBeFalse();
+  expect(result.message).toContain('Wildcard source profile bindings must be last');
+  expect(manager.getRoute('route-1')?.metadata?.sourcePolicy?.bindings[0].sourceProfileRef).toEqual('trusted');
+});
+
+tap.test('RouteConfigManager rejects missing source policy profiles', async () => {
+  const resolver = new ReferenceResolver();
+  injectProfile(resolver, makeProfile({
+    id: 'public',
+    name: 'Public',
+    security: { ipAllowList: ['*'] },
+  }));
+
+  const manager = new RouteConfigManager(
+    () => undefined,
+    () => ({ enabled: false }),
+    undefined,
+    resolver,
+  );
+  (manager as any).routes.set('route-1', {
+    id: 'route-1',
+    route: makeRoute(),
+    enabled: true,
+    createdAt: 1,
+    updatedAt: 1,
+    createdBy: 'test',
+    origin: 'api',
+    metadata: {
+      sourcePolicy: {
+        bindings: [{ sourceProfileRef: 'public' }],
+      },
+    },
+  });
+
+  const result = await manager.updateRoute('route-1', {
+    metadata: {
+      sourcePolicy: {
+        bindings: [{ sourceProfileRef: 'missing' }, { sourceProfileRef: 'public' }],
+      },
+    },
+  });
+
+  expect(result.success).toBeFalse();
+  expect(result.message).toContain("Source profile 'missing' not found");
+  expect(manager.getRoute('route-1')?.metadata?.sourcePolicy?.bindings).toHaveLength(1);
+});
+
+tap.test('RouteConfigManager rejects source profiles without source matches', async () => {
+  const resolver = new ReferenceResolver();
+  injectProfile(resolver, makeProfile({
+    id: 'empty-ai',
+    name: 'Empty AI',
+    security: { ipAllowList: [] },
+  }));
+  injectProfile(resolver, makeProfile({
+    id: 'public',
+    name: 'Public',
+    security: { ipAllowList: ['*'] },
+  }));
+
+  const manager = new RouteConfigManager(
+    () => undefined,
+    () => ({ enabled: false }),
+    undefined,
+    resolver,
+  );
+  (manager as any).routes.set('route-1', {
+    id: 'route-1',
+    route: makeRoute(),
+    enabled: true,
+    createdAt: 1,
+    updatedAt: 1,
+    createdBy: 'test',
+    origin: 'api',
+    metadata: {
+      sourcePolicy: {
+        bindings: [{ sourceProfileRef: 'public' }],
+      },
+    },
+  });
+
+  const result = await manager.updateRoute('route-1', {
+    metadata: {
+      sourcePolicy: {
+        bindings: [{ sourceProfileRef: 'empty-ai' }, { sourceProfileRef: 'public' }],
+      },
+    },
+  });
+
+  expect(result.success).toBeFalse();
+  expect(result.message).toContain("Source profile 'Empty AI' has no source matches");
+  expect(manager.getRoute('route-1')?.metadata?.sourcePolicy?.bindings).toHaveLength(1);
+});
+
+tap.test('RouteConfigManager rejects source policies without a final all-source fallback', async () => {
+  const resolver = new ReferenceResolver();
+  injectProfile(resolver, makeProfile({
+    id: 'trusted',
+    name: 'Trusted',
+    security: { ipAllowList: ['10.0.0.0/8'] },
+  }));
+  injectProfile(resolver, makeProfile({
+    id: 'public',
+    name: 'Public',
+    security: { ipAllowList: ['*'] },
+  }));
+
+  const manager = new RouteConfigManager(
+    () => undefined,
+    () => ({ enabled: false }),
+    undefined,
+    resolver,
+  );
+  (manager as any).routes.set('route-1', {
+    id: 'route-1',
+    route: makeRoute(),
+    enabled: true,
+    createdAt: 1,
+    updatedAt: 1,
+    createdBy: 'test',
+    origin: 'api',
+    metadata: {
+      sourcePolicy: {
+        bindings: [{ sourceProfileRef: 'public' }],
+      },
+    },
+  });
+
+  const result = await manager.updateRoute('route-1', {
+    metadata: {
+      sourcePolicy: {
+        bindings: [{ sourceProfileRef: 'trusted' }],
+      },
+    },
+  });
+
+  expect(result.success).toBeFalse();
+  expect(result.message).toContain('Source policy must end with an all-source fallback profile');
+  expect(manager.getRoute('route-1')?.metadata?.sourcePolicy?.bindings[0].sourceProfileRef).toEqual('public');
+});
+
+tap.test('RouteConfigManager rejects source policies with broad port range expansion', async () => {
+  const resolver = new ReferenceResolver();
+  injectProfile(resolver, makeProfile({
+    id: 'trusted',
+    name: 'Trusted',
+    security: { ipAllowList: ['10.0.0.0/8'] },
+  }));
+  injectProfile(resolver, makeProfile({
+    id: 'public',
+    name: 'Public',
+    security: { ipAllowList: ['*'] },
+  }));
+
+  const manager = new RouteConfigManager(
+    () => undefined,
+    () => ({ enabled: false }),
+    undefined,
+    resolver,
+  );
+  (manager as any).routes.set('route-1', {
+    id: 'route-1',
+    route: makeRoute(),
+    enabled: true,
+    createdAt: 1,
+    updatedAt: 1,
+    createdBy: 'test',
+    origin: 'api',
+    metadata: {
+      sourcePolicy: {
+        bindings: [{ sourceProfileRef: 'trusted' }, { sourceProfileRef: 'public' }],
+      },
+    },
+  });
+
+  const result = await manager.updateRoute('route-1', {
+    route: {
+      match: { ports: [{ from: 1, to: 1_000_000_000 }], domains: 'code.example.com' },
+    } as any,
+  });
+
+  expect(result.success).toBeFalse();
+  expect(result.message).toContain('compiled route-port variants');
+  expect(manager.getRoute('route-1')?.route.match.ports).toEqual(443);
+});
+
+tap.test('RouteConfigManager rejects negative source-policy maxConnections overrides', async () => {
+  const resolver = new ReferenceResolver();
+  injectProfile(resolver, makeProfile({
+    id: 'public',
+    name: 'Public',
+    security: { ipAllowList: ['*'] },
+  }));
+
+  const manager = new RouteConfigManager(
+    () => undefined,
+    () => ({ enabled: false }),
+    undefined,
+    resolver,
+  );
+  (manager as any).routes.set('route-1', {
+    id: 'route-1',
+    route: makeRoute(),
+    enabled: true,
+    createdAt: 1,
+    updatedAt: 1,
+    createdBy: 'test',
+    origin: 'api',
+    metadata: {
+      sourcePolicy: {
+        bindings: [{ sourceProfileRef: 'public' }],
+      },
+    },
+  });
+
+  const result = await manager.updateRoute('route-1', {
+    metadata: {
+      sourcePolicy: {
+        bindings: [{ sourceProfileRef: 'public', maxConnections: -1 }],
+      },
+    },
+  });
+
+  expect(result.success).toBeFalse();
+  expect(result.message).toContain('maxConnections');
+  expect(manager.getRoute('route-1')?.metadata?.sourcePolicy?.bindings[0].maxConnections).toBeUndefined();
+});
+
+tap.test('RouteConfigManager rejects oversized nested source-policy rate limit messages', async () => {
+  const resolver = new ReferenceResolver();
+  injectProfile(resolver, makeProfile({
+    id: 'public',
+    name: 'Public',
+    security: { ipAllowList: ['*'] },
+  }));
+
+  const manager = new RouteConfigManager(
+    () => undefined,
+    () => ({ enabled: false }),
+    undefined,
+    resolver,
+  );
+  (manager as any).routes.set('route-1', {
+    id: 'route-1',
+    route: makeRoute(),
+    enabled: true,
+    createdAt: 1,
+    updatedAt: 1,
+    createdBy: 'test',
+    origin: 'api',
+    metadata: {
+      sourcePolicy: {
+        bindings: [{ sourceProfileRef: 'public' }],
+      },
+    },
+  });
+
+  const result = await manager.updateRoute('route-1', {
+    metadata: {
+      sourcePolicy: {
+        bindings: [
+          {
+            sourceProfileRef: 'public',
+            rateLimit: {
+              enabled: true,
+              maxRequests: 10,
+              window: 60,
+              keyBy: 'ip',
+              errorMessage: 'x'.repeat(sourcePolicyLimits.maxExceededMessageLength + 1),
+            },
+          },
+        ],
+      },
+    },
+  });
+
+  expect(result.success).toBeFalse();
+  expect(result.message).toContain('rate limit error message');
+  expect(manager.getRoute('route-1')?.metadata?.sourcePolicy?.bindings[0].rateLimit).toBeUndefined();
+});
+
+tap.test('RouteConfigManager rejects oversized source policy path patterns', async () => {
+  const resolver = new ReferenceResolver();
+  injectProfile(resolver, makeProfile({
+    id: 'public',
+    name: 'Public',
+    security: { ipAllowList: ['*'] },
+  }));
+
+  const manager = new RouteConfigManager(
+    () => undefined,
+    () => ({ enabled: false }),
+    undefined,
+    resolver,
+  );
+  (manager as any).routes.set('route-1', {
+    id: 'route-1',
+    route: makeRoute(),
+    enabled: true,
+    createdAt: 1,
+    updatedAt: 1,
+    createdBy: 'test',
+    origin: 'api',
+    metadata: {
+      sourcePolicy: {
+        bindings: [{ sourceProfileRef: 'public' }],
+      },
+    },
+  });
+
+  const result = await manager.updateRoute('route-1', {
+    metadata: {
+      sourcePolicy: {
+        bindings: [
+          {
+            sourceProfileRef: 'public',
+            pathPolicies: [
+              {
+                pathClass: 'git-smart-http',
+                pathPatterns: Array.from(
+                  { length: sourcePolicyLimits.maxPathPatternsPerPolicy + 1 },
+                  (_item, index) => `/too-many-${index}`,
+                ),
+              },
+            ],
+          },
+        ],
+      },
+    },
+  });
+
+  expect(result.success).toBeFalse();
+  expect(result.message).toContain('path patterns');
+  expect(manager.getRoute('route-1')?.metadata?.sourcePolicy?.bindings[0].pathPolicies).toBeUndefined();
+});
+
+export default tap.start();
@@ -3,6 +3,6 @@
 */
 export const commitinfo = {
  name: '@serve.zone/dcrouter',
-  version: '13.36.1',
+  version: '13.42.2',
  description: 'A multifaceted routing service handling mail and SMS delivery functions.'
 }
@@ -33,6 +33,7 @@ import { DnsManager } from './dns/manager.dns.js';
 import { AcmeConfigManager } from './acme/manager.acme-config.js';
 import { EmailDomainManager, SmartMtaStorageManager, WorkAppMailManager, buildEmailDnsRecords } from './email/index.js';
 import type { IRoute } from '../ts_interfaces/data/route-management.js';
+import type { IDcRouterRouteConfig, IRemoteIngressHubSettings, IRemoteIngressPerformanceConfig } from '../ts_interfaces/data/remoteingress.js';
 import type { ISecurityCompiledPolicy } from '../ts_interfaces/data/security-policy.js';

 export interface IDcRouterOptions {
@@ -93,6 +94,9 @@ export interface IDcRouterOptions {
   * Email domains with `internal-dns` mode must be included here
   */
  dnsScopes?: string[];
+
+  /** Explicit UDP bind address for the embedded DNS server. Defaults to auto-detection. */
+  dnsBindInterface?: string;
  
  /**
   * IPs of proxies that forward traffic to your server (optional)
@@ -277,6 +281,9 @@ export class DcRouter {
  // Remote Ingress
  public remoteIngressManager?: RemoteIngressManager;
  public tunnelManager?: TunnelManager;
+  private remoteIngressHubLifecycleChain: Promise<void> = Promise.resolve();
+  private remoteIngressHubStopping = false;
+  private remoteIngressHubGeneration = 0;

  // VPN
  public vpnManager?: VpnManager;
@@ -323,6 +330,11 @@ export class DcRouter {
  public serviceManager: plugins.taskbuffer.ServiceManager;
  private serviceSubjectSubscription?: plugins.smartrx.rxjs.Subscription;
  public smartAcmeReady = false;
+  private smartAcmeServiceStarted = false;
+  private smartAcmeStartGeneration = 0;
+  private smartAcmeStartPromise?: Promise<void>;
+  private smartAcmeRetryTimer?: ReturnType<typeof setTimeout>;
+  private smartAcmeRetryAttempt = 0;

  // TypedRouter for API endpoints
  public typedrouter = new plugins.typedrequest.TypedRouter();
@@ -542,45 +554,14 @@ export class DcRouter {
          .optional()
          .dependsOn('SmartProxy')
          .withStart(async () => {
-            if (this.smartAcme) {
-              await this.smartAcme.start();
-              this.smartAcmeReady = true;
-              logger.log('info', 'SmartAcme DNS-01 provider is now ready');
-
-              // Re-trigger certificate provisioning for all auto-cert routes.
-              // During startup, certProvisionFunction returned 'http01' (SmartAcme not ready),
-              // but Rust ACME is disabled when certProvisionFunction is set — so all domains
-              // failed silently (SmartProxy doesn't emit certificate-failed for this path).
-              // Calling updateRoutes() re-triggers provisionCertificatesViaCallback internally,
-              // which calls certProvisionFunction again — now with smartAcmeReady === true.
-              if (this.routeConfigManager) {
-                // Go through RouteConfigManager to get the full merged route set
-                // and serialize via the route-update mutex (prevents stale overwrites)
-                logger.log('info', 'Re-triggering certificate provisioning via RouteConfigManager');
-                this.routeConfigManager.applyRoutes().catch((err: any) => {
-                  logger.log('warn', `Failed to re-trigger cert provisioning: ${err?.message || err}`);
-                });
-              } else if (this.smartProxy) {
-                // No RouteConfigManager (DB disabled) — re-send current routes to trigger cert provisioning
-                if (this.certProvisionScheduler) {
-                  this.certProvisionScheduler.clear();
-                }
-                const currentRoutes = this.smartProxy.routeManager.getRoutes();
-                logger.log('info', `Re-triggering certificate provisioning for ${currentRoutes.length} routes`);
-                this.smartProxy.updateRoutes(currentRoutes).catch((err: any) => {
-                  logger.log('warn', `Failed to re-trigger cert provisioning: ${err?.message || err}`);
-                });
-              }
-            }
+            this.smartAcmeServiceStarted = true;
+            this.startSmartAcmeInBackground();
          })
          .withStop(async () => {
-            this.smartAcmeReady = false;
-            if (this.smartAcme) {
-              await this.smartAcme.stop();
-              this.smartAcme = undefined;
-            }
+            this.smartAcmeServiceStarted = false;
+            await this.stopSmartAcme();
          })
-          .withRetry({ maxRetries: 20, baseDelayMs: 5000, maxDelayMs: 3_600_000, backoffFactor: 2 }),
+          .withRetry({ maxRetries: 0 }),
      );
    }

@@ -610,15 +591,10 @@ export class DcRouter {
              // Sync routes to RemoteIngressManager whenever routes change,
              // then push updated derived ports to the Rust hub binary
              async (routes) => {
-                if (this.remoteIngressManager) {
-                  this.remoteIngressManager.setRoutes(routes as any[]);
-                }
-                if (this.tunnelManager) {
-                  try {
-                    await this.tunnelManager.syncAllowedEdges();
-                  } catch (err: unknown) {
-                    logger.log('error', `Failed to sync Remote Ingress allowed edges: ${(err as Error).message}`);
-                  }
+                try {
+                  await this.updateRemoteIngressRoutes(routes as IDcRouterRouteConfig[]);
+                } catch (err: unknown) {
+                  logger.log('error', `Failed to sync Remote Ingress allowed edges: ${(err as Error).message}`);
                }
              },
              undefined,
@@ -736,11 +712,7 @@ export class DcRouter {
            await this.setupRemoteIngress();
          })
          .withStop(async () => {
-            if (this.tunnelManager) {
-              await this.tunnelManager.stop();
-              this.tunnelManager = undefined;
-            }
-            this.remoteIngressManager = undefined;
+            await this.stopRemoteIngress();
          })
          .withRetry({ maxRetries: 3, baseDelayMs: 2000, maxDelayMs: 30_000 }),
      );
@@ -780,6 +752,138 @@ export class DcRouter {
    });
  }

+  private startSmartAcmeInBackground(): void {
+    if (!this.smartAcme) {
+      this.smartAcmeReady = false;
+      return;
+    }
+
+    const generation = ++this.smartAcmeStartGeneration;
+    this.smartAcmeReady = false;
+    this.smartAcmeRetryAttempt = 0;
+    this.clearSmartAcmeRetryTimer();
+    this.scheduleSmartAcmeStart(generation, 0);
+  }
+
+  private scheduleSmartAcmeStart(generation: number, delayMs: number): void {
+    this.clearSmartAcmeRetryTimer();
+    const retryTimer = setTimeout(() => {
+      this.smartAcmeRetryTimer = undefined;
+      this.runSmartAcmeStartAttempt(generation).catch((err) => {
+        logger.log('error', `Unexpected SmartAcme startup error: ${(err as Error).message}`);
+      });
+    }, delayMs);
+    this.smartAcmeRetryTimer = retryTimer;
+    const unrefableTimer = retryTimer as any;
+    if (typeof unrefableTimer?.unref === 'function') {
+      unrefableTimer.unref();
+    }
+  }
+
+  private async runSmartAcmeStartAttempt(generation: number): Promise<void> {
+    const smartAcme = this.smartAcme;
+    if (!smartAcme || generation !== this.smartAcmeStartGeneration) {
+      return;
+    }
+
+    const startPromise = smartAcme.start();
+    this.smartAcmeStartPromise = startPromise;
+
+    try {
+      await startPromise;
+      if (generation !== this.smartAcmeStartGeneration || this.smartAcme !== smartAcme) {
+        await smartAcme.stop().catch((err) => {
+          logger.log('warn', `Failed to stop stale SmartAcme instance: ${(err as Error).message}`);
+        });
+        return;
+      }
+
+      this.smartAcmeReady = true;
+      this.smartAcmeRetryAttempt = 0;
+      logger.log('info', 'SmartAcme DNS-01 provider is now ready');
+      this.retriggerCertificateProvisioningAfterSmartAcmeReady();
+    } catch (err) {
+      if (generation !== this.smartAcmeStartGeneration || this.smartAcme !== smartAcme) {
+        return;
+      }
+
+      this.smartAcmeReady = false;
+      await smartAcme.stop().catch((stopErr) => {
+        logger.log('warn', `Failed to clean up SmartAcme after startup failure: ${(stopErr as Error).message}`);
+      });
+      this.smartAcmeRetryAttempt++;
+      if (this.smartAcmeRetryAttempt > 20) {
+        logger.log('error', `SmartAcme DNS-01 provider failed after 20 startup attempts: ${(err as Error).message}`);
+        return;
+      }
+
+      const baseDelayMs = 5000;
+      const maxDelayMs = 3_600_000;
+      const delayMs = Math.min(baseDelayMs * Math.pow(2, this.smartAcmeRetryAttempt - 1), maxDelayMs);
+      const jitter = 0.8 + Math.random() * 0.4;
+      const actualDelayMs = Math.floor(delayMs * jitter);
+      logger.log('warn', `SmartAcme DNS-01 provider startup failed: ${(err as Error).message}; retrying in ${actualDelayMs}ms (attempt ${this.smartAcmeRetryAttempt}/20)`);
+      this.scheduleSmartAcmeStart(generation, actualDelayMs);
+    } finally {
+      if (this.smartAcmeStartPromise === startPromise) {
+        this.smartAcmeStartPromise = undefined;
+      }
+    }
+  }
+
+  private retriggerCertificateProvisioningAfterSmartAcmeReady(): void {
+    // During startup, certProvisionFunction returns 'http01' while SmartAcme is not ready,
+    // but Rust ACME is disabled when certProvisionFunction is set. Re-applying routes
+    // retries provisioning now that DNS-01 is available.
+    if (this.routeConfigManager) {
+      logger.log('info', 'Re-triggering certificate provisioning via RouteConfigManager');
+      this.routeConfigManager.applyRoutes().catch((err: any) => {
+        logger.log('warn', `Failed to re-trigger cert provisioning: ${err?.message || err}`);
+      });
+      return;
+    }
+
+    if (this.smartProxy) {
+      if (this.certProvisionScheduler) {
+        this.certProvisionScheduler.clear();
+      }
+      const currentRoutes = this.smartProxy.routeManager.getRoutes();
+      logger.log('info', `Re-triggering certificate provisioning for ${currentRoutes.length} routes`);
+      this.smartProxy.updateRoutes(currentRoutes).catch((err: any) => {
+        logger.log('warn', `Failed to re-trigger cert provisioning: ${err?.message || err}`);
+      });
+    }
+  }
+
+  private clearSmartAcmeRetryTimer(): void {
+    if (this.smartAcmeRetryTimer) {
+      clearTimeout(this.smartAcmeRetryTimer);
+      this.smartAcmeRetryTimer = undefined;
+    }
+  }
+
+  private async stopSmartAcme(): Promise<void> {
+    this.smartAcmeStartGeneration++;
+    this.smartAcmeReady = false;
+    this.smartAcmeRetryAttempt = 0;
+    this.clearSmartAcmeRetryTimer();
+
+    const smartAcme = this.smartAcme;
+    if (!smartAcme) {
+      return;
+    }
+
+    try {
+      await smartAcme.stop();
+    } catch (err) {
+      logger.log('error', 'Error stopping SmartAcme', { error: String(err) });
+    } finally {
+      if (this.smartAcme === smartAcme) {
+        this.smartAcme = undefined;
+      }
+    }
+  }
+
  public async start() {
    await this.checkSystemLimits();
    logger.log('info', 'Starting DcRouter Services');
@@ -1095,17 +1199,13 @@ export class DcRouter {
      // Initialize cert provision scheduler
      this.certProvisionScheduler = new CertProvisionScheduler();

-      // If we have DNS challenge handlers, create SmartAcme instance and wire certProvisionFunction
-      // Note: SmartAcme.start() is NOT called here — it runs as a separate optional service
-      // via the ServiceManager, with aggressive retry for rate-limit resilience.
+      // If we have DNS challenge handlers, create SmartAcme instance and wire certProvisionFunction.
+      // SmartAcme starts in the background because ACME account setup can be slow or rate-limited,
+      // and must not block dcrouter's global startup timeout.
+      if (this.smartAcme) {
+        await this.stopSmartAcme();
+      }
      if (challengeHandlers.length > 0) {
-        // Stop old SmartAcme if it exists (e.g., during updateSmartProxyConfig)
-        if (this.smartAcme) {
-          this.smartAcmeReady = false;
-          await this.smartAcme.stop().catch(err =>
-            logger.log('error', 'Error stopping old SmartAcme', { error: String(err) })
-          );
-        }
        // Safe non-null: challengeHandlers.length > 0 implies both dnsManager
        // and acmeConfig exist (enforced above).
        this.smartAcme = new plugins.smartacme.SmartAcme({
@@ -1115,6 +1215,9 @@ export class DcRouter {
          challengeHandlers: challengeHandlers,
          challengePriority: ['dns-01'],
        });
+        if (this.smartAcmeServiceStarted) {
+          this.startSmartAcmeInBackground();
+        }

        const scheduler = this.certProvisionScheduler;
        smartProxyConfig.certProvisionFallbackToAcme = false;
@@ -1316,12 +1419,15 @@ export class DcRouter {
    }

    const firewallConfig = await this.securityPolicyManager.compileRemoteIngressFirewall();
-    if (this.remoteIngressManager) {
-      (this.remoteIngressManager as any).setFirewallConfig?.(firewallConfig);
-    }
-    if (this.tunnelManager) {
-      await this.tunnelManager.syncAllowedEdges();
-    }
+    await this.queueRemoteIngressHubTask(async () => {
+      if (this.remoteIngressHubStopping) return;
+      if (this.remoteIngressManager) {
+        this.remoteIngressManager.setFirewallConfig(firewallConfig);
+      }
+      if (this.tunnelManager) {
+        await this.tunnelManager.syncAllowedEdges();
+      }
+    });
  }

  private mergeSecurityPolicies(
@@ -1875,16 +1981,21 @@ export class DcRouter {
    logger.log('info', `Setting up DNS server with primary nameserver: ${primaryNameserver}`);
    
    // Get VM IP address for UDP binding
-    const networkInterfaces = plugins.os.networkInterfaces();
-    let vmIpAddress = '0.0.0.0'; // Default to all interfaces
-    
-    // Try to find the VM's internal IP address
-    for (const [_name, interfaces] of Object.entries(networkInterfaces)) {
-      if (interfaces) {
-        for (const iface of interfaces) {
-          if (!iface.internal && iface.family === 'IPv4') {
-            vmIpAddress = iface.address;
-            break;
+    const networkInterfaces = plugins.os.networkInterfaces() as Record<
+      string,
+      Array<{ internal: boolean; family: string; address: string }> | undefined
+    >;
+    let vmIpAddress = this.options.dnsBindInterface || '0.0.0.0'; // Default to all interfaces
+
+    // Try to find the VM's internal IP address when no explicit bind address is configured.
+    if (!this.options.dnsBindInterface) {
+      interfaceLoop: for (const [_name, interfaces] of Object.entries(networkInterfaces)) {
+        if (interfaces) {
+          for (const iface of interfaces) {
+            if (!iface.internal && iface.family === 'IPv4') {
+              vmIpAddress = iface.address;
+              break interfaceLoop;
+            }
          }
        }
      }
@@ -2332,28 +2443,180 @@ export class DcRouter {
    }

    logger.log('info', 'Setting up Remote Ingress hub...');
+    this.remoteIngressHubStopping = false;
+    const generation = ++this.remoteIngressHubGeneration;

    // Initialize the edge registration manager
-    this.remoteIngressManager = new RemoteIngressManager();
-    await this.remoteIngressManager.initialize();
-    this.remoteIngressManager.setFirewallConfig(
-      await this.securityPolicyManager?.compileRemoteIngressFirewall(),
-    );
+    const remoteIngressManager = new RemoteIngressManager(this.options.remoteIngressConfig.performance);
+    this.remoteIngressManager = remoteIngressManager;
+    await remoteIngressManager.initialize();
+    if (!this.isRemoteIngressHubGenerationCurrent(generation, remoteIngressManager)) {
+      return;
+    }
+
+    const firewallConfig = await this.securityPolicyManager?.compileRemoteIngressFirewall();
+    if (!this.isRemoteIngressHubGenerationCurrent(generation, remoteIngressManager)) {
+      return;
+    }
+    remoteIngressManager.setFirewallConfig(firewallConfig);

    // Pass current bootstrap routes so the manager can derive edge ports initially.
    // Once RouteConfigManager applies the full DB set, the onRoutesApplied callback
    // will push the complete merged routes here.
    const bootstrapRoutes = [...this.seedConfigRoutes, ...this.seedEmailRoutes, ...this.runtimeDnsRoutes];
-    this.remoteIngressManager.setRoutes(bootstrapRoutes as any[]);
+    remoteIngressManager.setRoutes(bootstrapRoutes as any[]);

    // If ConfigManagers finished before us, re-apply routes
    // so the callback delivers the full DB set to our newly-created remoteIngressManager.
    if (this.routeConfigManager) {
      await this.routeConfigManager.applyRoutes();
    }
+    if (!this.isRemoteIngressHubGenerationCurrent(generation, remoteIngressManager)) {
+      return;
+    }

-    // Resolve TLS certs for tunnel: explicit paths > ACME for hubDomain > self-signed (Rust default)
+    await this.queueRemoteIngressHubTask(async () => {
+      await this.startRemoteIngressTunnelHubLocked(generation);
+    });
+    if (!this.isRemoteIngressHubGenerationCurrent(generation, remoteIngressManager)) {
+      return;
+    }
+
+    const edgeCount = remoteIngressManager.getAllEdges().length;
+    logger.log('info', `Remote Ingress hub started on port ${this.options.remoteIngressConfig.tunnelPort || 8443} with ${edgeCount} registered edge(s)`);
+  }
+
+  private isRemoteIngressHubGenerationCurrent(generation: number, manager: RemoteIngressManager): boolean {
+    return !this.remoteIngressHubStopping
+      && generation === this.remoteIngressHubGeneration
+      && this.remoteIngressManager === manager;
+  }
+
+  private queueRemoteIngressHubTask<T>(task: () => Promise<T>): Promise<T> {
+    const run = this.remoteIngressHubLifecycleChain.then(task);
+    this.remoteIngressHubLifecycleChain = run.then(() => undefined, () => undefined);
+    return run;
+  }
+
+  private async stopRemoteIngress(): Promise<void> {
+    this.remoteIngressHubStopping = true;
+    this.remoteIngressHubGeneration++;
+    await this.queueRemoteIngressHubTask(async () => {
+      const currentTunnelManager = this.tunnelManager;
+      this.tunnelManager = undefined;
+      if (currentTunnelManager) {
+        await currentTunnelManager.stop();
+      }
+    });
+    this.remoteIngressManager = undefined;
+  }
+
+  public async mutateRemoteIngressEdges<T>(
+    mutation: (manager: RemoteIngressManager) => Promise<T>,
+    syncAllowedEdges = true,
+  ): Promise<T> {
+    return await this.queueRemoteIngressHubTask(async () => {
+      if (this.remoteIngressHubStopping) {
+        throw new Error('RemoteIngress is stopping');
+      }
+      const manager = this.remoteIngressManager;
+      if (!manager) {
+        throw new Error('RemoteIngress not configured');
+      }
+      const result = await mutation(manager);
+      if (syncAllowedEdges && this.tunnelManager) {
+        await this.tunnelManager.syncAllowedEdges();
+      }
+      return result;
+    });
+  }
+
+  private async updateRemoteIngressRoutes(routes: IDcRouterRouteConfig[]): Promise<void> {
+    await this.queueRemoteIngressHubTask(async () => {
+      if (this.remoteIngressHubStopping) return;
+      if (this.remoteIngressManager) {
+        this.remoteIngressManager.setRoutes(routes);
+      }
+      if (this.tunnelManager) {
+        await this.tunnelManager.syncAllowedEdges();
+      }
+    });
+  }
+
+  public async updateRemoteIngressHubSettings(
+    updates: { performance?: IRemoteIngressPerformanceConfig },
+    updatedBy: string,
+  ): Promise<IRemoteIngressHubSettings> {
+    return await this.queueRemoteIngressHubTask(async () => {
+      if (this.remoteIngressHubStopping) {
+        throw new Error('RemoteIngress is stopping');
+      }
+      if (!this.remoteIngressManager) {
+        throw new Error('RemoteIngress is not configured');
+      }
+
+      const settings = await this.remoteIngressManager.updateHubSettings(updates, updatedBy);
+      if (this.options.remoteIngressConfig?.enabled) {
+        await this.restartRemoteIngressTunnelHubLocked();
+      }
+      return settings;
+    });
+  }
+
+  private async restartRemoteIngressTunnelHubLocked(): Promise<void> {
+    const generation = ++this.remoteIngressHubGeneration;
+    if (!this.remoteIngressManager || !this.options.remoteIngressConfig?.enabled || this.remoteIngressHubStopping) {
+      return;
+    }
+
+    const currentTunnelManager = this.tunnelManager;
+    this.tunnelManager = undefined;
+    if (currentTunnelManager) {
+      await currentTunnelManager.stop();
+    }
+
+    if (this.remoteIngressHubStopping || generation !== this.remoteIngressHubGeneration) {
+      return;
+    }
+    await this.startRemoteIngressTunnelHubLocked(generation);
+  }
+
+  private async startRemoteIngressTunnelHubLocked(generation: number): Promise<void> {
    const riCfg = this.options.remoteIngressConfig;
+    const manager = this.remoteIngressManager;
+    if (!riCfg?.enabled || !manager || this.remoteIngressHubStopping || generation !== this.remoteIngressHubGeneration) {
+      return;
+    }
+
+    const tlsConfig = await this.resolveRemoteIngressTlsConfig(riCfg);
+    if (this.remoteIngressHubStopping || generation !== this.remoteIngressHubGeneration || this.remoteIngressManager !== manager) {
+      return;
+    }
+
+    const tunnelManager = new TunnelManager(manager, {
+      tunnelPort: riCfg.tunnelPort ?? 8443,
+      targetHost: '127.0.0.1',
+      tls: tlsConfig,
+      performance: manager.getHubPerformanceConfig(),
+    });
+    try {
+      await tunnelManager.start();
+    } catch (err) {
+      await tunnelManager.stop().catch(() => {});
+      throw err;
+    }
+
+    if (this.remoteIngressHubStopping || generation !== this.remoteIngressHubGeneration || this.remoteIngressManager !== manager) {
+      await tunnelManager.stop();
+      return;
+    }
+    this.tunnelManager = tunnelManager;
+  }
+
+  private async resolveRemoteIngressTlsConfig(
+    riCfg: NonNullable<IDcRouterOptions['remoteIngressConfig']>,
+  ): Promise<{ certPem: string; keyPem: string } | undefined> {
+    // Resolve TLS certs for tunnel: explicit paths > ACME for hubDomain > self-signed (Rust default)
    let tlsConfig: { certPem: string; keyPem: string } | undefined;

    // Priority 1: Explicit cert/key file paths
@@ -2383,17 +2646,7 @@ export class DcRouter {
      logger.log('info', 'No TLS cert configured for RemoteIngress tunnel — using auto-generated self-signed');
    }

-    // Create and start the tunnel manager
-    this.tunnelManager = new TunnelManager(this.remoteIngressManager, {
-      tunnelPort: riCfg.tunnelPort ?? 8443,
-      targetHost: '127.0.0.1',
-      tls: tlsConfig,
-      performance: riCfg.performance,
-    });
-    await this.tunnelManager.start();
-
-    const edgeCount = this.remoteIngressManager.getAllEdges().length;
-    logger.log('info', `Remote Ingress hub started on port ${this.options.remoteIngressConfig.tunnelPort || 8443} with ${edgeCount} registered edge(s)`);
+    return tlsConfig;
  }

  /**
@@ -68,11 +68,38 @@ export class DbSeeder {
 }

 const DEFAULT_PROFILES: Array<NonNullable<ISeedData['profiles']>[number]> = [
+  {
+    name: 'TRUSTED NETWORKS',
+    description: 'Trusted office, VPN, localhost, and private-network sources with high connection allowance',
+    security: {
+      ipAllowList: ['10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', '127.0.0.1', '::1'],
+      maxConnections: 5000,
+    },
+  },
+  {
+    name: 'AI CRAWLERS',
+    description: 'Add verified crawler CIDRs before assigning this profile in a source policy',
+    security: {
+      ipAllowList: [],
+      rateLimit: {
+        enabled: true,
+        maxRequests: 30,
+        window: 60,
+        keyBy: 'ip',
+      },
+    },
+  },
  {
    name: 'PUBLIC',
-    description: 'Allow all traffic — no IP restrictions',
+    description: 'Public fallback source profile with per-IP request limiting',
    security: {
      ipAllowList: ['*'],
+      rateLimit: {
+        enabled: true,
+        maxRequests: 120,
+        window: 60,
+        keyBy: 'ip',
+      },
    },
  },
  {
@@ -7,6 +7,7 @@ import type {
  IRouteMetadata,
  IRoute,
  IRouteSecurity,
+  IRouteSourcePolicy,
 } from '../../ts_interfaces/data/route-management.js';

 const MAX_INHERITANCE_DEPTH = 5;
@@ -107,7 +108,7 @@ export class ReferenceResolver {

    // If force-deleting with referencing routes, clear refs but keep resolved values
    if (affectedIds.length > 0) {
-      await this.clearProfileRefsOnRoutes(affectedIds);
+      await this.clearProfileRefsOnRoutes(id, affectedIds, storedRoutes);
      logger.log('warn', `Force-deleted profile '${profile.name}'; cleared refs on ${affectedIds.length} route(s)`);
    } else {
      logger.log('info', `Deleted source profile '${profile.name}' (${id})`);
@@ -131,15 +132,22 @@ export class ReferenceResolver {
    return [...this.profiles.values()];
  }

+  public resolveSourceProfileSecurity(profileId: string): IRouteSecurity | null {
+    const resolvedSecurity = this.resolveSourceProfile(profileId);
+    return resolvedSecurity ? this.cloneSecurityFields(resolvedSecurity) : null;
+  }
+
  public getProfileUsage(storedRoutes: Map<string, IRoute>): Map<string, Array<{ id: string; routeName: string }>> {
    const usage = new Map<string, Array<{ id: string; routeName: string }>>();
    for (const profile of this.profiles.values()) {
      usage.set(profile.id, []);
    }
    for (const [routeId, stored] of storedRoutes) {
-      const ref = stored.metadata?.sourceProfileRef;
-      if (ref && usage.has(ref)) {
-        usage.get(ref)!.push({ id: routeId, routeName: stored.route.name || routeId });
+      const refs = this.getSourceProfileRefsFromMetadata(stored.metadata);
+      for (const ref of refs) {
+        if (usage.has(ref)) {
+          usage.get(ref)!.push({ id: routeId, routeName: stored.route.name || routeId });
+        }
      }
    }
    return usage;
@@ -151,7 +159,7 @@ export class ReferenceResolver {
  ): Array<{ id: string; routeName: string }> {
    const routes: Array<{ id: string; routeName: string }> = [];
    for (const [routeId, stored] of storedRoutes) {
-      if (stored.metadata?.sourceProfileRef === profileId) {
+      if (this.metadataUsesSourceProfile(stored.metadata, profileId)) {
        routes.push({ id: routeId, routeName: stored.route.name || routeId });
      }
    }
@@ -281,6 +289,7 @@ export class ReferenceResolver {
  /**
   * Resolve references for a single route.
   * Materializes source profile and/or network target into the route's fields.
+   * When a source profile is selected, it owns the route security fully.
   * Returns the resolved route and updated metadata.
   */
  public resolveRoute(
@@ -289,14 +298,21 @@ export class ReferenceResolver {
  ): { route: plugins.smartproxy.IRouteConfig; metadata: IRouteMetadata } {
    const resolvedMetadata: IRouteMetadata = { ...metadata };

-    if (resolvedMetadata.sourceProfileRef) {
+    if (resolvedMetadata.sourcePolicy?.bindings.length) {
+      const resolvedSourcePolicy = this.resolveRouteSourcePolicy(resolvedMetadata.sourcePolicy);
+      if (resolvedSourcePolicy) {
+        resolvedMetadata.sourcePolicy = resolvedSourcePolicy;
+        resolvedMetadata.sourceProfileRef = undefined;
+        resolvedMetadata.sourceProfileName = undefined;
+        resolvedMetadata.lastResolvedAt = Date.now();
+      }
+    } else if (resolvedMetadata.sourceProfileRef) {
      const resolvedSecurity = this.resolveSourceProfile(resolvedMetadata.sourceProfileRef);
      if (resolvedSecurity) {
        const profile = this.profiles.get(resolvedMetadata.sourceProfileRef);
-        // Merge: profile provides base, route's inline values override
        route = {
          ...route,
-          security: this.mergeSecurityFields(resolvedSecurity, route.security),
+          security: this.cloneSecurityFields(resolvedSecurity),
        };
        resolvedMetadata.sourceProfileName = profile?.name;
        resolvedMetadata.lastResolvedAt = Date.now();
@@ -336,7 +352,7 @@ export class ReferenceResolver {
  public async findRoutesByProfileRef(profileId: string): Promise<string[]> {
    const docs = await RouteDoc.findAll();
    return docs
-      .filter((doc) => doc.metadata?.sourceProfileRef === profileId)
+      .filter((doc) => this.metadataUsesSourceProfile(doc.metadata, profileId))
      .map((doc) => doc.id);
  }

@@ -350,7 +366,7 @@ export class ReferenceResolver {
  public findRoutesByProfileRefSync(profileId: string, storedRoutes: Map<string, IRoute>): string[] {
    const ids: string[] = [];
    for (const [routeId, stored] of storedRoutes) {
-      if (stored.metadata?.sourceProfileRef === profileId) {
+      if (this.metadataUsesSourceProfile(stored.metadata, profileId)) {
        ids.push(routeId);
      }
    }
@@ -371,6 +387,41 @@ export class ReferenceResolver {
  // Private: source profile resolution with inheritance
  // =========================================================================

+  private resolveRouteSourcePolicy(sourcePolicy: IRouteSourcePolicy): IRouteSourcePolicy | undefined {
+    const bindings = sourcePolicy.bindings
+      .map((binding) => {
+        const profile = this.profiles.get(binding.sourceProfileRef);
+        if (!profile) {
+          logger.log('warn', `Source profile '${binding.sourceProfileRef}' not found during source policy resolution`);
+          return binding;
+        }
+        return {
+          ...binding,
+          sourceProfileName: profile.name,
+        };
+      })
+      .filter((binding) => binding.sourceProfileRef);
+
+    return bindings.length > 0 ? { bindings } : undefined;
+  }
+
+  private metadataUsesSourceProfile(metadata: IRouteMetadata | undefined, profileId: string): boolean {
+    return this.getSourceProfileRefsFromMetadata(metadata).includes(profileId);
+  }
+
+  private getSourceProfileRefsFromMetadata(metadata: IRouteMetadata | undefined): string[] {
+    const refs = new Set<string>();
+    if (metadata?.sourceProfileRef) {
+      refs.add(metadata.sourceProfileRef);
+    }
+    for (const binding of metadata?.sourcePolicy?.bindings || []) {
+      if (binding.sourceProfileRef) {
+        refs.add(binding.sourceProfileRef);
+      }
+    }
+    return [...refs];
+  }
+
  private resolveSourceProfile(
    profileId: string,
    visited: Set<string> = new Set(),
@@ -445,10 +496,15 @@ export class ReferenceResolver {
    if (override.authentication !== undefined) merged.authentication = override.authentication;
    if (override.basicAuth !== undefined) merged.basicAuth = override.basicAuth;
    if (override.jwtAuth !== undefined) merged.jwtAuth = override.jwtAuth;
+    if (override.vpn !== undefined) merged.vpn = override.vpn;

    return merged;
  }

+  private cloneSecurityFields(security: IRouteSecurity): IRouteSecurity {
+    return structuredClone(security);
+  }
+
  // =========================================================================
  // Private: persistence
  // =========================================================================
@@ -545,21 +601,50 @@ export class ReferenceResolver {
  // Private: ref cleanup on force-delete
  // =========================================================================

-  private async clearProfileRefsOnRoutes(routeIds: string[]): Promise<void> {
+  private async clearProfileRefsOnRoutes(
+    profileId: string,
+    routeIds: string[],
+    storedRoutes?: Map<string, IRoute>,
+  ): Promise<void> {
    for (const routeId of routeIds) {
      const doc = await RouteDoc.findById(routeId);
      if (doc?.metadata) {
-        doc.metadata = {
-          ...doc.metadata,
-          sourceProfileRef: undefined,
-          sourceProfileName: undefined,
-        };
+        doc.metadata = this.clearSourceProfileFromMetadata(doc.metadata, profileId);
        doc.updatedAt = Date.now();
        await doc.save();
      }
+
+      const storedRoute = storedRoutes?.get(routeId);
+      if (storedRoute?.metadata) {
+        storedRoute.metadata = this.clearSourceProfileFromMetadata(storedRoute.metadata, profileId);
+        storedRoute.updatedAt = Date.now();
+      }
    }
  }

+  private clearSourceProfileFromMetadata(metadata: IRouteMetadata, profileId: string): IRouteMetadata {
+    const sourcePolicy = metadata.sourcePolicy?.bindings?.length
+      ? {
+          bindings: metadata.sourcePolicy.bindings.filter(
+            (binding) => binding.sourceProfileRef !== profileId,
+          ),
+        }
+      : undefined;
+
+    const nextMetadata: IRouteMetadata = {
+      ...metadata,
+      sourceProfileRef: metadata.sourceProfileRef === profileId ? undefined : metadata.sourceProfileRef,
+      sourceProfileName: metadata.sourceProfileRef === profileId ? undefined : metadata.sourceProfileName,
+      sourcePolicy: sourcePolicy?.bindings.length ? sourcePolicy : undefined,
+    };
+
+    if (!nextMetadata.sourceProfileRef && !nextMetadata.sourcePolicy && !nextMetadata.networkTargetRef) {
+      nextMetadata.lastResolvedAt = undefined;
+    }
+
+    return nextMetadata;
+  }
+
  private async clearTargetRefsOnRoutes(routeIds: string[]): Promise<void> {
    for (const routeId of routeIds) {
      const doc = await RouteDoc.findById(routeId);
@@ -1,15 +1,20 @@
 import * as plugins from '../plugins.js';
 import { logger } from '../logger.js';
 import { RouteDoc } from '../db/index.js';
+import { routePathClasses } from '../../ts_interfaces/data/route-management.js';
 import type {
  IRoute,
  IMergedRoute,
  IRouteWarning,
  IRouteMetadata,
+  IRoutePathPolicyBinding,
+  IRouteSourcePolicy,
+  IRouteSecurity,
 } from '../../ts_interfaces/data/route-management.js';
 import type { IDcRouterRouteConfig } from '../../ts_interfaces/data/remoteingress.js';
 import { type IHttp3Config, augmentRouteWithHttp3 } from '../http3/index.js';
 import type { ReferenceResolver } from './classes.reference-resolver.js';
+import { SourcePolicyCompiler } from './classes.source-policy-compiler.js';

 export type TVpnClientAllowEntry = string | { clientId: string; domains: string[] };

@@ -131,6 +136,10 @@ export class RouteConfigManager {
  ): Promise<string> {
    const id = plugins.uuid.v4();
    const now = Date.now();
+    const sourcePolicyPayloadError = SourcePolicyCompiler.validateSourcePolicyPayload(metadata?.sourcePolicy);
+    if (sourcePolicyPayloadError) {
+      throw new Error(sourcePolicyPayloadError);
+    }

    // Ensure route has a name
    if (!route.name) {
@@ -144,6 +153,10 @@ export class RouteConfigManager {
      route = resolved.route;
      resolvedMetadata = this.normalizeRouteMetadata(resolved.metadata);
    }
+    const sourcePolicyValidationError = this.validateSourcePolicy(resolvedMetadata?.sourcePolicy, route);
+    if (sourcePolicyValidationError) {
+      throw new Error(sourcePolicyValidationError);
+    }

    const stored: IRoute = {
      id,
@@ -174,6 +187,15 @@ export class RouteConfigManager {
    if (!stored) {
      return { success: false, message: 'Route not found' };
    }
+    const sourcePolicyPayloadError = SourcePolicyCompiler.validateSourcePolicyPayload(patch.metadata?.sourcePolicy);
+    if (sourcePolicyPayloadError) {
+      return { success: false, message: sourcePolicyPayloadError };
+    }
+
+    const previousSourceProfileRef = stored.metadata?.sourceProfileRef;
+    const previousRoute = structuredClone(stored.route);
+    const previousMetadata = structuredClone(stored.metadata);
+    const previousEnabled = stored.enabled;

    const isToggleOnlyPatch = patch.enabled !== undefined
      && patch.route === undefined
@@ -216,6 +238,13 @@ export class RouteConfigManager {
        ...stored.metadata,
        ...patch.metadata,
      });
+      if (
+        previousSourceProfileRef
+        && !stored.metadata?.sourceProfileRef
+        && !patch.route?.security
+      ) {
+        delete stored.route.security;
+      }
    }

    // Re-resolve if metadata refs exist and resolver is available
@@ -225,6 +254,14 @@ export class RouteConfigManager {
      stored.metadata = this.normalizeRouteMetadata(resolved.metadata);
    }

+    const sourcePolicyValidationError = this.validateSourcePolicy(stored.metadata?.sourcePolicy, stored.route);
+    if (sourcePolicyValidationError) {
+      stored.route = previousRoute;
+      stored.metadata = previousMetadata;
+      stored.enabled = previousEnabled;
+      return { success: false, message: sourcePolicyValidationError };
+    }
+
    stored.updatedAt = Date.now();

    await this.persistRoute(stored);
@@ -445,6 +482,7 @@ export class RouteConfigManager {

    const normalized: IRouteMetadata = {
      sourceProfileRef: normalizeString(metadata.sourceProfileRef),
+      sourcePolicy: this.normalizeSourcePolicy(metadata.sourcePolicy),
      networkTargetRef: normalizeString(metadata.networkTargetRef),
      sourceProfileName: normalizeString(metadata.sourceProfileName),
      networkTargetName: normalizeString(metadata.networkTargetName),
@@ -473,7 +511,7 @@ export class RouteConfigManager {
    if (!normalized.networkTargetRef) {
      normalized.networkTargetName = undefined;
    }
-    if (!normalized.sourceProfileRef && !normalized.networkTargetRef) {
+    if (!normalized.sourceProfileRef && !normalized.sourcePolicy && !normalized.networkTargetRef) {
      normalized.lastResolvedAt = undefined;
    }
    if (normalized.ownerType !== 'gatewayClient' && normalized.ownerType !== 'workhoster') {
@@ -498,6 +536,128 @@ export class RouteConfigManager {
    return normalized;
  }

+  private normalizeSourcePolicy(sourcePolicy?: Partial<IRouteSourcePolicy>): IRouteSourcePolicy | undefined {
+    const bindings = sourcePolicy?.bindings;
+    if (!Array.isArray(bindings)) {
+      return undefined;
+    }
+
+    const normalizedBindings: IRouteSourcePolicy['bindings'] = [];
+    for (const binding of bindings) {
+      const sourceProfileRef = typeof binding.sourceProfileRef === 'string'
+        ? binding.sourceProfileRef.trim()
+        : '';
+      if (!sourceProfileRef) {
+        continue;
+      }
+      const normalizedRateLimit = this.normalizeRateLimit(binding.rateLimit);
+      const normalizedPathPolicies = this.normalizePathPolicies(binding.pathPolicies);
+
+      normalizedBindings.push({
+        ...(typeof binding.id === 'string' && binding.id.trim() ? { id: binding.id.trim() } : {}),
+        sourceProfileRef,
+        ...(typeof binding.sourceProfileName === 'string' && binding.sourceProfileName.trim()
+          ? { sourceProfileName: binding.sourceProfileName.trim() }
+          : {}),
+        ...(normalizedRateLimit ? { rateLimit: normalizedRateLimit } : {}),
+        ...(typeof binding.maxConnections === 'number' && Number.isFinite(binding.maxConnections) && binding.maxConnections >= 0
+          ? { maxConnections: binding.maxConnections }
+          : {}),
+        ...(binding.onExceeded?.type === '429'
+          ? {
+              onExceeded: {
+                type: '429' as const,
+                ...(typeof binding.onExceeded.errorMessage === 'string' && binding.onExceeded.errorMessage.trim()
+                  ? { errorMessage: binding.onExceeded.errorMessage.trim() }
+                  : {}),
+              },
+            }
+          : {}),
+        ...(normalizedPathPolicies ? { pathPolicies: normalizedPathPolicies } : {}),
+      });
+    }
+
+    return normalizedBindings.length > 0 ? { bindings: normalizedBindings } : undefined;
+  }
+
+  private normalizePathPolicies(
+    pathPolicies?: IRoutePathPolicyBinding[],
+  ): IRoutePathPolicyBinding[] | undefined {
+    if (!Array.isArray(pathPolicies)) {
+      return undefined;
+    }
+
+    const validClasses = new Set<string>(routePathClasses);
+    const normalizedPathPolicies: IRoutePathPolicyBinding[] = [];
+    for (const pathPolicy of pathPolicies) {
+      if (!validClasses.has(pathPolicy.pathClass)) {
+        continue;
+      }
+
+      const normalizedRateLimit = this.normalizeRateLimit(pathPolicy.rateLimit);
+      const pathPatterns = Array.isArray(pathPolicy.pathPatterns)
+        ? [...new Set(pathPolicy.pathPatterns
+            .map((pattern) => typeof pattern === 'string' ? pattern.trim() : '')
+            .filter(Boolean))]
+        : undefined;
+
+      normalizedPathPolicies.push({
+        ...(typeof pathPolicy.id === 'string' && pathPolicy.id.trim() ? { id: pathPolicy.id.trim() } : {}),
+        pathClass: pathPolicy.pathClass,
+        ...(pathPatterns?.length ? { pathPatterns } : {}),
+        ...(normalizedRateLimit ? { rateLimit: normalizedRateLimit } : {}),
+        ...(typeof pathPolicy.maxConnections === 'number' && Number.isFinite(pathPolicy.maxConnections) && pathPolicy.maxConnections >= 0
+          ? { maxConnections: pathPolicy.maxConnections }
+          : {}),
+        ...(pathPolicy.onExceeded?.type === '429'
+          ? {
+              onExceeded: {
+                type: '429' as const,
+                ...(typeof pathPolicy.onExceeded.errorMessage === 'string' && pathPolicy.onExceeded.errorMessage.trim()
+                  ? { errorMessage: pathPolicy.onExceeded.errorMessage.trim() }
+                  : {}),
+              },
+            }
+          : {}),
+      });
+    }
+
+    return normalizedPathPolicies.length > 0 ? normalizedPathPolicies : undefined;
+  }
+
+  private validateSourcePolicy(
+    sourcePolicy: IRouteSourcePolicy | undefined,
+    route: IDcRouterRouteConfig,
+  ): string | undefined {
+    const shapeError = SourcePolicyCompiler.validateSourcePolicyShape(sourcePolicy, route);
+    if (shapeError) {
+      return shapeError;
+    }
+    return SourcePolicyCompiler.validateResolvedSourcePolicy(sourcePolicy, this.referenceResolver);
+  }
+
+  private normalizeRateLimit(rateLimit?: IRouteSecurity['rateLimit']): IRouteSecurity['rateLimit'] | undefined {
+    if (!rateLimit || typeof rateLimit !== 'object') {
+      return undefined;
+    }
+
+    const maxRequests = Number(rateLimit.maxRequests);
+    const window = Number(rateLimit.window);
+    if (!Number.isFinite(maxRequests) || maxRequests < 0 || !Number.isFinite(window) || window < 0) {
+      return undefined;
+    }
+
+    return {
+      enabled: rateLimit.enabled !== false,
+      maxRequests,
+      window,
+      keyBy: 'ip',
+      ...(typeof rateLimit.errorMessage === 'string' && rateLimit.errorMessage.trim()
+        ? { errorMessage: rateLimit.errorMessage.trim() }
+        : {}),
+    };
+  }
+
  // =========================================================================
  // Private: warnings
  // =========================================================================
@@ -560,10 +720,10 @@ export class RouteConfigManager {

      const enabledRoutes: plugins.smartproxy.IRouteConfig[] = [];

-      // Add all enabled routes with HTTP/3 and VPN augmentation
+      // Add all enabled routes with HTTP/3, VPN, and source-policy augmentation
      for (const route of this.routes.values()) {
        if (route.enabled) {
-          enabledRoutes.push(this.prepareStoredRouteForApply(route));
+          enabledRoutes.push(...this.prepareStoredRoutesForApply(route));
        }
      }

@@ -583,9 +743,15 @@ export class RouteConfigManager {
    });
  }

-  private prepareStoredRouteForApply(storedRoute: IRoute): plugins.smartproxy.IRouteConfig {
+  private prepareStoredRoutesForApply(storedRoute: IRoute): plugins.smartproxy.IRouteConfig[] {
    const hydratedRoute = this.hydrateStoredRoute?.(storedRoute);
-    return this.prepareRouteForApply(hydratedRoute || storedRoute.route, storedRoute.id);
+    const sourcePolicyRoutes = SourcePolicyCompiler.compileRoute(
+      hydratedRoute || storedRoute.route,
+      storedRoute.metadata,
+      this.referenceResolver,
+      storedRoute.id,
+    );
+    return sourcePolicyRoutes.map((route) => this.prepareRouteForApply(route, storedRoute.id));
  }

  private prepareRouteForApply(
@@ -0,0 +1,614 @@
+import * as plugins from '../plugins.js';
+import {
+  giteaRoutePathClassLabels,
+  giteaRoutePathClassPatterns,
+  routePathClasses,
+} from '../../ts_interfaces/data/route-management.js';
+import type {
+  IRoutePathPolicyBinding,
+  IRouteMetadata,
+  IRouteSecurity,
+  IRouteSourcePolicy,
+  IRouteSourcePolicyBinding,
+} from '../../ts_interfaces/data/route-management.js';
+import type { ReferenceResolver } from './classes.reference-resolver.js';
+
+const MIN_ROUTE_PRIORITY = 0;
+const MAX_ROUTE_PRIORITY = 10000;
+const SOURCE_PRIORITY_BAND = 0.0008;
+const PATH_PRIORITY_BAND = 0.0001;
+
+export const sourcePolicyLimits = {
+  maxBindings: 16,
+  maxPathPoliciesPerBinding: 12,
+  maxPathPatternsPerPolicy: 64,
+  maxPathPatternLength: 256,
+  maxPathPatternWildcards: 8,
+  maxSourceProfileRefLength: 256,
+  maxIdLength: 128,
+  maxExceededMessageLength: 512,
+  maxCompiledVariantsPerRoute: 512,
+} as const;
+
+export class SourcePolicyCompiler {
+  public static compileRoute(
+    route: plugins.smartproxy.IRouteConfig,
+    metadata: IRouteMetadata | undefined,
+    referenceResolver: ReferenceResolver | undefined,
+    routeId?: string,
+  ): plugins.smartproxy.IRouteConfig[] {
+    const bindings = metadata?.sourcePolicy?.bindings || [];
+    if (bindings.length === 0) {
+      return [route];
+    }
+    if (this.validateSourcePolicyShape(metadata?.sourcePolicy, route)) {
+      return [];
+    }
+    if (!referenceResolver) {
+      return [];
+    }
+    if (this.validateResolvedSourcePolicy(metadata?.sourcePolicy, referenceResolver)) {
+      return [];
+    }
+
+    const compiledRoutes: plugins.smartproxy.IRouteConfig[] = [];
+    const basePriority = route.priority ?? 0;
+
+    bindings.forEach((binding, index) => {
+      const profile = referenceResolver.getProfile(binding.sourceProfileRef);
+      const profileSecurity = referenceResolver.resolveSourceProfileSecurity(binding.sourceProfileRef);
+      if (!profile || !profileSecurity) {
+        return;
+      }
+
+      const sourceMatches = this.getSourceMatchEntries(profileSecurity);
+      if (sourceMatches.length === 0) {
+        return;
+      }
+      const sourcePriority = this.calculateSourcePriority(basePriority, index, bindings.length);
+      const sourceMatch = this.matchesAllSources(sourceMatches)
+        ? { ...route.match }
+        : { ...route.match, clientIp: sourceMatches };
+      const pathPolicies = binding.pathPolicies || [];
+
+      if (pathPolicies.length === 0) {
+        compiledRoutes.push(this.buildCompiledRoute({
+          route,
+          sourceMatch,
+          profileName: profile.name,
+          profileSecurity,
+          binding,
+          sourcePriority,
+          routeId,
+          sourceIndex: index,
+        }));
+        return;
+      }
+
+      let hasSourceFallback = false;
+      pathPolicies.forEach((pathPolicy, pathIndex) => {
+        const pathPatterns = this.getPathPatterns(pathPolicy);
+        if (pathPatterns.length === 0) {
+          hasSourceFallback = true;
+          compiledRoutes.push(this.buildCompiledRoute({
+            route,
+            sourceMatch,
+            profileName: profile.name,
+            profileSecurity,
+            binding,
+            pathPolicy,
+            sourcePriority,
+            routeId,
+            sourceIndex: index,
+            pathIndex,
+            pathPolicyCount: pathPolicies.length,
+          }));
+          return;
+        }
+
+        pathPatterns.forEach((pathPattern, pathPatternIndex) => {
+          compiledRoutes.push(this.buildCompiledRoute({
+            route,
+            sourceMatch,
+            profileName: profile.name,
+            profileSecurity,
+            binding,
+            pathPolicy,
+            pathPattern,
+            sourcePriority,
+            routeId,
+            sourceIndex: index,
+            pathIndex,
+            pathPolicyCount: pathPolicies.length,
+            pathPatternIndex,
+            pathPatternCount: pathPatterns.length,
+          }));
+        });
+      });
+
+      if (!hasSourceFallback) {
+        compiledRoutes.push(this.buildCompiledRoute({
+          route,
+          sourceMatch,
+          profileName: profile.name,
+          profileSecurity,
+          binding,
+          sourcePriority,
+          routeId,
+          sourceIndex: index,
+        }));
+      }
+    });
+
+    return compiledRoutes;
+  }
+
+  public static validateSourcePolicyPayload(sourcePolicy?: Partial<IRouteSourcePolicy>): string | undefined {
+    if (!sourcePolicy) {
+      return undefined;
+    }
+    if (!Array.isArray(sourcePolicy.bindings)) {
+      return 'Source policy bindings must be an array';
+    }
+    if (sourcePolicy.bindings.length === 0) {
+      return undefined;
+    }
+    if (sourcePolicy.bindings.length > sourcePolicyLimits.maxBindings) {
+      return `Source policy exceeds ${sourcePolicyLimits.maxBindings} bindings`;
+    }
+
+    const validClasses = new Set<string>(routePathClasses);
+    for (const binding of sourcePolicy.bindings) {
+      if (!binding || typeof binding !== 'object') {
+        return 'Source policy binding must be an object';
+      }
+      if (typeof binding.sourceProfileRef !== 'string') {
+        return 'Source policy binding requires a source profile';
+      }
+      if (binding.sourceProfileRef.length > sourcePolicyLimits.maxSourceProfileRefLength) {
+        return `Source policy source profile ref exceeds ${sourcePolicyLimits.maxSourceProfileRefLength} characters`;
+      }
+      if (binding.sourceProfileRef.trim().length === 0) {
+        return 'Source policy binding requires a source profile';
+      }
+      if (typeof binding.id === 'string' && binding.id.length > sourcePolicyLimits.maxIdLength) {
+        return `Source policy binding id exceeds ${sourcePolicyLimits.maxIdLength} characters`;
+      }
+      if (typeof binding.maxConnections === 'number' && binding.maxConnections < 0) {
+        return 'Source policy maxConnections must be non-negative';
+      }
+      const bindingRateLimitError = this.validateRateLimitPayload(binding.rateLimit);
+      if (bindingRateLimitError) {
+        return bindingRateLimitError;
+      }
+      const bindingMessage = binding.onExceeded?.errorMessage;
+      if (typeof bindingMessage === 'string' && bindingMessage.length > sourcePolicyLimits.maxExceededMessageLength) {
+        return `Source policy exceeded message exceeds ${sourcePolicyLimits.maxExceededMessageLength} characters`;
+      }
+
+      const pathPolicies = binding.pathPolicies;
+      if (pathPolicies === undefined) {
+        continue;
+      }
+      if (!Array.isArray(pathPolicies)) {
+        return 'Source policy path policies must be an array';
+      }
+      if (pathPolicies.length > sourcePolicyLimits.maxPathPoliciesPerBinding) {
+        return `Source policy binding exceeds ${sourcePolicyLimits.maxPathPoliciesPerBinding} path policies`;
+      }
+
+      for (const pathPolicy of pathPolicies) {
+        if (!pathPolicy || typeof pathPolicy !== 'object') {
+          return 'Source policy path policy must be an object';
+        }
+        if (!validClasses.has(pathPolicy.pathClass)) {
+          return 'Source policy path policy uses an unsupported path class';
+        }
+        if (typeof pathPolicy.id === 'string' && pathPolicy.id.length > sourcePolicyLimits.maxIdLength) {
+          return `Source policy path policy id exceeds ${sourcePolicyLimits.maxIdLength} characters`;
+        }
+        if (typeof pathPolicy.maxConnections === 'number' && pathPolicy.maxConnections < 0) {
+          return 'Source policy path policy maxConnections must be non-negative';
+        }
+        const pathRateLimitError = this.validateRateLimitPayload(pathPolicy.rateLimit);
+        if (pathRateLimitError) {
+          return pathRateLimitError;
+        }
+        const pathMessage = pathPolicy.onExceeded?.errorMessage;
+        if (typeof pathMessage === 'string' && pathMessage.length > sourcePolicyLimits.maxExceededMessageLength) {
+          return `Source policy exceeded message exceeds ${sourcePolicyLimits.maxExceededMessageLength} characters`;
+        }
+
+        const pathPatterns = pathPolicy.pathPatterns;
+        if (pathPatterns === undefined) {
+          continue;
+        }
+        if (!Array.isArray(pathPatterns)) {
+          return 'Source policy path patterns must be an array';
+        }
+        if (pathPatterns.length > sourcePolicyLimits.maxPathPatternsPerPolicy) {
+          return `Source policy path class exceeds ${sourcePolicyLimits.maxPathPatternsPerPolicy} path patterns`;
+        }
+        for (const pattern of pathPatterns) {
+          if (typeof pattern !== 'string') {
+            return 'Source policy path pattern must be a string';
+          }
+          if (pattern.length > sourcePolicyLimits.maxPathPatternLength) {
+            return `Source policy path pattern exceeds ${sourcePolicyLimits.maxPathPatternLength} characters`;
+          }
+          const wildcardCount = pattern.split('*').length - 1;
+          if (wildcardCount > sourcePolicyLimits.maxPathPatternWildcards) {
+            return `Source policy path pattern exceeds ${sourcePolicyLimits.maxPathPatternWildcards} wildcards`;
+          }
+        }
+      }
+    }
+
+    return undefined;
+  }
+
+  private static validateRateLimitPayload(rateLimit: IRouteSecurity['rateLimit'] | undefined): string | undefined {
+    if (!rateLimit || typeof rateLimit !== 'object') {
+      return undefined;
+    }
+    const rawRateLimit = rateLimit as unknown as Record<string, unknown>;
+    for (const key of ['maxRequests', 'window'] as const) {
+      const value = rawRateLimit[key];
+      if (typeof value === 'string' && value.length > 32) {
+        return `Source policy rate limit ${key} exceeds 32 characters`;
+      }
+    }
+    if (
+      typeof rateLimit.errorMessage === 'string'
+      && rateLimit.errorMessage.length > sourcePolicyLimits.maxExceededMessageLength
+    ) {
+      return `Source policy rate limit error message exceeds ${sourcePolicyLimits.maxExceededMessageLength} characters`;
+    }
+    return undefined;
+  }
+
+  public static validateSourcePolicyShape(
+    sourcePolicy?: IRouteSourcePolicy,
+    route?: plugins.smartproxy.IRouteConfig,
+  ): string | undefined {
+    const payloadError = this.validateSourcePolicyPayload(sourcePolicy);
+    if (payloadError) {
+      return payloadError;
+    }
+    const bindings = sourcePolicy?.bindings || [];
+    if (bindings.length === 0) {
+      return undefined;
+    }
+
+    let estimatedCompiledRoutes = 0;
+    for (const binding of bindings) {
+      const pathPolicies = binding.pathPolicies || [];
+
+      if (pathPolicies.length === 0) {
+        estimatedCompiledRoutes++;
+      } else {
+        let hasSourceFallback = false;
+        for (const pathPolicy of pathPolicies) {
+          const pathPatterns = this.getPathPatterns(pathPolicy);
+          if (pathPatterns.length > sourcePolicyLimits.maxPathPatternsPerPolicy) {
+            return `Source policy path class expands beyond ${sourcePolicyLimits.maxPathPatternsPerPolicy} path patterns`;
+          }
+          if (pathPatterns.length === 0) {
+            hasSourceFallback = true;
+            estimatedCompiledRoutes++;
+          } else {
+            estimatedCompiledRoutes += pathPatterns.length;
+          }
+        }
+        if (!hasSourceFallback) {
+          estimatedCompiledRoutes++;
+        }
+      }
+
+      if (estimatedCompiledRoutes > sourcePolicyLimits.maxCompiledVariantsPerRoute) {
+        return `Source policy exceeds ${sourcePolicyLimits.maxCompiledVariantsPerRoute} compiled route variants`;
+      }
+    }
+
+    const expandedPortCount = route ? this.getExpandedPortCount(route.match?.ports) : 1;
+    if (estimatedCompiledRoutes * expandedPortCount > sourcePolicyLimits.maxCompiledVariantsPerRoute) {
+      return `Source policy exceeds ${sourcePolicyLimits.maxCompiledVariantsPerRoute} compiled route-port variants`;
+    }
+
+    return undefined;
+  }
+
+  public static validateResolvedSourcePolicy(
+    sourcePolicy: IRouteSourcePolicy | undefined,
+    referenceResolver: ReferenceResolver | undefined,
+  ): string | undefined {
+    const bindings = sourcePolicy?.bindings || [];
+    if (bindings.length === 0) {
+      return undefined;
+    }
+    if (!referenceResolver) {
+      return 'Source policy requires source profile resolution';
+    }
+
+    for (let index = 0; index < bindings.length; index++) {
+      const binding = bindings[index];
+      const profile = referenceResolver.getProfile(binding.sourceProfileRef);
+      if (!profile) {
+        return `Source profile '${binding.sourceProfileRef}' not found`;
+      }
+      const profileSecurity = referenceResolver.resolveSourceProfileSecurity(binding.sourceProfileRef);
+      if (!profileSecurity) {
+        return `Source profile '${profile.name}' could not be resolved`;
+      }
+      const sourceMatches = this.getSourceMatchEntries(profileSecurity);
+      if (sourceMatches.length === 0) {
+        return `Source profile '${profile.name}' has no source matches`;
+      }
+      const matchesAllSources = this.matchesAllSources(sourceMatches);
+      if (matchesAllSources && index < bindings.length - 1) {
+        return 'Wildcard source profile bindings must be last in a source policy';
+      }
+      if (index === bindings.length - 1 && !matchesAllSources) {
+        return 'Source policy must end with an all-source fallback profile';
+      }
+    }
+
+    return undefined;
+  }
+
+  private static buildCompiledRoute(options: {
+    route: plugins.smartproxy.IRouteConfig;
+    sourceMatch: plugins.smartproxy.IRouteConfig['match'];
+    profileName: string;
+    profileSecurity: IRouteSecurity;
+    binding: IRouteSourcePolicyBinding;
+    pathPolicy?: IRoutePathPolicyBinding;
+    pathPattern?: string;
+    sourcePriority: number;
+    routeId?: string;
+    sourceIndex: number;
+    pathIndex?: number;
+    pathPolicyCount?: number;
+    pathPatternIndex?: number;
+    pathPatternCount?: number;
+  }): plugins.smartproxy.IRouteConfig {
+    const routeKey = options.route.id || options.routeId || options.route.name || 'route';
+    const bindingKey = options.binding.id || options.binding.sourceProfileRef || String(options.sourceIndex + 1);
+    const pathPolicyKey = options.pathPolicy
+      ? options.pathPolicy.id || options.pathPolicy.pathClass
+      : undefined;
+    const pathLabel = options.pathPolicy
+      ? giteaRoutePathClassLabels[options.pathPolicy.pathClass]
+      : undefined;
+    const pathPatternSuffix = options.pathPatternCount && options.pathPatternCount > 1
+      ? `:${(options.pathPatternIndex || 0) + 1}`
+      : '';
+    const pathPriority = options.pathPolicy
+      ? this.calculatePathPriorityOffset(
+          options.pathPattern,
+          options.pathIndex || 0,
+          options.pathPolicyCount || 1,
+          options.pathPatternIndex || 0,
+          options.pathPatternCount || 1,
+        )
+      : 0;
+
+    return {
+      ...options.route,
+      id: pathPolicyKey
+        ? `${routeKey}:source:${bindingKey}:path:${pathPolicyKey}${pathPatternSuffix}`
+        : `${routeKey}:source:${bindingKey}`,
+      name: pathLabel
+        ? `${options.route.name || routeKey}:source:${options.profileName}:path:${pathLabel}${pathPatternSuffix}`
+        : `${options.route.name || routeKey}:source:${options.profileName}`,
+      match: options.pathPattern
+        ? { ...options.sourceMatch, path: options.pathPattern }
+        : { ...options.sourceMatch },
+      priority: this.clampPriority(options.sourcePriority + pathPriority),
+      security: this.buildBindingSecurity(
+        options.route.security,
+        options.profileSecurity,
+        options.binding,
+        options.pathPolicy,
+      ),
+    };
+  }
+
+  private static getPathPatterns(pathPolicy: IRoutePathPolicyBinding): string[] {
+    const patterns: string[] = pathPolicy.pathPatterns?.length
+      ? pathPolicy.pathPatterns
+      : giteaRoutePathClassPatterns[pathPolicy.pathClass];
+    return [...new Set(patterns.map((pattern) => pattern.trim()).filter(Boolean))];
+  }
+
+  private static calculatePathPriorityOffset(
+    pathPattern: string | undefined,
+    pathIndex: number,
+    pathPolicyCount: number,
+    pathPatternIndex: number,
+    pathPatternCount: number,
+  ): number {
+    if (!pathPattern) {
+      return 0;
+    }
+    const pathPolicyOffset = ((pathPolicyCount - pathIndex) / (pathPolicyCount + 1))
+      * (PATH_PRIORITY_BAND * 0.9);
+    const pathPatternOffset = ((pathPatternCount - pathPatternIndex) / (pathPatternCount + 1))
+      * (PATH_PRIORITY_BAND * 0.1 / (pathPolicyCount + 1));
+    return pathPolicyOffset + pathPatternOffset;
+  }
+
+  private static calculateSourcePriority(
+    basePriority: number,
+    sourceIndex: number,
+    sourceCount: number,
+  ): number {
+    const safeBasePriority = this.clampPriority(
+      basePriority,
+      MIN_ROUTE_PRIORITY,
+      MAX_ROUTE_PRIORITY - SOURCE_PRIORITY_BAND - PATH_PRIORITY_BAND,
+    );
+    const sourceStep = SOURCE_PRIORITY_BAND / (sourceCount + 1);
+    return safeBasePriority + ((sourceCount - sourceIndex) * sourceStep);
+  }
+
+  private static clampPriority(
+    priority: number,
+    min = MIN_ROUTE_PRIORITY,
+    max = MAX_ROUTE_PRIORITY,
+  ): number {
+    if (!Number.isFinite(priority)) {
+      return min;
+    }
+    return Math.min(max, Math.max(min, priority));
+  }
+
+  private static getExpandedPortCount(portRange: plugins.smartproxy.IRouteConfig['match']['ports'] | undefined): number {
+    if (portRange === undefined) {
+      return 1;
+    }
+    if (typeof portRange === 'number') {
+      return Number.isFinite(portRange) ? 1 : sourcePolicyLimits.maxCompiledVariantsPerRoute + 1;
+    }
+    if (!Array.isArray(portRange)) {
+      return sourcePolicyLimits.maxCompiledVariantsPerRoute + 1;
+    }
+
+    let count = 0;
+    for (const portEntry of portRange) {
+      if (typeof portEntry === 'number') {
+        if (!Number.isFinite(portEntry)) {
+          return sourcePolicyLimits.maxCompiledVariantsPerRoute + 1;
+        }
+        count++;
+      } else if (
+        portEntry
+        && typeof portEntry === 'object'
+        && Number.isFinite(portEntry.from)
+        && Number.isFinite(portEntry.to)
+        && portEntry.from <= portEntry.to
+      ) {
+        count += Math.floor(portEntry.to) - Math.floor(portEntry.from) + 1;
+      } else {
+        return sourcePolicyLimits.maxCompiledVariantsPerRoute + 1;
+      }
+      if (count > sourcePolicyLimits.maxCompiledVariantsPerRoute) {
+        return count;
+      }
+    }
+
+    return Math.max(1, count);
+  }
+
+  private static normalizeMaxConnections(value: IRouteSecurity['maxConnections']): number | undefined {
+    return typeof value === 'number' && Number.isFinite(value) && value >= 0 ? value : undefined;
+  }
+
+  private static forceIpRateLimit(
+    rateLimit: IRouteSecurity['rateLimit'] | undefined,
+  ): IRouteSecurity['rateLimit'] | undefined {
+    if (!rateLimit) {
+      return undefined;
+    }
+    const { headerName: _headerName, ...rest } = structuredClone(rateLimit as Record<string, any>);
+    return {
+      ...rest,
+      keyBy: 'ip',
+    } as IRouteSecurity['rateLimit'];
+  }
+
+  private static sanitizeSourcePolicySecurity(security: IRouteSecurity): IRouteSecurity {
+    const sanitized = structuredClone(security);
+    const maxConnections = this.normalizeMaxConnections(sanitized.maxConnections);
+    if (maxConnections === undefined) {
+      delete sanitized.maxConnections;
+    } else {
+      sanitized.maxConnections = maxConnections;
+    }
+    if (sanitized.rateLimit) {
+      sanitized.rateLimit = this.forceIpRateLimit(sanitized.rateLimit);
+    }
+    return sanitized;
+  }
+
+  private static isEmptySecurity(security: IRouteSecurity): boolean {
+    return Object.keys(security).length === 0;
+  }
+
+  private static getSourceMatchEntries(security: IRouteSecurity): string[] {
+    const entries = security.ipAllowList || [];
+    const normalizedEntries: string[] = [];
+    for (const entry of entries) {
+      const rawEntry = typeof entry === 'string' ? entry : entry.ip;
+      if (typeof rawEntry !== 'string') continue;
+      const normalizedEntry = rawEntry.trim();
+      if (normalizedEntry) {
+        normalizedEntries.push(normalizedEntry);
+      }
+    }
+    return [...new Set(normalizedEntries)];
+  }
+
+  private static matchesAllSources(sourceMatches: string[]): boolean {
+    return sourceMatches.includes('*')
+      || (sourceMatches.includes('0.0.0.0/0') && sourceMatches.includes('::/0'));
+  }
+
+  private static buildBindingSecurity(
+    routeSecurity: IRouteSecurity | undefined,
+    profileSecurity: IRouteSecurity,
+    binding: IRouteSourcePolicyBinding,
+    pathPolicy?: IRoutePathPolicyBinding,
+  ): IRouteSecurity | undefined {
+    const baseSecurity = this.omitSourceMatchFields(routeSecurity || {});
+    const sourceSecurity = this.omitSourceMatchFields(profileSecurity);
+
+    if (binding.rateLimit !== undefined) {
+      sourceSecurity.rateLimit = this.forceIpRateLimit(binding.rateLimit);
+    }
+    if (binding.maxConnections !== undefined) {
+      const maxConnections = this.normalizeMaxConnections(binding.maxConnections);
+      if (maxConnections === undefined) {
+        delete sourceSecurity.maxConnections;
+      } else {
+        sourceSecurity.maxConnections = maxConnections;
+      }
+    }
+    if (binding.onExceeded?.errorMessage && sourceSecurity.rateLimit) {
+      sourceSecurity.rateLimit = {
+        ...sourceSecurity.rateLimit,
+        errorMessage: binding.onExceeded.errorMessage,
+      };
+    }
+
+    if (pathPolicy?.rateLimit !== undefined) {
+      sourceSecurity.rateLimit = this.forceIpRateLimit(pathPolicy.rateLimit);
+    }
+    if (pathPolicy?.maxConnections !== undefined) {
+      const maxConnections = this.normalizeMaxConnections(pathPolicy.maxConnections);
+      if (maxConnections === undefined) {
+        delete sourceSecurity.maxConnections;
+      } else {
+        sourceSecurity.maxConnections = maxConnections;
+      }
+    }
+    if (pathPolicy?.onExceeded?.errorMessage && sourceSecurity.rateLimit) {
+      sourceSecurity.rateLimit = {
+        ...sourceSecurity.rateLimit,
+        errorMessage: pathPolicy.onExceeded.errorMessage,
+      };
+    }
+
+    const mergedSecurity = this.sanitizeSourcePolicySecurity({
+      ...baseSecurity,
+      ...sourceSecurity,
+    });
+
+    return this.isEmptySecurity(mergedSecurity) ? undefined : mergedSecurity;
+  }
+
+  private static omitSourceMatchFields(security: IRouteSecurity): IRouteSecurity {
+    const { ipAllowList: _ipAllowList, ...controls } = security;
+    return this.sanitizeSourcePolicySecurity(controls);
+  }
+}
@@ -4,5 +4,6 @@ export { RouteConfigManager } from './classes.route-config-manager.js';
 export { ApiTokenManager } from './classes.api-token-manager.js';
 export { GatewayClientManager } from './classes.gateway-client-manager.js';
 export { ReferenceResolver } from './classes.reference-resolver.js';
+export { SourcePolicyCompiler } from './classes.source-policy-compiler.js';
 export { DbSeeder } from './classes.db-seeder.js';
 export { TargetProfileManager } from './classes.target-profile-manager.js';
@@ -1,5 +1,6 @@
 import * as plugins from '../../plugins.js';
 import { DcRouterDb } from '../classes.dcrouter-db.js';
+import type { IRemoteIngressPerformanceConfig } from '../../../ts_interfaces/data/remoteingress.js';

 const getDb = () => DcRouterDb.getInstance().getDb();

@@ -27,6 +28,9 @@ export class RemoteIngressEdgeDoc extends plugins.smartdata.SmartDataDbDoc<Remot
  @plugins.smartdata.svDb()
  public autoDerivePorts!: boolean;

+  @plugins.smartdata.svDb()
+  public performance?: IRemoteIngressPerformanceConfig;
+
  @plugins.smartdata.svDb()
  public tags!: string[];

@@ -0,0 +1,29 @@
+import * as plugins from '../../plugins.js';
+import { DcRouterDb } from '../classes.dcrouter-db.js';
+import type { IRemoteIngressPerformanceConfig } from '../../../ts_interfaces/data/remoteingress.js';
+
+const getDb = () => DcRouterDb.getInstance().getDb();
+
+@plugins.smartdata.Collection(() => getDb())
+export class RemoteIngressHubSettingsDoc extends plugins.smartdata.SmartDataDbDoc<RemoteIngressHubSettingsDoc, RemoteIngressHubSettingsDoc> {
+  @plugins.smartdata.unI()
+  @plugins.smartdata.svDb()
+  public settingsId: string = 'remote-ingress-hub-settings';
+
+  @plugins.smartdata.svDb()
+  public performance?: IRemoteIngressPerformanceConfig;
+
+  @plugins.smartdata.svDb()
+  public updatedAt: number = 0;
+
+  @plugins.smartdata.svDb()
+  public updatedBy: string = '';
+
+  constructor() {
+    super();
+  }
+
+  public static async load(): Promise<RemoteIngressHubSettingsDoc | null> {
+    return await RemoteIngressHubSettingsDoc.getInstance({ settingsId: 'remote-ingress-hub-settings' });
+  }
+}
@@ -24,6 +24,7 @@ export * from './classes.cert-backoff.doc.js';

 // Remote ingress document classes
 export * from './classes.remote-ingress-edge.doc.js';
+export * from './classes.remote-ingress-hub-settings.doc.js';

 // RADIUS document classes
 export * from './classes.vlan-mappings.doc.js';
@@ -209,9 +209,9 @@ export class DnsManager {
  private registerRecordWithDnsServer(rec: DnsRecordDoc): void {
    if (!this.dnsServer) return;
    this.dnsServer.registerHandler(rec.name, [rec.type], (question) => {
-      if (question.name === rec.name && question.type === rec.type) {
+      if (question.name.toLowerCase() === rec.name.toLowerCase() && question.type.toUpperCase() === rec.type) {
        return {
-          name: rec.name,
+          name: question.name,
          type: rec.type,
          class: 'IN',
          ttl: rec.ttl,
@@ -313,17 +313,23 @@ export class DnsManager {
  }

  /**
-   * Delete all DNS records matching a name and type under a domain.
-   * Used for ACME challenge cleanup (may have multiple TXT records at the same name).
+   * Delete DNS records matching a name and type under a domain.
+   * When value is provided, only that exact record is removed so parallel ACME
+   * challenges for the same host can coexist.
   */
  public async deleteRecordsByNameAndType(
    domainId: string,
    name: string,
    type: TDnsRecordType,
+    value?: string,
  ): Promise<void> {
    const records = await DnsRecordDoc.findByDomainId(domainId);
    for (const rec of records) {
-      if (rec.name.toLowerCase() === name.toLowerCase() && rec.type === type) {
+      if (
+        rec.name.toLowerCase() === name.toLowerCase()
+        && rec.type === type
+        && (value === undefined || rec.value === value)
+      ) {
        await this.deleteRecord(rec.id);
      }
    }
@@ -358,9 +364,15 @@ export class DnsManager {
              'Add the domain in Domains before issuing certificates.',
          );
        }
-        // Clean leftover challenge records first to avoid duplicates.
+        // Clean only the same challenge value. Exact + wildcard SAN orders can
+        // legitimately need multiple TXT records at the same name.
        try {
-          await self.deleteRecordsByNameAndType(domainDoc.id, dnsChallenge.hostName, 'TXT');
+          await self.deleteRecordsByNameAndType(
+            domainDoc.id,
+            dnsChallenge.hostName,
+            'TXT',
+            dnsChallenge.challenge,
+          );
        } catch (err: unknown) {
          logger.log('warn', `DnsManager: failed to clean existing TXT for ${dnsChallenge.hostName}: ${(err as Error).message}`);
        }
@@ -381,7 +393,12 @@ export class DnsManager {
          return;
        }
        try {
-          await self.deleteRecordsByNameAndType(domainDoc.id, dnsChallenge.hostName, 'TXT');
+          await self.deleteRecordsByNameAndType(
+            domainDoc.id,
+            dnsChallenge.hostName,
+            'TXT',
+            dnsChallenge.challenge,
+          );
        } catch (err: unknown) {
          logger.log('warn', `DnsManager: failed to remove TXT for ${dnsChallenge.hostName}: ${(err as Error).message}`);
        }
@@ -1,4 +1,4 @@
-import type * as plugins from '../plugins.js';
+import * as plugins from '../plugins.js';

 /**
 * Configuration for HTTP/3 (QUIC) route augmentation.
@@ -36,22 +36,6 @@ export interface IHttp3Config {
  };
 }

-type TPortRange = plugins.smartproxy.IRouteConfig['match']['ports'];
-
-/**
- * Check whether a TPortRange includes port 443.
- */
-function portRangeIncludes443(ports: TPortRange): boolean {
-  if (typeof ports === 'number') return ports === 443;
-  if (Array.isArray(ports)) {
-    return ports.some((p) => {
-      if (typeof p === 'number') return p === 443;
-      return p.from <= 443 && p.to >= 443;
-    });
-  }
-  return false;
-}
-
 /**
 * Check if a route name indicates an email route that should not get HTTP/3.
 */
@@ -85,7 +69,7 @@ export function routeQualifiesForHttp3(
  if (route.action.type !== 'forward') return false;

  // Must include port 443
-  if (!portRangeIncludes443(route.match.ports)) return false;
+  if (!plugins.smartproxy.portRangeIncludes(route.match.ports, 443)) return false;

  // Must have TLS
  if (!route.action.tls) return false;
@@ -1,3 +1,4 @@
+import { commitinfo } from './00_commitinfo_data.js';
 export * from './00_commitinfo_data.js';

 // Re-export smartmta (excluding commitinfo to avoid naming conflict)
@@ -18,6 +19,29 @@ export * from './remoteingress/index.js';
 export type { IHttp3Config } from './http3/index.js';

 export const runCli = async () => {
+  const args = process.argv.slice(2);
+
+  if (args.includes('--version') || args.includes('version')) {
+    console.log(commitinfo.version);
+    return;
+  }
+
+  if (args.includes('--help') || args.includes('-h') || args.includes('help')) {
+    console.log(`dcrouter ${commitinfo.version}
+
+Usage:
+  dcrouter
+  dcrouter --version
+  dcrouter --help
+
+Environment:
+  DCROUTER_MODE=OCI_CONTAINER   Start with OCI container configuration
+  DCROUTER_DNS_BIND_INTERFACE   Override the embedded DNS UDP bind address
+  DATA_DIR=<path>               Override the writable dcrouter data directory
+`);
+    return;
+  }
+
  let options: import('./classes.dcrouter.js').IDcRouterOptions = {};

  if (process.env.DCROUTER_MODE === 'OCI_CONTAINER') {
@@ -143,8 +143,9 @@ export class MetricsManager {
  public async getServerStats() {
    return this.metricsCache.get('serverStats', async () => {
      const smartMetricsData = await this.smartMetrics.getMetrics();
-      const proxyMetrics = this.dcRouter.smartProxy ? this.dcRouter.smartProxy.getMetrics() : null;
-      const proxyStats = this.dcRouter.smartProxy ? await this.dcRouter.smartProxy.getStatistics() : null;
+      const smartProxy = this.dcRouter.smartProxy;
+      const proxyMetrics = smartProxy ? smartProxy.getMetrics() : null;
+      const proxyStats = smartProxy ? await smartProxy.getStatistics() : null;
      const { heapUsed, heapTotal, external, rss } = process.memoryUsage();

      return {
@@ -291,27 +292,44 @@ export class MetricsManager {
    });
  }
  
+  public async getActiveConnectionSnapshots(
+    options: plugins.smartproxy.IActiveConnectionSnapshotOptions = {},
+  ): Promise<plugins.smartproxy.IActiveConnectionSnapshot[]> {
+    const cacheKey = `activeConnectionSnapshots:${options.limit ?? 1000}:${options.routeId ?? ''}`;
+    return await this.metricsCache.get<plugins.smartproxy.IActiveConnectionSnapshot[]>(cacheKey, async () => {
+      if (!this.dcRouter.smartProxy) {
+        return [];
+      }
+      return this.dcRouter.smartProxy.getActiveConnectionSnapshots(options);
+    }, 500);
+  }
+
  // Get connection info from SmartProxy
  public async getConnectionInfo() {
-    return this.metricsCache.get('connectionInfo', () => {
-      const proxyMetrics = this.dcRouter.smartProxy ? this.dcRouter.smartProxy.getMetrics() : null;
-      
-      if (!proxyMetrics) {
-        return [] as Array<{ type: string; count: number; source: string; lastActivity: Date }>;
+    return this.metricsCache.get('connectionInfo', async () => {
+      const snapshots = await this.getActiveConnectionSnapshots({ limit: 10000 });
+      const connectionsByRoute = new Map<string, { count: number; lastActivity: Date }>();
+
+      for (const snapshot of snapshots) {
+        const source = snapshot.routeId || snapshot.domain || `${snapshot.protocol || 'connection'}:${snapshot.localPort}`;
+        const existing = connectionsByRoute.get(source) || { count: 0, lastActivity: new Date(snapshot.startedAtMs) };
+        existing.count++;
+        if (snapshot.startedAtMs > existing.lastActivity.getTime()) {
+          existing.lastActivity = new Date(snapshot.startedAtMs);
+        }
+        connectionsByRoute.set(source, existing);
      }

-      const connectionsByRoute = proxyMetrics.connections.byRoute();
      const connectionInfo: Array<{ type: string; count: number; source: string; lastActivity: Date }> = [];
-      
-      for (const [routeName, count] of connectionsByRoute) {
+      for (const [source, info] of connectionsByRoute) {
        connectionInfo.push({
          type: 'https',
-          count,
-          source: routeName,
-          lastActivity: new Date(),
+          count: info.count,
+          source,
+          lastActivity: info.lastActivity,
        });
      }
-      
+
      return connectionInfo;
    });
  }
@@ -547,7 +565,8 @@ export class MetricsManager {
  public async getNetworkStats() {
    // Use shorter cache TTL for network stats to ensure real-time updates
    return this.metricsCache.get('networkStats', async () => {
-      const proxyMetrics = this.dcRouter.smartProxy ? this.dcRouter.smartProxy.getMetrics() : null;
+      const smartProxy = this.dcRouter.smartProxy;
+      const proxyMetrics = smartProxy ? smartProxy.getMetrics() : null;

      if (!proxyMetrics) {
        return {
@@ -568,8 +587,22 @@ export class MetricsManager {
        };
      }

-      // Get metrics using the new API
-      const connectionsByIP = proxyMetrics.connections.byIP();
+      const activeConnectionSnapshots = await this.getActiveConnectionSnapshots({ limit: 10000 });
+
+      const connectionsByIP = new Map<string, number>();
+      const connectionsByRoute = new Map<string, number>();
+      const activeConnectionsByDomain = new Map<string, number>();
+
+      for (const snapshot of activeConnectionSnapshots) {
+        connectionsByIP.set(snapshot.sourceIp, (connectionsByIP.get(snapshot.sourceIp) || 0) + 1);
+        if (snapshot.routeId) {
+          connectionsByRoute.set(snapshot.routeId, (connectionsByRoute.get(snapshot.routeId) || 0) + 1);
+        }
+        if (snapshot.domain) {
+          activeConnectionsByDomain.set(snapshot.domain, (activeConnectionsByDomain.get(snapshot.domain) || 0) + 1);
+        }
+      }
+
      const instantThroughput = proxyMetrics.throughput.instant();

      // Get throughput rate
@@ -578,8 +611,11 @@ export class MetricsManager {
        bytesOutPerSecond: instantThroughput.out
      };

-      // Get top IPs by connection count
-      const topIPs = proxyMetrics.connections.topIPs(10);
+      // Get top IPs by active connection count
+      const topIPs = Array.from(connectionsByIP.entries())
+        .sort((a, b) => b[1] - a[1])
+        .slice(0, 10)
+        .map(([ip, count]) => ({ ip, count }));

      // Get total data transferred
      const totalDataTransferred = {
@@ -738,7 +774,6 @@ export class MetricsManager {
      const topASNs = await this.buildTopASNs(observedIps, allIPData);

      // Build domain activity using per-IP domain request counts from Rust engine
-      const connectionsByRoute = proxyMetrics.connections.byRoute();
      const throughputByRoute = proxyMetrics.throughput.byRoute();

      // Aggregate per-IP domain request counts into per-domain totals
@@ -773,6 +808,9 @@ export class MetricsManager {
      for (const entry of protocolCache) {
        if (entry.domain) allKnownDomains.add(entry.domain);
      }
+      for (const snapshot of activeConnectionSnapshots) {
+        if (snapshot.domain) allKnownDomains.add(snapshot.domain);
+      }

      // Build reverse map: concrete domain → canonical route key(s)
      const domainToRoutes = new Map<string, string[]>();
@@ -844,7 +882,7 @@ export class MetricsManager {
        }

        domainAgg.set(domain, {
-          activeConnections: Math.round(totalConns),
+          activeConnections: activeConnectionsByDomain.get(domain) ?? Math.round(totalConns),
          bytesInPerSec: totalIn,
          bytesOutPerSec: totalOut,
          routeCount: routeKeys.length,
@@ -208,7 +208,7 @@ export class ConfigHandler {
      hubDomain: riCfg?.hubDomain || null,
      tlsMode,
      connectedEdgeIps,
-      performance: riCfg?.performance,
+      performance: dcRouter.remoteIngressManager?.getHubPerformanceConfig() || riCfg?.performance,
    };

    return {
@@ -52,29 +52,21 @@ export class RemoteIngressHandler {
            scope: 'remote-ingress:write',
            requireAdminIdentity: true,
          });
-          const manager = this.opsServerRef.dcRouterRef.remoteIngressManager;
-          const tunnelManager = this.opsServerRef.dcRouterRef.tunnelManager;
-
-          if (!manager) {
+          try {
+            const edge = await this.opsServerRef.dcRouterRef.mutateRemoteIngressEdges((manager) => manager.createEdge(
+              dataArg.name,
+              dataArg.listenPorts || [],
+              dataArg.tags,
+              dataArg.autoDerivePorts ?? true,
+              dataArg.performance,
+            ));
+            return { success: true, edge };
+          } catch (err: unknown) {
            return {
              success: false,
              edge: null as any,
            };
          }
-
-          const edge = await manager.createEdge(
-            dataArg.name,
-            dataArg.listenPorts || [],
-            dataArg.tags,
-            dataArg.autoDerivePorts ?? true,
-          );
-
-          // Sync allowed edges with the hub
-          if (tunnelManager) {
-            await tunnelManager.syncAllowedEdges();
-          }
-
-          return { success: true, edge };
        },
      ),
    );
@@ -88,21 +80,18 @@ export class RemoteIngressHandler {
            scope: 'remote-ingress:write',
            requireAdminIdentity: true,
          });
-          const manager = this.opsServerRef.dcRouterRef.remoteIngressManager;
-          const tunnelManager = this.opsServerRef.dcRouterRef.tunnelManager;
-
-          if (!manager) {
-            return { success: false, message: 'RemoteIngress not configured' };
-          }
-
-          const deleted = await manager.deleteEdge(dataArg.id);
-          if (deleted && tunnelManager) {
-            await tunnelManager.syncAllowedEdges();
-          }
+          const deleted = await this.opsServerRef.dcRouterRef.mutateRemoteIngressEdges(
+            (manager) => manager.deleteEdge(dataArg.id),
+          ).catch((err: unknown) => {
+            if ((err as Error).message.includes('RemoteIngress')) {
+              return false;
+            }
+            throw err;
+          });

          return {
            success: deleted,
-            message: deleted ? undefined : 'Edge not found',
+            message: deleted ? undefined : 'Edge not found or RemoteIngress not configured',
          };
        },
      ),
@@ -117,41 +106,42 @@ export class RemoteIngressHandler {
            scope: 'remote-ingress:write',
            requireAdminIdentity: true,
          });
-          const manager = this.opsServerRef.dcRouterRef.remoteIngressManager;
-          const tunnelManager = this.opsServerRef.dcRouterRef.tunnelManager;
+          const result = await this.opsServerRef.dcRouterRef.mutateRemoteIngressEdges(async (manager) => {
+            const edge = await manager.updateEdge(dataArg.id, {
+              name: dataArg.name,
+              listenPorts: dataArg.listenPorts,
+              autoDerivePorts: dataArg.autoDerivePorts,
+              enabled: dataArg.enabled,
+              performance: dataArg.performance,
+              tags: dataArg.tags,
+            });

-          if (!manager) {
-            return { success: false, edge: null as any };
-          }
+            if (!edge) {
+              return null;
+            }

-          const edge = await manager.updateEdge(dataArg.id, {
-            name: dataArg.name,
-            listenPorts: dataArg.listenPorts,
-            autoDerivePorts: dataArg.autoDerivePorts,
-            enabled: dataArg.enabled,
-            tags: dataArg.tags,
-          });
-
-          if (!edge) {
-            return { success: false, edge: null as any };
-          }
-
-          // Sync allowed edges — ports, tags, or enabled may have changed
-          if (tunnelManager) {
-            await tunnelManager.syncAllowedEdges();
-          }
-
-          const breakdown = manager.getPortBreakdown(edge);
-          return {
-            success: true,
-            edge: {
+            const breakdown = manager.getPortBreakdown(edge);
+            return {
              ...edge,
              secret: '********',
              effectiveListenPorts: manager.getEffectiveListenPorts(edge),
              effectiveListenPortsUdp: manager.getEffectiveListenPortsUdp(edge),
              manualPorts: breakdown.manual,
              derivedPorts: breakdown.derived,
-            },
+            };
+          }).catch((err: unknown) => {
+            if ((err as Error).message.includes('RemoteIngress')) {
+              return null;
+            }
+            throw err;
+          });
+
+          if (!result) {
+            return { success: false, edge: null as any };
+          }
+          return {
+            success: true,
+            edge: result,
          };
        },
      ),
@@ -166,23 +156,18 @@ export class RemoteIngressHandler {
            scope: 'remote-ingress:write',
            requireAdminIdentity: true,
          });
-          const manager = this.opsServerRef.dcRouterRef.remoteIngressManager;
-          const tunnelManager = this.opsServerRef.dcRouterRef.tunnelManager;
-
-          if (!manager) {
-            return { success: false, secret: '' };
-          }
-
-          const secret = await manager.regenerateSecret(dataArg.id);
+          const secret = await this.opsServerRef.dcRouterRef.mutateRemoteIngressEdges(
+            (manager) => manager.regenerateSecret(dataArg.id),
+          ).catch((err: unknown) => {
+            if ((err as Error).message.includes('RemoteIngress')) {
+              return null;
+            }
+            throw err;
+          });
          if (!secret) {
            return { success: false, secret: '' };
          }

-          // Sync allowed edges since secret changed
-          if (tunnelManager) {
-            await tunnelManager.syncAllowedEdges();
-          }
-
          return { success: true, secret };
        },
      ),
@@ -203,6 +188,46 @@ export class RemoteIngressHandler {
      ),
    );

+    // Get hub-level settings (read)
+    viewRouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetRemoteIngressHubSettings>(
+        'getRemoteIngressHubSettings',
+        async (dataArg, toolsArg) => {
+          await requireOpsAuth(this.opsServerRef, dataArg, { scope: 'remote-ingress:read' });
+          const manager = this.opsServerRef.dcRouterRef.remoteIngressManager;
+          return {
+            settings: manager?.getHubSettings() || {
+              updatedAt: 0,
+              updatedBy: 'default',
+            },
+          };
+        },
+      ),
+    );
+
+    // Update hub-level settings (write)
+    adminRouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_UpdateRemoteIngressHubSettings>(
+        'updateRemoteIngressHubSettings',
+        async (dataArg, toolsArg) => {
+          const auth = await requireOpsAuth(this.opsServerRef, dataArg, {
+            scope: 'remote-ingress:write',
+            requireAdminIdentity: true,
+          });
+
+          try {
+            const settings = await this.opsServerRef.dcRouterRef.updateRemoteIngressHubSettings(
+              { performance: dataArg.performance },
+              auth.userId,
+            );
+            return { success: true, settings };
+          } catch (err: unknown) {
+            return { success: false, message: (err as Error).message };
+          }
+        },
+      ),
+    );
+
    // Get a connection token for an edge (write — exposes secret)
    adminRouter.addTypedHandler(
      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetRemoteIngressConnectionToken>(
@@ -1,7 +1,6 @@
 import * as plugins from '../../plugins.js';
 import type { OpsServer } from '../classes.opsserver.js';
 import * as interfaces from '../../../ts_interfaces/index.js';
-import { MetricsManager } from '../../monitoring/index.js';
 import { requireOpsAuth } from '../helpers/auth.js';

 export class SecurityHandler {
@@ -46,18 +45,7 @@ export class SecurityHandler {
        'getActiveConnections',
        async (dataArg, toolsArg) => {
          await requireOpsAuth(this.opsServerRef, dataArg, { scope: 'stats:read' });
-          const connections = await this.getActiveConnections(dataArg.protocol, dataArg.state);
-          const connectionInfos: interfaces.data.IConnectionInfo[] = connections.map(conn => ({
-            id: conn.id,
-            remoteAddress: conn.source.ip,
-            localAddress: conn.destination.ip,
-            startTime: conn.startTime,
-            protocol: conn.type === 'http' ? 'https' : conn.type as any,
-            state: conn.status === 'active' ? 'connected' : conn.status as any,
-            bytesReceived: (conn as any)._throughputIn || 0,
-            bytesSent: (conn as any)._throughputOut || 0,
-            connectionCount: conn.bytesTransferred || 1,
-          }));
+          const connectionInfos = await this.getActiveConnections(dataArg.protocol, dataArg.state);
          const totalConnections = connectionInfos.reduce((sum, conn) => sum + (conn.connectionCount || 1), 0);
          
          const summary = {
@@ -362,106 +350,66 @@ export class SecurityHandler {
  private async getActiveConnections(
    protocol?: 'http' | 'https' | 'smtp' | 'smtps',
    state?: string
-  ): Promise<Array<{
-    id: string;
-    type: 'http' | 'smtp' | 'dns';
-    source: {
-      ip: string;
-      port: number;
-      country?: string;
-    };
-    destination: {
-      ip: string;
-      port: number;
-      service?: string;
-    };
-    startTime: number;
-    bytesTransferred: number;
-    status: 'active' | 'idle' | 'closing';
-  }>> {
-    const connections: Array<{
-      id: string;
-      type: 'http' | 'smtp' | 'dns';
-      source: {
-        ip: string;
-        port: number;
-        country?: string;
-      };
-      destination: {
-        ip: string;
-        port: number;
-        service?: string;
-      };
-      startTime: number;
-      bytesTransferred: number;
-      status: 'active' | 'idle' | 'closing';
-    }> = [];
-    
-    // Get connection info and network stats from MetricsManager if available
-    if (this.opsServerRef.dcRouterRef.metricsManager) {
-      const connectionInfo = await this.opsServerRef.dcRouterRef.metricsManager.getConnectionInfo();
-      const networkStats = await this.opsServerRef.dcRouterRef.metricsManager.getNetworkStats();
-      
-      // One aggregate row per IP with real throughput data
-      if (networkStats.connectionsByIP && networkStats.connectionsByIP.size > 0) {
-        let connIndex = 0;
-        const publicIp = this.opsServerRef.dcRouterRef.options.publicIp || 'server';
+  ): Promise<interfaces.data.IConnectionInfo[]> {
+    const metricsManager = this.opsServerRef.dcRouterRef.metricsManager;
+    if (!metricsManager) {
+      return [];
+    }

-        for (const [ip, count] of networkStats.connectionsByIP) {
-          const tp = networkStats.throughputByIP?.get(ip);
-          connections.push({
-            id: `ip-${connIndex++}`,
-            type: 'http',
-            source: {
-              ip: ip,
-              port: 0,
-            },
-            destination: {
-              ip: publicIp,
-              port: 443,
-              service: 'proxy',
-            },
-            startTime: 0,
-            bytesTransferred: count, // Store connection count here
-            status: 'active',
-            // Attach real throughput for the handler mapping
-            ...(tp ? { _throughputIn: tp.in, _throughputOut: tp.out } : {}),
-          } as any);
-        }
-      } else if (connectionInfo.length > 0) {
-        // Fallback to route-based connection info if no IP data available
-        connectionInfo.forEach((info, index) => {
-          connections.push({
-            id: `conn-${index}`,
-            type: 'http',
-            source: {
-              ip: 'unknown',
-              port: 0,
-            },
-            destination: {
-              ip: this.opsServerRef.dcRouterRef.options.publicIp || 'server',
-              port: 443,
-              service: info.source,
-            },
-            startTime: info.lastActivity.getTime(),
-            bytesTransferred: 0,
-            status: 'active',
-          });
-        });
+    const snapshots = await metricsManager.getActiveConnectionSnapshots({ limit: 10000 });
+    const connections = snapshots.map((snapshot): interfaces.data.IConnectionInfo => ({
+      id: String(snapshot.id),
+      remoteAddress: snapshot.sourcePort === null
+        ? snapshot.sourceIp
+        : `${snapshot.sourceIp}:${snapshot.sourcePort}`,
+      localAddress: snapshot.targetHost
+        ? `${snapshot.targetHost}:${snapshot.targetPort ?? snapshot.localPort}`
+        : `${this.opsServerRef.dcRouterRef.options.publicIp || 'server'}:${snapshot.localPort}`,
+      startTime: snapshot.startedAtMs,
+      protocol: this.mapSnapshotProtocol(snapshot),
+      state: this.mapSnapshotState(snapshot.state),
+      bytesReceived: snapshot.bytesIn,
+      bytesSent: snapshot.bytesOut,
+    }));
+
+    return connections.filter((connection) => {
+      if (protocol && connection.protocol !== protocol) {
+        return false;
      }
+      if (state && connection.state !== state) {
+        return false;
+      }
+      return true;
+    });
+  }
+
+  private mapSnapshotProtocol(
+    snapshot: plugins.smartproxy.IActiveConnectionSnapshot,
+  ): interfaces.data.IConnectionInfo['protocol'] {
+    if (snapshot.localPort === 465) {
+      return 'smtps';
    }
-    
-    // Filter by protocol if specified
-    if (protocol) {
-      return connections.filter(conn => {
-        if (protocol === 'https' || protocol === 'http') {
-          return conn.type === 'http';
-        }
-        return conn.type === protocol.replace('s', ''); // smtp/smtps -> smtp
-      });
+    if ([25, 587, 2525].includes(snapshot.localPort)) {
+      return 'smtp';
    }
-    
-    return connections;
+
+    switch (snapshot.protocol) {
+      case 'http':
+        return 'http';
+      case 'https':
+      case 'tls':
+      case 'tls-passthrough':
+      case 'tls-reencrypt':
+      case 'tls-socket-handler':
+      case 'quic':
+        return 'https';
+      default:
+        return snapshot.localPort === 80 ? 'http' : 'https';
+    }
+  }
+
+  private mapSnapshotState(state: string): interfaces.data.IConnectionInfo['state'] {
+    return state === 'closing' ? 'closing' : 'connected';
  }
  
  private async getRateLimitStatus(
@@ -1,13 +1,13 @@
 // node native
-import * as dns from 'dns';
-import * as fs from 'fs';
-import * as crypto from 'crypto';
-import * as http from 'http';
-import * as net from 'net';
-import * as os from 'os';
-import * as path from 'path';
-import * as tls from 'tls';
-import * as util from 'util';
+import * as dns from 'node:dns';
+import * as fs from 'node:fs';
+import * as crypto from 'node:crypto';
+import * as http from 'node:http';
+import * as net from 'node:net';
+import * as os from 'node:os';
+import * as path from 'node:path';
+import * as tls from 'node:tls';
+import * as util from 'node:util';

 export {
  dns,
@@ -91,7 +91,6 @@ export class RadiusServer {
  private vlanManager: VlanManager;
  private accountingManager: AccountingManager;
  private config: IRadiusServerConfig;
-  private clientSecrets: Map<string, string> = new Map();
  private running: boolean = false;

  // Statistics
@@ -138,24 +137,18 @@ export class RadiusServer {
      await this.vlanManager.importMappings(this.config.vlanAssignment.mappings);
    }

-    // Build client secrets map
-    this.buildClientSecretsMap();
+    const cidrSecrets = this.buildClientSecretsMap();

    // Create the RADIUS server
    this.radiusServer = new plugins.smartradius.RadiusServer({
      authPort: this.config.authPort,
      acctPort: this.config.acctPort,
      bindAddress: this.config.bindAddress,
-      defaultSecret: this.getDefaultSecret(),
+      cidrSecrets,
      authenticationHandler: this.handleAuthentication.bind(this),
      accountingHandler: this.handleAccounting.bind(this),
    });

-    // Configure per-client secrets
-    for (const [ip, secret] of this.clientSecrets) {
-      this.radiusServer.setClientSecret(ip, secret);
-    }
-
    // Start the server
    await this.radiusServer.start();

@@ -189,19 +182,22 @@ export class RadiusServer {
  /**
   * Handle authentication request
   */
-  private async handleAuthentication(request: any): Promise<any> {
+  private async handleAuthentication(
+    request: plugins.smartradius.IAuthenticationRequest,
+  ): Promise<plugins.smartradius.IAuthenticationResponse> {
    this.stats.authRequests++;

    const authData: IAuthRequestData = {
-      username: request.attributes?.UserName || '',
-      password: request.attributes?.UserPassword,
-      nasIpAddress: request.attributes?.NasIpAddress || request.source?.address || '',
-      nasPort: request.attributes?.NasPort,
-      nasPortType: request.attributes?.NasPortType,
-      nasIdentifier: request.attributes?.NasIdentifier,
-      calledStationId: request.attributes?.CalledStationId,
-      callingStationId: request.attributes?.CallingStationId,
-      serviceType: request.attributes?.ServiceType,
+      username: request.username || '',
+      password: request.password,
+      nasIpAddress: request.nasIpAddress || request.clientAddress || '',
+      nasPort: request.nasPort,
+      nasPortType: request.nasPortType !== undefined ? String(request.nasPortType) : undefined,
+      nasIdentifier: request.nasIdentifier,
+      calledStationId: request.calledStationId,
+      callingStationId: request.callingStationId,
+      serviceType: request.serviceType !== undefined ? String(request.serviceType) : undefined,
+      framedMtu: request.framedMtu,
    };

    logger.log('debug', `RADIUS Auth Request: user=${authData.username}, NAS=${authData.nasIpAddress}`);
@@ -215,15 +211,15 @@ export class RadiusServer {
      logger.log('info', `RADIUS Auth Accept: user=${authData.username}, VLAN=${result.vlanId}`);

      // Build response with VLAN attributes
-      const response: any = {
+      const response: plugins.smartradius.IAuthenticationResponse = {
        code: plugins.smartradius.ERadiusCode.AccessAccept,
        replyMessage: result.replyMessage,
      };

      // Add VLAN attributes if assigned
      if (result.vlanId !== undefined) {
-        response.tunnelType = 13; // VLAN
-        response.tunnelMediumType = 6; // IEEE 802
+        response.tunnelType = plugins.smartradius.ETunnelType.Vlan;
+        response.tunnelMediumType = plugins.smartradius.ETunnelMediumType.Ieee802;
        response.tunnelPrivateGroupId = String(result.vlanId);
      }

@@ -257,34 +253,37 @@ export class RadiusServer {
  /**
   * Handle accounting request
   */
-  private async handleAccounting(request: any): Promise<any> {
+  private async handleAccounting(
+    request: plugins.smartradius.IAccountingRequest,
+  ): Promise<plugins.smartradius.IAccountingResponse> {
    this.stats.accountingRequests++;

    if (!this.config.accounting?.enabled) {
      // Still respond even if not tracking
-      return { code: plugins.smartradius.ERadiusCode.AccountingResponse };
+      return { success: true };
    }

-    const statusType = request.attributes?.AcctStatusType;
-    const sessionId = request.attributes?.AcctSessionId || '';
+    const statusType = request.statusType;
+    const sessionId = request.sessionId || '';

    const accountingData = {
      sessionId,
-      username: request.attributes?.UserName || '',
-      macAddress: request.attributes?.CallingStationId,
-      nasIpAddress: request.attributes?.NasIpAddress || request.source?.address || '',
-      nasPort: request.attributes?.NasPort,
-      nasPortType: request.attributes?.NasPortType,
-      nasIdentifier: request.attributes?.NasIdentifier,
-      calledStationId: request.attributes?.CalledStationId,
-      callingStationId: request.attributes?.CallingStationId,
-      inputOctets: request.attributes?.AcctInputOctets,
-      outputOctets: request.attributes?.AcctOutputOctets,
-      inputPackets: request.attributes?.AcctInputPackets,
-      outputPackets: request.attributes?.AcctOutputPackets,
-      sessionTime: request.attributes?.AcctSessionTime,
-      terminateCause: request.attributes?.AcctTerminateCause,
-      serviceType: request.attributes?.ServiceType,
+      username: request.username || '',
+      macAddress: request.callingStationId,
+      nasIpAddress: request.nasIpAddress || request.clientAddress || '',
+      nasPort: request.nasPort,
+      nasPortType: request.nasPortType !== undefined ? String(request.nasPortType) : undefined,
+      nasIdentifier: request.nasIdentifier,
+      calledStationId: request.calledStationId,
+      callingStationId: request.callingStationId,
+      inputOctets: request.inputOctets,
+      outputOctets: request.outputOctets,
+      inputPackets: request.inputPackets,
+      outputPackets: request.outputPackets,
+      sessionTime: request.sessionTime,
+      terminateCause: request.terminateCause !== undefined ? String(request.terminateCause) : undefined,
+      framedIpAddress: request.framedIpAddress,
+      serviceType: request.serviceType !== undefined ? String(request.serviceType) : undefined,
    };

    try {
@@ -311,7 +310,7 @@ export class RadiusServer {
      logger.log('error', `RADIUS accounting error: ${(error as Error).message}`);
    }

-    return { code: plugins.smartradius.ERadiusCode.AccountingResponse };
+    return { success: true };
  }

  /**
@@ -391,37 +390,18 @@ export class RadiusServer {
  /**
   * Build client secrets map from configuration
   */
-  private buildClientSecretsMap(): void {
-    this.clientSecrets.clear();
+  private buildClientSecretsMap(): Record<string, string> {
+    const cidrSecrets: Record<string, string> = {};

    for (const client of this.config.clients) {
      if (!client.enabled) {
        continue;
      }

-      // Handle CIDR ranges
-      if (client.ipRange.includes('/')) {
-        // For CIDR ranges, we'll use the network address as key
-        // In practice, smartradius may handle this differently
-        const [network] = client.ipRange.split('/');
-        this.clientSecrets.set(network, client.secret);
-      } else {
-        this.clientSecrets.set(client.ipRange, client.secret);
-      }
+      cidrSecrets[client.ipRange] = client.secret;
    }
-  }

-  /**
-   * Get default secret for unknown clients
-   */
-  private getDefaultSecret(): string {
-    // Use first enabled client's secret as default, or a random one
-    for (const client of this.config.clients) {
-      if (client.enabled) {
-        return client.secret;
-      }
-    }
-    return plugins.crypto.randomBytes(16).toString('hex');
+    return cidrSecrets;
  }

  /**
@@ -430,21 +410,19 @@ export class RadiusServer {
  async addClient(client: IRadiusClient): Promise<void> {
    // Check if client already exists
    const existingIndex = this.config.clients.findIndex(c => c.name === client.name);
+    const previousClient = existingIndex >= 0 ? this.config.clients[existingIndex] : undefined;
    if (existingIndex >= 0) {
      this.config.clients[existingIndex] = client;
    } else {
      this.config.clients.push(client);
    }

-    // Update client secrets if running
-    if (this.running && this.radiusServer && client.enabled) {
-      if (client.ipRange.includes('/')) {
-        const [network] = client.ipRange.split('/');
-        this.radiusServer.setClientSecret(network, client.secret);
-        this.clientSecrets.set(network, client.secret);
-      } else {
-        this.radiusServer.setClientSecret(client.ipRange, client.secret);
-        this.clientSecrets.set(client.ipRange, client.secret);
+    if (this.running && this.radiusServer) {
+      if (previousClient) {
+        this.radiusServer.removeNetworkSecret(previousClient.ipRange);
+      }
+      if (client.enabled) {
+        this.radiusServer.setNetworkSecret(client.ipRange, client.secret);
      }
    }

@@ -460,12 +438,8 @@ export class RadiusServer {
      const client = this.config.clients[index];
      this.config.clients.splice(index, 1);

-      // Remove from secrets map
-      if (client.ipRange.includes('/')) {
-        const [network] = client.ipRange.split('/');
-        this.clientSecrets.delete(network);
-      } else {
-        this.clientSecrets.delete(client.ipRange);
+      if (this.radiusServer) {
+        this.radiusServer.removeNetworkSecret(client.ipRange);
      }

      logger.log('info', `RADIUS client removed: ${name}`);
@@ -66,7 +66,7 @@ await router.start();
 - System routes from config, email, and DNS are persisted with stable ownership and are toggle-only.
 - API-created routes are the only routes intended for full CRUD from the dashboard or client SDK.
 - Qualifying HTTPS forward routes on port `443` get HTTP/3 augmentation by default.
- `runCli()` is the supported code-level bootstrap entrypoint; the package does not expose a separate npm `bin` command.
+- The published package exposes the `dcrouter` npm bin through `./cli.js`; `runCli()` is the supported code-level bootstrap entrypoint.

 ## Use Another Module When...

@@ -1,29 +1,38 @@
 import * as plugins from '../plugins.js';
-import type { IRemoteIngress, IDcRouterRouteConfig } from '../../ts_interfaces/data/remoteingress.js';
-import { RemoteIngressEdgeDoc } from '../db/index.js';
+import type { IDcRouterRouteConfig, IRemoteIngress, IRemoteIngressHubSettings, IRemoteIngressPerformanceConfig, TRemoteIngressPerformanceProfile } from '../../ts_interfaces/data/remoteingress.js';
+import { RemoteIngressEdgeDoc, RemoteIngressHubSettingsDoc } from '../db/index.js';

 interface IRemoteIngressFirewallConfig {
  blockedIps?: string[];
 }

-/**
- * Flatten a port range (number | number[] | Array<{from, to}>) to a sorted unique number array.
- */
-function extractPorts(portRange: number | Array<number | { from: number; to: number }>): number[] {
-  const ports = new Set<number>();
-  if (typeof portRange === 'number') {
-    ports.add(portRange);
-  } else if (Array.isArray(portRange)) {
-    for (const entry of portRange) {
-      if (typeof entry === 'number') {
-        ports.add(entry);
-      } else if (typeof entry === 'object' && 'from' in entry && 'to' in entry) {
-        for (let p = entry.from; p <= entry.to; p++) {
-          ports.add(p);
-        }
-      }
-    }
-  }
+type TPerformanceIntegerField =
+  | 'maxStreamsPerEdge'
+  | 'totalWindowBudgetBytes'
+  | 'minStreamWindowBytes'
+  | 'maxStreamWindowBytes'
+  | 'sustainedStreamWindowBytes'
+  | 'quicDatagramReceiveBufferBytes'
+  | 'streamFramePayloadBytes'
+  | 'firstDataConnectTimeoutMs'
+  | 'clientWriteTimeoutMs';
+
+const performanceIntegerMaxByField: Record<TPerformanceIntegerField, number> = {
+  maxStreamsPerEdge: 100_000,
+  totalWindowBudgetBytes: 1_073_741_824,
+  minStreamWindowBytes: 16_777_216,
+  maxStreamWindowBytes: 134_217_728,
+  sustainedStreamWindowBytes: 134_217_728,
+  quicDatagramReceiveBufferBytes: 67_108_864,
+  streamFramePayloadBytes: 16_777_216,
+  firstDataConnectTimeoutMs: 3_600_000,
+  clientWriteTimeoutMs: 3_600_000,
+};
+
+const maxServerFirstPorts = 128;
+
+function extractPorts(portRange: plugins.smartproxy.IRouteConfig['match']['ports']): number[] {
+  const ports = new Set<number>(plugins.smartproxy.expandPortRange(portRange) as number[]);
  return [...ports].sort((a, b) => a - b);
 }

@@ -36,8 +45,12 @@ export class RemoteIngressManager {
  private edges: Map<string, IRemoteIngress> = new Map();
  private routes: IDcRouterRouteConfig[] = [];
  private firewallConfig?: IRemoteIngressFirewallConfig;
+  private hubSettings: IRemoteIngressHubSettings = {
+    updatedAt: 0,
+    updatedBy: 'default',
+  };

-  constructor() {
+  constructor(private seedHubPerformance?: IRemoteIngressPerformanceConfig) {
  }

  /**
@@ -59,12 +72,35 @@ export class RemoteIngressManager {
        listenPortsUdp: doc.listenPortsUdp,
        enabled: doc.enabled,
        autoDerivePorts: doc.autoDerivePorts,
+        performance: doc.performance,
        tags: doc.tags,
        createdAt: doc.createdAt,
        updatedAt: doc.updatedAt,
      };
      this.edges.set(edge.id, edge);
    }
+
+    await this.initializeHubSettings();
+  }
+
+  private async initializeHubSettings(): Promise<void> {
+    let doc = await RemoteIngressHubSettingsDoc.load();
+    if (!doc) {
+      const seedPerformance = this.normalizePerformanceConfig(this.seedHubPerformance);
+      if (seedPerformance) {
+        doc = new RemoteIngressHubSettingsDoc();
+        doc.settingsId = 'remote-ingress-hub-settings';
+        doc.performance = seedPerformance;
+        doc.updatedAt = Date.now();
+        doc.updatedBy = 'seed';
+        await doc.save();
+      }
+    }
+
+    this.hubSettings = doc ? this.toHubSettings(doc) : {
+      updatedAt: 0,
+      updatedBy: 'default',
+    };
  }

  /**
@@ -81,6 +117,38 @@ export class RemoteIngressManager {
    this.firewallConfig = firewallConfig;
  }

+  public getHubSettings(): IRemoteIngressHubSettings {
+    return {
+      ...this.hubSettings,
+      performance: this.hubSettings.performance ? { ...this.hubSettings.performance } : undefined,
+    };
+  }
+
+  public getHubPerformanceConfig(): IRemoteIngressPerformanceConfig | undefined {
+    return this.hubSettings.performance && Object.keys(this.hubSettings.performance).length > 0
+      ? { ...this.hubSettings.performance }
+      : undefined;
+  }
+
+  public async updateHubSettings(
+    updates: { performance?: IRemoteIngressPerformanceConfig },
+    updatedBy: string,
+  ): Promise<IRemoteIngressHubSettings> {
+    let doc = await RemoteIngressHubSettingsDoc.load();
+    if (!doc) {
+      doc = new RemoteIngressHubSettingsDoc();
+      doc.settingsId = 'remote-ingress-hub-settings';
+    }
+
+    doc.performance = this.normalizePerformanceConfig(updates.performance);
+    doc.updatedAt = Date.now();
+    doc.updatedBy = updatedBy;
+    await doc.save();
+
+    this.hubSettings = this.toHubSettings(doc);
+    return this.getHubSettings();
+  }
+
  /**
   * Derive listen ports for an edge from routes tagged with remoteIngress.enabled.
   * When a route specifies edgeFilter, only edges whose id or tags match get that route's ports.
@@ -189,6 +257,7 @@ export class RemoteIngressManager {
    listenPorts: number[] = [],
    tags?: string[],
    autoDerivePorts: boolean = true,
+    performance?: IRemoteIngressPerformanceConfig,
  ): Promise<IRemoteIngress> {
    const id = plugins.uuid.v4();
    const secret = plugins.crypto.randomBytes(32).toString('hex');
@@ -201,6 +270,7 @@ export class RemoteIngressManager {
      listenPorts,
      enabled: true,
      autoDerivePorts,
+      performance,
      tags: tags || [],
      createdAt: now,
      updatedAt: now,
@@ -237,6 +307,7 @@ export class RemoteIngressManager {
      listenPorts?: number[];
      autoDerivePorts?: boolean;
      enabled?: boolean;
+      performance?: IRemoteIngressPerformanceConfig;
      tags?: string[];
    },
  ): Promise<IRemoteIngress | null> {
@@ -249,6 +320,7 @@ export class RemoteIngressManager {
    if (updates.listenPorts !== undefined) edge.listenPorts = updates.listenPorts;
    if (updates.autoDerivePorts !== undefined) edge.autoDerivePorts = updates.autoDerivePorts;
    if (updates.enabled !== undefined) edge.enabled = updates.enabled;
+    if (updates.performance !== undefined) edge.performance = updates.performance;
    if (updates.tags !== undefined) edge.tags = updates.tags;
    edge.updatedAt = Date.now();

@@ -317,20 +389,108 @@ export class RemoteIngressManager {
   * Get the list of allowed edges (enabled only) for the Rust hub.
   * Includes listenPortsUdp when routes with transport 'udp' or 'all' are present.
   */
-  public getAllowedEdges(): Array<{ id: string; secret: string; listenPorts: number[]; listenPortsUdp?: number[]; firewallConfig?: IRemoteIngressFirewallConfig }> {
-    const result: Array<{ id: string; secret: string; listenPorts: number[]; listenPortsUdp?: number[]; firewallConfig?: IRemoteIngressFirewallConfig }> = [];
+  public getAllowedEdges(): Array<{ id: string; secret: string; listenPorts: number[]; listenPortsUdp?: number[]; firewallConfig?: IRemoteIngressFirewallConfig; performance?: IRemoteIngressPerformanceConfig }> {
+    const result: Array<{ id: string; secret: string; listenPorts: number[]; listenPortsUdp?: number[]; firewallConfig?: IRemoteIngressFirewallConfig; performance?: IRemoteIngressPerformanceConfig }> = [];
    for (const edge of this.edges.values()) {
      if (edge.enabled) {
        const listenPortsUdp = this.getEffectiveListenPortsUdp(edge);
+        const performance = edge.performance && Object.keys(edge.performance).length > 0 ? edge.performance : undefined;
        result.push({
          id: edge.id,
          secret: edge.secret,
          listenPorts: this.getEffectiveListenPorts(edge),
          ...(listenPortsUdp.length > 0 ? { listenPortsUdp } : {}),
          ...(this.firewallConfig ? { firewallConfig: this.firewallConfig } : {}),
+          ...(performance ? { performance } : {}),
        });
      }
    }
    return result;
  }
+
+  private normalizePerformanceConfig(
+    performance?: IRemoteIngressPerformanceConfig,
+  ): IRemoteIngressPerformanceConfig | undefined {
+    if (!performance) {
+      return undefined;
+    }
+
+    const next: IRemoteIngressPerformanceConfig = {};
+    const validProfiles: TRemoteIngressPerformanceProfile[] = ['balanced', 'throughput', 'highConcurrency'];
+    if (performance.profile !== undefined) {
+      if (!validProfiles.includes(performance.profile)) {
+        throw new Error('Invalid RemoteIngress performance profile');
+      }
+      next.profile = performance.profile;
+    }
+
+    const assignPositiveInteger = (field: TPerformanceIntegerField) => {
+      const value = performance[field];
+      if (value === undefined) {
+        return;
+      }
+      const maxValue = performanceIntegerMaxByField[field];
+      if (!Number.isSafeInteger(value) || value < 1 || value > maxValue) {
+        throw new Error(`${field} must be a positive safe integer no greater than ${maxValue}`);
+      }
+      (next as Record<string, number>)[field] = value;
+    };
+
+    assignPositiveInteger('maxStreamsPerEdge');
+    assignPositiveInteger('totalWindowBudgetBytes');
+    assignPositiveInteger('minStreamWindowBytes');
+    assignPositiveInteger('maxStreamWindowBytes');
+    assignPositiveInteger('sustainedStreamWindowBytes');
+    assignPositiveInteger('quicDatagramReceiveBufferBytes');
+    assignPositiveInteger('streamFramePayloadBytes');
+    assignPositiveInteger('firstDataConnectTimeoutMs');
+    assignPositiveInteger('clientWriteTimeoutMs');
+
+    if (
+      next.minStreamWindowBytes !== undefined
+      && next.maxStreamWindowBytes !== undefined
+      && next.minStreamWindowBytes > next.maxStreamWindowBytes
+    ) {
+      throw new Error('minStreamWindowBytes must not exceed maxStreamWindowBytes');
+    }
+    if (
+      next.sustainedStreamWindowBytes !== undefined
+      && next.maxStreamWindowBytes !== undefined
+      && next.sustainedStreamWindowBytes > next.maxStreamWindowBytes
+    ) {
+      throw new Error('sustainedStreamWindowBytes must not exceed maxStreamWindowBytes');
+    }
+
+    const configuredServerFirstPorts = performance.serverFirstPorts;
+    if (configuredServerFirstPorts !== undefined) {
+      if (!Array.isArray(configuredServerFirstPorts)) {
+        throw new Error('serverFirstPorts must contain valid port numbers');
+      }
+      if (configuredServerFirstPorts.length > maxServerFirstPorts) {
+        throw new Error(`serverFirstPorts must contain at most ${maxServerFirstPorts} ports`);
+      }
+      const serverFirstPorts = [...new Set(configuredServerFirstPorts.map((port) => Number(port)))].sort((a, b) => a - b);
+      for (const port of serverFirstPorts) {
+        if (!Number.isInteger(port) || port < 1 || port > 65535) {
+          throw new Error('serverFirstPorts must contain valid port numbers');
+        }
+        if (port === 443) {
+          throw new Error('Port 443 is client-first TLS and must not be listed as server-first');
+        }
+      }
+      if (serverFirstPorts.length > 0) {
+        next.serverFirstPorts = serverFirstPorts;
+      }
+    }
+
+    return Object.keys(next).length > 0 ? next : undefined;
+  }
+
+  private toHubSettings(doc: RemoteIngressHubSettingsDoc): IRemoteIngressHubSettings {
+    return {
+      performance: doc.performance,
+      updatedAt: doc.updatedAt,
+      updatedBy: doc.updatedBy,
+    };
+  }
 }
@@ -22,6 +22,8 @@ export class TunnelManager {
  private edgeStatuses: Map<string, IRemoteIngressStatus> = new Map();
  private reconcileInterval: ReturnType<typeof setInterval> | null = null;
  private syncChain: Promise<void> = Promise.resolve();
+  private reconcileChain: Promise<void> = Promise.resolve();
+  private stopped = true;

  constructor(manager: RemoteIngressManager, config: ITunnelManagerConfig = {}) {
    this.manager = manager;
@@ -64,30 +66,51 @@ export class TunnelManager {
   * Start the tunnel hub and load allowed edges.
   */
  public async start(): Promise<void> {
-    await this.hub.start({
-      tunnelPort: this.config.tunnelPort ?? 8443,
-      targetHost: this.config.targetHost ?? '127.0.0.1',
-      tls: this.config.tls,
-      ...(this.config.performance ? { performance: this.config.performance } : {}),
-    } as any);
+    this.stopped = false;
+    try {
+      await this.hub.start({
+        tunnelPort: this.config.tunnelPort ?? 8443,
+        targetHost: this.config.targetHost ?? '127.0.0.1',
+        tls: this.config.tls,
+        ...(this.config.performance ? { performance: this.config.performance } : {}),
+      } as any);

-    // Send allowed edges to the hub
-    await this.syncAllowedEdges();
+      if (this.stopped) return;

-    // Periodically reconcile with authoritative Rust hub status
-    this.reconcileInterval = setInterval(() => {
-      this.reconcile().catch(() => {});
-    }, 15_000);
+      // Send allowed edges to the hub
+      await this.syncAllowedEdges();
+
+      if (this.stopped) return;
+
+      // Periodically reconcile with authoritative Rust hub status
+      this.reconcileInterval = setInterval(() => {
+        this.reconcileChain = this.reconcileChain
+          .catch(() => {})
+          .then(() => this.reconcile());
+        this.reconcileChain.catch(() => {});
+      }, 15_000);
+    } catch (err) {
+      await this.stop();
+      throw err;
+    }
  }

  /**
   * Stop the tunnel hub.
   */
  public async stop(): Promise<void> {
+    if (this.stopped) {
+      return;
+    }
+    this.stopped = true;
    if (this.reconcileInterval) {
      clearInterval(this.reconcileInterval);
      this.reconcileInterval = null;
    }
+    await Promise.all([
+      this.syncChain.catch(() => {}),
+      this.reconcileChain.catch(() => {}),
+    ]);
    // Remove event listeners before stopping to prevent leaks
    this.hub.removeAllListeners();
    await this.hub.stop();
@@ -99,7 +122,9 @@ export class TunnelManager {
   * Overwrites event-derived activeTunnels with the real activeStreams count.
   */
  private async reconcile(): Promise<void> {
+    if (this.stopped) return;
    const hubStatus = await this.hub.getStatus();
+    if (this.stopped) return;
    if (!hubStatus || !hubStatus.connectedEdges) return;

    const rustEdgeIds = new Set<string>();
@@ -144,7 +169,9 @@ export class TunnelManager {
   */
  public async syncAllowedEdges(): Promise<void> {
    const run = this.syncChain.catch(() => {}).then(async () => {
+      if (this.stopped) return;
      const edges = this.manager.getAllowedEdges();
+      if (this.stopped) return;
      await this.hub.updateAllowedEdges(edges as any);
    });
    this.syncChain = run;
@@ -13,6 +13,8 @@ export interface IRemoteIngress {
  enabled: boolean;
  /** Whether to auto-derive ports from remoteIngress-tagged routes. Defaults to true. */
  autoDerivePorts: boolean;
+  /** Optional per-edge performance overrides. */
+  performance?: IRemoteIngressPerformanceConfig;
  tags?: string[];
  createdAt: number;
  updatedAt: number;
@@ -55,6 +57,16 @@ export interface IRemoteIngressPerformanceConfig {
  maxStreamWindowBytes?: number;
  sustainedStreamWindowBytes?: number;
  quicDatagramReceiveBufferBytes?: number;
+  streamFramePayloadBytes?: number;
+  firstDataConnectTimeoutMs?: number;
+  clientWriteTimeoutMs?: number;
+  serverFirstPorts?: number[];
+}
+
+export interface IRemoteIngressHubSettings {
+  performance?: IRemoteIngressPerformanceConfig;
+  updatedAt: number;
+  updatedBy: string;
 }

 export interface IRemoteIngressPerformanceEffective {
@@ -65,6 +77,10 @@ export interface IRemoteIngressPerformanceEffective {
  maxStreamWindowBytes: number;
  sustainedStreamWindowBytes: number;
  quicDatagramReceiveBufferBytes: number;
+  streamFramePayloadBytes: number;
+  firstDataConnectTimeoutMs: number;
+  clientWriteTimeoutMs: number;
+  serverFirstPorts: number[];
 }

 export interface IRemoteIngressFlowControlStatus {
@@ -104,6 +104,112 @@ export interface ISourceProfile {
  createdBy: string;
 }

+export interface IRouteSourcePolicyExceededAction {
+  type: '429';
+  errorMessage?: string;
+}
+
+export const routePathClasses = [
+  'git-smart-http',
+  'static',
+  'normal-html',
+  'expensive-html',
+  'raw',
+  'archive',
+] as const;
+
+export type TRoutePathClass = typeof routePathClasses[number];
+
+export const giteaRoutePathClassLabels: Record<TRoutePathClass, string> = {
+  'git-smart-http': 'Git Smart HTTP',
+  static: 'Static Assets',
+  'normal-html': 'Normal HTML',
+  'expensive-html': 'Expensive HTML',
+  raw: 'Raw Files',
+  archive: 'Archives',
+};
+
+export const giteaRoutePathClassPatterns: Record<TRoutePathClass, string[]> = {
+  'git-smart-http': [
+    '/*/*.git/info/refs',
+    '/*/*.git/git-upload-pack',
+    '/*/*.git/git-receive-pack',
+    '/*/*.git/info/lfs',
+    '/*/*.git/info/lfs/*',
+  ],
+  static: [
+    '/assets/*',
+    '/avatars/*',
+    '/repo-avatars/*',
+    '/user/avatar/*',
+    '/img/*',
+    '/css/*',
+    '/js/*',
+    '/fonts/*',
+    '/favicon.ico',
+  ],
+  'normal-html': [],
+  'expensive-html': [
+    '/explore/*',
+    '/issues',
+    '/issues/*',
+    '/pulls',
+    '/pulls/*',
+    '/search',
+    '/*/*/commits/*',
+    '/*/*/graph',
+    '/*/*/activity',
+    '/*/*/stars',
+    '/*/*/forks',
+    '/*/*/watchers',
+    '/*/*/issues',
+    '/*/*/pulls',
+    '/*/*/projects',
+    '/*/*/actions',
+    '/*/*/packages',
+  ],
+  raw: [
+    '/*/*/raw/*',
+    '/*/*/src/*',
+  ],
+  archive: [
+    '/*/*/archive/*',
+    '/*/*/releases/download/*',
+  ],
+};
+
+export interface IRoutePathPolicyBinding {
+  id?: string;
+  pathClass: TRoutePathClass;
+  /** Optional custom patterns. When omitted, the Gitea defaults for the class are used. */
+  pathPatterns?: string[];
+  /** Optional path-class override for the source binding's rate limit. */
+  rateLimit?: IRouteSecurity['rateLimit'];
+  /** Optional path-class override for the source binding's connection limit. */
+  maxConnections?: IRouteSecurity['maxConnections'];
+  onExceeded?: IRouteSourcePolicyExceededAction;
+}
+
+export interface IRouteSourcePolicyBinding {
+  id?: string;
+  sourceProfileRef: string;
+  /** Snapshot of the profile name at resolution time, for display. */
+  sourceProfileName?: string;
+  /** Optional route-level override for the referenced profile's rate limit. */
+  rateLimit?: IRouteSecurity['rateLimit'];
+  /** Optional route-level override for the referenced profile's connection limit. */
+  maxConnections?: IRouteSecurity['maxConnections'];
+  /** Initial source-policy slice only supports explicit 429 behavior. */
+  onExceeded?: IRouteSourcePolicyExceededAction;
+  /** Optional path-class variants inside this source binding. Path-specific variants win over fallback variants. */
+  pathPolicies?: IRoutePathPolicyBinding[];
+}
+
+export interface IRouteSourcePolicy {
+  /** Ordered source profile bindings. The first matching binding wins. */
+  bindings: IRouteSourcePolicyBinding[];
+}
+
 // ============================================================================
 // Network Target Types
 // ============================================================================
@@ -132,6 +238,8 @@ export interface INetworkTarget {
 export interface IRouteMetadata {
  /** ID of the SourceProfileDoc used to resolve this route's security. */
  sourceProfileRef?: string;
+  /** Ordered source policy. When present, it supersedes sourceProfileRef. */
+  sourcePolicy?: IRouteSourcePolicy;
  /** ID of the NetworkTargetDoc used to resolve this route's targets. */
  networkTargetRef?: string;
  /** Snapshot of the profile name at resolution time, for display. */
@@ -22,7 +22,7 @@ import { data, requests } from '@serve.zone/dcrouter/interfaces';

 | Export | Purpose |
 | --- | --- |
-| `data` | Shared runtime-shaped models such as identities, routes, DNS records, domains, email domains, remote ingress edges, VPN objects, stats, and security policy data. |
+| `data` | Shared runtime-shaped models such as identities, routes, route source policies, DNS records, domains, email domains, remote ingress edges, VPN objects, stats, and security policy data. |
 | `requests` | TypedRequest request/response contracts for OpsServer methods. |
 | `typedrequestInterfaces` | Helper types re-exported from `@api.global/typedrequest-interfaces` through `plugins.ts`. |

@@ -31,7 +31,7 @@ import { data, requests } from '@serve.zone/dcrouter/interfaces';
 | Area | Examples |
 | --- | --- |
 | Auth | admin login, first-admin bootstrap status/creation, logout, identity verification, users |
-| Routes | merged route listing, API route CRUD, toggles, warnings, ownership metadata |
+| Routes | merged route listing, API route CRUD, toggles, warnings, ownership metadata, ordered source/path policies |
 | Access | API tokens, source profiles, target profiles, network targets |
 | DNS and domains | DNS providers, domains, DNS records, ACME config |
 | Email | email-domain management and email operations |
@@ -39,6 +39,18 @@ import { data, requests } from '@serve.zone/dcrouter/interfaces';
 | Observability | stats, combined stats, logs, configuration |
 | WorkHoster | external app/workhoster route ownership contracts |

+## Route Source Policy Contracts
+
+`data/route-management.ts` exports the source-policy contracts used by the dashboard, API client, and route runtime compiler:
+
+- `IRouteSourcePolicy` stores ordered route-level source bindings.
+- `IRouteSourcePolicyBinding` points to a source profile, can override rate limits or connection limits, and can contain path policies.
+- `IRoutePathPolicyBinding` applies path-class-specific overrides within a source binding.
+- `IRouteSourcePolicyExceededAction` describes terminal exceeded-limit behavior, currently explicit `429` handling.
+- `TRoutePathClass` is the string-union type derived from `routePathClasses`.
+- `routePathClasses` lists the supported classes: `git-smart-http`, `static`, `normal-html`, `expensive-html`, `raw`, and `archive`.
+- `giteaRoutePathClassLabels` and `giteaRoutePathClassPatterns` provide the built-in Gitea labels and path patterns, including Git Smart HTTP and Git LFS patterns.
+
 ## Raw TypedRequest Example

 ```typescript
@@ -86,7 +98,7 @@ Useful source entry points:
 - `index.ts` exports `data` and `requests` namespaces.
 - `data/index.ts` groups shared data models.
 - `requests/index.ts` groups TypedRequest contracts.
- `data/route-management.ts` defines route ownership, API token scopes, profiles, and network target shapes.
+- `data/route-management.ts` defines route ownership, source/path policies, API token scopes, profiles, and network target shapes.

 ## License and Legal Information

@@ -1,6 +1,6 @@
 import * as plugins from '../plugins.js';
 import * as authInterfaces from '../data/auth.js';
-import type { IRemoteIngress, IRemoteIngressStatus } from '../data/remoteingress.js';
+import type { IRemoteIngress, IRemoteIngressHubSettings, IRemoteIngressPerformanceConfig, IRemoteIngressStatus } from '../data/remoteingress.js';

 // ============================================================================
 // Remote Ingress Edge Management
@@ -20,6 +20,7 @@ export interface IReq_CreateRemoteIngress extends plugins.typedrequestInterfaces
    name: string;
    listenPorts?: number[];
    autoDerivePorts?: boolean;
+    performance?: IRemoteIngressPerformanceConfig;
    tags?: string[];
  };
  response: {
@@ -63,6 +64,7 @@ export interface IReq_UpdateRemoteIngress extends plugins.typedrequestInterfaces
    listenPorts?: number[];
    autoDerivePorts?: boolean;
    enabled?: boolean;
+    performance?: IRemoteIngressPerformanceConfig;
    tags?: string[];
  };
  response: {
@@ -145,3 +147,40 @@ export interface IReq_GetRemoteIngressConnectionToken extends plugins.typedreque
    message?: string;
  };
 }
+
+/**
+ * Get hub-level RemoteIngress settings.
+ */
+export interface IReq_GetRemoteIngressHubSettings extends plugins.typedrequestInterfaces.implementsTR<
+  plugins.typedrequestInterfaces.ITypedRequest,
+  IReq_GetRemoteIngressHubSettings
+> {
+  method: 'getRemoteIngressHubSettings';
+  request: {
+    identity?: authInterfaces.IIdentity;
+    apiToken?: string;
+  };
+  response: {
+    settings: IRemoteIngressHubSettings;
+  };
+}
+
+/**
+ * Update hub-level RemoteIngress settings.
+ */
+export interface IReq_UpdateRemoteIngressHubSettings extends plugins.typedrequestInterfaces.implementsTR<
+  plugins.typedrequestInterfaces.ITypedRequest,
+  IReq_UpdateRemoteIngressHubSettings
+> {
+  method: 'updateRemoteIngressHubSettings';
+  request: {
+    identity?: authInterfaces.IIdentity;
+    apiToken?: string;
+    performance?: IRemoteIngressPerformanceConfig;
+  };
+  response: {
+    success: boolean;
+    settings?: IRemoteIngressHubSettings;
+    message?: string;
+  };
+}
@@ -19,6 +19,172 @@ export interface IMigrationRunner {
  run(): Promise<IMigrationRunResult>;
 }

+type TMigrationSecurity = Record<string, any>;
+
+const DEFAULT_SOURCE_PROFILES: Array<{
+  name: string;
+  description: string;
+  security: TMigrationSecurity;
+}> = [
+  {
+    name: 'TRUSTED NETWORKS',
+    description: 'Trusted office, VPN, localhost, and private-network sources with high connection allowance',
+    security: {
+      ipAllowList: ['10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', '127.0.0.1', '::1'],
+      maxConnections: 5000,
+    },
+  },
+  {
+    name: 'AI CRAWLERS',
+    description: 'Add verified crawler CIDRs before assigning this profile in a source policy',
+    security: {
+      ipAllowList: [],
+      rateLimit: {
+        enabled: true,
+        maxRequests: 30,
+        window: 60,
+        keyBy: 'ip',
+      },
+    },
+  },
+  {
+    name: 'PUBLIC',
+    description: 'Public fallback source profile with per-IP request limiting',
+    security: {
+      ipAllowList: ['*'],
+      rateLimit: {
+        enabled: true,
+        maxRequests: 120,
+        window: 60,
+        keyBy: 'ip',
+      },
+    },
+  },
+];
+
+function mergeMigrationSecurityFields(
+  base: TMigrationSecurity | undefined,
+  override: TMigrationSecurity | undefined,
+): TMigrationSecurity {
+  if (!base && !override) return {};
+  if (!base) return structuredClone(override || {});
+  if (!override) return structuredClone(base || {});
+
+  const merged: TMigrationSecurity = structuredClone(base);
+
+  if (override.ipAllowList || base.ipAllowList) {
+    merged.ipAllowList = [
+      ...new Set([
+        ...(base.ipAllowList || []),
+        ...(override.ipAllowList || []),
+      ]),
+    ];
+  }
+
+  if (override.ipBlockList || base.ipBlockList) {
+    merged.ipBlockList = [
+      ...new Set([
+        ...(base.ipBlockList || []),
+        ...(override.ipBlockList || []),
+      ]),
+    ];
+  }
+
+  for (const key of ['maxConnections', 'rateLimit', 'authentication', 'basicAuth', 'jwtAuth', 'vpn']) {
+    if (override[key] !== undefined) {
+      merged[key] = structuredClone(override[key]);
+    }
+  }
+
+  return merged;
+}
+
+function resolveMigrationSourceProfileSecurity(
+  profileId: string,
+  profiles: Map<string, any>,
+  visited = new Set<string>(),
+  depth = 0,
+): TMigrationSecurity | null {
+  if (depth > 5 || visited.has(profileId)) return null;
+
+  const profile = profiles.get(profileId);
+  if (!profile) return null;
+
+  visited.add(profileId);
+  let baseSecurity: TMigrationSecurity = {};
+  const extendsProfiles = Array.isArray(profile.extendsProfiles) ? profile.extendsProfiles : [];
+  for (const parentId of extendsProfiles) {
+    if (typeof parentId !== 'string') continue;
+    const parentSecurity = resolveMigrationSourceProfileSecurity(
+      parentId,
+      profiles,
+      new Set(visited),
+      depth + 1,
+    );
+    if (parentSecurity) {
+      baseSecurity = mergeMigrationSecurityFields(baseSecurity, parentSecurity);
+    }
+  }
+
+  return mergeMigrationSecurityFields(baseSecurity, profile.security || {});
+}
+
+async function rematerializeSourceProfileRouteSecurity(ctx: {
+  mongo?: { collection: (name: string) => any };
+  log: { log: (level: 'info', message: string) => void };
+}): Promise<void> {
+  const profileCollection = ctx.mongo!.collection('SourceProfileDoc');
+  const routeCollection = ctx.mongo!.collection('RouteDoc');
+  const profiles = new Map<string, any>();
+
+  for await (const profile of profileCollection.find({})) {
+    if (typeof (profile as any).id === 'string') {
+      profiles.set((profile as any).id, profile);
+    }
+  }
+
+  let inspected = 0;
+  let migrated = 0;
+  let skippedMissingProfile = 0;
+  const now = Date.now();
+
+  for await (const routeDoc of routeCollection.find({})) {
+    const sourceProfileRef = (routeDoc as any).metadata?.sourceProfileRef;
+    if (typeof sourceProfileRef !== 'string' || sourceProfileRef.trim() === '') continue;
+    inspected++;
+
+    const resolvedSecurity = resolveMigrationSourceProfileSecurity(sourceProfileRef, profiles);
+    const profile = profiles.get(sourceProfileRef);
+    if (!resolvedSecurity || !profile) {
+      skippedMissingProfile++;
+      continue;
+    }
+
+    const currentSecurity = (routeDoc as any).route?.security || {};
+    const securityChanged = JSON.stringify(currentSecurity) !== JSON.stringify(resolvedSecurity);
+    const profileNameChanged = (routeDoc as any).metadata?.sourceProfileName !== profile.name;
+    if (!securityChanged && !profileNameChanged) continue;
+
+    const query = (routeDoc as any)._id
+      ? { _id: (routeDoc as any)._id }
+      : { id: (routeDoc as any).id };
+    await routeCollection.updateOne(query, {
+      $set: {
+        'route.security': structuredClone(resolvedSecurity),
+        'metadata.sourceProfileName': profile.name,
+        'metadata.lastResolvedAt': now,
+        updatedAt: now,
+      },
+    });
+    migrated++;
+  }
+
+  ctx.log.log(
+    'info',
+    `rematerialize-source-profile-route-security: migrated ${migrated}/${inspected} route(s), skipped ${skippedMissingProfile} missing profile ref(s)`,
+  );
+}
+
 async function migrateTargetProfileTargetHosts(ctx: {
  mongo?: { collection: (name: string) => any };
  log: { log: (level: 'info', message: string) => void };
@@ -70,6 +236,40 @@ async function backfillSystemRouteKeys(ctx: {
  ctx.log.log('info', `backfill-system-route-keys: migrated ${migrated} route(s)`);
 }

+async function seedMissingDefaultSourceProfiles(ctx: {
+  mongo?: { collection: (name: string) => any };
+  log: { log: (level: 'info', message: string) => void };
+}): Promise<void> {
+  const collection = ctx.mongo!.collection('SourceProfileDoc');
+  const now = Date.now();
+  let inserted = 0;
+  let existing = 0;
+
+  for (const profile of DEFAULT_SOURCE_PROFILES) {
+    const existingProfile = await collection.findOne({ name: profile.name });
+    if (existingProfile) {
+      existing++;
+      continue;
+    }
+
+    await collection.insertOne({
+      id: globalThis.crypto.randomUUID(),
+      name: profile.name,
+      description: profile.description,
+      security: structuredClone(profile.security),
+      createdAt: now,
+      updatedAt: now,
+      createdBy: 'system',
+    });
+    inserted++;
+  }
+
+  ctx.log.log(
+    'info',
+    `seed-missing-default-source-profiles: inserted ${inserted}, already present ${existing}`,
+  );
+}
+
 /**
 * Create a configured SmartMigration runner with all dcrouter migration steps registered.
 *
@@ -167,6 +367,18 @@ export async function createMigrationRunner(
    .description('Backfill RouteDoc.systemKey for persisted config/email/dns routes')
    .up(async (ctx) => {
      await backfillSystemRouteKeys(ctx);
+    })
+    .step('rematerialize-source-profile-route-security')
+    .from('13.18.0').to('13.40.2')
+    .description('Replace stale route security with resolved source profile security')
+    .up(async (ctx) => {
+      await rematerializeSourceProfileRouteSecurity(ctx);
+    })
+    .step('seed-missing-default-source-profiles')
+    .from('13.40.2').to('13.42.0')
+    .description('Seed missing default source profiles for source-policy presets')
+    .up(async (ctx) => {
+      await seedMissingDefaultSourceProfiles(ctx);
    });

  return migration;
@@ -25,7 +25,7 @@ If you boot `DcRouter`, you usually do not install or call this package directly
 ```typescript
 import { createMigrationRunner } from '@serve.zone/dcrouter-migrations';

-const migration = await createMigrationRunner(db, '13.25.0');
+const migration = await createMigrationRunner(db, '<current-version>');
 const result = await migration.run();

 console.log(result.currentVersionBefore, result.currentVersionAfter);
@@ -41,6 +41,8 @@ The current migration chain covers:
 - route collection unification from `StoredRouteDoc` to `RouteDoc`
 - route `origin` backfill for migrated API routes
 - `systemKey` backfill for persisted config, email, and DNS routes
+- source-profile route-security rematerialization for routes with legacy `metadata.sourceProfileRef`
+- `seed-missing-default-source-profiles` from `13.40.2` to `13.42.0`, which inserts missing `TRUSTED NETWORKS`, `AI CRAWLERS`, and `PUBLIC` source profiles by name without mutating existing profiles

 ## Migration Rules

@@ -74,6 +74,10 @@ export function getOciContainerConfig(): IDcRouterOptions {
    options.dnsScopes = dnsScopes;
  }

+  if (process.env.DCROUTER_DNS_BIND_INTERFACE) {
+    options.dnsBindInterface = process.env.DCROUTER_DNS_BIND_INTERFACE;
+  }
+
  // Email config
  const emailHostname = process.env.DCROUTER_EMAIL_HOSTNAME;
  const emailPorts = parseCommaSeparatedNumbers(process.env.DCROUTER_EMAIL_PORTS);
@@ -3,6 +3,6 @@
 */
 export const commitinfo = {
  name: '@serve.zone/dcrouter',
-  version: '13.36.1',
+  version: '13.42.2',
  description: 'A multifaceted routing service handling mail and SMS delivery functions.'
 }
@@ -260,6 +260,7 @@ export const acmeConfigStatePart = await appState.getStatePart<IAcmeConfigState>
 export interface IRemoteIngressState {
  edges: interfaces.data.IRemoteIngress[];
  statuses: interfaces.data.IRemoteIngressStatus[];
+  hubSettings: interfaces.data.IRemoteIngressHubSettings | null;
  selectedEdgeId: string | null;
  newEdgeId: string | null;
  isLoading: boolean;
@@ -272,6 +273,7 @@ export const remoteIngressStatePart = await appState.getStatePart<IRemoteIngress
  {
    edges: [],
    statuses: [],
+    hubSettings: null,
    selectedEdgeId: null,
    newEdgeId: null,
    isLoading: false,
@@ -1094,15 +1096,21 @@ export const fetchRemoteIngressAction = remoteIngressStatePart.createAction(asyn
      interfaces.requests.IReq_GetRemoteIngressStatus
    >('/typedrequest', 'getRemoteIngressStatus');

-    const [edgesResponse, statusResponse] = await Promise.all([
+    const hubSettingsRequest = new plugins.domtools.plugins.typedrequest.TypedRequest<
+      interfaces.requests.IReq_GetRemoteIngressHubSettings
+    >('/typedrequest', 'getRemoteIngressHubSettings');
+
+    const [edgesResponse, statusResponse, hubSettingsResponse] = await Promise.all([
      edgesRequest.fire({ identity: context.identity }),
      statusRequest.fire({ identity: context.identity }),
+      hubSettingsRequest.fire({ identity: context.identity }),
    ]);

    return {
      ...currentState,
      edges: edgesResponse.edges,
      statuses: statusResponse.statuses,
+      hubSettings: hubSettingsResponse.settings,
      isLoading: false,
      error: null,
      lastUpdated: Date.now(),
@@ -1120,6 +1128,7 @@ export const createRemoteIngressAction = remoteIngressStatePart.createAction<{
  name: string;
  listenPorts?: number[];
  autoDerivePorts?: boolean;
+  performance?: interfaces.data.IRemoteIngressPerformanceConfig;
  tags?: string[];
 }>(async (statePartArg, dataArg, actionContext): Promise<IRemoteIngressState> => {
  const context = getActionContext();
@@ -1135,6 +1144,7 @@ export const createRemoteIngressAction = remoteIngressStatePart.createAction<{
      name: dataArg.name,
      listenPorts: dataArg.listenPorts,
      autoDerivePorts: dataArg.autoDerivePorts,
+      performance: dataArg.performance,
      tags: dataArg.tags,
    });

@@ -1187,6 +1197,7 @@ export const updateRemoteIngressAction = remoteIngressStatePart.createAction<{
  name?: string;
  listenPorts?: number[];
  autoDerivePorts?: boolean;
+  performance?: interfaces.data.IRemoteIngressPerformanceConfig;
  tags?: string[];
 }>(async (statePartArg, dataArg, actionContext): Promise<IRemoteIngressState> => {
  const context = getActionContext();
@@ -1203,6 +1214,7 @@ export const updateRemoteIngressAction = remoteIngressStatePart.createAction<{
      name: dataArg.name,
      listenPorts: dataArg.listenPorts,
      autoDerivePorts: dataArg.autoDerivePorts,
+      performance: dataArg.performance,
      tags: dataArg.tags,
    });

@@ -1215,6 +1227,38 @@ export const updateRemoteIngressAction = remoteIngressStatePart.createAction<{
  }
 });

+export const updateRemoteIngressHubSettingsAction = remoteIngressStatePart.createAction<{
+  performance?: interfaces.data.IRemoteIngressPerformanceConfig;
+}>(async (statePartArg, dataArg, actionContext): Promise<IRemoteIngressState> => {
+  const context = getActionContext();
+  const currentState = statePartArg.getState()!;
+
+  try {
+    const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
+      interfaces.requests.IReq_UpdateRemoteIngressHubSettings
+    >('/typedrequest', 'updateRemoteIngressHubSettings');
+
+    const response = await request.fire({
+      identity: context.identity!,
+      performance: dataArg.performance,
+    });
+
+    if (!response.success) {
+      return {
+        ...currentState,
+        error: response.message || 'Failed to update RemoteIngress hub settings',
+      };
+    }
+
+    return await actionContext!.dispatch(fetchRemoteIngressAction, null);
+  } catch (error: unknown) {
+    return {
+      ...currentState,
+      error: error instanceof Error ? error.message : 'Failed to update RemoteIngress hub settings',
+    };
+  }
+});
+
 export const regenerateRemoteIngressSecretAction = remoteIngressStatePart.createAction<string>(
  async (statePartArg, edgeId): Promise<IRemoteIngressState> => {
    const context = getActionContext();
@@ -12,6 +12,17 @@ import * as interfaces from '../../../dist_ts_interfaces/index.js';
 import { viewHostCss } from '../shared/css.js';
 import { type IStatsTile } from '@design.estate/dees-catalog';

+const performanceProfileOptions = [
+  { key: '', option: 'Default' },
+  { key: 'balanced', option: 'Balanced' },
+  { key: 'throughput', option: 'Throughput' },
+  { key: 'highConcurrency', option: 'High concurrency' },
+];
+
+function getDropdownKey(value: any): string {
+  return typeof value === 'string' ? value : value?.key || '';
+}
+
 declare global {
  interface HTMLElementTagNameMap {
    'ops-view-remoteingress': OpsViewRemoteIngress;
@@ -137,6 +148,13 @@ export class OpsViewRemoteIngress extends DeesElement {
      .metricMuted {
        color: var(--text-muted, #6b7280);
      }
+
+      .settingsNote {
+        margin: 12px 0 0;
+        font-size: 12px;
+        line-height: 1.5;
+        color: ${cssManager.bdTheme('#6b7280', '#9ca3af')};
+      }
    `,
  ];

@@ -242,6 +260,7 @@ export class OpsViewRemoteIngress extends DeesElement {
            publicIp: this.getEdgePublicIp(edge.id),
            ports: this.getPortsHtml(edge),
            tunnels: this.getEdgeTunnelCount(edge.id),
+            maxConnections: this.getMaxConnectionsHtml(edge),
            window: this.getWindowHtml(edge.id),
            queues: this.getQueuesHtml(edge.id),
            traffic: this.getTrafficHtml(edge.id),
@@ -261,6 +280,7 @@ export class OpsViewRemoteIngress extends DeesElement {
                      <dees-input-text .key=${'name'} .label=${'Name'} .required=${true}></dees-input-text>
                      <dees-input-text .key=${'listenPorts'} .label=${'Manual Ports'} .description=${'Comma-separated port numbers, optional'}></dees-input-text>
                      <dees-input-checkbox .key=${'autoDerivePorts'} .label=${'Auto-derive ports from routes'} .value=${true}></dees-input-checkbox>
+                      <dees-input-text .key=${'maxStreamsPerEdge'} .label=${'Max Connections'} .description=${'Optional maximum concurrent client connections for this edge. Leave empty to use the hub default.'}></dees-input-text>
                      <dees-input-text .key=${'tags'} .label=${'Tags'} .description=${'Comma-separated, optional'}></dees-input-text>
                    </dees-form>
                  `,
@@ -284,12 +304,20 @@ export class OpsViewRemoteIngress extends DeesElement {
                          ? portsStr.split(',').map((p: string) => parseInt(p.trim(), 10)).filter((p: number) => !isNaN(p))
                          : undefined;
                        const autoDerivePorts = formData.autoDerivePorts !== false;
+                        let performance: interfaces.data.IRemoteIngressPerformanceConfig | undefined;
+                        try {
+                          performance = this.collectPerformanceOverride(formData);
+                        } catch (err: unknown) {
+                          const { DeesToast } = await import('@design.estate/dees-catalog');
+                          DeesToast.show({ message: (err as Error).message, type: 'error', duration: 4000 });
+                          return;
+                        }
                        const tags = formData.tags
                          ? formData.tags.split(',').map((t: string) => t.trim()).filter(Boolean)
                          : undefined;
                        await appstate.remoteIngressStatePart.dispatchAction(
                          appstate.createRemoteIngressAction,
-                          { name, listenPorts, autoDerivePorts, tags },
+                          { name, listenPorts, autoDerivePorts, performance, tags },
                        );
                        await modalArg.destroy();
                      },
@@ -298,6 +326,14 @@ export class OpsViewRemoteIngress extends DeesElement {
                });
              },
            },
+            {
+              name: 'Hub Settings',
+              iconName: 'lucide:slidersHorizontal',
+              type: ['header' as const],
+              actionFunc: async () => {
+                await this.showHubSettingsDialog();
+              },
+            },
            {
              name: 'Enable',
              iconName: 'lucide:play',
@@ -338,6 +374,7 @@ export class OpsViewRemoteIngress extends DeesElement {
                      <dees-input-text .key=${'name'} .label=${'Name'} .value=${edge.name}></dees-input-text>
                      <dees-input-text .key=${'listenPorts'} .label=${'Manual Ports'} .description=${'Comma-separated port numbers'} .value=${(edge.listenPorts || []).join(', ')}></dees-input-text>
                      <dees-input-checkbox .key=${'autoDerivePorts'} .label=${'Auto-derive ports from routes'} .value=${edge.autoDerivePorts !== false}></dees-input-checkbox>
+                      <dees-input-text .key=${'maxStreamsPerEdge'} .label=${'Max Connections'} .description=${'Optional maximum concurrent client connections for this edge. Leave empty to use the hub default.'} .value=${edge.performance?.maxStreamsPerEdge?.toString() || ''}></dees-input-text>
                      <dees-input-text .key=${'tags'} .label=${'Tags'} .description=${'Comma-separated'} .value=${(edge.tags || []).join(', ')}></dees-input-text>
                    </dees-form>
                  `,
@@ -359,6 +396,14 @@ export class OpsViewRemoteIngress extends DeesElement {
                          ? portsStr.split(',').map((p: string) => parseInt(p.trim(), 10)).filter((p: number) => !isNaN(p))
                          : [];
                        const autoDerivePorts = formData.autoDerivePorts !== false;
+                        let performance: interfaces.data.IRemoteIngressPerformanceConfig | undefined;
+                        try {
+                          performance = this.collectPerformanceOverride(formData, edge.performance);
+                        } catch (err: unknown) {
+                          const { DeesToast } = await import('@design.estate/dees-catalog');
+                          DeesToast.show({ message: (err as Error).message, type: 'error', duration: 4000 });
+                          return;
+                        }
                        const tags = formData.tags
                          ? formData.tags.split(',').map((t: string) => t.trim()).filter(Boolean)
                          : [];
@@ -369,6 +414,7 @@ export class OpsViewRemoteIngress extends DeesElement {
                            name: formData.name || edge.name,
                            listenPorts,
                            autoDerivePorts,
+                            performance,
                            tags,
                          },
                        );
@@ -475,6 +521,19 @@ export class OpsViewRemoteIngress extends DeesElement {
    return status?.activeTunnels || 0;
  }

+  private getMaxConnectionsHtml(edge: interfaces.data.IRemoteIngress): TemplateResult | string {
+    const status = this.getEdgeStatus(edge.id);
+    const override = edge.performance?.maxStreamsPerEdge;
+    const effective = status?.performance?.maxStreamsPerEdge;
+    if (!override && !effective) return '-';
+    return html`
+      <div class="metricStack">
+        <span>${override || effective}</span>
+        <span class="metricMuted">${override ? 'edge override' : 'hub default'}</span>
+      </div>
+    `;
+  }
+
  private getTransportHtml(edgeId: string): TemplateResult | string {
    const status = this.getEdgeStatus(edgeId);
    if (!status?.connected) return '-';
@@ -535,4 +594,165 @@ export class OpsViewRemoteIngress extends DeesElement {
    }
    return `${value >= 10 || unitIndex === 0 ? value.toFixed(0) : value.toFixed(1)} ${units[unitIndex]}`;
  }
+
+  private collectPerformanceOverride(
+    formData: Record<string, any>,
+    base?: interfaces.data.IRemoteIngressPerformanceConfig,
+  ): interfaces.data.IRemoteIngressPerformanceConfig | undefined {
+    const next: interfaces.data.IRemoteIngressPerformanceConfig = { ...(base || {}) };
+    const maxStreamsText = `${formData.maxStreamsPerEdge || ''}`.trim();
+    if (maxStreamsText) {
+      const maxStreamsPerEdge = Number.parseInt(maxStreamsText, 10);
+      if (!Number.isInteger(maxStreamsPerEdge) || maxStreamsPerEdge < 1) {
+        throw new Error('Max Connections must be a positive integer');
+      }
+      next.maxStreamsPerEdge = maxStreamsPerEdge;
+    } else {
+      delete next.maxStreamsPerEdge;
+    }
+
+    if (Object.keys(next).length > 0) {
+      return next;
+    }
+
+    return base ? {} : undefined;
+  }
+
+  private async showHubSettingsDialog(): Promise<void> {
+    const { DeesModal, DeesToast } = await import('@design.estate/dees-catalog');
+    const performance = this.riState.hubSettings?.performance || {};
+    const selectedProfile = performanceProfileOptions.find((option) => option.key === (performance.profile || '')) || performanceProfileOptions[0];
+    const updatedAt = this.riState.hubSettings?.updatedAt
+      ? new Date(this.riState.hubSettings.updatedAt).toLocaleString()
+      : 'not persisted yet';
+
+    await DeesModal.createAndShow({
+      heading: 'RemoteIngress Hub Settings',
+      content: html`
+        <dees-form>
+          <dees-input-dropdown
+            .key=${'profile'}
+            .label=${'Performance Profile'}
+            .options=${performanceProfileOptions}
+            .selectedOption=${selectedProfile}
+          ></dees-input-dropdown>
+          <dees-input-text
+            .key=${'maxStreamsPerEdge'}
+            .label=${'Max Connections / Edge'}
+            .description=${'Maximum concurrent client streams per edge. Leave empty for RemoteIngress defaults.'}
+            .value=${performance.maxStreamsPerEdge?.toString() || ''}
+          ></dees-input-text>
+          <dees-input-text
+            .key=${'clientWriteTimeoutMs'}
+            .label=${'Client Write Timeout'}
+            .description=${'Milliseconds before idle client writes are timed out. Leave empty for default.'}
+            .value=${performance.clientWriteTimeoutMs?.toString() || ''}
+          ></dees-input-text>
+          <dees-input-text
+            .key=${'firstDataConnectTimeoutMs'}
+            .label=${'First Data Timeout'}
+            .description=${'Milliseconds to wait for initial client data before connecting upstream. Leave empty for default.'}
+            .value=${performance.firstDataConnectTimeoutMs?.toString() || ''}
+          ></dees-input-text>
+          <dees-input-text
+            .key=${'serverFirstPorts'}
+            .label=${'Server-first Ports'}
+            .description=${'Comma-separated ports such as 21, 22, 25, 110, 143, 587. Do not include 443.'}
+            .value=${(performance.serverFirstPorts || []).join(', ')}
+          ></dees-input-text>
+        </dees-form>
+        <p class="settingsNote">
+          Saving restarts the RemoteIngress hub so connected edges reconnect and pick up the new defaults.
+          Last updated: ${updatedAt} by ${this.riState.hubSettings?.updatedBy || 'default'}.
+        </p>
+      `,
+      menuOptions: [
+        {
+          name: 'Cancel',
+          iconName: 'lucide:x',
+          action: async (modalArg: any) => await modalArg.destroy(),
+        },
+        {
+          name: 'Save',
+          iconName: 'lucide:check',
+          action: async (modalArg: any) => {
+            const form = modalArg.shadowRoot?.querySelector('.content')?.querySelector('dees-form');
+            if (!form) return;
+            const formData = await form.collectFormData();
+            let performanceSettings: interfaces.data.IRemoteIngressPerformanceConfig | undefined;
+            try {
+              performanceSettings = this.collectHubPerformanceSettings(formData);
+            } catch (err: unknown) {
+              DeesToast.show({ message: (err as Error).message, type: 'error', duration: 4000 });
+              return;
+            }
+
+            const nextState = await appstate.remoteIngressStatePart.dispatchAction(
+              appstate.updateRemoteIngressHubSettingsAction,
+              { performance: performanceSettings },
+            );
+            if (nextState.error) {
+              DeesToast.show({ message: nextState.error, type: 'error', duration: 4000 });
+              return;
+            }
+            await modalArg.destroy();
+            DeesToast.show({ message: 'RemoteIngress hub settings saved', type: 'success', duration: 3000 });
+          },
+        },
+      ],
+    });
+  }
+
+  private collectHubPerformanceSettings(formData: Record<string, any>): interfaces.data.IRemoteIngressPerformanceConfig | undefined {
+    const next: interfaces.data.IRemoteIngressPerformanceConfig = {};
+    const profile = getDropdownKey(formData.profile) as interfaces.data.TRemoteIngressPerformanceProfile | '';
+    if (profile) {
+      next.profile = profile;
+    }
+
+    this.assignPositiveIntegerSetting(next, 'maxStreamsPerEdge', formData.maxStreamsPerEdge, 'Max Connections / Edge');
+    this.assignPositiveIntegerSetting(next, 'clientWriteTimeoutMs', formData.clientWriteTimeoutMs, 'Client Write Timeout');
+    this.assignPositiveIntegerSetting(next, 'firstDataConnectTimeoutMs', formData.firstDataConnectTimeoutMs, 'First Data Timeout');
+
+    const serverFirstPorts = this.parsePortList(formData.serverFirstPorts, 'Server-first Ports');
+    if (serverFirstPorts.length > 0) {
+      if (serverFirstPorts.includes(443)) {
+        throw new Error('Port 443 is client-first TLS and must not be listed as server-first');
+      }
+      next.serverFirstPorts = serverFirstPorts;
+    }
+
+    return Object.keys(next).length > 0 ? next : undefined;
+  }
+
+  private assignPositiveIntegerSetting(
+    target: interfaces.data.IRemoteIngressPerformanceConfig,
+    key: 'maxStreamsPerEdge' | 'clientWriteTimeoutMs' | 'firstDataConnectTimeoutMs',
+    value: any,
+    label: string,
+  ): void {
+    const text = `${value || ''}`.trim();
+    if (!text) {
+      return;
+    }
+    const parsed = Number.parseInt(text, 10);
+    if (!Number.isInteger(parsed) || parsed < 1) {
+      throw new Error(`${label} must be a positive integer`);
+    }
+    target[key] = parsed;
+  }
+
+  private parsePortList(value: any, label: string): number[] {
+    const text = `${value || ''}`.trim();
+    if (!text) {
+      return [];
+    }
+    const ports = text.split(',').map((part) => Number.parseInt(part.trim(), 10));
+    for (const port of ports) {
+      if (!Number.isInteger(port) || port < 1 || port > 65535) {
+        throw new Error(`${label} must contain valid port numbers`);
+      }
+    }
+    return [...new Set(ports)].sort((a, b) => a - b);
+  }
 }
@@ -24,11 +24,176 @@ const tlsCertOptions = [
  { key: 'auto', option: 'Auto (ACME/Let\'s Encrypt)' },
  { key: 'custom', option: 'Custom certificate' },
 ];
+const sourcePolicyPresetOptions = [
+  { key: 'manual', option: 'Manual source policy' },
+  { key: 'gitea', option: 'Gitea bot protection' },
+];
+const giteaSourcePolicyProfileNames = ['TRUSTED NETWORKS', 'AI CRAWLERS', 'PUBLIC'] as const;
+
+function rateLimit(maxRequests: number): interfaces.data.IRouteSecurity['rateLimit'] {
+  return { enabled: true, maxRequests, window: 60, keyBy: 'ip' };
+}

 function getDropdownKey(value: any): string {
  return typeof value === 'string' ? value : value?.key || '';
 }

+function getSourcePolicyRefsFromFormData(formData: Record<string, any>): string[] {
+  const refs: string[] = [];
+  for (let index = 0; index < 4; index++) {
+    const ref = getDropdownKey(formData[`sourcePolicyProfileRef${index}`]);
+    if (ref && !refs.includes(ref)) {
+      refs.push(ref);
+    }
+  }
+  return refs;
+}
+
+function buildSourcePolicyMetadata(
+  profileRefs: string[],
+  existingSourcePolicy?: interfaces.data.IRouteSourcePolicy,
+): interfaces.data.IRouteSourcePolicy {
+  return {
+    bindings: profileRefs.map((sourceProfileRef) => {
+      const existingBinding = existingSourcePolicy?.bindings.find((binding) => binding.sourceProfileRef === sourceProfileRef);
+      return existingBinding
+        ? {
+            ...existingBinding,
+            sourceProfileRef,
+            onExceeded: existingBinding.onExceeded || { type: '429' as const },
+          }
+        : {
+            sourceProfileRef,
+            onExceeded: { type: '429' as const },
+          };
+    }),
+  };
+}
+
+function getGiteaPresetProfileRefs(profiles: interfaces.data.ISourceProfile[]): {
+  refs: string[];
+  missingNames: string[];
+} {
+  const refs: string[] = [];
+  const missingNames: string[] = [];
+  for (const profileName of giteaSourcePolicyProfileNames) {
+    const profile = profiles.find((item) => item.name.trim().toUpperCase() === profileName);
+    if (profile) {
+      refs.push(profile.id);
+    } else {
+      missingNames.push(profileName);
+    }
+  }
+  return { refs, missingNames };
+}
+
+function buildGiteaSourcePolicyMetadata(profileRefs: string[]): interfaces.data.IRouteSourcePolicy {
+  const [trustedRef, aiRef, publicRef] = profileRefs;
+  return {
+    bindings: [
+      {
+        sourceProfileRef: trustedRef,
+        onExceeded: { type: '429' as const },
+      },
+      {
+        sourceProfileRef: aiRef,
+        onExceeded: { type: '429' as const },
+        pathPolicies: [
+          { pathClass: 'git-smart-http', rateLimit: rateLimit(1200) },
+          { pathClass: 'static', rateLimit: rateLimit(240) },
+          { pathClass: 'raw', rateLimit: rateLimit(20) },
+          { pathClass: 'archive', rateLimit: rateLimit(6) },
+          { pathClass: 'expensive-html', rateLimit: rateLimit(6) },
+          { pathClass: 'normal-html', rateLimit: rateLimit(20) },
+        ],
+      },
+      {
+        sourceProfileRef: publicRef,
+        onExceeded: { type: '429' as const },
+        pathPolicies: [
+          { pathClass: 'git-smart-http', rateLimit: rateLimit(1200) },
+          { pathClass: 'static', rateLimit: rateLimit(600) },
+          { pathClass: 'raw', rateLimit: rateLimit(120) },
+          { pathClass: 'archive', rateLimit: rateLimit(30) },
+          { pathClass: 'expensive-html', rateLimit: rateLimit(30) },
+          { pathClass: 'normal-html', rateLimit: rateLimit(120) },
+        ],
+      },
+    ],
+  };
+}
+
+function getGiteaPresetSourcePolicy(profiles: interfaces.data.ISourceProfile[]): interfaces.data.IRouteSourcePolicy | null {
+  const { refs, missingNames } = getGiteaPresetProfileRefs(profiles);
+  if (missingNames.length > 0) {
+    alert(`Gitea source-policy preset needs these seeded profiles: ${missingNames.join(', ')}`);
+    return null;
+  }
+  if (!validateSourcePolicySelection(refs, profiles)) {
+    return null;
+  }
+  return buildGiteaSourcePolicyMetadata(refs);
+}
+
+function metadataUsesPathPolicies(metadata?: interfaces.data.IRouteMetadata): boolean {
+  return Boolean(metadata?.sourcePolicy?.bindings.some((binding) => binding.pathPolicies?.length));
+}
+
+function sourceProfileMatchesAll(profile: interfaces.data.ISourceProfile): boolean {
+  return (profile.security?.ipAllowList || []).some((entry) => {
+    const source = typeof entry === 'string' ? entry : entry.ip;
+    return ['*', '0.0.0.0/0', '::/0'].includes(source.trim());
+  });
+}
+
+function sourceProfileHasSourceMatches(profile: interfaces.data.ISourceProfile): boolean {
+  return (profile.security?.ipAllowList || []).some((entry) => {
+    const source = typeof entry === 'string' ? entry : entry.ip;
+    return source.trim().length > 0;
+  });
+}
+
+function validateSourcePolicySelection(
+  profileRefs: string[],
+  profiles: interfaces.data.ISourceProfile[],
+): boolean {
+  if (profileRefs.length === 0) {
+    return true;
+  }
+
+  const selectedProfiles = profileRefs
+    .map((profileRef) => profiles.find((profile) => profile.id === profileRef))
+    .filter(Boolean) as interfaces.data.ISourceProfile[];
+
+  if (selectedProfiles.length !== profileRefs.length) {
+    alert('One or more selected source profiles could not be found. Refresh profiles and try again.');
+    return false;
+  }
+
+  const profilesWithoutMatches = selectedProfiles.filter((profile) => !sourceProfileHasSourceMatches(profile));
+  if (profilesWithoutMatches.length > 0) {
+    alert(`Source profiles need IP/CIDR match entries before use: ${profilesWithoutMatches.map((profile) => profile.name).join(', ')}`);
+    return false;
+  }
+
+  const fallbackProfile = selectedProfiles[selectedProfiles.length - 1];
+  if (!sourceProfileMatchesAll(fallbackProfile)) {
+    alert('Source policy needs an explicit public/wildcard fallback profile as the last binding. Add a profile with IP Allow List "*".');
+    return false;
+  }
+
+  if (selectedProfiles.slice(0, -1).some((profile) => sourceProfileMatchesAll(profile))) {
+    alert('Wildcard source profiles must be last. Earlier wildcard profiles would shadow all following profiles.');
+    return false;
+  }
+
+  if (fallbackProfile.security?.rateLimit?.enabled !== true) {
+    return confirm(`The fallback profile "${fallbackProfile.name}" has no enabled rate limit. Save anyway?`);
+  }
+
+  return true;
+}
+
 function parseTargetPort(value: any): number | undefined {
  const parsed = typeof value === 'number'
    ? value
@@ -355,6 +520,7 @@ export class OpsViewRoutes extends DeesElement {

    const meta = merged.metadata;
    const isSystemManaged = this.isSystemManagedRoute(merged);
+    const sourcePolicySummary = this.describeSourcePolicy(meta);
    await DeesModal.createAndShow({
      heading: `Route: ${merged.route.name}`,
      content: html`
@@ -364,7 +530,7 @@ export class OpsViewRoutes extends DeesElement {
          ${merged.route.vpnOnly ? html`<p>Access: <strong style="color: #22c55e;">VPN only</strong></p>` : ''}
          <p>ID: <code style="color: #888;">${merged.id}</code></p>
          ${isSystemManaged ? html`<p>This route is system-managed. Change its source config to modify it directly.</p>` : ''}
-          ${meta?.sourceProfileName ? html`<p>Source Profile: <strong style="color: #a78bfa;">${meta.sourceProfileName}</strong></p>` : ''}
+          ${sourcePolicySummary ? html`<p>Source Policy: <strong style="color: #a78bfa;">${sourcePolicySummary}</strong></p>` : ''}
          ${meta?.networkTargetName ? html`<p>Network Target: <strong style="color: #a78bfa;">${meta.networkTargetName}</strong></p>` : ''}
        </div>
      `,
@@ -496,6 +662,8 @@ export class OpsViewRoutes extends DeesElement {
    const currentVpnOnly = route.vpnOnly === true;
    const currentRemoteIngressEnabled = route.remoteIngress?.enabled === true;
    const currentEdgeFilter = route.remoteIngress?.edgeFilter || [];
+    const currentSourcePolicyRefs = this.getSourcePolicyRefs(merged.metadata);
+    const currentSourcePolicyPreset = metadataUsesPathPolicies(merged.metadata) ? 'gitea' : 'manual';

    // Compute current TLS state for pre-population
    const currentTls = (route.action as any).tls;
@@ -516,7 +684,25 @@ export class OpsViewRoutes extends DeesElement {
          <dees-input-text .key=${'ports'} .label=${'Ports'} .description=${'Comma-separated, e.g. 80, 443'} .value=${currentPorts} .required=${true}></dees-input-text>
          <dees-input-list .key=${'domains'} .label=${'Domains'} .placeholder=${'Add domain...'} .value=${currentDomains}></dees-input-list>
          <dees-input-text .key=${'priority'} .label=${'Priority'} .description=${'Higher values are matched first'} .value=${route.priority != null ? String(route.priority) : ''}></dees-input-text>
-          <dees-input-dropdown .key=${'sourceProfileRef'} .label=${'Source Profile'} .options=${profileOptions} .selectedOption=${profileOptions.find((o) => o.key === (merged.metadata?.sourceProfileRef || '')) || null}></dees-input-dropdown>
+          <div class="sourcePolicyGroup" style="display: flex; flex-direction: column; gap: 12px; padding: 12px; border: 1px solid rgba(255,255,255,0.12); border-radius: 8px;">
+            <strong>Source Policy</strong>
+            <small>First matching profile wins. Exceeded limits return 429 and do not fall through.</small>
+            <dees-input-dropdown
+              .key=${'sourcePolicyPreset'}
+              .label=${'Source Policy Preset'}
+              .options=${sourcePolicyPresetOptions}
+              .selectedOption=${sourcePolicyPresetOptions.find((o) => o.key === currentSourcePolicyPreset) || sourcePolicyPresetOptions[0]}
+            ></dees-input-dropdown>
+            <small>Gitea preset uses TRUSTED NETWORKS -> AI CRAWLERS -> PUBLIC and applies path-class limits.</small>
+            ${[0, 1, 2, 3].map((index) => html`
+              <dees-input-dropdown
+                .key=${`sourcePolicyProfileRef${index}`}
+                .label=${`Source Profile ${index + 1}`}
+                .options=${profileOptions}
+                .selectedOption=${profileOptions.find((o) => o.key === (currentSourcePolicyRefs[index] || '')) || profileOptions[0]}
+              ></dees-input-dropdown>
+            `)}
+          </div>
          <dees-input-dropdown .key=${'networkTargetRef'} .label=${'Network Target'} .options=${targetOptions} .selectedOption=${targetOptions.find((o) => o.key === (merged.metadata?.networkTargetRef || '')) || null}></dees-input-dropdown>
          <dees-input-text .key=${'targetHost'} .label=${'Target Host'} .description=${'Used when no network target is selected'} .value=${currentTargetHost}></dees-input-text>
          <dees-input-text .key=${'targetPort'} .label=${'Target Port'} .description=${'Used when no network target is selected'} .value=${currentTargetPort}></dees-input-text>
@@ -557,7 +743,11 @@ export class OpsViewRoutes extends DeesElement {
              : [];
            const priority = formData.priority ? parseInt(formData.priority, 10) : undefined;

-            const profileKey = getDropdownKey(formData.sourceProfileRef);
+            const sourcePolicyPreset = getDropdownKey(formData.sourcePolicyPreset) || 'manual';
+            const sourcePolicyRefs = sourcePolicyPreset === 'gitea'
+              ? []
+              : getSourcePolicyRefsFromFormData(formData);
+            if (sourcePolicyPreset !== 'gitea' && !validateSourcePolicySelection(sourcePolicyRefs, profiles)) return;
            const targetKey = getDropdownKey(formData.networkTargetRef);
            const preserveMatchPort = !targetKey && Boolean(formData.preserveMatchPort);
            const targetPort = preserveMatchPort
@@ -621,9 +811,18 @@ export class OpsViewRoutes extends DeesElement {
            }

            const metadata: any = {};
-            if (profileKey) {
-              metadata.sourceProfileRef = profileKey;
-            } else if (merged.metadata?.sourceProfileRef) {
+            if (sourcePolicyPreset === 'gitea') {
+              const sourcePolicy = getGiteaPresetSourcePolicy(profiles);
+              if (!sourcePolicy) return;
+              metadata.sourcePolicy = sourcePolicy;
+              metadata.sourceProfileRef = '';
+              metadata.sourceProfileName = '';
+            } else if (sourcePolicyRefs.length > 0) {
+              metadata.sourcePolicy = buildSourcePolicyMetadata(sourcePolicyRefs, merged.metadata?.sourcePolicy);
+              metadata.sourceProfileRef = '';
+              metadata.sourceProfileName = '';
+            } else if (merged.metadata?.sourcePolicy || merged.metadata?.sourceProfileRef) {
+              metadata.sourcePolicy = { bindings: [] };
              metadata.sourceProfileRef = '';
              metadata.sourceProfileName = '';
            }
@@ -685,7 +884,25 @@ export class OpsViewRoutes extends DeesElement {
          <dees-input-text .key=${'ports'} .label=${'Ports'} .description=${'Comma-separated, e.g. 80, 443'} .required=${true}></dees-input-text>
          <dees-input-list .key=${'domains'} .label=${'Domains'} .placeholder=${'Add domain...'}></dees-input-list>
          <dees-input-text .key=${'priority'} .label=${'Priority'} .description=${'Higher values are matched first'}></dees-input-text>
-          <dees-input-dropdown .key=${'sourceProfileRef'} .label=${'Source Profile'} .options=${profileOptions}></dees-input-dropdown>
+          <div class="sourcePolicyGroup" style="display: flex; flex-direction: column; gap: 12px; padding: 12px; border: 1px solid rgba(255,255,255,0.12); border-radius: 8px;">
+            <strong>Source Policy</strong>
+            <small>First matching profile wins. Exceeded limits return 429 and do not fall through.</small>
+            <dees-input-dropdown
+              .key=${'sourcePolicyPreset'}
+              .label=${'Source Policy Preset'}
+              .options=${sourcePolicyPresetOptions}
+              .selectedOption=${sourcePolicyPresetOptions[0]}
+            ></dees-input-dropdown>
+            <small>Gitea preset uses TRUSTED NETWORKS -> AI CRAWLERS -> PUBLIC and applies path-class limits.</small>
+            ${[0, 1, 2, 3].map((index) => html`
+              <dees-input-dropdown
+                .key=${`sourcePolicyProfileRef${index}`}
+                .label=${`Source Profile ${index + 1}`}
+                .options=${profileOptions}
+                .selectedOption=${profileOptions[0]}
+              ></dees-input-dropdown>
+            `)}
+          </div>
          <dees-input-dropdown .key=${'networkTargetRef'} .label=${'Network Target'} .options=${targetOptions}></dees-input-dropdown>
          <dees-input-text .key=${'targetHost'} .label=${'Target Host'} .description=${'Used when no network target is selected'} .value=${'localhost'}></dees-input-text>
          <dees-input-text .key=${'targetPort'} .label=${'Target Port'} .description=${'Used when no network target is selected'}></dees-input-text>
@@ -726,7 +943,11 @@ export class OpsViewRoutes extends DeesElement {
              : [];
            const priority = formData.priority ? parseInt(formData.priority, 10) : undefined;

-            const profileKey = getDropdownKey(formData.sourceProfileRef);
+            const sourcePolicyPreset = getDropdownKey(formData.sourcePolicyPreset) || 'manual';
+            const sourcePolicyRefs = sourcePolicyPreset === 'gitea'
+              ? []
+              : getSourcePolicyRefsFromFormData(formData);
+            if (sourcePolicyPreset !== 'gitea' && !validateSourcePolicySelection(sourcePolicyRefs, profiles)) return;
            const targetKey = getDropdownKey(formData.networkTargetRef);
            const preserveMatchPort = !targetKey && Boolean(formData.preserveMatchPort);
            const targetPort = preserveMatchPort
@@ -791,8 +1012,12 @@ export class OpsViewRoutes extends DeesElement {

            // Build metadata if profile/target selected
            const metadata: any = {};
-            if (profileKey) {
-              metadata.sourceProfileRef = profileKey;
+            if (sourcePolicyPreset === 'gitea') {
+              const sourcePolicy = getGiteaPresetSourcePolicy(profiles);
+              if (!sourcePolicy) return;
+              metadata.sourcePolicy = sourcePolicy;
+            } else if (sourcePolicyRefs.length > 0) {
+              metadata.sourcePolicy = buildSourcePolicyMetadata(sourcePolicyRefs);
            }
            if (targetKey) {
              metadata.networkTargetRef = targetKey;
@@ -823,6 +1048,28 @@ export class OpsViewRoutes extends DeesElement {
    appstate.routeManagementStatePart.dispatchAction(appstate.fetchMergedRoutesAction, null);
  }

+  private getSourcePolicyRefs(metadata?: interfaces.data.IRouteMetadata): string[] {
+    const policyRefs = metadata?.sourcePolicy?.bindings
+      ?.map((binding) => binding.sourceProfileRef)
+      .filter(Boolean) || [];
+    if (policyRefs.length > 0) {
+      return policyRefs;
+    }
+    return metadata?.sourceProfileRef ? [metadata.sourceProfileRef] : [];
+  }
+
+  private describeSourcePolicy(metadata?: interfaces.data.IRouteMetadata): string {
+    const refs = this.getSourcePolicyRefs(metadata);
+    if (refs.length === 0) {
+      return '';
+    }
+    return refs.map((ref) => {
+      const binding = metadata?.sourcePolicy?.bindings?.find((item) => item.sourceProfileRef === ref);
+      const profile = this.profilesTargetsState.profiles.find((item) => item.id === ref);
+      return binding?.sourceProfileName || profile?.name || ref.slice(0, 8);
+    }).join(' → ');
+  }
+
  private findMergedRoute(clickedRoute: { id?: string; name?: string }): interfaces.data.IMergedRoute | undefined {
    if (clickedRoute.id) {
      const routeById = this.routeState.mergedRoutes.find((mr) => mr.id === clickedRoute.id);
@@ -12,6 +12,33 @@ import * as interfaces from '../../../dist_ts_interfaces/index.js';
 import { viewHostCss } from '../shared/css.js';
 import { type IStatsTile } from '@design.estate/dees-catalog';

+function parseOptionalPositiveInteger(value: unknown): number | undefined {
+  const parsed = typeof value === 'number'
+    ? value
+    : typeof value === 'string'
+      ? parseInt(value.trim(), 10)
+      : Number.NaN;
+  return Number.isInteger(parsed) && parsed > 0 ? parsed : undefined;
+}
+
+function buildRateLimitFromFormData(data: Record<string, any>) {
+  if (!Boolean(data.rateLimitEnabled)) {
+    return undefined;
+  }
+  const maxRequests = parseOptionalPositiveInteger(data.rateLimitMaxRequests);
+  const window = parseOptionalPositiveInteger(data.rateLimitWindow);
+  if (!maxRequests || !window) {
+    alert('Rate limit requires positive Max Requests and Window values.');
+    return null;
+  }
+  return {
+    enabled: true,
+    maxRequests,
+    window,
+    keyBy: 'ip' as const,
+  };
+}
+
 declare global {
  interface HTMLElementTagNameMap {
    'ops-view-sourceprofiles': OpsViewSourceProfiles;
@@ -138,6 +165,9 @@ export class OpsViewSourceProfiles extends DeesElement {
          <dees-input-list .key=${'ipAllowList'} .label=${'IP Allow List'} .placeholder=${'Add IP or CIDR...'}></dees-input-list>
          <dees-input-list .key=${'ipBlockList'} .label=${'IP Block List'} .placeholder=${'Add IP or CIDR...'}></dees-input-list>
          <dees-input-text .key=${'maxConnections'} .label=${'Max Connections'}></dees-input-text>
+          <dees-input-checkbox .key=${'rateLimitEnabled'} .label=${'Enable Rate Limit'} .description=${'Per source IP. Exceeded requests receive 429.'} .value=${false}></dees-input-checkbox>
+          <dees-input-text .key=${'rateLimitMaxRequests'} .label=${'Max Requests'} .description=${'Requests per source IP'}></dees-input-text>
+          <dees-input-text .key=${'rateLimitWindow'} .label=${'Window Seconds'}></dees-input-text>
        </dees-form>
      `,
      menuOptions: [
@@ -150,8 +180,9 @@ export class OpsViewSourceProfiles extends DeesElement {
            const data = await form.collectFormData();
            const ipAllowList: string[] = Array.isArray(data.ipAllowList) ? data.ipAllowList : [];
            const ipBlockList: string[] = Array.isArray(data.ipBlockList) ? data.ipBlockList : [];
-            const parsed = data.maxConnections ? parseInt(String(data.maxConnections), 10) : NaN;
-            const maxConnections = Number.isNaN(parsed) ? undefined : parsed;
+            const maxConnections = parseOptionalPositiveInteger(data.maxConnections);
+            const rateLimit = buildRateLimitFromFormData(data);
+            if (rateLimit === null) return;

            await appstate.profilesTargetsStatePart.dispatchAction(appstate.createProfileAction, {
              name: String(data.name),
@@ -160,6 +191,7 @@ export class OpsViewSourceProfiles extends DeesElement {
                ...(ipAllowList.length > 0 ? { ipAllowList } : {}),
                ...(ipBlockList.length > 0 ? { ipBlockList } : {}),
                ...(maxConnections ? { maxConnections } : {}),
+                ...(rateLimit ? { rateLimit } : {}),
              },
            });
            modalArg.destroy();
@@ -180,6 +212,9 @@ export class OpsViewSourceProfiles extends DeesElement {
          <dees-input-list .key=${'ipAllowList'} .label=${'IP Allow List'} .placeholder=${'Add IP or CIDR...'} .value=${profile.security?.ipAllowList || []}></dees-input-list>
          <dees-input-list .key=${'ipBlockList'} .label=${'IP Block List'} .placeholder=${'Add IP or CIDR...'} .value=${profile.security?.ipBlockList || []}></dees-input-list>
          <dees-input-text .key=${'maxConnections'} .label=${'Max Connections'} .value=${String(profile.security?.maxConnections || '')}></dees-input-text>
+          <dees-input-checkbox .key=${'rateLimitEnabled'} .label=${'Enable Rate Limit'} .description=${'Per source IP. Exceeded requests receive 429.'} .value=${profile.security?.rateLimit?.enabled === true}></dees-input-checkbox>
+          <dees-input-text .key=${'rateLimitMaxRequests'} .label=${'Max Requests'} .description=${'Requests per source IP'} .value=${String(profile.security?.rateLimit?.maxRequests || '')}></dees-input-text>
+          <dees-input-text .key=${'rateLimitWindow'} .label=${'Window Seconds'} .value=${String(profile.security?.rateLimit?.window || '')}></dees-input-text>
        </dees-form>
      `,
      menuOptions: [
@@ -192,8 +227,9 @@ export class OpsViewSourceProfiles extends DeesElement {
            const data = await form.collectFormData();
            const ipAllowList: string[] = Array.isArray(data.ipAllowList) ? data.ipAllowList : [];
            const ipBlockList: string[] = Array.isArray(data.ipBlockList) ? data.ipBlockList : [];
-            const parsed = data.maxConnections ? parseInt(String(data.maxConnections), 10) : NaN;
-            const maxConnections = Number.isNaN(parsed) ? undefined : parsed;
+            const maxConnections = parseOptionalPositiveInteger(data.maxConnections);
+            const rateLimit = buildRateLimitFromFormData(data);
+            if (rateLimit === null) return;

            await appstate.profilesTargetsStatePart.dispatchAction(appstate.updateProfileAction, {
              id: profile.id,
@@ -203,6 +239,7 @@ export class OpsViewSourceProfiles extends DeesElement {
                ipAllowList,
                ipBlockList,
                ...(maxConnections ? { maxConnections } : {}),
+                ...(rateLimit ? { rateLimit } : {}),
              },
            });
            modalArg.destroy();
@@ -304,6 +304,16 @@ export class OpsViewConfig extends DeesElement {
      { key: 'Connected Edge IPs', value: ri.connectedEdgeIps?.length > 0 ? ri.connectedEdgeIps : null, type: 'pills' },
    ];

+    if (ri.performance) {
+      fields.push(
+        { key: 'Performance Profile', value: ri.performance.profile || null, type: 'badge' },
+        { key: 'Max Connections / Edge', value: ri.performance.maxStreamsPerEdge ?? null },
+        { key: 'Client Write Timeout', value: ri.performance.clientWriteTimeoutMs ? `${ri.performance.clientWriteTimeoutMs} ms` : null },
+        { key: 'First Data Timeout', value: ri.performance.firstDataConnectTimeoutMs ? `${ri.performance.firstDataConnectTimeoutMs} ms` : null },
+        { key: 'Server-first Ports', value: ri.performance.serverFirstPorts?.length ? ri.performance.serverFirstPorts.map(String) : null, type: 'pills' },
+      );
+    }
+
    const actions: IConfigSectionAction[] = [
      { label: 'View Remote Ingress', icon: 'lucide:arrow-right', event: 'navigate', detail: { view: 'network', subview: 'remoteingress' } },
    ];
Author	SHA1	Message	Date
jkunz	b55d2ac61d	v13.42.2 Docker (tags) / release (push) Failing after 1s Details Release / build-and-release (push) Successful in 7m1s Details	2026-06-02 14:11:18 +00:00
jkunz	c88e8e1758	fix(dev-deps): bump @git.zone/tsdocker to ^2.4.1	2026-06-02 14:10:49 +00:00
jkunz	6ee716e4ef	v13.42.1 Docker (tags) / release (push) Failing after 1s Details Release / build-and-release (push) Successful in 6m6s Details	2026-06-02 12:48:16 +00:00
jkunz	1d4ed9af2c	fix(deps): bump @serve.zone/remoteingress to ^4.22.5	2026-06-02 12:47:53 +00:00
jkunz	d2331fdcbe	v13.42.0 Docker (tags) / release (push) Failing after 1s Details Release / build-and-release (push) Successful in 7m27s Details	2026-06-02 00:29:38 +00:00
jkunz	0e7765c740	feat(source-policy): add ordered route source policies with Gitea preset support	2026-06-02 00:29:13 +00:00
jkunz	1a381df937	v13.41.2 Docker (tags) / release (push) Failing after 1s Details Release / build-and-release (push) Successful in 5m57s Details	2026-06-01 14:49:38 +00:00
jkunz	38e2f3cee1	fix(deps): update smartproxy and remoteingress	2026-06-01 14:38:34 +00:00
jkunz	4a47460bf1	v13.41.1 Docker (tags) / release (push) Failing after 1s Details Release / build-and-release (push) Successful in 6m50s Details	2026-05-31 21:06:24 +00:00
jkunz	3679cba3a4	fix(smartacme): prevent SmartAcme startup from blocking router startup	2026-05-31 21:05:34 +00:00
jkunz	3dc0371f7e	v13.41.0 Docker (tags) / release (push) Failing after 1s Details Release / build-and-release (push) Successful in 7m5s Details	2026-05-31 19:42:51 +00:00
jkunz	b212662764	feat(remoteingress): add RemoteIngress hub settings management	2026-05-31 19:42:17 +00:00
jkunz	776c65a18c	v13.40.3 Docker (tags) / release (push) Failing after 1s Details Release / build-and-release (push) Successful in 7m44s Details	2026-05-31 16:23:56 +00:00
jkunz	5f6ec63770	fix(deps): bump smartproxy and remoteingress dependencies	2026-05-31 16:23:48 +00:00
jkunz	1b4cc0567f	v13.40.2 Docker (tags) / release (push) Failing after 1s Details Release / build-and-release (push) Successful in 7m0s Details	2026-05-31 15:26:43 +00:00
jkunz	22de50b544	fix(routes): ensure source profiles fully own route security	2026-05-31 15:26:18 +00:00
jkunz	2e3bead40c	v13.40.1 Docker (tags) / release (push) Failing after 1s Details Release / build-and-release (push) Failing after 19m10s Details	2026-05-31 11:50:08 +00:00
jkunz	85065b05c8	fix(deps): update smartproxy, remoteingress, and tsdeno dependencies	2026-05-31 11:49:25 +00:00
jkunz	7f7a26fb38	v13.40.0 Docker (tags) / release (push) Failing after 1s Details Release / build-and-release (push) Failing after 8m31s Details	2026-05-30 19:57:32 +00:00
jkunz	a089b681c4	feat(monitoring-opsserver-radius): use active connection snapshots for proxy metrics and RADIUS network secrets	2026-05-30 19:57:09 +00:00
jkunz	3e71301bf5	v13.39.0 Docker (tags) / release (push) Failing after 1s Details Release / build-and-release (push) Successful in 7m54s Details	2026-05-30 18:09:42 +00:00
jkunz	58cc8c0753	feat(remoteingress,radius): add remote ingress performance overrides and update RADIUS integration	2026-05-30 18:09:18 +00:00
jkunz	e279814803	v13.38.4 Docker (tags) / release (push) Failing after 1s Details Release / build-and-release (push) Successful in 7m11s Details	2026-05-30 15:05:32 +00:00
jkunz	6bee2eb172	fix(deps): bump @serve.zone/remoteingress to ^4.22.1	2026-05-30 15:05:16 +00:00
jkunz	db8ea99e88	v13.38.3 Docker (tags) / release (push) Failing after 1s Details Release / build-and-release (push) Successful in 7m19s Details	2026-05-30 13:19:15 +00:00
jkunz	98ccf82af0	fix(deps): update @serve.zone/remoteingress to ^4.22.0	2026-05-30 13:18:48 +00:00
jkunz	0f99525612	v13.38.2 Docker (tags) / release (push) Failing after 16m7s Details Release / build-and-release (push) Failing after 14m45s Details	2026-05-30 11:40:28 +00:00
jkunz	8e707d9c4d	fix(deps): bump @serve.zone/remoteingress to ^4.21.1	2026-05-30 11:40:00 +00:00
jkunz	418c825b01	v13.38.1 Docker (tags) / release (push) Failing after 1s Details Release / build-and-release (push) Successful in 8m58s Details	2026-05-30 10:35:31 +00:00
jkunz	75f29af27f	fix(deps): update @serve.zone/remoteingress to ^4.21.0	2026-05-30 10:35:02 +00:00
jkunz	4467fe629a	fix(deps): bump @serve.zone/remoteingress to ^4.21.0	2026-05-30 10:31:37 +00:00
jkunz	1912feffe5	v13.38.0 Docker (tags) / release (push) Failing after 1s Details Release / build-and-release (push) Successful in 7m45s Details	2026-05-29 17:57:08 +00:00
jkunz	9077b3dad6	feat(dns): support explicit DNS bind interface configuration	2026-05-29 17:56:33 +00:00
jkunz	d09ac51c5b	v13.37.2 Docker (tags) / release (push) Failing after 1s Details Release / build-and-release (push) Successful in 7m10s Details	2026-05-29 15:21:54 +00:00
jkunz	9d7975721d	fix(packaging): exclude assets from compiled and published artifacts	2026-05-29 15:21:22 +00:00
jkunz	667d62b456	v13.37.1 Docker (tags) / release (push) Failing after 1s Details Release / build-and-release (push) Failing after 4m28s Details	2026-05-29 14:52:42 +00:00
jkunz	90b1ca8de3	fix(release): configure pnpm registry for release workflow	2026-05-29 14:45:22 +00:00
jkunz	17d824d718	v13.37.0 Docker (tags) / release (push) Failing after 1s Details Release / build-and-release (push) Failing after 20s Details	2026-05-29 14:05:26 +00:00
jkunz	06a8636aee	feat(distribution): add binary installer	2026-05-29 13:58:05 +00:00
jkunz	4bf08c1fc3	fix(distribution): sync Deno binary import map	2026-05-29 10:43:12 +00:00
jkunz	7e721c54d0	feat(distribution): add CLI binary distribution and improve DNS challenge handling	2026-05-29 10:38:54 +00:00
jkunz	e6aa5a1dd2	v13.36.3 Docker (tags) / release (push) Failing after 1s Details	2026-05-29 08:42:32 +00:00
jkunz	bbe18e1413	fix(deps): bump smartproxy to keep idle WebSocket tunnels on dedicated lifecycle timeouts	2026-05-29 08:42:14 +00:00
jkunz	e2a10bdc3c	v13.36.2 Docker (tags) / release (push) Failing after 1s Details	2026-05-29 04:00:16 +00:00
jkunz	42a5f6df7b	fix(dns): preserve parallel ACME TXT challenges and mixed-case DNS queries	2026-05-29 03:59:59 +00:00