v13.40.3

changelog.md

@@ -13,6 +13,36 @@
 
 
 
+
+
+
+## 2026-05-31 - 13.40.3
+
+### Fixes
+
+- bump smartproxy and remoteingress dependencies (deps)
+  - Bumped @push.rocks/smartproxy from ^27.12.1 to ^27.12.2
+  - Bumped @serve.zone/remoteingress from ^4.22.2 to ^4.22.3
+  - Updated dependency versions in both package.json and deno.json
+
+## 2026-05-31 - 13.40.2
+
+### Fixes
+
+- ensure source profiles fully own route security (routes)
+  - Resolve profile-backed routes by cloning source profile security instead of merging inline route overrides
+  - Clear stale route security when a source profile reference is removed without explicit replacement security
+  - Add a migration to rematerialize persisted profile-backed route security
+
+## 2026-05-31 - 13.40.1
+
+### Fixes
+
+- update smartproxy, remoteingress, and tsdeno dependencies (deps)
+  - Bump @push.rocks/smartproxy to ^27.12.1 in Deno imports
+  - Bump @serve.zone/remoteingress to ^4.22.2 in package and Deno configuration
+  - Bump @git.zone/tsdeno to ^1.5.0
+
 ## 2026-05-30 - 13.40.0
 
 ### Features

deno.json

@@ -1,6 +1,6 @@
 {
   "name": "@serve.zone/dcrouter",
-  "version": "13.40.0",
+  "version": "13.40.3",
   "exports": "./binary/dcrouter.ts",
   "compile": {
     "include": [
@@ -31,7 +31,7 @@
     "@push.rocks/smartnetwork": "npm:@push.rocks/smartnetwork@^4.7.2",
     "@push.rocks/smartpath": "npm:@push.rocks/smartpath@^6.0.0",
     "@push.rocks/smartpromise": "npm:@push.rocks/smartpromise@^4.2.4",
-    "@push.rocks/smartproxy": "npm:@push.rocks/smartproxy@^27.11.1",
+    "@push.rocks/smartproxy": "npm:@push.rocks/smartproxy@^27.12.2",
     "@push.rocks/smartradius": "npm:@push.rocks/smartradius@^1.1.2",
     "@push.rocks/smartrequest": "npm:@push.rocks/smartrequest@^5.0.3",
     "@push.rocks/smartrx": "npm:@push.rocks/smartrx@^3.0.10",
@@ -40,7 +40,7 @@
     "@push.rocks/smartvpn": "npm:@push.rocks/smartvpn@1.20.0",
     "@push.rocks/taskbuffer": "npm:@push.rocks/taskbuffer@^8.0.2",
     "@serve.zone/interfaces": "npm:@serve.zone/interfaces@^5.8.0",
-    "@serve.zone/remoteingress": "npm:@serve.zone/remoteingress@^4.22.1",
+    "@serve.zone/remoteingress": "npm:@serve.zone/remoteingress@^4.22.3",
     "@tsclass/tsclass": "npm:@tsclass/tsclass@^9.5.1",
     "lru-cache": "npm:lru-cache@^11.4.0",
     "qrcode": "npm:qrcode@^1.5.4",

package.json

@@ -1,7 +1,7 @@
 {
   "name": "@serve.zone/dcrouter",
   "private": false,
-  "version": "13.40.0",
+  "version": "13.40.3",
   "description": "A multifaceted routing service handling mail and SMS delivery functions.",
   "type": "module",
   "bin": {
@@ -29,7 +29,7 @@
     "@git.zone/tsbuild": "^4.4.2",
     "@git.zone/tsbundle": "^2.10.4",
     "@git.zone/tsdocker": "^2.4.0",
-    "@git.zone/tsdeno": "^1.4.0",
+    "@git.zone/tsdeno": "^1.5.0",
     "@git.zone/tsrun": "^2.0.4",
     "@git.zone/tstest": "^3.6.6",
     "@git.zone/tswatch": "^3.3.5",
@@ -61,7 +61,7 @@
     "@push.rocks/smartnetwork": "^4.7.2",
     "@push.rocks/smartpath": "^6.0.0",
     "@push.rocks/smartpromise": "^4.2.4",
-    "@push.rocks/smartproxy": "^27.12.1",
+    "@push.rocks/smartproxy": "^27.12.2",
     "@push.rocks/smartradius": "^1.3.0",
     "@push.rocks/smartrequest": "^5.0.3",
     "@push.rocks/smartrx": "^3.0.10",
@@ -71,7 +71,7 @@
     "@push.rocks/taskbuffer": "^8.0.2",
     "@serve.zone/catalog": "^2.12.4",
     "@serve.zone/interfaces": "^5.8.0",
-    "@serve.zone/remoteingress": "^4.22.1",
+    "@serve.zone/remoteingress": "^4.22.3",
     "@tsclass/tsclass": "^9.5.1",
     "@types/qrcode": "^1.5.6",
     "lru-cache": "^11.4.0",

pnpm-lock.yaml

@@ -76,7 +76,7 @@ importers:
         version: 5.3.3
       '@push.rocks/smartnetwork':
         specifier: ^4.7.2
-        version: 4.7.2
+        version: 4.7.3
       '@push.rocks/smartpath':
         specifier: ^6.0.0
         version: 6.0.0
@@ -84,8 +84,8 @@ importers:
         specifier: ^4.2.4
         version: 4.2.4
       '@push.rocks/smartproxy':
-        specifier: ^27.12.1
-        version: 27.12.1
+        specifier: ^27.12.2
+        version: 27.12.2
       '@push.rocks/smartradius':
         specifier: ^1.3.0
         version: 1.3.0
@@ -114,8 +114,8 @@ importers:
         specifier: ^5.8.0
         version: 5.8.0
       '@serve.zone/remoteingress':
-        specifier: ^4.22.1
-        version: 4.22.1
+        specifier: ^4.22.3
+        version: 4.22.3
       '@tsclass/tsclass':
         specifier: ^9.5.1
         version: 9.5.1
@@ -139,8 +139,8 @@ importers:
         specifier: ^2.10.4
         version: 2.10.4
       '@git.zone/tsdeno':
-        specifier: ^1.4.0
-        version: 1.4.0
+        specifier: ^1.5.0
+        version: 1.5.0
       '@git.zone/tsdocker':
         specifier: ^2.4.0
         version: 2.4.0
@@ -729,8 +729,8 @@ packages:
     resolution: {integrity: sha512-/xWOGrnuMaJ/Xo/EasaF9N3N9w1J9LDywZaRTa0UTtzbEtfJP7F2NJ9l4tWCwS+vTKpnqApX7ZueRh1h5MrwPQ==}
     hasBin: true
 
-  '@git.zone/tsdeno@1.4.0':
-    resolution: {integrity: sha512-84kFa/uKPTlzeLxtHoFxefk6O9khsWWQ2PCWNbCNYIUqWHUvN9COpGq0GXWtsoxLWPhTTIeHsOX4+O55uT2MPw==}
+  '@git.zone/tsdeno@1.5.0':
+    resolution: {integrity: sha512-OdGPhnBz6v92OkKKWyswpyGman3m3FOXin+9WRzEBvvwyLAAkc2mKUGViPAIxYkrak4GiglzqjTkSyReDU0QOw==}
     hasBin: true
 
   '@git.zone/tsdocker@2.4.0':
@@ -1402,8 +1402,8 @@ packages:
   '@push.rocks/smartmustache@3.0.2':
     resolution: {integrity: sha512-G3LyRXoJhyM+iQhkvP/MR/2WYMvC9U7zc2J44JxUM5tPdkQ+o3++FbfRtnZj6rz5X/A7q03//vsxPitVQwoi2Q==}
 
-  '@push.rocks/smartnetwork@4.7.2':
-    resolution: {integrity: sha512-OwT8kwQeEO+E3RuCyCfgQEBz+FyydUVaTBivZzzVchdJCUDgoDkXSnRkbIuGoHd1BfRFkUg9DQlSzt0uDfsIbw==}
+  '@push.rocks/smartnetwork@4.7.3':
+    resolution: {integrity: sha512-ecv8aSGbcHUDkE0IJ+/0mRpgQv1fSjQAgcTe1qgBNY1Lk8lQTTaNjpG7g21EdK23seyShewejtGKOcK5o7Rh6A==}
 
   '@push.rocks/smartnftables@1.2.0':
     resolution: {integrity: sha512-VTRHnxHrJj9VOq2MaCOqxiA4JLGRnzEaZ7kXxA7v3ljX+Y2wWK9VYpwKKBEbjgjoTpQyOf+I0gEG9wkR/jtUvQ==}
@@ -1429,8 +1429,8 @@ packages:
   '@push.rocks/smartpromise@4.2.4':
     resolution: {integrity: sha512-8FUyYt94hOIY9mqHjitn4h69u0jbEtTF2RKKw2DpiTVFjpDTk9gXbVHZ/V+xEcBrN4mrzdQES0OiDmkNPoddEQ==}
 
-  '@push.rocks/smartproxy@27.12.1':
-    resolution: {integrity: sha512-B1QNyGzwFea8fE2vvXO0iDzYrTfe3HcEnhPhNi6hVnmdSPe1yhNYUu5tm1CKLeCoXu/EVkAUkEFv/+d7gKa9EA==}
+  '@push.rocks/smartproxy@27.12.2':
+    resolution: {integrity: sha512-q97n/UAhfvyds6MhTUAhV5OC7x3Eaot+IN25hW6StyvrxR/odg3/g2UDAJmHoD5X0tKwIhouFd/b8Nwx0p94cg==}
 
   '@push.rocks/smartpuppeteer@2.0.6':
     resolution: {integrity: sha512-G+8cyDERvbXQcb9Sd8lnYdWYz8b3Mv2LfFf1ULmucDqQhcRHvxrWX/dKsvBZrwKPR4Wg+795Dyd+E1iOOh3tHw==}
@@ -1719,8 +1719,8 @@ packages:
   '@serve.zone/interfaces@5.8.0':
     resolution: {integrity: sha512-0ekSKUL/b44wmmzuCRANzrjaJRAHtkqiL8cPiMASEs7UJBDqbJCrgtrlJK84pz5dxBz3jTcdznNd5qjB8c6H0A==}
 
-  '@serve.zone/remoteingress@4.22.1':
-    resolution: {integrity: sha512-SkpP9VeC30A6HyonlLLE8rZVNWAPjw5NeY3pU+CWRJ0Si+hJX3FkyI4IFbOOBE+PE4JbxdIjwMNzvpxuXqZeUQ==}
+  '@serve.zone/remoteingress@4.22.3':
+    resolution: {integrity: sha512-VUI2VTMHVjju92FXjPe0EQ7op2EyqCr+JQIIGkjxnvqE9aAV9ZtaNzI7y4WwltYNo9rfaa/Bdd8+2EKUYYCD6g==}
     hasBin: true
 
   '@smithy/chunked-blob-reader-native@4.2.3':
@@ -5251,7 +5251,7 @@ snapshots:
       - supports-color
       - vue
 
-  '@git.zone/tsdeno@1.4.0':
+  '@git.zone/tsdeno@1.5.0':
     dependencies:
       '@push.rocks/early': 4.0.4
       '@push.rocks/smartcli': 4.0.21
@@ -5327,7 +5327,7 @@ snapshots:
       '@push.rocks/smartjson': 6.0.1
       '@push.rocks/smartlog': 3.2.2
       '@push.rocks/smartmongo': 7.0.0(socks@2.8.8)
-      '@push.rocks/smartnetwork': 4.7.2
+      '@push.rocks/smartnetwork': 4.7.3
       '@push.rocks/smartpath': 6.0.0
       '@push.rocks/smartpromise': 4.2.4
       '@push.rocks/smartrequest': 5.0.3
@@ -6136,7 +6136,7 @@ snapshots:
       '@push.rocks/smartdelay': 3.1.0
       '@push.rocks/smartdns': 7.9.3
       '@push.rocks/smartlog': 3.2.2
-      '@push.rocks/smartnetwork': 4.7.2
+      '@push.rocks/smartnetwork': 4.7.3
       '@push.rocks/smartstring': 4.1.1
       '@push.rocks/smarttime': 4.2.3
       '@push.rocks/smartunique': 3.0.9
@@ -6612,7 +6612,7 @@ snapshots:
     dependencies:
       handlebars: 4.7.9
 
-  '@push.rocks/smartnetwork@4.7.2':
+  '@push.rocks/smartnetwork@4.7.3':
     dependencies:
       '@push.rocks/smartdns': 7.9.3
       '@push.rocks/smartrust': 1.4.0
@@ -6675,7 +6675,7 @@ snapshots:
       '@push.rocks/smartdelay': 3.1.0
       '@push.rocks/smartfs': 1.5.1
       '@push.rocks/smartjimp': 1.2.1
-      '@push.rocks/smartnetwork': 4.7.2
+      '@push.rocks/smartnetwork': 4.7.3
       '@push.rocks/smartpath': 6.0.0
       '@push.rocks/smartpromise': 4.2.4
       '@push.rocks/smartpuppeteer': 2.0.6(typescript@6.0.3)
@@ -6696,7 +6696,7 @@ snapshots:
 
   '@push.rocks/smartpromise@4.2.4': {}
 
-  '@push.rocks/smartproxy@27.12.1':
+  '@push.rocks/smartproxy@27.12.2':
     dependencies:
       '@push.rocks/smartcrypto': 2.0.4
       '@push.rocks/smartlog': 3.2.2
@@ -7085,7 +7085,7 @@ snapshots:
       '@push.rocks/smartlog-interfaces': 3.0.2
       '@tsclass/tsclass': 9.5.1
 
-  '@serve.zone/remoteingress@4.22.1':
+  '@serve.zone/remoteingress@4.22.3':
     dependencies:
       '@push.rocks/qenv': 6.1.4
       '@push.rocks/smartnftables': 1.2.0

test/test.migrations.node.ts

@@ -12,13 +12,77 @@ function setPath(target: Record<string, any>, path: string, value: unknown): voi
   cursor[parts[parts.length - 1]] = value;
 }
 
+function getPath(target: Record<string, any>, path: string): unknown {
+  let cursor: any = target;
+  for (const part of path.split('.')) {
+    if (cursor === null || cursor === undefined) return undefined;
+    cursor = cursor[part];
+  }
+  return cursor;
+}
+
 function applySet(document: Record<string, any>, set: Record<string, unknown>): void {
   for (const [key, value] of Object.entries(set)) {
     setPath(document, key, value);
   }
 }
 
-function createFakeDb(currentVersion: string) {
+function matchesQuery(document: Record<string, any>, query: Record<string, any>): boolean {
+  for (const [key, expected] of Object.entries(query)) {
+    const actual = getPath(document, key);
+    if (expected && typeof expected === 'object' && !Array.isArray(expected)) {
+      if ('$exists' in expected) {
+        const exists = actual !== undefined;
+        if (exists !== Boolean(expected.$exists)) return false;
+        continue;
+      }
+      if ('$type' in expected) {
+        if (expected.$type === 'string' && typeof actual !== 'string') return false;
+        continue;
+      }
+      if ('$in' in expected) {
+        if (!Array.isArray(expected.$in) || !expected.$in.includes(actual)) return false;
+        continue;
+      }
+    }
+    if (actual !== expected) return false;
+  }
+  return true;
+}
+
+function createFakeCollection(documents: Array<Record<string, any>> = []) {
+  return {
+    find: (query: Record<string, any> = {}) => ({
+      async *[Symbol.asyncIterator]() {
+        for (const document of documents) {
+          if (matchesQuery(document, query)) {
+            yield structuredClone(document);
+          }
+        }
+      },
+    }),
+    updateMany: async (query: Record<string, any>, update: any) => {
+      let modifiedCount = 0;
+      for (const document of documents) {
+        if (!matchesQuery(document, query)) continue;
+        applySet(document, update.$set || {});
+        modifiedCount++;
+      }
+      return { modifiedCount };
+    },
+    updateOne: async (query: Record<string, any>, update: any) => {
+      const document = documents.find((candidate) => matchesQuery(candidate, query));
+      if (!document) return { matchedCount: 0, modifiedCount: 0, upsertedCount: 0 };
+      applySet(document, update.$set || {});
+      return { matchedCount: 1, modifiedCount: 1, upsertedCount: 0 };
+    },
+  };
+}
+
+function createFakeDb(
+  currentVersion: string,
+  collections: Record<string, Array<Record<string, any>>> = {},
+) {
   const ledgerDocument = {
     nameId: 'smartmigration:smartmigration',
     data: {
@@ -29,12 +93,10 @@ function createFakeDb(currentVersion: string) {
     },
   };
 
-  const emptyCollection = {
-    find: () => ({
-      async *[Symbol.asyncIterator]() {},
-    }),
-    updateMany: async () => ({ modifiedCount: 0 }),
-  };
+  const fakeCollections = new Map(
+    Object.entries(collections).map(([name, documents]) => [name, createFakeCollection(documents)]),
+  );
+  const emptyCollection = createFakeCollection();
 
   const ledgerCollection = {
     createIndex: async () => undefined,
@@ -52,18 +114,69 @@ function createFakeDb(currentVersion: string) {
   return {
     mongoDb: {
       collection: (name: string) =>
-        name === 'SmartdataEasyStore' ? ledgerCollection : emptyCollection,
+        name === 'SmartdataEasyStore'
+          ? ledgerCollection
+          : fakeCollections.get(name) || emptyCollection,
     },
   };
 }
 
-tap.test('migration runner bridges old package-version targets without real schema steps', async () => {
-  const runner = await createMigrationRunner(createFakeDb('13.16.0'), '13.31.0');
+tap.test('migration runner applies schema steps through the current target', async () => {
+  const runner = await createMigrationRunner(createFakeDb('13.16.0'), '13.40.2');
   const result = await runner.run();
 
   expect(result.currentVersionBefore).toEqual('13.16.0');
-  expect(result.currentVersionAfter).toEqual('13.31.0');
+  expect(result.currentVersionAfter).toEqual('13.40.2');
   expect(result.stepsApplied).toHaveLength(3);
 });
 
+tap.test('migration runner rematerializes source-profile-backed route security', async () => {
+  const profiles: Array<Record<string, any>> = [
+    {
+      _id: 'profile-doc-1',
+      id: 'standard-profile',
+      name: 'Standard',
+      security: {
+        ipAllowList: ['192.168.*', '127.0.0.1'],
+        maxConnections: 1000,
+      },
+    },
+  ];
+  const routes: Array<Record<string, any>> = [
+    {
+      _id: 'route-doc-1',
+      id: 'route-1',
+      route: {
+        name: 'Public service domains',
+        match: { ports: 443, domains: ['code.foss.global'] },
+        action: { type: 'forward', targets: [{ host: '192.168.5.247', port: 443 }] },
+        security: {
+          ipAllowList: ['192.168.*', '*'],
+          maxConnections: 1000,
+        },
+      },
+      metadata: {
+        sourceProfileRef: 'standard-profile',
+        sourceProfileName: 'Standard',
+      },
+      updatedAt: 1,
+    },
+  ];
+
+  const runner = await createMigrationRunner(
+    createFakeDb('13.40.1', {
+      SourceProfileDoc: profiles,
+      RouteDoc: routes,
+    }),
+    '13.40.2',
+  );
+  const result = await runner.run();
+
+  expect(result.stepsApplied).toHaveLength(1);
+  expect(routes[0].route.security.ipAllowList.includes('*')).toBeFalse();
+  expect(routes[0].route.security.ipAllowList).toContain('192.168.*');
+  expect(routes[0].route.security.maxConnections).toEqual(1000);
+  expect(routes[0].metadata.lastResolvedAt).toBeTruthy();
+});
+
 export default tap.start();

test/test.reference-resolver.ts

@@ -91,7 +91,7 @@ tap.test('should resolve source profile onto a route', async () => {
   expect(result.metadata.lastResolvedAt).toBeTruthy();
 });
 
-tap.test('should merge inline route security with profile security', async () => {
+tap.test('should replace inline route security when source profile is selected', async () => {
   const route = makeRoute({
     security: {
       ipAllowList: ['127.0.0.1'],
@@ -102,13 +102,26 @@ tap.test('should merge inline route security with profile security', async () =>
 
   const result = resolver.resolveRoute(route, metadata);
 
-  // IP lists are unioned
   expect(result.route.security!.ipAllowList).toContain('192.168.0.0/16');
   expect(result.route.security!.ipAllowList).toContain('10.0.0.0/8');
-  expect(result.route.security!.ipAllowList).toContain('127.0.0.1');
+  expect(result.route.security!.ipAllowList!.includes('127.0.0.1')).toBeFalse();
+  expect(result.route.security!.maxConnections).toEqual(1000);
+});
 
-  // Inline maxConnections overrides profile
-  expect(result.route.security!.maxConnections).toEqual(5000);
+tap.test('should remove stale wildcard security from a profile-backed route', async () => {
+  const route = makeRoute({
+    security: {
+      ipAllowList: ['*'],
+      maxConnections: 5000,
+    },
+  });
+  const metadata: IRouteMetadata = { sourceProfileRef: 'profile-1' };
+
+  const result = resolver.resolveRoute(route, metadata);
+
+  expect(result.route.security!.ipAllowList!.includes('*')).toBeFalse();
+  expect(result.route.security!.ipAllowList).toContain('192.168.0.0/16');
+  expect(result.route.security!.maxConnections).toEqual(1000);
 });
 
 tap.test('should deduplicate IP lists during merge', async () => {

ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@serve.zone/dcrouter',
-  version: '13.40.0',
+  version: '13.40.3',
   description: 'A multifaceted routing service handling mail and SMS delivery functions.'
 }

ts/config/classes.reference-resolver.ts

@@ -281,6 +281,7 @@ export class ReferenceResolver {
   /**
    * Resolve references for a single route.
    * Materializes source profile and/or network target into the route's fields.
+   * When a source profile is selected, it owns the route security fully.
    * Returns the resolved route and updated metadata.
    */
   public resolveRoute(
@@ -293,10 +294,9 @@ export class ReferenceResolver {
       const resolvedSecurity = this.resolveSourceProfile(resolvedMetadata.sourceProfileRef);
       if (resolvedSecurity) {
         const profile = this.profiles.get(resolvedMetadata.sourceProfileRef);
-        // Merge: profile provides base, route's inline values override
         route = {
           ...route,
-          security: this.mergeSecurityFields(resolvedSecurity, route.security),
+          security: this.cloneSecurityFields(resolvedSecurity),
         };
         resolvedMetadata.sourceProfileName = profile?.name;
         resolvedMetadata.lastResolvedAt = Date.now();
@@ -445,10 +445,15 @@ export class ReferenceResolver {
     if (override.authentication !== undefined) merged.authentication = override.authentication;
     if (override.basicAuth !== undefined) merged.basicAuth = override.basicAuth;
     if (override.jwtAuth !== undefined) merged.jwtAuth = override.jwtAuth;
+    if (override.vpn !== undefined) merged.vpn = override.vpn;
 
     return merged;
   }
 
+  private cloneSecurityFields(security: IRouteSecurity): IRouteSecurity {
+    return structuredClone(security);
+  }
+
   // =========================================================================
   // Private: persistence
   // =========================================================================

ts/config/classes.route-config-manager.ts

@@ -175,6 +175,8 @@ export class RouteConfigManager {
       return { success: false, message: 'Route not found' };
     }
 
+    const previousSourceProfileRef = stored.metadata?.sourceProfileRef;
+
     const isToggleOnlyPatch = patch.enabled !== undefined
       && patch.route === undefined
       && patch.metadata === undefined;
@@ -216,6 +218,13 @@ export class RouteConfigManager {
         ...stored.metadata,
         ...patch.metadata,
       });
+      if (
+        previousSourceProfileRef
+        && !stored.metadata?.sourceProfileRef
+        && !patch.route?.security
+      ) {
+        delete stored.route.security;
+      }
     }
 
     // Re-resolve if metadata refs exist and resolver is available

ts_migrations/index.ts

@@ -19,6 +19,131 @@ export interface IMigrationRunner {
   run(): Promise<IMigrationRunResult>;
 }
 
+type TMigrationSecurity = Record<string, any>;
+
+function mergeMigrationSecurityFields(
+  base: TMigrationSecurity | undefined,
+  override: TMigrationSecurity | undefined,
+): TMigrationSecurity {
+  if (!base && !override) return {};
+  if (!base) return structuredClone(override || {});
+  if (!override) return structuredClone(base || {});
+
+  const merged: TMigrationSecurity = structuredClone(base);
+
+  if (override.ipAllowList || base.ipAllowList) {
+    merged.ipAllowList = [
+      ...new Set([
+        ...(base.ipAllowList || []),
+        ...(override.ipAllowList || []),
+      ]),
+    ];
+  }
+
+  if (override.ipBlockList || base.ipBlockList) {
+    merged.ipBlockList = [
+      ...new Set([
+        ...(base.ipBlockList || []),
+        ...(override.ipBlockList || []),
+      ]),
+    ];
+  }
+
+  for (const key of ['maxConnections', 'rateLimit', 'authentication', 'basicAuth', 'jwtAuth', 'vpn']) {
+    if (override[key] !== undefined) {
+      merged[key] = structuredClone(override[key]);
+    }
+  }
+
+  return merged;
+}
+
+function resolveMigrationSourceProfileSecurity(
+  profileId: string,
+  profiles: Map<string, any>,
+  visited = new Set<string>(),
+  depth = 0,
+): TMigrationSecurity | null {
+  if (depth > 5 || visited.has(profileId)) return null;
+
+  const profile = profiles.get(profileId);
+  if (!profile) return null;
+
+  visited.add(profileId);
+  let baseSecurity: TMigrationSecurity = {};
+  const extendsProfiles = Array.isArray(profile.extendsProfiles) ? profile.extendsProfiles : [];
+  for (const parentId of extendsProfiles) {
+    if (typeof parentId !== 'string') continue;
+    const parentSecurity = resolveMigrationSourceProfileSecurity(
+      parentId,
+      profiles,
+      new Set(visited),
+      depth + 1,
+    );
+    if (parentSecurity) {
+      baseSecurity = mergeMigrationSecurityFields(baseSecurity, parentSecurity);
+    }
+  }
+
+  return mergeMigrationSecurityFields(baseSecurity, profile.security || {});
+}
+
+async function rematerializeSourceProfileRouteSecurity(ctx: {
+  mongo?: { collection: (name: string) => any };
+  log: { log: (level: 'info', message: string) => void };
+}): Promise<void> {
+  const profileCollection = ctx.mongo!.collection('SourceProfileDoc');
+  const routeCollection = ctx.mongo!.collection('RouteDoc');
+  const profiles = new Map<string, any>();
+
+  for await (const profile of profileCollection.find({})) {
+    if (typeof (profile as any).id === 'string') {
+      profiles.set((profile as any).id, profile);
+    }
+  }
+
+  let inspected = 0;
+  let migrated = 0;
+  let skippedMissingProfile = 0;
+  const now = Date.now();
+
+  for await (const routeDoc of routeCollection.find({})) {
+    const sourceProfileRef = (routeDoc as any).metadata?.sourceProfileRef;
+    if (typeof sourceProfileRef !== 'string' || sourceProfileRef.trim() === '') continue;
+    inspected++;
+
+    const resolvedSecurity = resolveMigrationSourceProfileSecurity(sourceProfileRef, profiles);
+    const profile = profiles.get(sourceProfileRef);
+    if (!resolvedSecurity || !profile) {
+      skippedMissingProfile++;
+      continue;
+    }
+
+    const currentSecurity = (routeDoc as any).route?.security || {};
+    const securityChanged = JSON.stringify(currentSecurity) !== JSON.stringify(resolvedSecurity);
+    const profileNameChanged = (routeDoc as any).metadata?.sourceProfileName !== profile.name;
+    if (!securityChanged && !profileNameChanged) continue;
+
+    const query = (routeDoc as any)._id
+      ? { _id: (routeDoc as any)._id }
+      : { id: (routeDoc as any).id };
+    await routeCollection.updateOne(query, {
+      $set: {
+        'route.security': structuredClone(resolvedSecurity),
+        'metadata.sourceProfileName': profile.name,
+        'metadata.lastResolvedAt': now,
+        updatedAt: now,
+      },
+    });
+    migrated++;
+  }
+
+  ctx.log.log(
+    'info',
+    `rematerialize-source-profile-route-security: migrated ${migrated}/${inspected} route(s), skipped ${skippedMissingProfile} missing profile ref(s)`,
+  );
+}
+
 async function migrateTargetProfileTargetHosts(ctx: {
   mongo?: { collection: (name: string) => any };
   log: { log: (level: 'info', message: string) => void };
@@ -167,6 +292,12 @@ export async function createMigrationRunner(
     .description('Backfill RouteDoc.systemKey for persisted config/email/dns routes')
     .up(async (ctx) => {
       await backfillSystemRouteKeys(ctx);
+    })
+    .step('rematerialize-source-profile-route-security')
+    .from('13.18.0').to('13.40.2')
+    .description('Replace stale route security with resolved source profile security')
+    .up(async (ctx) => {
+      await rematerializeSourceProfileRouteSecurity(ctx);
     });
 
   return migration;

ts_web/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@serve.zone/dcrouter',
-  version: '13.40.0',
+  version: '13.40.3',
   description: 'A multifaceted routing service handling mail and SMS delivery functions.'
 }