v13.40.3

.gitea/workflows/release.yml

@@ -30,6 +30,9 @@ jobs:
       - name: Enable corepack
         run: corepack enable
 
+      - name: Configure pnpm registry
+        run: pnpm config set registry https://verdaccio.lossless.digital/
+
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
 

changelog.md

@@ -4,6 +4,119 @@
 
 
 
+
+
+
+
+
+
+
+
+
+
+
+
+## 2026-05-31 - 13.40.3
+
+### Fixes
+
+- bump smartproxy and remoteingress dependencies (deps)
+  - Bumped @push.rocks/smartproxy from ^27.12.1 to ^27.12.2
+  - Bumped @serve.zone/remoteingress from ^4.22.2 to ^4.22.3
+  - Updated dependency versions in both package.json and deno.json
+
+## 2026-05-31 - 13.40.2
+
+### Fixes
+
+- ensure source profiles fully own route security (routes)
+  - Resolve profile-backed routes by cloning source profile security instead of merging inline route overrides
+  - Clear stale route security when a source profile reference is removed without explicit replacement security
+  - Add a migration to rematerialize persisted profile-backed route security
+
+## 2026-05-31 - 13.40.1
+
+### Fixes
+
+- update smartproxy, remoteingress, and tsdeno dependencies (deps)
+  - Bump @push.rocks/smartproxy to ^27.12.1 in Deno imports
+  - Bump @serve.zone/remoteingress to ^4.22.2 in package and Deno configuration
+  - Bump @git.zone/tsdeno to ^1.5.0
+
+## 2026-05-30 - 13.40.0
+
+### Features
+
+- use active connection snapshots for proxy metrics and RADIUS network secrets (monitoring-opsserver-radius)
+  - Add cached SmartProxy active connection snapshots for connection info and network statistics.
+  - Report ops security active connections from per-connection snapshots with protocol, state, and byte counters.
+  - Configure RADIUS clients through smartradius network secrets, including CIDR ranges, and forward additional RADIUS attributes.
+  - Bump smartproxy to ^27.12.1 and smartradius to ^1.3.0.
+
+## 2026-05-30 - 13.39.0
+
+### Features
+
+- add remote ingress performance overrides and update RADIUS integration (remoteingress,radius)
+  - Persist and propagate optional remote ingress performance overrides through remote ingress create/update APIs, database documents, and hub allowed-edge sync.
+  - Add web UI controls and status display for per-edge maximum connection overrides.
+  - Extend remote ingress performance interfaces with stream payload, timeout, and server-first port settings.
+  - Update RADIUS server integration for smartradius 1.2 request/response handling and client secret resolution, including CIDR matching.
+
+## 2026-05-30 - 13.38.4
+
+### Fixes
+
+- bump @serve.zone/remoteingress to ^4.22.1 (deps)
+  - Updated @serve.zone/remoteingress in package.json and deno.json.
+
+## 2026-05-30 - 13.38.3
+
+### Fixes
+
+- update @serve.zone/remoteingress to ^4.22.0 (deps)
+  - Updated @serve.zone/remoteingress from ^4.21.1 to ^4.22.0 in package.json and deno.json.
+
+## 2026-05-30 - 13.38.2
+
+### Fixes
+
+- bump @serve.zone/remoteingress to ^4.21.1 (deps)
+  - Updated @serve.zone/remoteingress in package.json and deno.json from ^4.21.0 to ^4.21.1.
+
+## 2026-05-30 - 13.38.1
+
+### Fixes
+
+- bump @serve.zone/remoteingress to ^4.21.0 (deps)
+  - Updates @serve.zone/remoteingress from ^4.18.0 to ^4.21.0.
+- update @serve.zone/remoteingress to ^4.21.0 (deps)
+  - Updates the Deno import mapping for @serve.zone/remoteingress from ^4.18.0 to ^4.21.0.
+
+## 2026-05-29 - 13.38.0
+
+### Features
+
+- support explicit DNS bind interface configuration (dns)
+  - Add a dnsBindInterface option to override the embedded DNS UDP bind address.
+  - Read DCROUTER_DNS_BIND_INTERFACE from OCI container configuration and document it in CLI help.
+  - Add test coverage for explicit DNS bind interface handling in OCI config.
+
+## 2026-05-29 - 13.37.2
+
+### Fixes
+
+- exclude assets from compiled and published artifacts (packaging)
+  - Removed assets from the Deno compile include list.
+  - Removed assets from the npm package files list.
+
+## 2026-05-29 - 13.37.1
+
+### Fixes
+
+- configure pnpm registry for release workflow (release)
+  - Sets the pnpm registry before dependency installation so release builds resolve packages from the configured registry.
+
 ## 2026-05-29 - 13.37.0
 
 ### Features

deno.json

@@ -1,11 +1,10 @@
 {
   "name": "@serve.zone/dcrouter",
-  "version": "13.37.0",
+  "version": "13.40.3",
   "exports": "./binary/dcrouter.ts",
   "compile": {
     "include": [
-      "dist_serve",
-      "assets"
+      "dist_serve"
     ]
   },
   "imports": {
@@ -32,7 +31,7 @@
     "@push.rocks/smartnetwork": "npm:@push.rocks/smartnetwork@^4.7.2",
     "@push.rocks/smartpath": "npm:@push.rocks/smartpath@^6.0.0",
     "@push.rocks/smartpromise": "npm:@push.rocks/smartpromise@^4.2.4",
-    "@push.rocks/smartproxy": "npm:@push.rocks/smartproxy@^27.11.1",
+    "@push.rocks/smartproxy": "npm:@push.rocks/smartproxy@^27.12.2",
     "@push.rocks/smartradius": "npm:@push.rocks/smartradius@^1.1.2",
     "@push.rocks/smartrequest": "npm:@push.rocks/smartrequest@^5.0.3",
     "@push.rocks/smartrx": "npm:@push.rocks/smartrx@^3.0.10",
@@ -41,7 +40,7 @@
     "@push.rocks/smartvpn": "npm:@push.rocks/smartvpn@1.20.0",
     "@push.rocks/taskbuffer": "npm:@push.rocks/taskbuffer@^8.0.2",
     "@serve.zone/interfaces": "npm:@serve.zone/interfaces@^5.8.0",
-    "@serve.zone/remoteingress": "npm:@serve.zone/remoteingress@^4.18.0",
+    "@serve.zone/remoteingress": "npm:@serve.zone/remoteingress@^4.22.3",
     "@tsclass/tsclass": "npm:@tsclass/tsclass@^9.5.1",
     "lru-cache": "npm:lru-cache@^11.4.0",
     "qrcode": "npm:qrcode@^1.5.4",

package.json

@@ -1,7 +1,7 @@
 {
   "name": "@serve.zone/dcrouter",
   "private": false,
-  "version": "13.37.0",
+  "version": "13.40.3",
   "description": "A multifaceted routing service handling mail and SMS delivery functions.",
   "type": "module",
   "bin": {
@@ -29,7 +29,7 @@
     "@git.zone/tsbuild": "^4.4.2",
     "@git.zone/tsbundle": "^2.10.4",
     "@git.zone/tsdocker": "^2.4.0",
-    "@git.zone/tsdeno": "^1.4.0",
+    "@git.zone/tsdeno": "^1.5.0",
     "@git.zone/tsrun": "^2.0.4",
     "@git.zone/tstest": "^3.6.6",
     "@git.zone/tswatch": "^3.3.5",
@@ -61,8 +61,8 @@
     "@push.rocks/smartnetwork": "^4.7.2",
     "@push.rocks/smartpath": "^6.0.0",
     "@push.rocks/smartpromise": "^4.2.4",
-    "@push.rocks/smartproxy": "^27.11.1",
-    "@push.rocks/smartradius": "^1.1.2",
+    "@push.rocks/smartproxy": "^27.12.2",
+    "@push.rocks/smartradius": "^1.3.0",
     "@push.rocks/smartrequest": "^5.0.3",
     "@push.rocks/smartrx": "^3.0.10",
     "@push.rocks/smartstate": "^2.3.1",
@@ -71,7 +71,7 @@
     "@push.rocks/taskbuffer": "^8.0.2",
     "@serve.zone/catalog": "^2.12.4",
     "@serve.zone/interfaces": "^5.8.0",
-    "@serve.zone/remoteingress": "^4.18.0",
+    "@serve.zone/remoteingress": "^4.22.3",
     "@tsclass/tsclass": "^9.5.1",
     "@types/qrcode": "^1.5.6",
     "lru-cache": "^11.4.0",
@@ -114,7 +114,6 @@
     "dist_ts/**/*",
     "dist_ts_web/**/*",
     "dist_ts_apiclient/**/*",
-    "assets/**/*",
     "cli.js",
     "cli.ts.js",
     "cli.child.js",

pnpm-lock.yaml

@@ -76,7 +76,7 @@ importers:
         version: 5.3.3
       '@push.rocks/smartnetwork':
         specifier: ^4.7.2
-        version: 4.7.2
+        version: 4.7.3
       '@push.rocks/smartpath':
         specifier: ^6.0.0
         version: 6.0.0
@@ -84,11 +84,11 @@ importers:
         specifier: ^4.2.4
         version: 4.2.4
       '@push.rocks/smartproxy':
-        specifier: ^27.11.1
-        version: 27.11.1
+        specifier: ^27.12.2
+        version: 27.12.2
       '@push.rocks/smartradius':
-        specifier: ^1.1.2
-        version: 1.1.2
+        specifier: ^1.3.0
+        version: 1.3.0
       '@push.rocks/smartrequest':
         specifier: ^5.0.3
         version: 5.0.3
@@ -114,8 +114,8 @@ importers:
         specifier: ^5.8.0
         version: 5.8.0
       '@serve.zone/remoteingress':
-        specifier: ^4.18.0
-        version: 4.18.0
+        specifier: ^4.22.3
+        version: 4.22.3
       '@tsclass/tsclass':
         specifier: ^9.5.1
         version: 9.5.1
@@ -139,8 +139,8 @@ importers:
         specifier: ^2.10.4
         version: 2.10.4
       '@git.zone/tsdeno':
-        specifier: ^1.4.0
-        version: 1.4.0
+        specifier: ^1.5.0
+        version: 1.5.0
       '@git.zone/tsdocker':
         specifier: ^2.4.0
         version: 2.4.0
@@ -729,8 +729,8 @@ packages:
     resolution: {integrity: sha512-/xWOGrnuMaJ/Xo/EasaF9N3N9w1J9LDywZaRTa0UTtzbEtfJP7F2NJ9l4tWCwS+vTKpnqApX7ZueRh1h5MrwPQ==}
     hasBin: true
 
-  '@git.zone/tsdeno@1.4.0':
-    resolution: {integrity: sha512-84kFa/uKPTlzeLxtHoFxefk6O9khsWWQ2PCWNbCNYIUqWHUvN9COpGq0GXWtsoxLWPhTTIeHsOX4+O55uT2MPw==}
+  '@git.zone/tsdeno@1.5.0':
+    resolution: {integrity: sha512-OdGPhnBz6v92OkKKWyswpyGman3m3FOXin+9WRzEBvvwyLAAkc2mKUGViPAIxYkrak4GiglzqjTkSyReDU0QOw==}
     hasBin: true
 
   '@git.zone/tsdocker@2.4.0':
@@ -1402,8 +1402,8 @@ packages:
   '@push.rocks/smartmustache@3.0.2':
     resolution: {integrity: sha512-G3LyRXoJhyM+iQhkvP/MR/2WYMvC9U7zc2J44JxUM5tPdkQ+o3++FbfRtnZj6rz5X/A7q03//vsxPitVQwoi2Q==}
 
-  '@push.rocks/smartnetwork@4.7.2':
-    resolution: {integrity: sha512-OwT8kwQeEO+E3RuCyCfgQEBz+FyydUVaTBivZzzVchdJCUDgoDkXSnRkbIuGoHd1BfRFkUg9DQlSzt0uDfsIbw==}
+  '@push.rocks/smartnetwork@4.7.3':
+    resolution: {integrity: sha512-ecv8aSGbcHUDkE0IJ+/0mRpgQv1fSjQAgcTe1qgBNY1Lk8lQTTaNjpG7g21EdK23seyShewejtGKOcK5o7Rh6A==}
 
   '@push.rocks/smartnftables@1.2.0':
     resolution: {integrity: sha512-VTRHnxHrJj9VOq2MaCOqxiA4JLGRnzEaZ7kXxA7v3ljX+Y2wWK9VYpwKKBEbjgjoTpQyOf+I0gEG9wkR/jtUvQ==}
@@ -1429,14 +1429,14 @@ packages:
   '@push.rocks/smartpromise@4.2.4':
     resolution: {integrity: sha512-8FUyYt94hOIY9mqHjitn4h69u0jbEtTF2RKKw2DpiTVFjpDTk9gXbVHZ/V+xEcBrN4mrzdQES0OiDmkNPoddEQ==}
 
-  '@push.rocks/smartproxy@27.11.1':
-    resolution: {integrity: sha512-29THhFUTr9NtU1/UBqqOgcbsHcUMHj7Dhh2XfXp6NP/rfDGUFiFFmCNcAdC3OJ0n6BgwTBOtOzo+4rJbrGJRpw==}
+  '@push.rocks/smartproxy@27.12.2':
+    resolution: {integrity: sha512-q97n/UAhfvyds6MhTUAhV5OC7x3Eaot+IN25hW6StyvrxR/odg3/g2UDAJmHoD5X0tKwIhouFd/b8Nwx0p94cg==}
 
   '@push.rocks/smartpuppeteer@2.0.6':
     resolution: {integrity: sha512-G+8cyDERvbXQcb9Sd8lnYdWYz8b3Mv2LfFf1ULmucDqQhcRHvxrWX/dKsvBZrwKPR4Wg+795Dyd+E1iOOh3tHw==}
 
-  '@push.rocks/smartradius@1.1.2':
-    resolution: {integrity: sha512-p4fHhMgXZRuyRuMQjFQLVnXBG1Fz2latJ7BGAsfInOuVUaitBr/Wni9mZULAuIIddeWwUx9QvIGlv3tgmFn/ow==}
+  '@push.rocks/smartradius@1.3.0':
+    resolution: {integrity: sha512-97BQhVT5gdDTNfb8LZiqaPddTMlx5Eqpsj7jTBQ2kj4tYpK0YWRiKkpBxxEXTjsIsq7iTxHeNTwc8kMZj+yU3g==}
 
   '@push.rocks/smartrequest@2.1.0':
     resolution: {integrity: sha512-3eHLTRInHA+u+W98TqJwgTES7rRimBAsJC4JxVNQC3UUezmblAhM5/TIQsEBQTsbjAY8SeQKy6NHzW6iTiaD8w==}
@@ -1719,8 +1719,9 @@ packages:
   '@serve.zone/interfaces@5.8.0':
     resolution: {integrity: sha512-0ekSKUL/b44wmmzuCRANzrjaJRAHtkqiL8cPiMASEs7UJBDqbJCrgtrlJK84pz5dxBz3jTcdznNd5qjB8c6H0A==}
 
-  '@serve.zone/remoteingress@4.18.0':
-    resolution: {integrity: sha512-/cW9wb/e57u9+715RzV5d8HCezWtR88LcpistTNSl7GACi5ai+C2tPy7ZQprnnrNhqjfgzWiAH4bKZafwONntg==}
+  '@serve.zone/remoteingress@4.22.3':
+    resolution: {integrity: sha512-VUI2VTMHVjju92FXjPe0EQ7op2EyqCr+JQIIGkjxnvqE9aAV9ZtaNzI7y4WwltYNo9rfaa/Bdd8+2EKUYYCD6g==}
+    hasBin: true
 
   '@smithy/chunked-blob-reader-native@4.2.3':
     resolution: {integrity: sha512-jA5k5Udn7Y5717L86h4EIv06wIr3xn8GM1qHRi/Nf31annXcXHJjBKvgztnbn2TxH3xWrPBfgwHsOwZf0UmQWw==}
@@ -5250,7 +5251,7 @@ snapshots:
       - supports-color
       - vue
 
-  '@git.zone/tsdeno@1.4.0':
+  '@git.zone/tsdeno@1.5.0':
     dependencies:
       '@push.rocks/early': 4.0.4
       '@push.rocks/smartcli': 4.0.21
@@ -5326,7 +5327,7 @@ snapshots:
       '@push.rocks/smartjson': 6.0.1
       '@push.rocks/smartlog': 3.2.2
       '@push.rocks/smartmongo': 7.0.0(socks@2.8.8)
-      '@push.rocks/smartnetwork': 4.7.2
+      '@push.rocks/smartnetwork': 4.7.3
       '@push.rocks/smartpath': 6.0.0
       '@push.rocks/smartpromise': 4.2.4
       '@push.rocks/smartrequest': 5.0.3
@@ -6135,7 +6136,7 @@ snapshots:
       '@push.rocks/smartdelay': 3.1.0
       '@push.rocks/smartdns': 7.9.3
       '@push.rocks/smartlog': 3.2.2
-      '@push.rocks/smartnetwork': 4.7.2
+      '@push.rocks/smartnetwork': 4.7.3
       '@push.rocks/smartstring': 4.1.1
       '@push.rocks/smarttime': 4.2.3
       '@push.rocks/smartunique': 3.0.9
@@ -6611,7 +6612,7 @@ snapshots:
     dependencies:
       handlebars: 4.7.9
 
-  '@push.rocks/smartnetwork@4.7.2':
+  '@push.rocks/smartnetwork@4.7.3':
     dependencies:
       '@push.rocks/smartdns': 7.9.3
       '@push.rocks/smartrust': 1.4.0
@@ -6674,7 +6675,7 @@ snapshots:
       '@push.rocks/smartdelay': 3.1.0
       '@push.rocks/smartfs': 1.5.1
       '@push.rocks/smartjimp': 1.2.1
-      '@push.rocks/smartnetwork': 4.7.2
+      '@push.rocks/smartnetwork': 4.7.3
       '@push.rocks/smartpath': 6.0.0
       '@push.rocks/smartpromise': 4.2.4
       '@push.rocks/smartpuppeteer': 2.0.6(typescript@6.0.3)
@@ -6695,7 +6696,7 @@ snapshots:
 
   '@push.rocks/smartpromise@4.2.4': {}
 
-  '@push.rocks/smartproxy@27.11.1':
+  '@push.rocks/smartproxy@27.12.2':
     dependencies:
       '@push.rocks/smartcrypto': 2.0.4
       '@push.rocks/smartlog': 3.2.2
@@ -6719,7 +6720,7 @@ snapshots:
       - typescript
       - utf-8-validate
 
-  '@push.rocks/smartradius@1.1.2':
+  '@push.rocks/smartradius@1.3.0':
     dependencies:
       '@push.rocks/smartdelay': 3.1.0
       '@push.rocks/smartpromise': 4.2.4
@@ -7084,7 +7085,7 @@ snapshots:
       '@push.rocks/smartlog-interfaces': 3.0.2
       '@tsclass/tsclass': 9.5.1
 
-  '@serve.zone/remoteingress@4.18.0':
+  '@serve.zone/remoteingress@4.22.3':
     dependencies:
       '@push.rocks/qenv': 6.1.4
       '@push.rocks/smartnftables': 1.2.0

test/test.metricsmanager.route-keys.node.ts

@@ -14,6 +14,38 @@ const emptyProtocolDistribution = {
   otherTotal: 0,
 };
 
+function createActiveConnectionSnapshots(entries: Array<{
+  count: number;
+  sourceIp?: string;
+  routeId?: string;
+  domain?: string;
+  localPort?: number;
+}>) {
+  const snapshots: any[] = [];
+  let index = 0;
+  for (const entry of entries) {
+    for (let i = 0; i < entry.count; i++) {
+      snapshots.push({
+        id: `test-connection-${index++}`,
+        sourceIp: entry.sourceIp || '192.0.2.10',
+        sourcePort: 40000 + index,
+        localPort: entry.localPort || 443,
+        domain: entry.domain,
+        routeId: entry.routeId,
+        targetHost: '127.0.0.1',
+        targetPort: 8443,
+        protocol: 'https',
+        state: 'active',
+        startedAtMs: Date.now(),
+        ageMs: 0,
+        bytesIn: 0,
+        bytesOut: 0,
+      });
+    }
+  }
+  return snapshots;
+}
+
 function createProxyMetrics(args: {
   connectionsByRoute: Map<string, number>;
   throughputByRoute: Map<string, { in: number; out: number }>;
@@ -90,6 +122,10 @@ tap.test('MetricsManager joins domain activity to id-keyed route metrics', async
 
   const smartProxy = {
     getMetrics: () => proxyMetrics,
+    getActiveConnectionSnapshots: () => createActiveConnectionSnapshots([
+      { count: 3, routeId: 'route-id-only', domain: 'alpha.example.com' },
+      { count: 1, routeId: 'route-id-only', domain: 'beta.example.com' },
+    ]),
     routeManager: {
       getRoutes: () => [
         {
@@ -150,6 +186,9 @@ tap.test('MetricsManager prefers live domain request rates for current activity'
 
   const smartProxy = {
     getMetrics: () => proxyMetrics,
+    getActiveConnectionSnapshots: () => createActiveConnectionSnapshots([
+      { count: 10, routeId: 'route-id-only', domain: 'beta.example.com' },
+    ]),
     routeManager: {
       getRoutes: () => [
         {
@@ -231,6 +270,7 @@ tap.test('MetricsManager does not duplicate backend active counts onto protocol
 
   const smartProxy = {
     getMetrics: () => proxyMetrics,
+    getActiveConnectionSnapshots: () => [],
     routeManager: {
       getRoutes: () => [],
     },
@@ -265,6 +305,10 @@ tap.test('MetricsManager queues IP intelligence without awaiting enrichment', as
   const manager = new MetricsManager({
     smartProxy: {
       getMetrics: () => proxyMetrics,
+      getActiveConnectionSnapshots: () => createActiveConnectionSnapshots([
+        { count: 4, sourceIp: '8.8.8.8' },
+        { count: 2, sourceIp: '1.1.1.1' },
+      ]),
       routeManager: { getRoutes: () => [] },
     },
     securityPolicyManager: {
@@ -300,6 +344,11 @@ tap.test('MetricsManager aggregates top ASNs from IP intelligence', async () =>
   const manager = new MetricsManager({
     smartProxy: {
       getMetrics: () => proxyMetrics,
+      getActiveConnectionSnapshots: () => createActiveConnectionSnapshots([
+        { count: 4, sourceIp: '8.8.8.8' },
+        { count: 3, sourceIp: '8.8.4.4' },
+        { count: 5, sourceIp: '1.1.1.1' },
+      ]),
       routeManager: { getRoutes: () => [] },
     },
     securityPolicyManager: {

test/test.migrations.node.ts

@@ -12,13 +12,77 @@ function setPath(target: Record<string, any>, path: string, value: unknown): voi
   cursor[parts[parts.length - 1]] = value;
 }
 
+function getPath(target: Record<string, any>, path: string): unknown {
+  let cursor: any = target;
+  for (const part of path.split('.')) {
+    if (cursor === null || cursor === undefined) return undefined;
+    cursor = cursor[part];
+  }
+  return cursor;
+}
+
 function applySet(document: Record<string, any>, set: Record<string, unknown>): void {
   for (const [key, value] of Object.entries(set)) {
     setPath(document, key, value);
   }
 }
 
-function createFakeDb(currentVersion: string) {
+function matchesQuery(document: Record<string, any>, query: Record<string, any>): boolean {
+  for (const [key, expected] of Object.entries(query)) {
+    const actual = getPath(document, key);
+    if (expected && typeof expected === 'object' && !Array.isArray(expected)) {
+      if ('$exists' in expected) {
+        const exists = actual !== undefined;
+        if (exists !== Boolean(expected.$exists)) return false;
+        continue;
+      }
+      if ('$type' in expected) {
+        if (expected.$type === 'string' && typeof actual !== 'string') return false;
+        continue;
+      }
+      if ('$in' in expected) {
+        if (!Array.isArray(expected.$in) || !expected.$in.includes(actual)) return false;
+        continue;
+      }
+    }
+    if (actual !== expected) return false;
+  }
+  return true;
+}
+
+function createFakeCollection(documents: Array<Record<string, any>> = []) {
+  return {
+    find: (query: Record<string, any> = {}) => ({
+      async *[Symbol.asyncIterator]() {
+        for (const document of documents) {
+          if (matchesQuery(document, query)) {
+            yield structuredClone(document);
+          }
+        }
+      },
+    }),
+    updateMany: async (query: Record<string, any>, update: any) => {
+      let modifiedCount = 0;
+      for (const document of documents) {
+        if (!matchesQuery(document, query)) continue;
+        applySet(document, update.$set || {});
+        modifiedCount++;
+      }
+      return { modifiedCount };
+    },
+    updateOne: async (query: Record<string, any>, update: any) => {
+      const document = documents.find((candidate) => matchesQuery(candidate, query));
+      if (!document) return { matchedCount: 0, modifiedCount: 0, upsertedCount: 0 };
+      applySet(document, update.$set || {});
+      return { matchedCount: 1, modifiedCount: 1, upsertedCount: 0 };
+    },
+  };
+}
+
+function createFakeDb(
+  currentVersion: string,
+  collections: Record<string, Array<Record<string, any>>> = {},
+) {
   const ledgerDocument = {
     nameId: 'smartmigration:smartmigration',
     data: {
@@ -29,12 +93,10 @@ function createFakeDb(currentVersion: string) {
     },
   };
 
-  const emptyCollection = {
-    find: () => ({
-      async *[Symbol.asyncIterator]() {},
-    }),
-    updateMany: async () => ({ modifiedCount: 0 }),
-  };
+  const fakeCollections = new Map(
+    Object.entries(collections).map(([name, documents]) => [name, createFakeCollection(documents)]),
+  );
+  const emptyCollection = createFakeCollection();
 
   const ledgerCollection = {
     createIndex: async () => undefined,
@@ -52,18 +114,69 @@ function createFakeDb(currentVersion: string) {
   return {
     mongoDb: {
       collection: (name: string) =>
-        name === 'SmartdataEasyStore' ? ledgerCollection : emptyCollection,
+        name === 'SmartdataEasyStore'
+          ? ledgerCollection
+          : fakeCollections.get(name) || emptyCollection,
     },
   };
 }
 
-tap.test('migration runner bridges old package-version targets without real schema steps', async () => {
-  const runner = await createMigrationRunner(createFakeDb('13.16.0'), '13.31.0');
+tap.test('migration runner applies schema steps through the current target', async () => {
+  const runner = await createMigrationRunner(createFakeDb('13.16.0'), '13.40.2');
   const result = await runner.run();
 
   expect(result.currentVersionBefore).toEqual('13.16.0');
-  expect(result.currentVersionAfter).toEqual('13.31.0');
+  expect(result.currentVersionAfter).toEqual('13.40.2');
   expect(result.stepsApplied).toHaveLength(3);
 });
 
+tap.test('migration runner rematerializes source-profile-backed route security', async () => {
+  const profiles: Array<Record<string, any>> = [
+    {
+      _id: 'profile-doc-1',
+      id: 'standard-profile',
+      name: 'Standard',
+      security: {
+        ipAllowList: ['192.168.*', '127.0.0.1'],
+        maxConnections: 1000,
+      },
+    },
+  ];
+  const routes: Array<Record<string, any>> = [
+    {
+      _id: 'route-doc-1',
+      id: 'route-1',
+      route: {
+        name: 'Public service domains',
+        match: { ports: 443, domains: ['code.foss.global'] },
+        action: { type: 'forward', targets: [{ host: '192.168.5.247', port: 443 }] },
+        security: {
+          ipAllowList: ['192.168.*', '*'],
+          maxConnections: 1000,
+        },
+      },
+      metadata: {
+        sourceProfileRef: 'standard-profile',
+        sourceProfileName: 'Standard',
+      },
+      updatedAt: 1,
+    },
+  ];
+
+  const runner = await createMigrationRunner(
+    createFakeDb('13.40.1', {
+      SourceProfileDoc: profiles,
+      RouteDoc: routes,
+    }),
+    '13.40.2',
+  );
+  const result = await runner.run();
+
+  expect(result.stepsApplied).toHaveLength(1);
+  expect(routes[0].route.security.ipAllowList.includes('*')).toBeFalse();
+  expect(routes[0].route.security.ipAllowList).toContain('192.168.*');
+  expect(routes[0].route.security.maxConnections).toEqual(1000);
+  expect(routes[0].metadata.lastResolvedAt).toBeTruthy();
+});
+
 export default tap.start();

test/test.oci-config.node.ts

@@ -0,0 +1,20 @@
+import { expect, tap } from '@git.zone/tstest/tapbundle';
+import { getOciContainerConfig } from '../ts_oci_container/index.js';
+
+tap.test('OCI config should accept explicit DNS bind interface', async () => {
+  const previousValue = process.env.DCROUTER_DNS_BIND_INTERFACE;
+  process.env.DCROUTER_DNS_BIND_INTERFACE = '192.168.190.3';
+
+  try {
+    const config = getOciContainerConfig();
+    expect(config.dnsBindInterface).toEqual('192.168.190.3');
+  } finally {
+    if (previousValue === undefined) {
+      delete process.env.DCROUTER_DNS_BIND_INTERFACE;
+    } else {
+      process.env.DCROUTER_DNS_BIND_INTERFACE = previousValue;
+    }
+  }
+});
+
+export default tap.start();

test/test.reference-resolver.ts

@@ -91,7 +91,7 @@ tap.test('should resolve source profile onto a route', async () => {
   expect(result.metadata.lastResolvedAt).toBeTruthy();
 });
 
-tap.test('should merge inline route security with profile security', async () => {
+tap.test('should replace inline route security when source profile is selected', async () => {
   const route = makeRoute({
     security: {
       ipAllowList: ['127.0.0.1'],
@@ -102,13 +102,26 @@ tap.test('should merge inline route security with profile security', async () =>
 
   const result = resolver.resolveRoute(route, metadata);
 
-  // IP lists are unioned
   expect(result.route.security!.ipAllowList).toContain('192.168.0.0/16');
   expect(result.route.security!.ipAllowList).toContain('10.0.0.0/8');
-  expect(result.route.security!.ipAllowList).toContain('127.0.0.1');
+  expect(result.route.security!.ipAllowList!.includes('127.0.0.1')).toBeFalse();
+  expect(result.route.security!.maxConnections).toEqual(1000);
+});
 
-  // Inline maxConnections overrides profile
-  expect(result.route.security!.maxConnections).toEqual(5000);
+tap.test('should remove stale wildcard security from a profile-backed route', async () => {
+  const route = makeRoute({
+    security: {
+      ipAllowList: ['*'],
+      maxConnections: 5000,
+    },
+  });
+  const metadata: IRouteMetadata = { sourceProfileRef: 'profile-1' };
+
+  const result = resolver.resolveRoute(route, metadata);
+
+  expect(result.route.security!.ipAllowList!.includes('*')).toBeFalse();
+  expect(result.route.security!.ipAllowList).toContain('192.168.0.0/16');
+  expect(result.route.security!.maxConnections).toEqual(1000);
 });
 
 tap.test('should deduplicate IP lists during merge', async () => {

ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@serve.zone/dcrouter',
-  version: '13.37.0',
+  version: '13.40.3',
   description: 'A multifaceted routing service handling mail and SMS delivery functions.'
 }

ts/classes.dcrouter.ts

@@ -93,6 +93,9 @@ export interface IDcRouterOptions {
    * Email domains with `internal-dns` mode must be included here
    */
   dnsScopes?: string[];
+
+  /** Explicit UDP bind address for the embedded DNS server. Defaults to auto-detection. */
+  dnsBindInterface?: string;
   
   /**
    * IPs of proxies that forward traffic to your server (optional)
@@ -1875,16 +1878,21 @@ export class DcRouter {
     logger.log('info', `Setting up DNS server with primary nameserver: ${primaryNameserver}`);
     
     // Get VM IP address for UDP binding
-    const networkInterfaces = plugins.os.networkInterfaces();
-    let vmIpAddress = '0.0.0.0'; // Default to all interfaces
-    
-    // Try to find the VM's internal IP address
-    for (const [_name, interfaces] of Object.entries(networkInterfaces)) {
-      if (interfaces) {
-        for (const iface of interfaces) {
-          if (!iface.internal && iface.family === 'IPv4') {
-            vmIpAddress = iface.address;
-            break;
+    const networkInterfaces = plugins.os.networkInterfaces() as Record<
+      string,
+      Array<{ internal: boolean; family: string; address: string }> | undefined
+    >;
+    let vmIpAddress = this.options.dnsBindInterface || '0.0.0.0'; // Default to all interfaces
+
+    // Try to find the VM's internal IP address when no explicit bind address is configured.
+    if (!this.options.dnsBindInterface) {
+      interfaceLoop: for (const [_name, interfaces] of Object.entries(networkInterfaces)) {
+        if (interfaces) {
+          for (const iface of interfaces) {
+            if (!iface.internal && iface.family === 'IPv4') {
+              vmIpAddress = iface.address;
+              break interfaceLoop;
+            }
           }
         }
       }

ts/config/classes.reference-resolver.ts

@@ -281,6 +281,7 @@ export class ReferenceResolver {
   /**
    * Resolve references for a single route.
    * Materializes source profile and/or network target into the route's fields.
+   * When a source profile is selected, it owns the route security fully.
    * Returns the resolved route and updated metadata.
    */
   public resolveRoute(
@@ -293,10 +294,9 @@ export class ReferenceResolver {
       const resolvedSecurity = this.resolveSourceProfile(resolvedMetadata.sourceProfileRef);
       if (resolvedSecurity) {
         const profile = this.profiles.get(resolvedMetadata.sourceProfileRef);
-        // Merge: profile provides base, route's inline values override
         route = {
           ...route,
-          security: this.mergeSecurityFields(resolvedSecurity, route.security),
+          security: this.cloneSecurityFields(resolvedSecurity),
         };
         resolvedMetadata.sourceProfileName = profile?.name;
         resolvedMetadata.lastResolvedAt = Date.now();
@@ -445,10 +445,15 @@ export class ReferenceResolver {
     if (override.authentication !== undefined) merged.authentication = override.authentication;
     if (override.basicAuth !== undefined) merged.basicAuth = override.basicAuth;
     if (override.jwtAuth !== undefined) merged.jwtAuth = override.jwtAuth;
+    if (override.vpn !== undefined) merged.vpn = override.vpn;
 
     return merged;
   }
 
+  private cloneSecurityFields(security: IRouteSecurity): IRouteSecurity {
+    return structuredClone(security);
+  }
+
   // =========================================================================
   // Private: persistence
   // =========================================================================

ts/config/classes.route-config-manager.ts

@@ -175,6 +175,8 @@ export class RouteConfigManager {
       return { success: false, message: 'Route not found' };
     }
 
+    const previousSourceProfileRef = stored.metadata?.sourceProfileRef;
+
     const isToggleOnlyPatch = patch.enabled !== undefined
       && patch.route === undefined
       && patch.metadata === undefined;
@@ -216,6 +218,13 @@ export class RouteConfigManager {
         ...stored.metadata,
         ...patch.metadata,
       });
+      if (
+        previousSourceProfileRef
+        && !stored.metadata?.sourceProfileRef
+        && !patch.route?.security
+      ) {
+        delete stored.route.security;
+      }
     }
 
     // Re-resolve if metadata refs exist and resolver is available

ts/db/documents/classes.remote-ingress-edge.doc.ts

@@ -1,5 +1,6 @@
 import * as plugins from '../../plugins.js';
 import { DcRouterDb } from '../classes.dcrouter-db.js';
+import type { IRemoteIngressPerformanceConfig } from '../../../ts_interfaces/data/remoteingress.js';
 
 const getDb = () => DcRouterDb.getInstance().getDb();
 
@@ -27,6 +28,9 @@ export class RemoteIngressEdgeDoc extends plugins.smartdata.SmartDataDbDoc<Remot
   @plugins.smartdata.svDb()
   public autoDerivePorts!: boolean;
 
+  @plugins.smartdata.svDb()
+  public performance?: IRemoteIngressPerformanceConfig;
+
   @plugins.smartdata.svDb()
   public tags!: string[];
 

ts/http3/http3-route-augmentation.ts

@@ -1,4 +1,4 @@
-import type * as plugins from '../plugins.js';
+import * as plugins from '../plugins.js';
 
 /**
  * Configuration for HTTP/3 (QUIC) route augmentation.
@@ -36,22 +36,6 @@ export interface IHttp3Config {
   };
 }
 
-type TPortRange = plugins.smartproxy.IRouteConfig['match']['ports'];
-
-/**
- * Check whether a TPortRange includes port 443.
- */
-function portRangeIncludes443(ports: TPortRange): boolean {
-  if (typeof ports === 'number') return ports === 443;
-  if (Array.isArray(ports)) {
-    return ports.some((p) => {
-      if (typeof p === 'number') return p === 443;
-      return p.from <= 443 && p.to >= 443;
-    });
-  }
-  return false;
-}
-
 /**
  * Check if a route name indicates an email route that should not get HTTP/3.
  */
@@ -85,7 +69,7 @@ export function routeQualifiesForHttp3(
   if (route.action.type !== 'forward') return false;
 
   // Must include port 443
-  if (!portRangeIncludes443(route.match.ports)) return false;
+  if (!plugins.smartproxy.portRangeIncludes(route.match.ports, 443)) return false;
 
   // Must have TLS
   if (!route.action.tls) return false;

ts/index.ts

@@ -36,6 +36,7 @@ Usage:
 
 Environment:
   DCROUTER_MODE=OCI_CONTAINER   Start with OCI container configuration
+  DCROUTER_DNS_BIND_INTERFACE   Override the embedded DNS UDP bind address
   DATA_DIR=<path>               Override the writable dcrouter data directory
 `);
     return;

ts/monitoring/classes.metricsmanager.ts

@@ -143,8 +143,9 @@ export class MetricsManager {
   public async getServerStats() {
     return this.metricsCache.get('serverStats', async () => {
       const smartMetricsData = await this.smartMetrics.getMetrics();
-      const proxyMetrics = this.dcRouter.smartProxy ? this.dcRouter.smartProxy.getMetrics() : null;
-      const proxyStats = this.dcRouter.smartProxy ? await this.dcRouter.smartProxy.getStatistics() : null;
+      const smartProxy = this.dcRouter.smartProxy;
+      const proxyMetrics = smartProxy ? smartProxy.getMetrics() : null;
+      const proxyStats = smartProxy ? await smartProxy.getStatistics() : null;
       const { heapUsed, heapTotal, external, rss } = process.memoryUsage();
 
       return {
@@ -291,27 +292,44 @@ export class MetricsManager {
     });
   }
   
+  public async getActiveConnectionSnapshots(
+    options: plugins.smartproxy.IActiveConnectionSnapshotOptions = {},
+  ): Promise<plugins.smartproxy.IActiveConnectionSnapshot[]> {
+    const cacheKey = `activeConnectionSnapshots:${options.limit ?? 1000}:${options.routeId ?? ''}`;
+    return await this.metricsCache.get<plugins.smartproxy.IActiveConnectionSnapshot[]>(cacheKey, async () => {
+      if (!this.dcRouter.smartProxy) {
+        return [];
+      }
+      return this.dcRouter.smartProxy.getActiveConnectionSnapshots(options);
+    }, 500);
+  }
+
   // Get connection info from SmartProxy
   public async getConnectionInfo() {
-    return this.metricsCache.get('connectionInfo', () => {
-      const proxyMetrics = this.dcRouter.smartProxy ? this.dcRouter.smartProxy.getMetrics() : null;
-      
-      if (!proxyMetrics) {
-        return [] as Array<{ type: string; count: number; source: string; lastActivity: Date }>;
+    return this.metricsCache.get('connectionInfo', async () => {
+      const snapshots = await this.getActiveConnectionSnapshots({ limit: 10000 });
+      const connectionsByRoute = new Map<string, { count: number; lastActivity: Date }>();
+
+      for (const snapshot of snapshots) {
+        const source = snapshot.routeId || snapshot.domain || `${snapshot.protocol || 'connection'}:${snapshot.localPort}`;
+        const existing = connectionsByRoute.get(source) || { count: 0, lastActivity: new Date(snapshot.startedAtMs) };
+        existing.count++;
+        if (snapshot.startedAtMs > existing.lastActivity.getTime()) {
+          existing.lastActivity = new Date(snapshot.startedAtMs);
+        }
+        connectionsByRoute.set(source, existing);
       }
 
-      const connectionsByRoute = proxyMetrics.connections.byRoute();
       const connectionInfo: Array<{ type: string; count: number; source: string; lastActivity: Date }> = [];
-      
-      for (const [routeName, count] of connectionsByRoute) {
+      for (const [source, info] of connectionsByRoute) {
         connectionInfo.push({
           type: 'https',
-          count,
-          source: routeName,
-          lastActivity: new Date(),
+          count: info.count,
+          source,
+          lastActivity: info.lastActivity,
         });
       }
-      
+
       return connectionInfo;
     });
   }
@@ -547,7 +565,8 @@ export class MetricsManager {
   public async getNetworkStats() {
     // Use shorter cache TTL for network stats to ensure real-time updates
     return this.metricsCache.get('networkStats', async () => {
-      const proxyMetrics = this.dcRouter.smartProxy ? this.dcRouter.smartProxy.getMetrics() : null;
+      const smartProxy = this.dcRouter.smartProxy;
+      const proxyMetrics = smartProxy ? smartProxy.getMetrics() : null;
 
       if (!proxyMetrics) {
         return {
@@ -568,8 +587,22 @@ export class MetricsManager {
         };
       }
 
-      // Get metrics using the new API
-      const connectionsByIP = proxyMetrics.connections.byIP();
+      const activeConnectionSnapshots = await this.getActiveConnectionSnapshots({ limit: 10000 });
+
+      const connectionsByIP = new Map<string, number>();
+      const connectionsByRoute = new Map<string, number>();
+      const activeConnectionsByDomain = new Map<string, number>();
+
+      for (const snapshot of activeConnectionSnapshots) {
+        connectionsByIP.set(snapshot.sourceIp, (connectionsByIP.get(snapshot.sourceIp) || 0) + 1);
+        if (snapshot.routeId) {
+          connectionsByRoute.set(snapshot.routeId, (connectionsByRoute.get(snapshot.routeId) || 0) + 1);
+        }
+        if (snapshot.domain) {
+          activeConnectionsByDomain.set(snapshot.domain, (activeConnectionsByDomain.get(snapshot.domain) || 0) + 1);
+        }
+      }
+
       const instantThroughput = proxyMetrics.throughput.instant();
 
       // Get throughput rate
@@ -578,8 +611,11 @@ export class MetricsManager {
         bytesOutPerSecond: instantThroughput.out
       };
 
-      // Get top IPs by connection count
-      const topIPs = proxyMetrics.connections.topIPs(10);
+      // Get top IPs by active connection count
+      const topIPs = Array.from(connectionsByIP.entries())
+        .sort((a, b) => b[1] - a[1])
+        .slice(0, 10)
+        .map(([ip, count]) => ({ ip, count }));
 
       // Get total data transferred
       const totalDataTransferred = {
@@ -738,7 +774,6 @@ export class MetricsManager {
       const topASNs = await this.buildTopASNs(observedIps, allIPData);
 
       // Build domain activity using per-IP domain request counts from Rust engine
-      const connectionsByRoute = proxyMetrics.connections.byRoute();
       const throughputByRoute = proxyMetrics.throughput.byRoute();
 
       // Aggregate per-IP domain request counts into per-domain totals
@@ -773,6 +808,9 @@ export class MetricsManager {
       for (const entry of protocolCache) {
         if (entry.domain) allKnownDomains.add(entry.domain);
       }
+      for (const snapshot of activeConnectionSnapshots) {
+        if (snapshot.domain) allKnownDomains.add(snapshot.domain);
+      }
 
       // Build reverse map: concrete domain → canonical route key(s)
       const domainToRoutes = new Map<string, string[]>();
@@ -844,7 +882,7 @@ export class MetricsManager {
         }
 
         domainAgg.set(domain, {
-          activeConnections: Math.round(totalConns),
+          activeConnections: activeConnectionsByDomain.get(domain) ?? Math.round(totalConns),
           bytesInPerSec: totalIn,
           bytesOutPerSec: totalOut,
           routeCount: routeKeys.length,

ts/opsserver/handlers/remoteingress.handler.ts

@@ -67,6 +67,7 @@ export class RemoteIngressHandler {
             dataArg.listenPorts || [],
             dataArg.tags,
             dataArg.autoDerivePorts ?? true,
+            dataArg.performance,
           );
 
           // Sync allowed edges with the hub
@@ -129,6 +130,7 @@ export class RemoteIngressHandler {
             listenPorts: dataArg.listenPorts,
             autoDerivePorts: dataArg.autoDerivePorts,
             enabled: dataArg.enabled,
+            performance: dataArg.performance,
             tags: dataArg.tags,
           });
 

ts/opsserver/handlers/security.handler.ts

@@ -1,7 +1,6 @@
 import * as plugins from '../../plugins.js';
 import type { OpsServer } from '../classes.opsserver.js';
 import * as interfaces from '../../../ts_interfaces/index.js';
-import { MetricsManager } from '../../monitoring/index.js';
 import { requireOpsAuth } from '../helpers/auth.js';
 
 export class SecurityHandler {
@@ -46,18 +45,7 @@ export class SecurityHandler {
         'getActiveConnections',
         async (dataArg, toolsArg) => {
           await requireOpsAuth(this.opsServerRef, dataArg, { scope: 'stats:read' });
-          const connections = await this.getActiveConnections(dataArg.protocol, dataArg.state);
-          const connectionInfos: interfaces.data.IConnectionInfo[] = connections.map(conn => ({
-            id: conn.id,
-            remoteAddress: conn.source.ip,
-            localAddress: conn.destination.ip,
-            startTime: conn.startTime,
-            protocol: conn.type === 'http' ? 'https' : conn.type as any,
-            state: conn.status === 'active' ? 'connected' : conn.status as any,
-            bytesReceived: (conn as any)._throughputIn || 0,
-            bytesSent: (conn as any)._throughputOut || 0,
-            connectionCount: conn.bytesTransferred || 1,
-          }));
+          const connectionInfos = await this.getActiveConnections(dataArg.protocol, dataArg.state);
           const totalConnections = connectionInfos.reduce((sum, conn) => sum + (conn.connectionCount || 1), 0);
           
           const summary = {
@@ -362,106 +350,66 @@ export class SecurityHandler {
   private async getActiveConnections(
     protocol?: 'http' | 'https' | 'smtp' | 'smtps',
     state?: string
-  ): Promise<Array<{
-    id: string;
-    type: 'http' | 'smtp' | 'dns';
-    source: {
-      ip: string;
-      port: number;
-      country?: string;
-    };
-    destination: {
-      ip: string;
-      port: number;
-      service?: string;
-    };
-    startTime: number;
-    bytesTransferred: number;
-    status: 'active' | 'idle' | 'closing';
-  }>> {
-    const connections: Array<{
-      id: string;
-      type: 'http' | 'smtp' | 'dns';
-      source: {
-        ip: string;
-        port: number;
-        country?: string;
-      };
-      destination: {
-        ip: string;
-        port: number;
-        service?: string;
-      };
-      startTime: number;
-      bytesTransferred: number;
-      status: 'active' | 'idle' | 'closing';
-    }> = [];
-    
-    // Get connection info and network stats from MetricsManager if available
-    if (this.opsServerRef.dcRouterRef.metricsManager) {
-      const connectionInfo = await this.opsServerRef.dcRouterRef.metricsManager.getConnectionInfo();
-      const networkStats = await this.opsServerRef.dcRouterRef.metricsManager.getNetworkStats();
-      
-      // One aggregate row per IP with real throughput data
-      if (networkStats.connectionsByIP && networkStats.connectionsByIP.size > 0) {
-        let connIndex = 0;
-        const publicIp = this.opsServerRef.dcRouterRef.options.publicIp || 'server';
+  ): Promise<interfaces.data.IConnectionInfo[]> {
+    const metricsManager = this.opsServerRef.dcRouterRef.metricsManager;
+    if (!metricsManager) {
+      return [];
+    }
 
-        for (const [ip, count] of networkStats.connectionsByIP) {
-          const tp = networkStats.throughputByIP?.get(ip);
-          connections.push({
-            id: `ip-${connIndex++}`,
-            type: 'http',
-            source: {
-              ip: ip,
-              port: 0,
-            },
-            destination: {
-              ip: publicIp,
-              port: 443,
-              service: 'proxy',
-            },
-            startTime: 0,
-            bytesTransferred: count, // Store connection count here
-            status: 'active',
-            // Attach real throughput for the handler mapping
-            ...(tp ? { _throughputIn: tp.in, _throughputOut: tp.out } : {}),
-          } as any);
-        }
-      } else if (connectionInfo.length > 0) {
-        // Fallback to route-based connection info if no IP data available
-        connectionInfo.forEach((info, index) => {
-          connections.push({
-            id: `conn-${index}`,
-            type: 'http',
-            source: {
-              ip: 'unknown',
-              port: 0,
-            },
-            destination: {
-              ip: this.opsServerRef.dcRouterRef.options.publicIp || 'server',
-              port: 443,
-              service: info.source,
-            },
-            startTime: info.lastActivity.getTime(),
-            bytesTransferred: 0,
-            status: 'active',
-          });
-        });
+    const snapshots = await metricsManager.getActiveConnectionSnapshots({ limit: 10000 });
+    const connections = snapshots.map((snapshot): interfaces.data.IConnectionInfo => ({
+      id: String(snapshot.id),
+      remoteAddress: snapshot.sourcePort === null
+        ? snapshot.sourceIp
+        : `${snapshot.sourceIp}:${snapshot.sourcePort}`,
+      localAddress: snapshot.targetHost
+        ? `${snapshot.targetHost}:${snapshot.targetPort ?? snapshot.localPort}`
+        : `${this.opsServerRef.dcRouterRef.options.publicIp || 'server'}:${snapshot.localPort}`,
+      startTime: snapshot.startedAtMs,
+      protocol: this.mapSnapshotProtocol(snapshot),
+      state: this.mapSnapshotState(snapshot.state),
+      bytesReceived: snapshot.bytesIn,
+      bytesSent: snapshot.bytesOut,
+    }));
+
+    return connections.filter((connection) => {
+      if (protocol && connection.protocol !== protocol) {
+        return false;
       }
+      if (state && connection.state !== state) {
+        return false;
+      }
+      return true;
+    });
+  }
+
+  private mapSnapshotProtocol(
+    snapshot: plugins.smartproxy.IActiveConnectionSnapshot,
+  ): interfaces.data.IConnectionInfo['protocol'] {
+    if (snapshot.localPort === 465) {
+      return 'smtps';
     }
-    
-    // Filter by protocol if specified
-    if (protocol) {
-      return connections.filter(conn => {
-        if (protocol === 'https' || protocol === 'http') {
-          return conn.type === 'http';
-        }
-        return conn.type === protocol.replace('s', ''); // smtp/smtps -> smtp
-      });
+    if ([25, 587, 2525].includes(snapshot.localPort)) {
+      return 'smtp';
     }
-    
-    return connections;
+
+    switch (snapshot.protocol) {
+      case 'http':
+        return 'http';
+      case 'https':
+      case 'tls':
+      case 'tls-passthrough':
+      case 'tls-reencrypt':
+      case 'tls-socket-handler':
+      case 'quic':
+        return 'https';
+      default:
+        return snapshot.localPort === 80 ? 'http' : 'https';
+    }
+  }
+
+  private mapSnapshotState(state: string): interfaces.data.IConnectionInfo['state'] {
+    return state === 'closing' ? 'closing' : 'connected';
   }
   
   private async getRateLimitStatus(

ts/radius/classes.radius.server.ts

@@ -91,7 +91,6 @@ export class RadiusServer {
   private vlanManager: VlanManager;
   private accountingManager: AccountingManager;
   private config: IRadiusServerConfig;
-  private clientSecrets: Map<string, string> = new Map();
   private running: boolean = false;
 
   // Statistics
@@ -138,24 +137,18 @@ export class RadiusServer {
       await this.vlanManager.importMappings(this.config.vlanAssignment.mappings);
     }
 
-    // Build client secrets map
-    this.buildClientSecretsMap();
+    const cidrSecrets = this.buildClientSecretsMap();
 
     // Create the RADIUS server
     this.radiusServer = new plugins.smartradius.RadiusServer({
       authPort: this.config.authPort,
       acctPort: this.config.acctPort,
       bindAddress: this.config.bindAddress,
-      defaultSecret: this.getDefaultSecret(),
+      cidrSecrets,
       authenticationHandler: this.handleAuthentication.bind(this),
       accountingHandler: this.handleAccounting.bind(this),
     });
 
-    // Configure per-client secrets
-    for (const [ip, secret] of this.clientSecrets) {
-      this.radiusServer.setClientSecret(ip, secret);
-    }
-
     // Start the server
     await this.radiusServer.start();
 
@@ -189,19 +182,22 @@ export class RadiusServer {
   /**
    * Handle authentication request
    */
-  private async handleAuthentication(request: any): Promise<any> {
+  private async handleAuthentication(
+    request: plugins.smartradius.IAuthenticationRequest,
+  ): Promise<plugins.smartradius.IAuthenticationResponse> {
     this.stats.authRequests++;
 
     const authData: IAuthRequestData = {
-      username: request.attributes?.UserName || '',
-      password: request.attributes?.UserPassword,
-      nasIpAddress: request.attributes?.NasIpAddress || request.source?.address || '',
-      nasPort: request.attributes?.NasPort,
-      nasPortType: request.attributes?.NasPortType,
-      nasIdentifier: request.attributes?.NasIdentifier,
-      calledStationId: request.attributes?.CalledStationId,
-      callingStationId: request.attributes?.CallingStationId,
-      serviceType: request.attributes?.ServiceType,
+      username: request.username || '',
+      password: request.password,
+      nasIpAddress: request.nasIpAddress || request.clientAddress || '',
+      nasPort: request.nasPort,
+      nasPortType: request.nasPortType !== undefined ? String(request.nasPortType) : undefined,
+      nasIdentifier: request.nasIdentifier,
+      calledStationId: request.calledStationId,
+      callingStationId: request.callingStationId,
+      serviceType: request.serviceType !== undefined ? String(request.serviceType) : undefined,
+      framedMtu: request.framedMtu,
     };
 
     logger.log('debug', `RADIUS Auth Request: user=${authData.username}, NAS=${authData.nasIpAddress}`);
@@ -215,15 +211,15 @@ export class RadiusServer {
       logger.log('info', `RADIUS Auth Accept: user=${authData.username}, VLAN=${result.vlanId}`);
 
       // Build response with VLAN attributes
-      const response: any = {
+      const response: plugins.smartradius.IAuthenticationResponse = {
         code: plugins.smartradius.ERadiusCode.AccessAccept,
         replyMessage: result.replyMessage,
       };
 
       // Add VLAN attributes if assigned
       if (result.vlanId !== undefined) {
-        response.tunnelType = 13; // VLAN
-        response.tunnelMediumType = 6; // IEEE 802
+        response.tunnelType = plugins.smartradius.ETunnelType.Vlan;
+        response.tunnelMediumType = plugins.smartradius.ETunnelMediumType.Ieee802;
         response.tunnelPrivateGroupId = String(result.vlanId);
       }
 
@@ -257,34 +253,37 @@ export class RadiusServer {
   /**
    * Handle accounting request
    */
-  private async handleAccounting(request: any): Promise<any> {
+  private async handleAccounting(
+    request: plugins.smartradius.IAccountingRequest,
+  ): Promise<plugins.smartradius.IAccountingResponse> {
     this.stats.accountingRequests++;
 
     if (!this.config.accounting?.enabled) {
       // Still respond even if not tracking
-      return { code: plugins.smartradius.ERadiusCode.AccountingResponse };
+      return { success: true };
     }
 
-    const statusType = request.attributes?.AcctStatusType;
-    const sessionId = request.attributes?.AcctSessionId || '';
+    const statusType = request.statusType;
+    const sessionId = request.sessionId || '';
 
     const accountingData = {
       sessionId,
-      username: request.attributes?.UserName || '',
-      macAddress: request.attributes?.CallingStationId,
-      nasIpAddress: request.attributes?.NasIpAddress || request.source?.address || '',
-      nasPort: request.attributes?.NasPort,
-      nasPortType: request.attributes?.NasPortType,
-      nasIdentifier: request.attributes?.NasIdentifier,
-      calledStationId: request.attributes?.CalledStationId,
-      callingStationId: request.attributes?.CallingStationId,
-      inputOctets: request.attributes?.AcctInputOctets,
-      outputOctets: request.attributes?.AcctOutputOctets,
-      inputPackets: request.attributes?.AcctInputPackets,
-      outputPackets: request.attributes?.AcctOutputPackets,
-      sessionTime: request.attributes?.AcctSessionTime,
-      terminateCause: request.attributes?.AcctTerminateCause,
-      serviceType: request.attributes?.ServiceType,
+      username: request.username || '',
+      macAddress: request.callingStationId,
+      nasIpAddress: request.nasIpAddress || request.clientAddress || '',
+      nasPort: request.nasPort,
+      nasPortType: request.nasPortType !== undefined ? String(request.nasPortType) : undefined,
+      nasIdentifier: request.nasIdentifier,
+      calledStationId: request.calledStationId,
+      callingStationId: request.callingStationId,
+      inputOctets: request.inputOctets,
+      outputOctets: request.outputOctets,
+      inputPackets: request.inputPackets,
+      outputPackets: request.outputPackets,
+      sessionTime: request.sessionTime,
+      terminateCause: request.terminateCause !== undefined ? String(request.terminateCause) : undefined,
+      framedIpAddress: request.framedIpAddress,
+      serviceType: request.serviceType !== undefined ? String(request.serviceType) : undefined,
     };
 
     try {
@@ -311,7 +310,7 @@ export class RadiusServer {
       logger.log('error', `RADIUS accounting error: ${(error as Error).message}`);
     }
 
-    return { code: plugins.smartradius.ERadiusCode.AccountingResponse };
+    return { success: true };
   }
 
   /**
@@ -391,37 +390,18 @@ export class RadiusServer {
   /**
    * Build client secrets map from configuration
    */
-  private buildClientSecretsMap(): void {
-    this.clientSecrets.clear();
+  private buildClientSecretsMap(): Record<string, string> {
+    const cidrSecrets: Record<string, string> = {};
 
     for (const client of this.config.clients) {
       if (!client.enabled) {
         continue;
       }
 
-      // Handle CIDR ranges
-      if (client.ipRange.includes('/')) {
-        // For CIDR ranges, we'll use the network address as key
-        // In practice, smartradius may handle this differently
-        const [network] = client.ipRange.split('/');
-        this.clientSecrets.set(network, client.secret);
-      } else {
-        this.clientSecrets.set(client.ipRange, client.secret);
-      }
+      cidrSecrets[client.ipRange] = client.secret;
     }
-  }
 
-  /**
-   * Get default secret for unknown clients
-   */
-  private getDefaultSecret(): string {
-    // Use first enabled client's secret as default, or a random one
-    for (const client of this.config.clients) {
-      if (client.enabled) {
-        return client.secret;
-      }
-    }
-    return plugins.crypto.randomBytes(16).toString('hex');
+    return cidrSecrets;
   }
 
   /**
@@ -430,21 +410,19 @@ export class RadiusServer {
   async addClient(client: IRadiusClient): Promise<void> {
     // Check if client already exists
     const existingIndex = this.config.clients.findIndex(c => c.name === client.name);
+    const previousClient = existingIndex >= 0 ? this.config.clients[existingIndex] : undefined;
     if (existingIndex >= 0) {
       this.config.clients[existingIndex] = client;
     } else {
       this.config.clients.push(client);
     }
 
-    // Update client secrets if running
-    if (this.running && this.radiusServer && client.enabled) {
-      if (client.ipRange.includes('/')) {
-        const [network] = client.ipRange.split('/');
-        this.radiusServer.setClientSecret(network, client.secret);
-        this.clientSecrets.set(network, client.secret);
-      } else {
-        this.radiusServer.setClientSecret(client.ipRange, client.secret);
-        this.clientSecrets.set(client.ipRange, client.secret);
+    if (this.running && this.radiusServer) {
+      if (previousClient) {
+        this.radiusServer.removeNetworkSecret(previousClient.ipRange);
+      }
+      if (client.enabled) {
+        this.radiusServer.setNetworkSecret(client.ipRange, client.secret);
       }
     }
 
@@ -460,12 +438,8 @@ export class RadiusServer {
       const client = this.config.clients[index];
       this.config.clients.splice(index, 1);
 
-      // Remove from secrets map
-      if (client.ipRange.includes('/')) {
-        const [network] = client.ipRange.split('/');
-        this.clientSecrets.delete(network);
-      } else {
-        this.clientSecrets.delete(client.ipRange);
+      if (this.radiusServer) {
+        this.radiusServer.removeNetworkSecret(client.ipRange);
       }
 
       logger.log('info', `RADIUS client removed: ${name}`);

ts/remoteingress/classes.remoteingress-manager.ts

@@ -1,29 +1,13 @@
 import * as plugins from '../plugins.js';
-import type { IRemoteIngress, IDcRouterRouteConfig } from '../../ts_interfaces/data/remoteingress.js';
+import type { IRemoteIngress, IRemoteIngressPerformanceConfig, IDcRouterRouteConfig } from '../../ts_interfaces/data/remoteingress.js';
 import { RemoteIngressEdgeDoc } from '../db/index.js';
 
 interface IRemoteIngressFirewallConfig {
   blockedIps?: string[];
 }
 
-/**
- * Flatten a port range (number | number[] | Array<{from, to}>) to a sorted unique number array.
- */
-function extractPorts(portRange: number | Array<number | { from: number; to: number }>): number[] {
-  const ports = new Set<number>();
-  if (typeof portRange === 'number') {
-    ports.add(portRange);
-  } else if (Array.isArray(portRange)) {
-    for (const entry of portRange) {
-      if (typeof entry === 'number') {
-        ports.add(entry);
-      } else if (typeof entry === 'object' && 'from' in entry && 'to' in entry) {
-        for (let p = entry.from; p <= entry.to; p++) {
-          ports.add(p);
-        }
-      }
-    }
-  }
+function extractPorts(portRange: plugins.smartproxy.IRouteConfig['match']['ports']): number[] {
+  const ports = new Set<number>(plugins.smartproxy.expandPortRange(portRange) as number[]);
   return [...ports].sort((a, b) => a - b);
 }
 
@@ -59,6 +43,7 @@ export class RemoteIngressManager {
         listenPortsUdp: doc.listenPortsUdp,
         enabled: doc.enabled,
         autoDerivePorts: doc.autoDerivePorts,
+        performance: doc.performance,
         tags: doc.tags,
         createdAt: doc.createdAt,
         updatedAt: doc.updatedAt,
@@ -189,6 +174,7 @@ export class RemoteIngressManager {
     listenPorts: number[] = [],
     tags?: string[],
     autoDerivePorts: boolean = true,
+    performance?: IRemoteIngressPerformanceConfig,
   ): Promise<IRemoteIngress> {
     const id = plugins.uuid.v4();
     const secret = plugins.crypto.randomBytes(32).toString('hex');
@@ -201,6 +187,7 @@ export class RemoteIngressManager {
       listenPorts,
       enabled: true,
       autoDerivePorts,
+      performance,
       tags: tags || [],
       createdAt: now,
       updatedAt: now,
@@ -237,6 +224,7 @@ export class RemoteIngressManager {
       listenPorts?: number[];
       autoDerivePorts?: boolean;
       enabled?: boolean;
+      performance?: IRemoteIngressPerformanceConfig;
       tags?: string[];
     },
   ): Promise<IRemoteIngress | null> {
@@ -249,6 +237,7 @@ export class RemoteIngressManager {
     if (updates.listenPorts !== undefined) edge.listenPorts = updates.listenPorts;
     if (updates.autoDerivePorts !== undefined) edge.autoDerivePorts = updates.autoDerivePorts;
     if (updates.enabled !== undefined) edge.enabled = updates.enabled;
+    if (updates.performance !== undefined) edge.performance = updates.performance;
     if (updates.tags !== undefined) edge.tags = updates.tags;
     edge.updatedAt = Date.now();
 
@@ -317,17 +306,19 @@ export class RemoteIngressManager {
    * Get the list of allowed edges (enabled only) for the Rust hub.
    * Includes listenPortsUdp when routes with transport 'udp' or 'all' are present.
    */
-  public getAllowedEdges(): Array<{ id: string; secret: string; listenPorts: number[]; listenPortsUdp?: number[]; firewallConfig?: IRemoteIngressFirewallConfig }> {
-    const result: Array<{ id: string; secret: string; listenPorts: number[]; listenPortsUdp?: number[]; firewallConfig?: IRemoteIngressFirewallConfig }> = [];
+  public getAllowedEdges(): Array<{ id: string; secret: string; listenPorts: number[]; listenPortsUdp?: number[]; firewallConfig?: IRemoteIngressFirewallConfig; performance?: IRemoteIngressPerformanceConfig }> {
+    const result: Array<{ id: string; secret: string; listenPorts: number[]; listenPortsUdp?: number[]; firewallConfig?: IRemoteIngressFirewallConfig; performance?: IRemoteIngressPerformanceConfig }> = [];
     for (const edge of this.edges.values()) {
       if (edge.enabled) {
         const listenPortsUdp = this.getEffectiveListenPortsUdp(edge);
+        const performance = edge.performance && Object.keys(edge.performance).length > 0 ? edge.performance : undefined;
         result.push({
           id: edge.id,
           secret: edge.secret,
           listenPorts: this.getEffectiveListenPorts(edge),
           ...(listenPortsUdp.length > 0 ? { listenPortsUdp } : {}),
           ...(this.firewallConfig ? { firewallConfig: this.firewallConfig } : {}),
+          ...(performance ? { performance } : {}),
         });
       }
     }

ts_interfaces/data/remoteingress.ts

@@ -13,6 +13,8 @@ export interface IRemoteIngress {
   enabled: boolean;
   /** Whether to auto-derive ports from remoteIngress-tagged routes. Defaults to true. */
   autoDerivePorts: boolean;
+  /** Optional per-edge performance overrides. */
+  performance?: IRemoteIngressPerformanceConfig;
   tags?: string[];
   createdAt: number;
   updatedAt: number;
@@ -55,6 +57,10 @@ export interface IRemoteIngressPerformanceConfig {
   maxStreamWindowBytes?: number;
   sustainedStreamWindowBytes?: number;
   quicDatagramReceiveBufferBytes?: number;
+  streamFramePayloadBytes?: number;
+  firstDataConnectTimeoutMs?: number;
+  clientWriteTimeoutMs?: number;
+  serverFirstPorts?: number[];
 }
 
 export interface IRemoteIngressPerformanceEffective {
@@ -65,6 +71,10 @@ export interface IRemoteIngressPerformanceEffective {
   maxStreamWindowBytes: number;
   sustainedStreamWindowBytes: number;
   quicDatagramReceiveBufferBytes: number;
+  streamFramePayloadBytes: number;
+  firstDataConnectTimeoutMs: number;
+  clientWriteTimeoutMs: number;
+  serverFirstPorts: number[];
 }
 
 export interface IRemoteIngressFlowControlStatus {

ts_interfaces/requests/remoteingress.ts

@@ -1,6 +1,6 @@
 import * as plugins from '../plugins.js';
 import * as authInterfaces from '../data/auth.js';
-import type { IRemoteIngress, IRemoteIngressStatus } from '../data/remoteingress.js';
+import type { IRemoteIngress, IRemoteIngressPerformanceConfig, IRemoteIngressStatus } from '../data/remoteingress.js';
 
 // ============================================================================
 // Remote Ingress Edge Management
@@ -20,6 +20,7 @@ export interface IReq_CreateRemoteIngress extends plugins.typedrequestInterfaces
     name: string;
     listenPorts?: number[];
     autoDerivePorts?: boolean;
+    performance?: IRemoteIngressPerformanceConfig;
     tags?: string[];
   };
   response: {
@@ -63,6 +64,7 @@ export interface IReq_UpdateRemoteIngress extends plugins.typedrequestInterfaces
     listenPorts?: number[];
     autoDerivePorts?: boolean;
     enabled?: boolean;
+    performance?: IRemoteIngressPerformanceConfig;
     tags?: string[];
   };
   response: {

ts_migrations/index.ts

@@ -19,6 +19,131 @@ export interface IMigrationRunner {
   run(): Promise<IMigrationRunResult>;
 }
 
+type TMigrationSecurity = Record<string, any>;
+
+function mergeMigrationSecurityFields(
+  base: TMigrationSecurity | undefined,
+  override: TMigrationSecurity | undefined,
+): TMigrationSecurity {
+  if (!base && !override) return {};
+  if (!base) return structuredClone(override || {});
+  if (!override) return structuredClone(base || {});
+
+  const merged: TMigrationSecurity = structuredClone(base);
+
+  if (override.ipAllowList || base.ipAllowList) {
+    merged.ipAllowList = [
+      ...new Set([
+        ...(base.ipAllowList || []),
+        ...(override.ipAllowList || []),
+      ]),
+    ];
+  }
+
+  if (override.ipBlockList || base.ipBlockList) {
+    merged.ipBlockList = [
+      ...new Set([
+        ...(base.ipBlockList || []),
+        ...(override.ipBlockList || []),
+      ]),
+    ];
+  }
+
+  for (const key of ['maxConnections', 'rateLimit', 'authentication', 'basicAuth', 'jwtAuth', 'vpn']) {
+    if (override[key] !== undefined) {
+      merged[key] = structuredClone(override[key]);
+    }
+  }
+
+  return merged;
+}
+
+function resolveMigrationSourceProfileSecurity(
+  profileId: string,
+  profiles: Map<string, any>,
+  visited = new Set<string>(),
+  depth = 0,
+): TMigrationSecurity | null {
+  if (depth > 5 || visited.has(profileId)) return null;
+
+  const profile = profiles.get(profileId);
+  if (!profile) return null;
+
+  visited.add(profileId);
+  let baseSecurity: TMigrationSecurity = {};
+  const extendsProfiles = Array.isArray(profile.extendsProfiles) ? profile.extendsProfiles : [];
+  for (const parentId of extendsProfiles) {
+    if (typeof parentId !== 'string') continue;
+    const parentSecurity = resolveMigrationSourceProfileSecurity(
+      parentId,
+      profiles,
+      new Set(visited),
+      depth + 1,
+    );
+    if (parentSecurity) {
+      baseSecurity = mergeMigrationSecurityFields(baseSecurity, parentSecurity);
+    }
+  }
+
+  return mergeMigrationSecurityFields(baseSecurity, profile.security || {});
+}
+
+async function rematerializeSourceProfileRouteSecurity(ctx: {
+  mongo?: { collection: (name: string) => any };
+  log: { log: (level: 'info', message: string) => void };
+}): Promise<void> {
+  const profileCollection = ctx.mongo!.collection('SourceProfileDoc');
+  const routeCollection = ctx.mongo!.collection('RouteDoc');
+  const profiles = new Map<string, any>();
+
+  for await (const profile of profileCollection.find({})) {
+    if (typeof (profile as any).id === 'string') {
+      profiles.set((profile as any).id, profile);
+    }
+  }
+
+  let inspected = 0;
+  let migrated = 0;
+  let skippedMissingProfile = 0;
+  const now = Date.now();
+
+  for await (const routeDoc of routeCollection.find({})) {
+    const sourceProfileRef = (routeDoc as any).metadata?.sourceProfileRef;
+    if (typeof sourceProfileRef !== 'string' || sourceProfileRef.trim() === '') continue;
+    inspected++;
+
+    const resolvedSecurity = resolveMigrationSourceProfileSecurity(sourceProfileRef, profiles);
+    const profile = profiles.get(sourceProfileRef);
+    if (!resolvedSecurity || !profile) {
+      skippedMissingProfile++;
+      continue;
+    }
+
+    const currentSecurity = (routeDoc as any).route?.security || {};
+    const securityChanged = JSON.stringify(currentSecurity) !== JSON.stringify(resolvedSecurity);
+    const profileNameChanged = (routeDoc as any).metadata?.sourceProfileName !== profile.name;
+    if (!securityChanged && !profileNameChanged) continue;
+
+    const query = (routeDoc as any)._id
+      ? { _id: (routeDoc as any)._id }
+      : { id: (routeDoc as any).id };
+    await routeCollection.updateOne(query, {
+      $set: {
+        'route.security': structuredClone(resolvedSecurity),
+        'metadata.sourceProfileName': profile.name,
+        'metadata.lastResolvedAt': now,
+        updatedAt: now,
+      },
+    });
+    migrated++;
+  }
+
+  ctx.log.log(
+    'info',
+    `rematerialize-source-profile-route-security: migrated ${migrated}/${inspected} route(s), skipped ${skippedMissingProfile} missing profile ref(s)`,
+  );
+}
+
 async function migrateTargetProfileTargetHosts(ctx: {
   mongo?: { collection: (name: string) => any };
   log: { log: (level: 'info', message: string) => void };
@@ -167,6 +292,12 @@ export async function createMigrationRunner(
     .description('Backfill RouteDoc.systemKey for persisted config/email/dns routes')
     .up(async (ctx) => {
       await backfillSystemRouteKeys(ctx);
+    })
+    .step('rematerialize-source-profile-route-security')
+    .from('13.18.0').to('13.40.2')
+    .description('Replace stale route security with resolved source profile security')
+    .up(async (ctx) => {
+      await rematerializeSourceProfileRouteSecurity(ctx);
     });
 
   return migration;

ts_oci_container/index.ts

@@ -74,6 +74,10 @@ export function getOciContainerConfig(): IDcRouterOptions {
     options.dnsScopes = dnsScopes;
   }
 
+  if (process.env.DCROUTER_DNS_BIND_INTERFACE) {
+    options.dnsBindInterface = process.env.DCROUTER_DNS_BIND_INTERFACE;
+  }
+
   // Email config
   const emailHostname = process.env.DCROUTER_EMAIL_HOSTNAME;
   const emailPorts = parseCommaSeparatedNumbers(process.env.DCROUTER_EMAIL_PORTS);

ts_web/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@serve.zone/dcrouter',
-  version: '13.37.0',
+  version: '13.40.3',
   description: 'A multifaceted routing service handling mail and SMS delivery functions.'
 }

ts_web/appstate.ts

@@ -1120,6 +1120,7 @@ export const createRemoteIngressAction = remoteIngressStatePart.createAction<{
   name: string;
   listenPorts?: number[];
   autoDerivePorts?: boolean;
+  performance?: interfaces.data.IRemoteIngressPerformanceConfig;
   tags?: string[];
 }>(async (statePartArg, dataArg, actionContext): Promise<IRemoteIngressState> => {
   const context = getActionContext();
@@ -1135,6 +1136,7 @@ export const createRemoteIngressAction = remoteIngressStatePart.createAction<{
       name: dataArg.name,
       listenPorts: dataArg.listenPorts,
       autoDerivePorts: dataArg.autoDerivePorts,
+      performance: dataArg.performance,
       tags: dataArg.tags,
     });
 
@@ -1187,6 +1189,7 @@ export const updateRemoteIngressAction = remoteIngressStatePart.createAction<{
   name?: string;
   listenPorts?: number[];
   autoDerivePorts?: boolean;
+  performance?: interfaces.data.IRemoteIngressPerformanceConfig;
   tags?: string[];
 }>(async (statePartArg, dataArg, actionContext): Promise<IRemoteIngressState> => {
   const context = getActionContext();
@@ -1203,6 +1206,7 @@ export const updateRemoteIngressAction = remoteIngressStatePart.createAction<{
       name: dataArg.name,
       listenPorts: dataArg.listenPorts,
       autoDerivePorts: dataArg.autoDerivePorts,
+      performance: dataArg.performance,
       tags: dataArg.tags,
     });
 

ts_web/elements/network/ops-view-remoteingress.ts

@@ -242,6 +242,7 @@ export class OpsViewRemoteIngress extends DeesElement {
             publicIp: this.getEdgePublicIp(edge.id),
             ports: this.getPortsHtml(edge),
             tunnels: this.getEdgeTunnelCount(edge.id),
+            maxConnections: this.getMaxConnectionsHtml(edge),
             window: this.getWindowHtml(edge.id),
             queues: this.getQueuesHtml(edge.id),
             traffic: this.getTrafficHtml(edge.id),
@@ -261,6 +262,7 @@ export class OpsViewRemoteIngress extends DeesElement {
                       <dees-input-text .key=${'name'} .label=${'Name'} .required=${true}></dees-input-text>
                       <dees-input-text .key=${'listenPorts'} .label=${'Manual Ports'} .description=${'Comma-separated port numbers, optional'}></dees-input-text>
                       <dees-input-checkbox .key=${'autoDerivePorts'} .label=${'Auto-derive ports from routes'} .value=${true}></dees-input-checkbox>
+                      <dees-input-text .key=${'maxStreamsPerEdge'} .label=${'Max Connections'} .description=${'Optional maximum concurrent client connections for this edge. Leave empty to use the hub default.'}></dees-input-text>
                       <dees-input-text .key=${'tags'} .label=${'Tags'} .description=${'Comma-separated, optional'}></dees-input-text>
                     </dees-form>
                   `,
@@ -284,12 +286,20 @@ export class OpsViewRemoteIngress extends DeesElement {
                           ? portsStr.split(',').map((p: string) => parseInt(p.trim(), 10)).filter((p: number) => !isNaN(p))
                           : undefined;
                         const autoDerivePorts = formData.autoDerivePorts !== false;
+                        let performance: interfaces.data.IRemoteIngressPerformanceConfig | undefined;
+                        try {
+                          performance = this.collectPerformanceOverride(formData);
+                        } catch (err: unknown) {
+                          const { DeesToast } = await import('@design.estate/dees-catalog');
+                          DeesToast.show({ message: (err as Error).message, type: 'error', duration: 4000 });
+                          return;
+                        }
                         const tags = formData.tags
                           ? formData.tags.split(',').map((t: string) => t.trim()).filter(Boolean)
                           : undefined;
                         await appstate.remoteIngressStatePart.dispatchAction(
                           appstate.createRemoteIngressAction,
-                          { name, listenPorts, autoDerivePorts, tags },
+                          { name, listenPorts, autoDerivePorts, performance, tags },
                         );
                         await modalArg.destroy();
                       },
@@ -338,6 +348,7 @@ export class OpsViewRemoteIngress extends DeesElement {
                       <dees-input-text .key=${'name'} .label=${'Name'} .value=${edge.name}></dees-input-text>
                       <dees-input-text .key=${'listenPorts'} .label=${'Manual Ports'} .description=${'Comma-separated port numbers'} .value=${(edge.listenPorts || []).join(', ')}></dees-input-text>
                       <dees-input-checkbox .key=${'autoDerivePorts'} .label=${'Auto-derive ports from routes'} .value=${edge.autoDerivePorts !== false}></dees-input-checkbox>
+                      <dees-input-text .key=${'maxStreamsPerEdge'} .label=${'Max Connections'} .description=${'Optional maximum concurrent client connections for this edge. Leave empty to use the hub default.'} .value=${edge.performance?.maxStreamsPerEdge?.toString() || ''}></dees-input-text>
                       <dees-input-text .key=${'tags'} .label=${'Tags'} .description=${'Comma-separated'} .value=${(edge.tags || []).join(', ')}></dees-input-text>
                     </dees-form>
                   `,
@@ -359,6 +370,14 @@ export class OpsViewRemoteIngress extends DeesElement {
                           ? portsStr.split(',').map((p: string) => parseInt(p.trim(), 10)).filter((p: number) => !isNaN(p))
                           : [];
                         const autoDerivePorts = formData.autoDerivePorts !== false;
+                        let performance: interfaces.data.IRemoteIngressPerformanceConfig | undefined;
+                        try {
+                          performance = this.collectPerformanceOverride(formData, edge.performance);
+                        } catch (err: unknown) {
+                          const { DeesToast } = await import('@design.estate/dees-catalog');
+                          DeesToast.show({ message: (err as Error).message, type: 'error', duration: 4000 });
+                          return;
+                        }
                         const tags = formData.tags
                           ? formData.tags.split(',').map((t: string) => t.trim()).filter(Boolean)
                           : [];
@@ -369,6 +388,7 @@ export class OpsViewRemoteIngress extends DeesElement {
                             name: formData.name || edge.name,
                             listenPorts,
                             autoDerivePorts,
+                            performance,
                             tags,
                           },
                         );
@@ -475,6 +495,19 @@ export class OpsViewRemoteIngress extends DeesElement {
     return status?.activeTunnels || 0;
   }
 
+  private getMaxConnectionsHtml(edge: interfaces.data.IRemoteIngress): TemplateResult | string {
+    const status = this.getEdgeStatus(edge.id);
+    const override = edge.performance?.maxStreamsPerEdge;
+    const effective = status?.performance?.maxStreamsPerEdge;
+    if (!override && !effective) return '-';
+    return html`
+      <div class="metricStack">
+        <span>${override || effective}</span>
+        <span class="metricMuted">${override ? 'edge override' : 'hub default'}</span>
+      </div>
+    `;
+  }
+
   private getTransportHtml(edgeId: string): TemplateResult | string {
     const status = this.getEdgeStatus(edgeId);
     if (!status?.connected) return '-';
@@ -535,4 +568,27 @@ export class OpsViewRemoteIngress extends DeesElement {
     }
     return `${value >= 10 || unitIndex === 0 ? value.toFixed(0) : value.toFixed(1)} ${units[unitIndex]}`;
   }
+
+  private collectPerformanceOverride(
+    formData: Record<string, any>,
+    base?: interfaces.data.IRemoteIngressPerformanceConfig,
+  ): interfaces.data.IRemoteIngressPerformanceConfig | undefined {
+    const next: interfaces.data.IRemoteIngressPerformanceConfig = { ...(base || {}) };
+    const maxStreamsText = `${formData.maxStreamsPerEdge || ''}`.trim();
+    if (maxStreamsText) {
+      const maxStreamsPerEdge = Number.parseInt(maxStreamsText, 10);
+      if (!Number.isInteger(maxStreamsPerEdge) || maxStreamsPerEdge < 1) {
+        throw new Error('Max Connections must be a positive integer');
+      }
+      next.maxStreamsPerEdge = maxStreamsPerEdge;
+    } else {
+      delete next.maxStreamsPerEdge;
+    }
+
+    if (Object.keys(next).length > 0) {
+      return next;
+    }
+
+    return base ? {} : undefined;
+  }
 }

ts_web/elements/overview/ops-view-config.ts

@@ -304,6 +304,16 @@ export class OpsViewConfig extends DeesElement {
       { key: 'Connected Edge IPs', value: ri.connectedEdgeIps?.length > 0 ? ri.connectedEdgeIps : null, type: 'pills' },
     ];
 
+    if (ri.performance) {
+      fields.push(
+        { key: 'Performance Profile', value: ri.performance.profile || null, type: 'badge' },
+        { key: 'Max Connections / Edge', value: ri.performance.maxStreamsPerEdge ?? null },
+        { key: 'Client Write Timeout', value: ri.performance.clientWriteTimeoutMs ? `${ri.performance.clientWriteTimeoutMs} ms` : null },
+        { key: 'First Data Timeout', value: ri.performance.firstDataConnectTimeoutMs ? `${ri.performance.firstDataConnectTimeoutMs} ms` : null },
+        { key: 'Server-first Ports', value: ri.performance.serverFirstPorts?.length ? ri.performance.serverFirstPorts.map(String) : null, type: 'pills' },
+      );
+    }
+
     const actions: IConfigSectionAction[] = [
       { label: 'View Remote Ingress', icon: 'lucide:arrow-right', event: 'navigate', detail: { view: 'network', subview: 'remoteingress' } },
     ];