v11.0.26

fix(devDependencies): bump @git.zone/tsbuild devDependency to ^4.1.15
v11.0.25
2026-03-05 14:28:36 +00:00 · 2026-03-05 14:28:36 +00:00 · 2026-03-05 14:13:58 +00:00 · 2026-03-05 14:13:58 +00:00 · 2026-03-05 14:08:29 +00:00 · 2026-03-05 14:08:29 +00:00
68 changed files with 6949 additions and 4472 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -21,3 +21,4 @@ dist_*/
 **/.claude/settings.local.json
 .nogit/data/
 readme.plan.md
+.playwright-mcp/
--- a/changelog.md
+++ b/changelog.md
@@ -1,5 +1,501 @@
 # Changelog

+## 2026-03-05 - 11.0.26 - fix(devDependencies)
+bump @git.zone/tsbuild devDependency to ^4.1.15
+
+- Updated devDependency @git.zone/tsbuild from ^4.1.14 to ^4.1.15 in package.json
+- No runtime changes; development tooling update only
+
+## 2026-03-05 - 11.0.25 - fix(logger)
+remove build verification comment from logger export
+
+- Removed parenthetical '(build verification)' from export comment in ts/logger.ts
+- No functional changes — this is a comment-only cleanup
+
+## 2026-03-05 - 11.0.24 - fix(dcrouter)
+no changes detected — no release necessary
+
+- No files changed in the provided diff; no code, docs, or dependency updates to release.
+
+## 2026-03-05 - 11.0.23 - fix(deps)
+bump @git.zone/tsbuild devDependency to ^4.1.14
+
+- Updated devDependency @git.zone/tsbuild from ^4.1.13 to ^4.1.14 in package.json
+- Change affects build tooling only (devDependencies); no production code changes
+
+## 2026-03-05 - 11.0.22 - fix(deps)
+bump @git.zone/tsbuild devDependency to ^4.1.13
+
+- Updated @git.zone/tsbuild from ^4.1.9 to ^4.1.13 in devDependencies
+- No runtime code changes; build/dev dependency update only
+
+## 2026-03-05 - 11.0.21 - fix()
+no changes detected
+
+- No files changed in this diff; no release required.
+
+## 2026-03-05 - 11.0.20 - fix(logger)
+annotate singleton logger export comment for build verification
+
+- Changed comment in ts/logger.ts to add '(build verification)'
+- No functional code changes; only a comment update
+- Intended to mark the export for build verification purposes
+
+## 2026-03-05 - 11.0.19 - fix(dcrouter)
+no changes
+
+- No files changed in this commit.
+- Package version remains 11.0.18.
+
+## 2026-03-05 - 11.0.18 - fix(dcrouter)
+no changes detected; no version bump required
+
+- Git diff contains no changes — nothing to release
+
+## 2026-03-05 - 11.0.17 - fix(dcrouter)
+no changes detected in diff; no code or documentation updates
+
+- No files changed in this diff
+- No code, tests, or documentation modified; no release required
+
+## 2026-03-05 - 11.0.16 - fix(dcrouter)
+noop commit: no changes detected
+
+- No files changed in this diff.
+- No code or configuration modifications detected.
+
+## 2026-03-05 - 11.0.15 - fix()
+no changes detected; no version bump necessary
+
+- Diff contains no changes; no files were modified
+
+## 2026-03-05 - 11.0.14 - fix(dcrouter)
+no changes detected
+
+- Provided git diff contains no changes; nothing to release or bump
+- Create a commit only if an empty/placeholder commit is intentionally required
+
+## 2026-03-05 - 11.0.13 - fix()
+no code changes
+
+- No files were changed in this commit.
+
+## 2026-03-05 - 11.0.12 - fix(dcrouter)
+no changes detected — nothing to commit
+
+- Diff reported: No changes
+- No files were modified or staged; no functional or documentation changes to release
+
+## 2026-03-05 - 11.0.11 - fix(deps)
+bump @git.zone/tsbuild devDependency to ^4.1.9
+
+- Updated @git.zone/tsbuild from ^4.1.4 to ^4.1.9 in package.json
+
+## 2026-03-05 - 11.0.10 - fix(playwright-mcp)
+remove committed Playwright artifacts and add .playwright-mcp/ to .gitignore
+
+- Added .playwright-mcp/ to .gitignore to avoid committing transient Playwright outputs
+- Removed many Playwright-generated logs, screenshots and console dumps under .playwright-mcp/ to reduce repository noise/size
+- Prevents accidental check-in of large test artifacts generated by Playwright runs
+
+## 2026-03-05 - 11.0.9 - fix(devDependencies)
+bump @git.zone/tsbuild devDependency to ^4.1.4
+
+- package.json: Updated @git.zone/tsbuild from ^4.1.3 to ^4.1.4
+
+## 2026-03-05 - 11.0.8 - fix()
+no changes detected
+
+- No files changed in this commit
+- No version bump recommended
+
+## 2026-03-05 - 11.0.7 - fix(deps)
+bump @git.zone/tsbuild to ^4.1.3 and @push.rocks/lik to ^6.3.1
+
+- Updated devDependency @git.zone/tsbuild from ^4.1.2 to ^4.1.3 in package.json
+- Updated dependency @push.rocks/lik from ^6.2.2 to ^6.3.1 in package.json
+- Changes are non-breaking dependency bumps; no source code changes
+
+## 2026-03-04 - 11.0.5 - fix(none)
+no changes detected; nothing to release
+
+- Diff contained no changes
+- No files modified; no version bump required
+
+## 2026-03-04 - 11.0.4 - fix()
+no changes
+
+- No files changed in the provided diff; no release or version bump required.
+
+## 2026-03-04 - 11.0.3 - fix()
+no changes detected
+
+- Diff shows no file changes; no code changes to release.
+
+## 2026-03-04 - 11.0.2 - fix(dcrouter)
+no changes detected; no files were modified
+
+- diff was empty
+- no source or package changes detected
+
+## 2026-03-04 - 11.0.1 - fix(auth)
+treat expired JWTs as no identity, improve logout and token verification flow, and bump deps
+
+- App: getActionContext now treats expired JWTs as null to avoid using stale identities for requests.
+- Logout action always clears local login state; server-side adminLogout is attempted only when a valid identity exists.
+- Dashboard: verify persisted JWT with server (verifyIdentity) on startup; if verification fails, clear state and show login.
+- Auto-refresh: on combined refresh failure, detect auth-related errors (invalid/unauthorized/401), dispatch logout and reload to force re-login.
+- Deps: bumped devDependencies @git.zone/tstest (^3.2.0) and @git.zone/tswatch (^3.2.5); added runtime dependency @push.rocks/lik (^6.2.2).
+- Tests/artifacts: added Playwright console logs and page screenshots (test artifacts) to the commit.
+
+## 2026-03-03 - 11.0.0 - BREAKING CHANGE(opsserver)
+Require authentication for OpsServer endpoints, split handlers into authenticated view/admin routers, and make identity required on many TypedRequest interfaces
+
+- Added viewRouter and adminRouter to OpsServer and wired middleware to enforce identity/admin checks (requireValidIdentity, requireAdminIdentity).
+- Moved handlers to appropriate routers (viewRouter for read endpoints, adminRouter for write/admin endpoints) instead of registering on the unauthenticated main typedrouter.
+- Made identity a required field on numerous ts_interfaces request types (breaking change to request typings).
+- Refactored ApiTokenHandler to register directly on adminRouter and use dataArg.identity.userId (no per-handler admin checks needed thanks to middleware).
+- Updated tests: added admin login to obtain identity, adjusted protected endpoint tests to expect rejection when unauthenticated, and adapted other tests to pass identity where required.
+- Added IReq_GetNetworkStats request/response typings to ts_interfaces/requests/stats.ts.
+- Bumped dependencies: @api.global/typedrequest ^3.3.0 and @api.global/typedserver ^8.4.2.
+
+## 2026-03-03 - 10.1.9 - fix(deps)
+bump @push.rocks/smartproxy to ^25.9.1
+
+- Updated package.json dependency @push.rocks/smartproxy from ^25.9.0 to ^25.9.1
+- No other code changes; current package version is 10.1.8, recommend a patch release
+
+## 2026-03-03 - 10.1.8 - fix(deps)
+bump dependencies: @push.rocks/smartmetrics to ^3.0.2, @push.rocks/smartproxy to ^25.9.0, @serve.zone/remoteingress to ^4.4.0
+
+- @push.rocks/smartmetrics: 3.0.1 -> 3.0.2 (patch)
+- @push.rocks/smartproxy: 25.8.5 -> 25.9.0 (minor)
+- @serve.zone/remoteingress: 4.3.0 -> 4.4.0 (minor)
+
+## 2026-03-03 - 10.1.7 - fix(ops-view-apitokens)
+use correct lucide icon name for roll/rotate actions in API tokens view
+
+- Updated iconName from 'lucide:rotate-cw' to 'lucide:rotateCw' in ts_web/elements/ops-view-apitokens.ts (two occurrences) to match lucide icon naming and ensure icons render correctly
+- Non-functional UI fix; no API or behavior changes
+
+## 2026-03-02 - 10.1.6 - fix(ts_web)
+use actionContext for dispatches in web state actions and bump @push.rocks/smartstate to ^2.2.0
+
+- Action handlers in ts_web/appstate.ts now accept an actionContext parameter and call await actionContext.dispatch(...) instead of using statePartArg.dispatchAction(...).
+- Handlers return the awaited dispatch result (ensuring callers receive refreshed state) instead of returning the previous statePartArg.getState().
+- Dependency bumped in package.json: @push.rocks/smartstate from ^2.1.1 to ^2.2.0.
+- Playwright artifacts (logs and page screenshots) were added under .playwright-mcp.
+
+## 2026-03-02 - 10.1.5 - fix(monitoring)
+use a per-second ring buffer for DNS query metrics, improve DNS logging rate limiting and security event aggregation, and bump smartmta dependency
+
+- Replace unbounded query timestamp array with a fixed-size per-second Int32Array ring buffer (300s) to calculate queries-per-second with O(1) updates and bounded memory
+- Add incrementQueryRing and getQueryRingSum helpers to correctly zero stale slots and sum recent seconds
+- Change metrics cache interval from 200ms to 1000ms to better match dashboard polling and reduce update frequency
+- Refactor DNS adaptive logging to use per-second counters (dnsLogWindowSecond / dnsLogWindowCount) instead of timestamp arrays to avoid per-query array filtering and improve rate limiting accuracy; reset counters on flush
+- Security logger: avoid mutating source when sorting/filtering, and implement single-pass aggregation with optional time-window filtering for byLevel/byType/top lists
+- Bump dependency @push.rocks/smartmta from ^5.3.0 to ^5.3.1
+
+## 2026-03-02 - 10.1.4 - fix(no-changes)
+no changes detected; no version bump required
+
+- package version is 10.1.3
+- git diff contains no changes
+
+## 2026-03-02 - 10.1.3 - fix(deps)
+bump @api.global/typedrequest to ^3.2.7
+
+- Updated @api.global/typedrequest from ^3.2.6 to ^3.2.7 in package.json
+- Dependency patch bump only — no source code changes detected
+- Current package version 10.1.2 -> recommended next version 10.1.3 (patch)
+
+## 2026-03-01 - 10.1.2 - fix(core)
+improve shutdown cleanup, socket/stream robustness, and memory/cache handling
+
+- Reset security singletons and CacheDb on shutdown to allow GC (SecurityLogger, ContentScanner, IPReputationChecker, CacheDb).
+- Add DNS socket 'error' handler and only destroy socket when not already destroyed to avoid uncaught exceptions.
+- Move pruning of dnsMetrics.queryTimestamps to a periodic interval to avoid O(n) work on every query.
+- Debounce IPReputationChecker cache saves (save timer + reset on instance reset) to reduce IO and prevent duplicate saves.
+- Fix virtualStream send timeout handling by keeping/clearing a timeout handle to avoid leaks and hung promises.
+- Add memory store eviction in StorageManager to cap entries (MAX_MEMORY_ENTRIES) and evict oldest entries when exceeded.
+- Add terminal-ready timeout in ops-view-logs to avoid blocking UI initialization if xterm CDN fails to initialize.
+- Bump dev dependency @types/node and push.rocks/smartstate versions.
+
+## 2026-02-27 - 10.1.1 - fix(ops-view-apitokens)
+replace lucide:refresh-cw with lucide:rotate-cw for Roll action icon
+
+- Updated ts_web/elements/ops-view-apitokens.ts: changed iconName in two locations to 'lucide:rotate-cw' for the Roll/Roll Token actions.
+- UI-only change — no functional or API behavior modified.
+- Current package version is 10.1.0; recommended patch bump to 10.1.1. 
+
+## 2026-02-27 - 10.1.0 - feat(api-tokens)
+add ability to roll (regenerate) API token secrets and UI to display the newly generated token once
+
+- Server: added ApiTokenManager.rollToken(id) to regenerate a token secret, update its hash, persist it and log the action.
+- Server: added opsserver handler 'rollApiToken' which requires admin identity and returns the new raw token value (shown once) or error messages.
+- API: added typed request interface IReq_RollApiToken for the rollApiToken RPC.
+- Web: added appstate.rollApiToken wrapper to call the new typed request.
+- UI: ops-view-apitokens updated with a 'Roll' action and a modal flow to confirm rolling, call the API, refresh token list, and present the new token value to copy (token value is shown only once).
+- Security: operation is admin-only and the raw token is returned only once after rolling.
+
+## 2026-02-27 - 10.0.0 - BREAKING CHANGE(remote-ingress)
+replace tlsConfigured boolean with tlsMode ('custom' | 'acme' | 'self-signed') and compute TLS mode server-side
+
+- Server: compute remoteIngress.tlsMode = 'custom' when custom certPath/keyPath provided; else attempt to detect ACME by checking stored certs for hubDomain; default to 'self-signed' as fallback.
+- API: replaced remoteIngress.tlsConfigured:boolean with tlsMode:'custom'|'acme'|'self-signed' — this is a breaking change for consumers of the config API.
+- UI: ops view updated to display TLS Mode as a badge instead of a boolean "TLS Configured" field.
+- Action required: update clients and integrations to read remoteIngress.tlsMode instead of tlsConfigured.
+
+## 2026-02-26 - 9.3.0 - feat(remoteingress)
+add TLS certificate resolution and passthrough for RemoteIngress tunnel
+
+- Resolve TLS certs for the RemoteIngress tunnel with priority: explicit certPath/keyPath files → stored ACME cert for hubDomain → fallback to self-signed
+- Expose tls option on ITunnelManagerConfig and forward certPem/keyPem into hub.start so the hub can use the provided TLS materials
+- Add logging for cert selection and file read failures
+- Bump dependency @serve.zone/remoteingress from ^4.2.0 to ^4.3.0
+
+## 2026-02-26 - 9.2.0 - feat(remoteingress)
+expose connected edge IPs and detected public IP; resolve proxy IPs from SmartProxy and improve ops UI
+
+- Add detectedPublicIp to DC Router and populate it when a configured or auto-discovered public IP is chosen
+- Use dcRouter.detectedPublicIp as a fallback for system.publicIp in the config handler
+- Resolve proxy IPs from SmartProxy runtime settings when opts.proxyIps is not provided
+- TunnelManager: capture peerAddr on edgeConnected and from Rust heartbeats, store per-edge publicIp, and add getConnectedEdgeIps()
+- Expose connectedEdgeIps in the config API and return it in remoteIngress config
+- Ops UI: show Connected Edge IPs, annotate 127.0.0.1 proxy IP as 'Remote Ingress' when applicable, and refresh remote ingress data during combined refresh when viewing remoteingress
+- Bump dependency @serve.zone/remoteingress to ^4.2.0
+
+## 2026-02-26 - 9.1.10 - fix(deps)
+bump @push.rocks/smartproxy to ^25.8.5
+
+- package.json: @push.rocks/smartproxy version updated from ^25.8.4 to ^25.8.5
+- No other files changed
+
+## 2026-02-26 - 9.1.9 - fix(deps(smartmta))
+bump @push.rocks/smartmta to ^5.3.0
+
+- Updated @push.rocks/smartmta from ^5.2.6 to ^5.3.0 in package.json
+- Patch release recommended (no source code changes)
+
+## 2026-02-26 - 9.1.8 - fix(deps)
+bump @serve.zone/remoteingress to ^4.1.0
+
+- Updated dependency @serve.zone/remoteingress from ^4.0.1 to ^4.1.0 in package.json
+- Non-breaking dependency update; recommend patch version bump
+
+## 2026-02-26 - 9.1.7 - fix(dcrouter)
+bump @push.rocks/smartproxy to ^25.8.4 and remove custom smartProxy timeout/connection lifetime settings from dcrouter
+
+- Bumped dependency @push.rocks/smartproxy from ^25.8.3 to ^25.8.4 in package.json
+- Removed explicit smartProxy options: socketTimeout, inactivityTimeout, keepAliveInactivityMultiplier, extendedKeepAliveLifetime, and maxConnectionLifetime from ts/classes.dcrouter.ts
+
+## 2026-02-26 - 9.1.6 - fix(cleanup)
+prevent event listener and log stream leaks, tighten smartProxy connection timeouts, and improve graceful shutdown behavior
+
+- Tightened smartProxy connection timeouts and lifetimes (5m socketTimeout, 10m inactivityTimeout, keep-alive multiplier, 1h extendedKeepAliveLifetime, 4h maxConnectionLifetime).
+- Remove event listeners before stopping services to avoid leaks (smartProxy, emailServer, dnsServer, remote ingress hub).
+- OpsServer.stop now invokes logsHandler.cleanup to tear down active log streams and avoid duplicate push destinations.
+- LogsHandler rewritten to use a module-level singleton push destination, track active stream stop callbacks, add cleanup(), guard against hung VirtualStream.sendData with a 10s timeout, and ensure intervals are cleared on stop.
+- updateSmartProxyConfig removes listeners on the old instance before stopping it.
+- Dependency bumps: @api.global/typedsocket ^4.1.2, @push.rocks/smartdata ^7.1.0, @push.rocks/smartmta ^5.2.6, @push.rocks/smartproxy ^25.8.3.
+
+## 2026-02-26 - 9.1.5 - fix(remoteingress)
+Reconcile tunnel manager edge statuses with authoritative Rust hub periodically; update active tunnel counts and heartbeats, add missed edges, remove stale entries, and clear reconcile interval on stop
+
+- Add reconcile() to sync TS-side edgeStatuses with hub.getStatus and overwrite activeTunnels with the authoritative activeStreams.
+- Start a periodic reconcile (setInterval every 15s) and store the interval handle on the tunnel manager.
+- Clear the reconcile interval in stop() to avoid background timers; remove edgeStatuses entries that are no longer connected in Rust.
+- Bump dependency @serve.zone/remoteingress from ^4.0.0 to ^4.0.1.
+
+## 2026-02-25 - 9.1.4 - fix(deps)
+bump @push.rocks/smartproxy to ^25.8.1
+
+- Updated package.json dependency @push.rocks/smartproxy from ^25.8.0 to ^25.8.1
+
+## 2026-02-24 - 9.1.3 - fix(deps)
+bump @api.global/typedserver to ^8.4.0 and @push.rocks/smartproxy to ^25.8.0
+
+- Updated @api.global/typedserver from ^8.3.1 to ^8.4.0
+- Updated @push.rocks/smartproxy from ^25.7.9 to ^25.8.0
+
+## 2026-02-24 - 9.1.2 - fix(deps)
+bump dependency versions for build and runtime packages
+
+- @git.zone/tsbundle: ^2.8.3 -> ^2.9.0
+- @git.zone/tswatch: ^3.1.0 -> ^3.2.0
+- @api.global/typedserver: ^8.3.0 -> ^8.3.1
+- @design.estate/dees-catalog: ^3.43.2 -> ^3.43.3
+
+## 2026-02-23 - 9.1.1 - fix(dcrouter)
+no changes detected — no files modified, no release necessary
+
+- Git diff contained no changes
+- No files added, modified, or deleted
+
+## 2026-02-23 - 9.1.0 - feat(ops-dashboard)
+add lucide icons to Ops dashboard view tabs
+
+- Added iconName property to 10 view tabs in ts_web/elements/ops-dashboard.ts to enable icons in the UI
+- Icon mappings: Overview -> lucide:layoutDashboard, Configuration -> lucide:settings, Network -> lucide:network, Emails -> lucide:mail, Logs -> lucide:scrollText, Routes -> lucide:route, ApiTokens -> lucide:key, Security -> lucide:shield, Certificates -> lucide:badgeCheck, RemoteIngress -> lucide:globe
+- Improves visual clarity of dashboard navigation
+
+## 2026-02-23 - 9.0.0 - BREAKING CHANGE(opsserver)
+Return structured configuration (IConfigData) from opsserver and update UI to render detailed config sections
+
+- Introduce IConfigData interface with typed sections: system, smartProxy, email, dns, tls, cache, radius, remoteIngress.
+- Replace ConfigHandler.getConfiguration implementation to assemble and return IConfigData (changes API response shape for getConfiguration).
+- Refactor frontend: update appstate types and ops-view-config to render the new config sections, use @serve.zone/catalog IConfigField/IConfigSectionAction, add uptime formatting and remote ingress UI.
+- Fix ops-view-apitokens form handling to correctly read dees-input-tags values.
+- Update tests to expect new configuration fields.
+- Bump dependency @serve.zone/catalog to ^2.5.0.
+
+## 2026-02-23 - 8.1.0 - feat(route-management)
+add programmatic route management API with API tokens and admin UI
+
+- Introduce RouteConfigManager to persist and manage programmatic routes and hardcoded-route overrides
+- Add ApiTokenManager to create, validate, list, toggle and revoke API tokens (stored hashed)
+- New OpsServer TypedRequest handlers: RouteManagementHandler (getMergedRoutes, create/update/delete/toggle routes, set/remove overrides) and ApiTokenHandler (create/list/revoke/toggle tokens)
+- DcRouter integration: initialize routeConfigManager and apiTokenManager, expose getConstructorRoutes and re-apply programmatic routes after SmartProxy restarts
+- Front-end additions: new 'Routes' and 'ApiTokens' views and UI components (ops-view-routes, ops-view-apitokens), router and appstate actions to fetch/manage routes and tokens
+- New TS interfaces and request types for route-management and API tokens, plus storage schemas for persisted routes, overrides and tokens
+- Bump dependency @serve.zone/catalog to ^2.3.0
+
+## 2026-02-22 - 8.0.0 - BREAKING CHANGE(email-ops)
+migrate email operations to catalog-compatible email model and simplify UI/router
+
+- Add @serve.zone/catalog dependency and import (szCatalog) in web plugins
+- Replace queue-based typedrequest methods with catalog APIs: getQueuedEmails / getSentEmails / getFailedEmails => getAllEmails and getEmailDetail (request/response shapes changed)
+- Update TypeScript interfaces: IEmailQueueItem/IBounceRecord/ISecurityIncident etc. replaced by IEmail, IEmailDetail, ISmtpLogEntry, IConnectionInfo, IAuthenticationResults (breaking type changes)
+- Frontend state and actions consolidated: emailOps state now holds emails array; multiple fetch actions removed and replaced by fetchAllEmailsAction and getEmailDetail usage
+- UI components updated: ops-view-emails switched to list/detail view and now requests email detail via new API; router no longer exposes email folder routes and email-folder navigation removed
+- Ops server handler refactored to return catalog-style emails and email detail; added status mapping and size formatting helpers
+
+## 2026-02-21 - 7.4.3 - fix(logging)
+add adaptive rate-limited DNS query logging, flush pending DNS logs on shutdown, and enhance email delivery logging
+
+- Introduce adaptive DNS logging: allow up to 2 individual DNS query logs per second, then aggregate further queries and emit a batched summary (dnsLogWindow, dnsBatchCount, dnsBatchTimer) with a 5s flush.
+- Flush pending DNS batch on stop() and log final DNS batch count during shutdown.
+- Enhance email observability by logging deliveryStart, deliverySuccess, deliveryFailed and bounceProcessed events alongside existing MetricsManager tracking.
+- Dependency bump: @design.estate/dees-catalog updated from ^3.43.1 to ^3.43.2.
+- Non-breaking change; intended as a patch release.
+
+## 2026-02-21 - 7.4.2 - fix(monitoring,remoteingress,web)
+Prune old metrics buckets periodically, clear metrics caches on shutdown, simplify edge disconnect handling, and optimize network view data updates
+
+- Call pruneOldBuckets() each minute to proactively remove stale time-series buckets in MetricsManager
+- Clear metricsCache, emailMinuteBuckets and dnsMinuteBuckets when MetricsManager stops to avoid stale state on shutdown
+- On edgeDisconnected remove the edgeStatuses entry instead of mutating an existing record (more explicit cleanup)
+- Remove unused traffic-timer variables and move requestsPerSec history updates from render() into updateNetworkData() to avoid unnecessary re-renders
+- Optimize traffic data array updates by shifting in-place then reassigning arrays to preserve Lit reactivity and reduce intermediate allocations
+
+## 2026-02-21 - 7.4.1 - fix(dcrouter)
+replace console logging with structured logger, improve metrics logging, add terminal-ready wait in ops UI, bump dees-catalog patch
+
+- Replace console.log/console.error calls in classes.dcrouter.ts with structured logger.log (info/debug/error) including contextual data and stringified errors
+- MetricsManager: create a dedicated Smartlog instance (metricsLogger) for SmartMetrics and use shared logger for lifecycle events (start/stop)
+- SmartProxy/ACME: convert startup/stop/cert events and error logging to structured logs; include generated route and cert metadata where relevant
+- Shutdown/startup flows: unify service start/stop/error messages through logger to provide consistent, structured output
+- UI change: ops-view-logs now waits for xterm terminalReady before pushing initial logs to avoid race conditions
+- Bump dependency @design.estate/dees-catalog from 3.43.0 to 3.43.1
+
+## 2026-02-21 - 7.4.0 - feat(opsserver)
+add real-time log push to ops dashboard and recent DNS query tracking
+
+- Export baseLogger and add a log destination that pushes log entries to connected ops_dashboard TypedSocket clients (ts/opsserver/handlers/logs.handler.ts, ts/logger.ts).
+- Introduce a new TypedRequest (pushLogEntry) interface for server→client log pushes (ts_interfaces/requests/logs.ts) and wire client handling in the web UI (ts_web/appstate.ts, ts_web/plugins.ts).
+- Add TypedSocket client connection lifecycle to the web app, stream pushed log entries into app state and update log views incrementally (ts_web/appstate.ts, ts_web/elements/ops-view-logs.ts).
+- MetricsManager now records recent DNS queries (timestamp, domain, type, answered, responseTimeMs) and exposes them via stats endpoints for display in the UI (ts/monitoring/classes.metricsmanager.ts, ts/opsserver/handlers/stats.handler.ts, ts_interfaces/data/stats.ts).
+- UI overview now displays DNS query entries and uses answered flag to set log level (ts_web/elements/ops-view-overview.ts).
+- Add import/export for typedsocket in web plugins to enable real-time push (ts_web/plugins.ts).
+- Bump dependency @push.rocks/smartproxy patch version ^25.7.8 → ^25.7.9 (package.json).
+
+## 2026-02-20 - 7.3.0 - feat(dcrouter)
+Wire DNS server 'query' events to MetricsManager for time-series tracking and bump @push.rocks/smartdns to ^7.9.0
+
+- Add dnsServer 'query' event listener that iterates event.questions and calls metricsManager.trackDnsQuery(question.type, question.name, false, event.responseTimeMs).
+- Listener is guarded by a metricsManager existence check to avoid runtime errors when metrics are not configured.
+- Bump dependency @push.rocks/smartdns from ^7.8.1 to ^7.9.0 in package.json.
+
+## 2026-02-20 - 7.2.0 - feat(logs)
+replace custom logs list with dees-chart-log component and push logs to chart, add log mapping and lifecycle sync, and bump smartlog dependency
+
+- Replaced the legacy in-component log list and styling with a dees-chart-log element to render application logs.
+- Added updated() lifecycle handler to push new logs to the chart and new helper methods pushLogsToChart() and getMappedLogEntries() to map log entries to the chart's expected format.
+- Removed the streaming toggle, getActiveFilters(), legacy CSS for the log list, and the old per-entry rendering markup.
+- Added explicit typing for dropdown @selectedOption handlers (e: any).
+- Bumped dependency @push.rocks/smartlog from ^3.2.0 to ^3.2.1 in package.json.
+
+## 2026-02-19 - 7.1.0 - feat(ops/monitoring)
+add in-memory log buffer, metrics time-series and ops UI integration
+
+- bump @push.rocks/smartlog to ^3.2.0
+- introduce SmartlogDestinationBuffer (logBuffer) and wire it into the base logger to provide an in-memory log store for the Ops UI
+- implement minute-resolution time-series buckets in MetricsManager with increment/prune helpers and new APIs getEmailTimeSeries and getDnsTimeSeries
+- sync security counters from SecurityLogger and expose recent security events via StatsHandler
+- wire email delivery lifecycle events and bounce processing to MetricsManager for tracking sent/received/failed metrics
+- LogsHandler now queries the in-memory log buffer, maps smartlog levels/categories, supports search/level/time-range filtering and pagination
+- UI updates: ops-view-overview, ops-view-logs and ops-view-security consume time-series and recent events to render charts, tables and filters
+
+## 2026-02-19 - 7.0.1 - fix(monitoring)
+Use smartMetrics cpuPercentage for cpuUsage.user and update smartmetrics and smartproxy dependencies
+
+- Switch cpuUsage.user from parseFloat(smartMetricsData.cpuUsageText) to smartMetricsData.cpuPercentage to align with smartmetrics v3 API
+- Bump @push.rocks/smartmetrics from ^2.0.10 to ^3.0.1
+- Bump @push.rocks/smartproxy from ^25.7.6 to ^25.7.8
+
+## 2026-02-19 - 7.0.0 - BREAKING CHANGE(deps)
+bump dependencies: @serve.zone/remoteingress to ^4.0.0 (breaking), @push.rocks/smartproxy to ^25.7.6, @types/node to ^25.3.0
+
+- Updated @serve.zone/remoteingress from ^3.3.0 to ^4.0.0 — major breaking change; may require code changes to adapt to new API.
+- Updated @push.rocks/smartproxy from ^25.7.3 to ^25.7.6 — patch update (non-breaking).
+- Updated @types/node from ^25.2.3 to ^25.3.0 — patch update (non-breaking).
+- Current package version is 6.13.2; recommend bumping to 7.0.0 due to the breaking dependency upgrade.
+
+## 2026-02-19 - 6.13.2 - fix(runtime)
+prevent memory leaks and improve shutdown/stream handling across services
+
+- Add CertProvisionScheduler.clear() to reset in-memory backoff cache and call it during DcRouter shutdown
+- Stop any existing SmartAcme instance before creating a new one (await stop and log errors) to avoid duplicate running instances
+- Null out many DcRouter service references and clear certificateStatusMap on shutdown to allow GC of stopped services
+- Cap emailMetrics.recipients map size and trim to ~80% of MAX_TOP_DOMAINS to prevent unbounded growth
+- Await virtualStream.sendData in logs follow handler and clear the interval if the stream errors/closes to avoid interval leaks
+- Limit normalizedMacCache size and evict oldest entries when it exceeds 10000 to prevent unbounded cache growth
+
+## 2026-02-18 - 6.13.1 - fix(dcrouter)
+enable PROXY protocol v1 handling for SmartProxy when remoteIngress is enabled to preserve client IPs
+
+- Set smartProxyConfig.acceptProxyProtocol = true when options.remoteIngressConfig.enabled
+- Whitelist loopback address by setting smartProxyConfig.proxyIPs = ['127.0.0.1']
+- Only applies when remoteIngress is enabled; used to accept tunneled connections forwarded by the hub to preserve original client IPs
+
+## 2026-02-18 - 6.13.0 - feat(remoteingress)
+include listenPorts for allowed edges sent to the Rust hub and always resync allowed edges when edge properties change
+
+- getAllowedEdges now returns listenPorts for each allowed edge (uses getEffectiveListenPorts)
+- remoteingress handler now calls tunnelManager.syncAllowedEdges() whenever tunnelManager exists so ports/tags/enabled changes are propagated
+- Improves Rust hub routing by providing per-edge listening ports and ensuring allowed-edge list is kept up-to-date
+
+## 2026-02-18 - 6.12.0 - feat(remote-ingress)
+add Remote Ingress hub integration, OpsServer UI, APIs, and docs
+
+- Integrates RemoteIngress (hub/tunnel) into DcRouter: runtime manager, tunnel manager and Rust data plane references added
+- Bumps dependency @serve.zone/remoteingress to ^3.3.0
+- Adds configuration defaults and IDcRouterOptions.remoteIngressConfig with tunnelPort/hubDomain/tls fields
+- Introduces OpsServer API endpoints and TypedRequest methods for remote ingress: getRemoteIngresses, createRemoteIngress, updateRemoteIngress, deleteRemoteIngress, regenerateRemoteIngressSecret, getRemoteIngressStatus, getRemoteIngressConnectionToken
+- UI updates: new Remote Ingress dashboard view, connection token generation & copy (clipboard API + fallback), auto-derived ports display, and toast notifications
+- State/API rename: newEdgeSecret -> newEdgeId and clearNewEdgeIdAction; appstate fetchConnectionToken usage
+- Documentation: README, ts/ and ts_web readmes, and ts_interfaces updated with interfaces and examples for Remote Ingress
+- Minor UI icon updates (search -> fa:magnifyingGlass, clipboard icon casing) and other doc/README improvements
+
+## 2026-02-18 - 6.11.0 - feat(remoteingress)
+add ability to generate remote ingress connection tokens and UI copy action; add hubDomain config option; update remoteingress dependency to ^3.1.1
+
+- Add server typed handler 'getRemoteIngressConnectionToken' to generate an encoded connection token containing hubHost, hubPort, edgeId and secret.
+- Add request interface IReq_GetRemoteIngressConnectionToken for typed requests.
+- Add fetchConnectionToken helper in web appstate and a 'Copy Token' action in ops-view-remoteingress to copy tokens to the clipboard with toast feedback.
+- Add hubDomain option to remoteIngressConfig in dcrouter options so an external hostname can be embedded in connection tokens.
+- Bump dependency @serve.zone/remoteingress from ^3.0.4 to ^3.1.1 in package.json.
+
 ## 2026-02-17 - 6.10.0 - feat(ops-view-certificates)
 Make Export and Delete actions available inline (inRow) as well as in the context menu; bump @design.estate/dees-catalog to ^3.43.0

--- a/package.json
+++ b/package.json
@@ -1,7 +1,7 @@
 {
  "name": "@serve.zone/dcrouter",
  "private": false,
-  "version": "6.10.0",
+  "version": "11.0.26",
  "description": "A multifaceted routing service handling mail and SMS delivery functions.",
  "type": "module",
  "exports": {
@@ -19,44 +19,46 @@
    "watch": "tswatch"
  },
  "devDependencies": {
-    "@git.zone/tsbuild": "^4.1.2",
-    "@git.zone/tsbundle": "^2.8.3",
+    "@git.zone/tsbuild": "^4.1.15",
+    "@git.zone/tsbundle": "^2.9.0",
    "@git.zone/tsrun": "^2.0.1",
-    "@git.zone/tstest": "^3.1.8",
-    "@git.zone/tswatch": "^3.1.0",
-    "@types/node": "^25.2.3"
+    "@git.zone/tstest": "^3.2.0",
+    "@git.zone/tswatch": "^3.2.5",
+    "@types/node": "^25.3.3"
  },
  "dependencies": {
-    "@api.global/typedrequest": "^3.2.6",
+    "@api.global/typedrequest": "^3.3.0",
    "@api.global/typedrequest-interfaces": "^3.0.19",
-    "@api.global/typedserver": "^8.3.0",
-    "@api.global/typedsocket": "^4.1.0",
+    "@api.global/typedserver": "^8.4.2",
+    "@api.global/typedsocket": "^4.1.2",
    "@apiclient.xyz/cloudflare": "^7.1.0",
-    "@design.estate/dees-catalog": "^3.43.0",
+    "@design.estate/dees-catalog": "^3.43.3",
    "@design.estate/dees-element": "^2.1.6",
+    "@push.rocks/lik": "^6.3.1",
    "@push.rocks/projectinfo": "^5.0.2",
    "@push.rocks/qenv": "^6.1.3",
    "@push.rocks/smartacme": "^9.1.3",
-    "@push.rocks/smartdata": "^7.0.15",
-    "@push.rocks/smartdns": "^7.8.1",
+    "@push.rocks/smartdata": "^7.1.0",
+    "@push.rocks/smartdns": "^7.9.0",
    "@push.rocks/smartfile": "^13.1.2",
    "@push.rocks/smartguard": "^3.1.0",
    "@push.rocks/smartjwt": "^2.2.1",
-    "@push.rocks/smartlog": "^3.1.11",
-    "@push.rocks/smartmetrics": "^2.0.10",
+    "@push.rocks/smartlog": "^3.2.1",
+    "@push.rocks/smartmetrics": "^3.0.2",
    "@push.rocks/smartmongo": "^5.1.0",
-    "@push.rocks/smartmta": "^5.2.2",
+    "@push.rocks/smartmta": "^5.3.1",
    "@push.rocks/smartnetwork": "^4.4.0",
    "@push.rocks/smartpath": "^6.0.0",
    "@push.rocks/smartpromise": "^4.2.3",
-    "@push.rocks/smartproxy": "^25.7.3",
+    "@push.rocks/smartproxy": "^25.9.1",
    "@push.rocks/smartradius": "^1.1.1",
    "@push.rocks/smartrequest": "^5.0.1",
    "@push.rocks/smartrx": "^3.0.10",
-    "@push.rocks/smartstate": "^2.0.30",
+    "@push.rocks/smartstate": "^2.2.0",
    "@push.rocks/smartunique": "^3.0.9",
+    "@serve.zone/catalog": "^2.5.0",
    "@serve.zone/interfaces": "^5.3.0",
-    "@serve.zone/remoteingress": "^3.0.4",
+    "@serve.zone/remoteingress": "^4.4.0",
    "@tsclass/tsclass": "^9.3.0",
    "lru-cache": "^11.2.6",
    "uuid": "^13.0.0"
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
--- a/readme.md
+++ b/readme.md
@@ -4,7 +4,7 @@

 **dcrouter: The all-in-one gateway for your datacenter.** 🚀

-A comprehensive traffic routing solution that provides unified gateway capabilities for HTTP/HTTPS, TCP/SNI, email (SMTP), DNS, and RADIUS protocols. Designed for enterprises requiring robust traffic management, automatic TLS certificate provisioning, and enterprise-grade email infrastructure — all from a single process.
+A comprehensive traffic routing solution that provides unified gateway capabilities for HTTP/HTTPS, TCP/SNI, email (SMTP), DNS, RADIUS, and remote edge ingress — all from a single process. Designed for enterprises requiring robust traffic management, automatic TLS certificate provisioning, distributed edge networking, and enterprise-grade email infrastructure.

 ## Issue Reporting and Security

@@ -21,6 +21,7 @@ For reporting bugs, issues, or security vulnerabilities, please visit [community
 - [Email System](#email-system)
 - [DNS Server](#dns-server)
 - [RADIUS Server](#radius-server)
+- [Remote Ingress](#remote-ingress)
 - [Certificate Management](#certificate-management)
 - [Storage & Caching](#storage--caching)
 - [Security Features](#security-features)
@@ -60,6 +61,14 @@ For reporting bugs, issues, or security vulnerabilities, please visit [community
 - **RADIUS accounting** for session tracking, traffic metering, and billing
 - **Real-time management** via OpsServer API

+### 🌍 Remote Ingress (powered by [remoteingress](https://code.foss.global/serve.zone/remoteingress))
+- **Distributed edge networking** — accept traffic at remote edge nodes and tunnel it to the hub
+- **Edge registration CRUD** with secret-based authentication
+- **Auto-derived ports** — edges automatically pick up ports from routes tagged with `remoteIngress.enabled`
+- **Connection tokens** — generate a single opaque base64url token containing hubHost, hubPort, edgeId, and secret for easy edge provisioning
+- **Real-time status monitoring** — connected/disconnected state, public IP, active tunnels, heartbeat tracking
+- **OpsServer dashboard** with enable/disable, edit, secret regeneration, token copy, and delete actions
+
 ### ⚡ High Performance
 - **Rust-powered proxy engine** via SmartProxy for maximum throughput
 - **Rust-powered MTA engine** via smartmta (TypeScript + Rust hybrid) for reliable email delivery
@@ -76,8 +85,9 @@ For reporting bugs, issues, or security vulnerabilities, please visit [community
 ### 🖥️ OpsServer Dashboard
 - **Web-based management interface** with real-time monitoring
 - **JWT authentication** with session persistence
- **Live views** for connections, email queues, DNS queries, RADIUS sessions, certificates, and security events
+- **Live views** for connections, email queues, DNS queries, RADIUS sessions, certificates, remote ingress edges, and security events
 - **Domain-centric certificate overview** with backoff status and one-click reprovisioning
+- **Remote ingress management** with connection token generation and one-click copy
 - **Read-only configuration display** — DcRouter is configured through code

 ## Installation
@@ -219,6 +229,13 @@ const router = new DcRouter({
    accounting: { enabled: true, retentionDays: 30 }
  },

+  // Remote Ingress — edge nodes tunnel traffic to this hub
+  remoteIngressConfig: {
+    enabled: true,
+    tunnelPort: 8443,
+    hubDomain: 'hub.example.com',
+  },
+
  // Persistent storage
  storage: { fsPath: '/var/lib/dcrouter/data' },

@@ -246,6 +263,7 @@ graph TB
        TCP[TCP Clients]
        DNS[DNS Queries]
        RAD[RADIUS Clients]
+        EDGE[Edge Nodes]
    end

    subgraph "DcRouter Core"
@@ -254,6 +272,7 @@ graph TB
        ES[smartmta Email Server<br/><i>TypeScript + Rust</i>]
        DS[SmartDNS Server<br/><i>Rust-powered</i>]
        RS[SmartRadius Server]
+        RI[RemoteIngress Hub<br/><i>Rust data plane</i>]
        CM[Certificate Manager<br/><i>smartacme v9</i>]
        OS[OpsServer Dashboard]
        MM[Metrics Manager]
@@ -273,11 +292,13 @@ graph TB
    SMTP --> ES
    DNS --> DS
    RAD --> RS
+    EDGE --> RI

    DC --> SP
    DC --> ES
    DC --> DS
    DC --> RS
+    DC --> RI
    DC --> CM
    DC --> OS
    DC --> MM
@@ -288,6 +309,7 @@ graph TB
    SP --> API
    ES --> MAIL
    ES --> DB
+    RI --> SP

    CM -.-> SP
    CM -.-> ES
@@ -303,6 +325,7 @@ graph TB
 | **DNS Server** | `@push.rocks/smartdns` | Authoritative DNS with dynamic records and DKIM TXT auto-generation (Rust engine) |
 | **SmartAcme** | `@push.rocks/smartacme` | ACME certificate management with per-domain dedup, concurrency control, and rate limiting |
 | **RADIUS Server** | `@push.rocks/smartradius` | Network authentication with MAB, VLAN assignment, and accounting |
+| **RemoteIngress** | `@serve.zone/remoteingress` | Distributed edge tunneling with Rust data plane and TS management |
 | **OpsServer** | `@api.global/typedserver` | Web dashboard + TypedRequest API for monitoring and management |
 | **MetricsManager** | `@push.rocks/smartmetrics` | Real-time metrics collection (CPU, memory, email, DNS, security) |
 | **StorageManager** | built-in | Pluggable key-value storage (filesystem, custom, or in-memory) |
@@ -312,19 +335,20 @@ graph TB

 DcRouter acts purely as an **orchestrator** — it doesn't implement protocols itself. Instead, it wires together best-in-class packages for each protocol:

-1. **On `start()`**: DcRouter initializes OpsServer (port 3000), then spins up SmartProxy, smartmta, SmartDNS, and SmartRadius based on which configs are provided.
-2. **During operation**: Each service handles its own protocol independently. SmartProxy uses a Rust-powered engine for maximum throughput. smartmta uses a hybrid TypeScript + Rust architecture for reliable email delivery. SmartAcme v9 handles all certificate operations with built-in concurrency control and rate limiting.
+1. **On `start()`**: DcRouter initializes OpsServer (port 3000), then spins up SmartProxy, smartmta, SmartDNS, SmartRadius, and RemoteIngress based on which configs are provided.
+2. **During operation**: Each service handles its own protocol independently. SmartProxy uses a Rust-powered engine for maximum throughput. smartmta uses a hybrid TypeScript + Rust architecture for reliable email delivery. RemoteIngress runs a Rust data plane for edge tunnel networking. SmartAcme v9 handles all certificate operations with built-in concurrency control and rate limiting.
 3. **On `stop()`**: All services are gracefully shut down in parallel, including cleanup of HTTP agents and DNS clients.

 ### Rust-Powered Architecture

-DcRouter itself is a pure TypeScript orchestrator, but three of its core sub-components ship with **compiled Rust binaries** for performance-critical paths. At runtime each package detects the platform, unpacks the correct binary, and communicates with TypeScript over IPC/FFI — so you get the ergonomics of TypeScript with the throughput of native code.
+DcRouter itself is a pure TypeScript orchestrator, but several of its core sub-components ship with **compiled Rust binaries** for performance-critical paths. At runtime each package detects the platform, unpacks the correct binary, and communicates with TypeScript over IPC/FFI — so you get the ergonomics of TypeScript with the throughput of native code.

 | Component | Rust Binary | What It Handles |
 |-----------|-------------|-----------------|
 | **SmartProxy** | `smartproxy-bin` | All TCP/TLS/HTTP proxy networking, NFTables integration, connection metrics |
 | **smartmta** | `mailer-bin` | SMTP server + client, DKIM/SPF/DMARC, content scanning, IP reputation |
 | **SmartDNS** | `smartdns-bin` | DNS server (UDP + DNS-over-HTTPS), DNSSEC, DNS client resolution |
+| **RemoteIngress** | `remoteingress-bin` | Edge tunnel data plane, multiplexed streams, heartbeat management |
 | **SmartRadius** | — | Pure TypeScript (no Rust component) |

 ## Configuration Reference
@@ -333,6 +357,10 @@ DcRouter itself is a pure TypeScript orchestrator, but three of its core sub-com

 ```typescript
 interface IDcRouterOptions {
+  // ── Base ───────────────────────────────────────────────────────
+  /** Base directory for all dcrouter data. Defaults to ~/.serve.zone/dcrouter */
+  baseDir?: string;
+
  // ── Traffic Routing ────────────────────────────────────────────
  /** SmartProxy config for HTTP/HTTPS and TCP/SNI routing */
  smartProxyConfig?: ISmartProxyOptions;
@@ -376,6 +404,18 @@ interface IDcRouterOptions {
    accounting?: { enabled: boolean; retentionDays?: number };
  };

+  // ── Remote Ingress ─────────────────────────────────────────────
+  /** Remote Ingress hub for edge tunnel connections */
+  remoteIngressConfig?: {
+    enabled?: boolean;                   // default: false
+    tunnelPort?: number;                 // default: 8443
+    hubDomain?: string;                  // External hostname for connection tokens
+    tls?: {
+      certPath?: string;
+      keyPath?: string;
+    };
+  };
+
  // ── TLS & Certificates ────────────────────────────────────────
  tls?: {
    contactEmail: string;
@@ -701,6 +741,107 @@ RADIUS is fully manageable at runtime via the OpsServer API:
 - Session monitoring and forced disconnects
 - Accounting summaries and statistics

+## Remote Ingress
+
+DcRouter can act as a **hub** for distributed edge nodes using [`@serve.zone/remoteingress`](https://code.foss.global/serve.zone/remoteingress). Edge nodes accept incoming traffic at remote locations and tunnel it back to the hub over a single multiplexed connection. This is ideal for scenarios where you need to accept traffic at multiple geographic locations but process it centrally.
+
+### Enabling Remote Ingress
+
+```typescript
+const router = new DcRouter({
+  remoteIngressConfig: {
+    enabled: true,
+    tunnelPort: 8443,
+    hubDomain: 'hub.example.com',  // Embedded in connection tokens
+  },
+  // Routes tagged with remoteIngress are auto-derived to edge listen ports
+  smartProxyConfig: {
+    routes: [
+      {
+        name: 'web-via-edge',
+        match: { domains: ['app.example.com'], ports: [443] },
+        action: {
+          type: 'forward',
+          targets: [{ host: '192.168.1.10', port: 8080 }],
+          tls: { mode: 'terminate', certificate: 'auto' }
+        },
+        remoteIngress: { enabled: true }  // Edges will listen on port 443
+      }
+    ]
+  }
+});
+
+await router.start();
+```
+
+### Edge Registration
+
+Edges are registered via the OpsServer API (or dashboard UI). Each edge gets a unique ID and secret:
+
+```typescript
+// Via TypedRequest API
+const createReq = new TypedRequest<IReq_CreateRemoteIngress>(
+  'https://hub:3000/typedrequest', 'createRemoteIngress'
+);
+const { edge } = await createReq.fire({
+  identity,
+  name: 'edge-nyc-01',
+  autoDerivePorts: true,
+  tags: ['us-east'],
+});
+// edge.secret is returned only on creation — save it!
+```
+
+### Connection Tokens 🔑
+
+Instead of configuring edges with four separate values (hubHost, hubPort, edgeId, secret), DcRouter can generate a single **connection token** — an opaque base64url string that encodes everything:
+
+```typescript
+// Via TypedRequest API
+const tokenReq = new TypedRequest<IReq_GetRemoteIngressConnectionToken>(
+  'https://hub:3000/typedrequest', 'getRemoteIngressConnectionToken'
+);
+const { token } = await tokenReq.fire({ identity, edgeId: 'edge-uuid' });
+// token = "eyJoIjoiaHViLmV4YW1wbGUuY29tIiwicCI6ODQ0MywiZSI6I..."
+
+// On the edge side, just pass the token:
+const edge = new RemoteIngressEdge({ token });
+await edge.start();
+```
+
+The token is generated using `remoteingress.encodeConnectionToken()` and contains `{ hubHost, hubPort, edgeId, secret }`. The `hubHost` comes from `remoteIngressConfig.hubDomain` (or can be overridden per-request).
+
+In the OpsServer dashboard, click **"Copy Token"** on any edge row to copy the connection token to your clipboard.
+
+### Auto-Derived Ports
+
+When routes have `remoteIngress: { enabled: true }`, edges with `autoDerivePorts: true` (default) automatically pick up those routes' ports. You can also use `edgeFilter` to restrict which edges get which ports:
+
+```typescript
+{
+  name: 'web-route',
+  match: { ports: [443] },
+  action: { /* ... */ },
+  remoteIngress: {
+    enabled: true,
+    edgeFilter: ['us-east', 'edge-uuid-123']  // Only edges with matching id or tags
+  }
+}
+```
+
+### Dashboard Actions
+
+The OpsServer Remote Ingress view provides:
+
+| Action | Description |
+|--------|-------------|
+| **Create Edge Node** | Register a new edge with name, ports, tags |
+| **Enable / Disable** | Toggle an edge on or off |
+| **Edit** | Modify name, manual ports, auto-derive setting, tags |
+| **Regenerate Secret** | Issue a new secret (invalidates the old one) |
+| **Copy Token** | Generate and copy a base64url connection token to clipboard |
+| **Delete** | Remove the edge registration |
+
 ## Certificate Management

 DcRouter uses [`@push.rocks/smartacme`](https://code.foss.global/push.rocks/smartacme) v9 for ACME certificate provisioning. smartacme v9 brings significant improvements over previous versions:
@@ -767,6 +908,7 @@ The OpsServer includes a **Certificates** view showing:
 - Expiry dates and issuer information
 - Backoff status for failed domains
 - One-click reprovisioning per domain
+- Certificate import and export

 ## Storage & Caching

@@ -788,7 +930,7 @@ storage: {
 // Simply omit the storage config
 ```

-Used for: TLS certificates, DKIM keys, email routes, bounce/suppression lists, IP reputation data, domain configs, cert backoff state.
+Used for: TLS certificates, DKIM keys, email routes, bounce/suppression lists, IP reputation data, domain configs, cert backoff state, remote ingress edge registrations.

 ### Cache Database

@@ -874,7 +1016,8 @@ The OpsServer provides a web-based management interface served on port 3000. It'
 | 📊 **Overview** | Real-time server stats, CPU/memory, connection counts, email throughput |
 | 🌐 **Network** | Active connections, top IPs, throughput rates, SmartProxy metrics |
 | 📧 **Email** | Queue monitoring (queued/sent/failed), bounce records, security incidents |
-| 🔐 **Certificates** | Domain-centric certificate overview, status, backoff info, reprovisioning |
+| 🔐 **Certificates** | Domain-centric certificate overview, status, backoff info, reprovisioning, import/export |
+| 🌍 **RemoteIngress** | Edge node management, connection status, token generation, enable/disable |
 | 📜 **Logs** | Real-time log viewer with level filtering and search |
 | ⚙️ **Configuration** | Read-only view of current system configuration |
 | 🛡️ **Security** | IP reputation, rate limit status, blocked connections |
@@ -906,6 +1049,18 @@ All management is done via TypedRequest over HTTP POST to `/typedrequest`:
 'getCertificateOverview'               // Domain-centric certificate status
 'reprovisionCertificate'               // Reprovision by route name (legacy)
 'reprovisionCertificateDomain'         // Reprovision by domain (preferred)
+'importCertificate'                    // Import a certificate
+'exportCertificate'                    // Export a certificate
+'deleteCertificate'                    // Delete a certificate
+
+// Remote Ingress
+'getRemoteIngresses'                   // List all edge registrations
+'createRemoteIngress'                  // Register a new edge
+'updateRemoteIngress'                  // Update edge settings
+'deleteRemoteIngress'                  // Remove an edge
+'regenerateRemoteIngressSecret'        // Issue a new secret
+'getRemoteIngressStatus'               // Runtime status of all edges
+'getRemoteIngressConnectionToken'      // Generate a connection token for an edge

 // Configuration (read-only)
 'getConfiguration'                     // Current system config
@@ -957,6 +1112,8 @@ const router = new DcRouter(options: IDcRouterOptions);
 | `emailServer` | `UnifiedEmailServer` | Email server instance (from smartmta) |
 | `dnsServer` | `DnsServer` | DNS server instance |
 | `radiusServer` | `RadiusServer` | RADIUS server instance |
+| `remoteIngressManager` | `RemoteIngressManager` | Edge registration CRUD manager |
+| `tunnelManager` | `TunnelManager` | Tunnel lifecycle and status manager |
 | `storageManager` | `StorageManager` | Storage backend |
 | `opsServer` | `OpsServer` | OpsServer/dashboard instance |
 | `metricsManager` | `MetricsManager` | Metrics collector |
@@ -1000,7 +1157,7 @@ import { data, requests } from '@serve.zone/dcrouter/interfaces';
 DcRouter includes a comprehensive test suite covering all system components:

 ```bash
-# Run all tests (10 files, 73 tests)
+# Run all tests
 pnpm test

 # Run a specific test file
--- a/test/test.opsserver-api.ts
+++ b/test/test.opsserver-api.ts
@@ -4,27 +4,44 @@ import { TypedRequest } from '@api.global/typedrequest';
 import * as interfaces from '../ts_interfaces/index.js';

 let testDcRouter: DcRouter;
+let adminIdentity: interfaces.data.IIdentity;

 tap.test('should start DCRouter with OpsServer', async () => {
  testDcRouter = new DcRouter({
    // Minimal config for testing
    cacheConfig: { enabled: false },
  });
-  
+
  await testDcRouter.start();
  expect(testDcRouter.opsServer).toBeInstanceOf(Object);
 });

+tap.test('should login as admin', async () => {
+  const loginRequest = new TypedRequest<interfaces.requests.IReq_AdminLoginWithUsernameAndPassword>(
+    'http://localhost:3000/typedrequest',
+    'adminLoginWithUsernameAndPassword'
+  );
+
+  const response = await loginRequest.fire({
+    username: 'admin',
+    password: 'admin',
+  });
+
+  expect(response).toHaveProperty('identity');
+  adminIdentity = response.identity;
+});
+
 tap.test('should respond to health status request', async () => {
  const healthRequest = new TypedRequest<interfaces.requests.IReq_GetHealthStatus>(
    'http://localhost:3000/typedrequest',
    'getHealthStatus'
  );
-  
+
  const response = await healthRequest.fire({
-    detailed: false
+    identity: adminIdentity,
+    detailed: false,
  });
-  
+
  expect(response).toHaveProperty('health');
  expect(response.health.healthy).toBeTrue();
  expect(response.health.services).toHaveProperty('OpsServer');
@@ -35,11 +52,12 @@ tap.test('should respond to server statistics request', async () => {
    'http://localhost:3000/typedrequest',
    'getServerStatistics'
  );
-  
+
  const response = await statsRequest.fire({
-    includeHistory: false
+    identity: adminIdentity,
+    includeHistory: false,
  });
-  
+
  expect(response).toHaveProperty('stats');
  expect(response.stats).toHaveProperty('uptime');
  expect(response.stats).toHaveProperty('cpuUsage');
@@ -51,14 +69,20 @@ tap.test('should respond to configuration request', async () => {
    'http://localhost:3000/typedrequest',
    'getConfiguration'
  );
-  
-  const response = await configRequest.fire({});
-  
+
+  const response = await configRequest.fire({
+    identity: adminIdentity,
+  });
+
  expect(response).toHaveProperty('config');
+  expect(response.config).toHaveProperty('system');
+  expect(response.config).toHaveProperty('smartProxy');
  expect(response.config).toHaveProperty('email');
  expect(response.config).toHaveProperty('dns');
-  expect(response.config).toHaveProperty('proxy');
-  expect(response.config).toHaveProperty('security');
+  expect(response.config).toHaveProperty('tls');
+  expect(response.config).toHaveProperty('cache');
+  expect(response.config).toHaveProperty('radius');
+  expect(response.config).toHaveProperty('remoteIngress');
 });

 tap.test('should handle log retrieval request', async () => {
@@ -66,19 +90,34 @@ tap.test('should handle log retrieval request', async () => {
    'http://localhost:3000/typedrequest',
    'getRecentLogs'
  );
-  
+
  const response = await logsRequest.fire({
-    limit: 10
+    identity: adminIdentity,
+    limit: 10,
  });
-  
+
  expect(response).toHaveProperty('logs');
  expect(response).toHaveProperty('total');
  expect(response).toHaveProperty('hasMore');
  expect(response.logs).toBeArray();
 });

+tap.test('should reject unauthenticated requests', async () => {
+  const healthRequest = new TypedRequest<interfaces.requests.IReq_GetHealthStatus>(
+    'http://localhost:3000/typedrequest',
+    'getHealthStatus'
+  );
+
+  try {
+    await healthRequest.fire({} as any);
+    expect(true).toBeFalse(); // Should not reach here
+  } catch (error) {
+    expect(error).toBeTruthy();
+  }
+});
+
 tap.test('should stop DCRouter', async () => {
  await testDcRouter.stop();
 });

-export default tap.start();
+export default tap.start();
--- a/test/test.protected-endpoint.ts
+++ b/test/test.protected-endpoint.ts
@@ -82,35 +82,42 @@ tap.test('should reject verify identity with invalid JWT', async () => {
  }
 });

-tap.test('should allow access to public endpoints without auth', async () => {
+tap.test('should reject protected endpoints without auth', async () => {
  const healthRequest = new TypedRequest<interfaces.requests.IReq_GetHealthStatus>(
    'http://localhost:3000/typedrequest',
    'getHealthStatus'
  );

-  // No identity provided
-  const response = await healthRequest.fire({});
-
-  expect(response).toHaveProperty('health');
-  expect(response.health.healthy).toBeTrue();
-  console.log('Public endpoint accessible without auth');
+  try {
+    // No identity provided — should be rejected
+    await healthRequest.fire({} as any);
+    expect(true).toBeFalse(); // Should not reach here
+  } catch (error) {
+    expect(error).toBeTruthy();
+    console.log('Protected endpoint correctly rejects unauthenticated request');
+  }
 });

-tap.test('should allow read-only config access', async () => {
+tap.test('should allow authenticated access to protected endpoints', async () => {
  const configRequest = new TypedRequest<interfaces.requests.IReq_GetConfiguration>(
    'http://localhost:3000/typedrequest',
    'getConfiguration'
  );

-  // Config is read-only and doesn't require auth
-  const response = await configRequest.fire({});
+  const response = await configRequest.fire({
+    identity: adminIdentity,
+  });

  expect(response).toHaveProperty('config');
+  expect(response.config).toHaveProperty('system');
+  expect(response.config).toHaveProperty('smartProxy');
  expect(response.config).toHaveProperty('email');
  expect(response.config).toHaveProperty('dns');
-  expect(response.config).toHaveProperty('proxy');
-  expect(response.config).toHaveProperty('security');
-  console.log('Configuration read successfully');
+  expect(response.config).toHaveProperty('tls');
+  expect(response.config).toHaveProperty('cache');
+  expect(response.config).toHaveProperty('radius');
+  expect(response.config).toHaveProperty('remoteIngress');
+  console.log('Authenticated access to config successful');
 });

 tap.test('should stop DCRouter', async () => {
--- a/test_watch/devserver.ts
+++ b/test_watch/devserver.ts
@@ -1,21 +1,32 @@
 import { DcRouter } from '../ts/index.js';

 const devRouter = new DcRouter({
-  // Configure services as needed for development
-  // OpsServer always starts on port 3000
-
-  // Example: Add SmartProxy routes
-  // smartProxyConfig: {
-  //   routes: [...]
-  // },
-
-  // Example: Add email configuration
-  // emailConfig: {
-  //   ports: [2525],
-  //   hostname: 'localhost',
-  //   domains: [],
-  //   routes: []
-  // },
+  // SmartProxy routes for development/demo
+  smartProxyConfig: {
+    routes: [
+      {
+        name: 'web-traffic',
+        match: { ports: [18080], domains: ['example.com', '*.example.com'] },
+        action: { type: 'forward', targets: [{ host: 'localhost', port: 3001 }] },
+      },
+      {
+        name: 'api-gateway',
+        match: { ports: [18080], domains: ['api.example.com'], path: '/v1/*' },
+        action: { type: 'forward', targets: [{ host: 'localhost', port: 4000 }] },
+      },
+      {
+        name: 'tls-passthrough',
+        match: { ports: [18443], domains: ['secure.example.com'] },
+        action: {
+          type: 'forward',
+          targets: [{ host: 'localhost', port: 4443 }],
+          tls: { mode: 'passthrough' },
+        },
+      },
+    ],
+  },
+  // Disable cache/mongo for dev
+  cacheConfig: { enabled: false },
 });

 console.log('Starting DcRouter in development mode...');
--- a/ts/00_commitinfo_data.ts
+++ b/ts/00_commitinfo_data.ts
@@ -3,6 +3,6 @@
 */
 export const commitinfo = {
  name: '@serve.zone/dcrouter',
-  version: '6.10.0',
+  version: '11.0.26',
  description: 'A multifaceted routing service handling mail and SMS delivery functions.'
 }
--- a/ts/classes.cert-provision-scheduler.ts
+++ b/ts/classes.cert-provision-scheduler.ts
@@ -106,6 +106,13 @@ export class CertProvisionScheduler {
    }
  }

+  /**
+   * Clear all in-memory backoff cache entries
+   */
+  public clear(): void {
+    this.backoffCache.clear();
+  }
+
  /**
   * Get backoff info for UI display
   */
--- a/ts/classes.dcrouter.ts
+++ b/ts/classes.dcrouter.ts
@@ -22,6 +22,8 @@ import { OpsServer } from './opsserver/index.js';
 import { MetricsManager } from './monitoring/index.js';
 import { RadiusServer, type IRadiusServerConfig } from './radius/index.js';
 import { RemoteIngressManager, TunnelManager } from './remoteingress/index.js';
+import { RouteConfigManager, ApiTokenManager } from './config/index.js';
+import { SecurityLogger, ContentScanner, IPReputationChecker } from './security/index.js';

 export interface IDcRouterOptions {
  /** Base directory for all dcrouter data. Defaults to ~/.serve.zone/dcrouter */
@@ -166,6 +168,8 @@ export interface IDcRouterOptions {
    enabled?: boolean;
    /** Port for tunnel connections from edge nodes (default: 8443) */
    tunnelPort?: number;
+    /** External hostname of this hub, embedded in connection tokens */
+    hubDomain?: string;
    /** TLS configuration for the tunnel server */
    tls?: {
      certPath?: string;
@@ -210,6 +214,19 @@ export class DcRouter {
  public remoteIngressManager?: RemoteIngressManager;
  public tunnelManager?: TunnelManager;

+  // Programmatic config API
+  public routeConfigManager?: RouteConfigManager;
+  public apiTokenManager?: ApiTokenManager;
+
+  // Auto-discovered public IP (populated by generateAuthoritativeRecords)
+  public detectedPublicIp: string | null = null;
+
+  // DNS query logging rate limiter state
+  private dnsLogWindowSecond: number = 0; // epoch second of current window
+  private dnsLogWindowCount: number = 0;  // queries logged this second
+  private dnsBatchCount: number = 0;
+  private dnsBatchTimer: ReturnType<typeof setTimeout> | null = null;
+
  // Certificate status tracking from SmartProxy events (keyed by domain)
  public certificateStatusMap = new Map<string, {
    status: 'valid' | 'failed';
@@ -226,6 +243,9 @@ export class DcRouter {
  // TypedRouter for API endpoints
  public typedrouter = new plugins.typedrequest.TypedRouter();

+  // Cached constructor routes (computed once during setupSmartProxy, used by RouteConfigManager)
+  private constructorRoutes: plugins.smartproxy.IRouteConfig[] = [];
+
  // Environment access
  private qenv = new plugins.qenv.Qenv('./', '.nogit/');
  
@@ -250,9 +270,7 @@ export class DcRouter {
  }

  public async start() {
-    console.log('╔═══════════════════════════════════════════════════════════════════╗');
-    console.log('║                     Starting DcRouter Services                    ║');
-    console.log('╚═══════════════════════════════════════════════════════════════════╝');
+    logger.log('info', 'Starting DcRouter Services');
    

    this.opsServer = new OpsServer(this);
@@ -270,7 +288,17 @@ export class DcRouter {
      
      // Set up SmartProxy for HTTP/HTTPS and all traffic including email routes
      await this.setupSmartProxy();
-      
+
+      // Initialize programmatic config API managers
+      this.routeConfigManager = new RouteConfigManager(
+        this.storageManager,
+        () => this.getConstructorRoutes(),
+        () => this.smartProxy,
+      );
+      this.apiTokenManager = new ApiTokenManager(this.storageManager);
+      await this.apiTokenManager.initialize();
+      await this.routeConfigManager.initialize();
+
      // Set up unified email handling if configured
      if (this.options.emailConfig) {
        await this.setupUnifiedEmailHandling();
@@ -294,7 +322,7 @@ export class DcRouter {

      this.logStartupSummary();
    } catch (error) {
-      console.error('❌ Error starting DcRouter:', error);
+      logger.log('error', 'Error starting DcRouter', { error: String(error) });
      // Try to clean up any services that may have started
      await this.stop();
      throw error;
@@ -305,104 +333,60 @@ export class DcRouter {
   * Log comprehensive startup summary
   */
  private logStartupSummary(): void {
-    console.log('\n╔═══════════════════════════════════════════════════════════════════╗');
-    console.log('║                    DcRouter Started Successfully                   ║');
-    console.log('╚═══════════════════════════════════════════════════════════════════╝\n');
-    
+    logger.log('info', 'DcRouter Started Successfully');
+
    // Metrics summary
    if (this.metricsManager) {
-      console.log('📊 Metrics Service:');
-      console.log('   ├─ SmartMetrics: Active');
-      console.log('   ├─ SmartProxy Stats: Active');
-      console.log('   └─ Real-time tracking: Enabled');
+      logger.log('info', 'Metrics Service: SmartMetrics active, SmartProxy stats active, real-time tracking enabled');
    }
-    
+
    // SmartProxy summary
    if (this.smartProxy) {
-      console.log('🌐 SmartProxy Service:');
      const routeCount = this.options.smartProxyConfig?.routes?.length || 0;
-      console.log(`   ├─ Routes configured: ${routeCount}`);
-      console.log(`   ├─ ACME enabled: ${this.options.smartProxyConfig?.acme?.enabled || false}`);
-      if (this.options.smartProxyConfig?.acme?.enabled) {
-        console.log(`   ├─ ACME email: ${this.options.smartProxyConfig.acme.email || 'not set'}`);
-        console.log(`   └─ ACME mode: ${this.options.smartProxyConfig.acme.useProduction ? 'production' : 'staging'}`);
-      } else {
-        console.log('   └─ ACME: disabled');
-      }
+      const acmeEnabled = this.options.smartProxyConfig?.acme?.enabled || false;
+      const acmeMode = acmeEnabled
+        ? `email=${this.options.smartProxyConfig!.acme!.email || 'not set'}, mode=${this.options.smartProxyConfig!.acme!.useProduction ? 'production' : 'staging'}`
+        : 'disabled';
+      logger.log('info', `SmartProxy Service: ${routeCount} routes, ACME: ${acmeMode}`);
    }
-    
+
    // Email service summary
    if (this.emailServer && this.options.emailConfig) {
-      console.log('\n📧 Email Service:');
      const ports = this.options.emailConfig.ports || [];
-      console.log(`   ├─ Ports: ${ports.join(', ')}`);
-      console.log(`   ├─ Hostname: ${this.options.emailConfig.hostname || 'localhost'}`);
-      console.log(`   ├─ Domains configured: ${this.options.emailConfig.domains?.length || 0}`);
-      if (this.options.emailConfig.domains && this.options.emailConfig.domains.length > 0) {
-        this.options.emailConfig.domains.forEach((domain, index) => {
-          const isLast = index === this.options.emailConfig!.domains!.length - 1;
-          console.log(`   ${isLast ? '└─' : '├─'} ${domain.domain} (${domain.dnsMode || 'default'})`);
-        });
-      }
-      console.log(`   └─ DKIM: Initialized for all domains`);
+      const domainCount = this.options.emailConfig.domains?.length || 0;
+      const domainNames = this.options.emailConfig.domains?.map(d => `${d.domain} (${d.dnsMode || 'default'})`).join(', ') || 'none';
+      logger.log('info', `Email Service: ports=[${ports.join(', ')}], hostname=${this.options.emailConfig.hostname || 'localhost'}, domains=${domainCount} [${domainNames}], DKIM initialized`);
    }
-    
+
    // DNS service summary
    if (this.dnsServer && this.options.dnsNsDomains && this.options.dnsScopes) {
-      console.log('\n🌍 DNS Service:');
-      console.log(`   ├─ Nameservers: ${this.options.dnsNsDomains.join(', ')}`);
-      console.log(`   ├─ Primary NS: ${this.options.dnsNsDomains[0]}`);
-      console.log(`   ├─ Authoritative for: ${this.options.dnsScopes.length} domains`);
-      console.log(`   ├─ UDP Port: 53`);
-      console.log(`   ├─ DNS-over-HTTPS: Enabled via socket handler`);
-      console.log(`   └─ DNSSEC: ${this.options.dnsNsDomains[0] ? 'Enabled' : 'Disabled'}`);
-      
-      // Show authoritative domains
-      if (this.options.dnsScopes.length > 0) {
-        console.log('\n   Authoritative Domains:');
-        this.options.dnsScopes.forEach((domain, index) => {
-          const isLast = index === this.options.dnsScopes!.length - 1;
-          console.log(`   ${isLast ? '└─' : '├─'} ${domain}`);
-        });
-      }
+      logger.log('info', `DNS Service: nameservers=[${this.options.dnsNsDomains.join(', ')}], authoritative for ${this.options.dnsScopes.length} domains [${this.options.dnsScopes.join(', ')}], UDP:53, DoH enabled`);
    }
-    
+
    // RADIUS service summary
    if (this.radiusServer && this.options.radiusConfig) {
-      console.log('\n🔐 RADIUS Service:');
-      console.log(`   ├─ Auth Port: ${this.options.radiusConfig.authPort || 1812}`);
-      console.log(`   ├─ Acct Port: ${this.options.radiusConfig.acctPort || 1813}`);
-      console.log(`   ├─ Clients configured: ${this.options.radiusConfig.clients?.length || 0}`);
      const vlanStats = this.radiusServer.getVlanManager().getStats();
-      console.log(`   ├─ VLAN mappings: ${vlanStats.totalMappings}`);
-      console.log(`   └─ Accounting: ${this.options.radiusConfig.accounting?.enabled ? 'Enabled' : 'Disabled'}`);
+      logger.log('info', `RADIUS Service: auth=${this.options.radiusConfig.authPort || 1812}, acct=${this.options.radiusConfig.acctPort || 1813}, clients=${this.options.radiusConfig.clients?.length || 0}, VLANs=${vlanStats.totalMappings}, accounting=${this.options.radiusConfig.accounting?.enabled ? 'enabled' : 'disabled'}`);
    }

    // Remote Ingress summary
    if (this.tunnelManager && this.options.remoteIngressConfig?.enabled) {
-      console.log('\n🌐 Remote Ingress:');
-      console.log(`   ├─ Tunnel Port: ${this.options.remoteIngressConfig.tunnelPort || 8443}`);
      const edgeCount = this.remoteIngressManager?.getAllEdges().length || 0;
      const connectedCount = this.tunnelManager.getConnectedCount();
-      console.log(`   ├─ Registered Edges: ${edgeCount}`);
-      console.log(`   └─ Connected Edges: ${connectedCount}`);
+      logger.log('info', `Remote Ingress: tunnel port=${this.options.remoteIngressConfig.tunnelPort || 8443}, edges=${edgeCount} registered/${connectedCount} connected`);
    }

    // Storage summary
    if (this.storageManager && this.options.storage) {
-      console.log('\n💾 Storage:');
-      console.log(`   └─ Path: ${this.options.storage.fsPath || 'default'}`);
+      logger.log('info', `Storage: path=${this.options.storage.fsPath || 'default'}`);
    }

    // Cache database summary
    if (this.cacheDb) {
-      console.log('\n🗄️  Cache Database (smartdata + LocalTsmDb):');
-      console.log(`   ├─ Storage: ${this.cacheDb.getStoragePath()}`);
-      console.log(`   ├─ Database: ${this.cacheDb.getDbName()}`);
-      console.log(`   └─ Cleaner: ${this.cacheCleaner?.isActive() ? 'Active' : 'Inactive'} (${(this.options.cacheConfig?.cleanupIntervalHours || 1)}h interval)`);
+      logger.log('info', `Cache Database: storage=${this.cacheDb.getStoragePath()}, db=${this.cacheDb.getDbName()}, cleaner=${this.cacheCleaner?.isActive() ? 'active' : 'inactive'} (${(this.options.cacheConfig?.cleanupIntervalHours || 1)}h interval)`);
    }

-    console.log('\n✅ All services are running\n');
+    logger.log('info', 'All services are running');
  }
  
  /**
@@ -437,7 +421,7 @@ export class DcRouter {
   * Set up SmartProxy with direct configuration and automatic email routes
   */
  private async setupSmartProxy(): Promise<void> {
-    console.log('[DcRouter] Setting up SmartProxy...');
+    logger.log('info', 'Setting up SmartProxy...');
    let routes: plugins.smartproxy.IRouteConfig[] = [];
    let acmeConfig: plugins.smartproxy.IAcmeOptions | undefined;
    
@@ -445,22 +429,20 @@ export class DcRouter {
    if (this.options.smartProxyConfig) {
      routes = this.options.smartProxyConfig.routes || [];
      acmeConfig = this.options.smartProxyConfig.acme;
-      console.log(`[DcRouter] Found ${routes.length} routes in config`);
-      console.log(`[DcRouter] ACME config present: ${!!acmeConfig}`);
+      logger.log('info', `Found ${routes.length} routes in config, ACME config present: ${!!acmeConfig}`);
    }
    
    // If email config exists, automatically add email routes
    if (this.options.emailConfig) {
      const emailRoutes = this.generateEmailRoutes(this.options.emailConfig);
-      console.log(`Email Routes are:`)
-      console.log(emailRoutes)
+      logger.log('debug', 'Email routes generated', { routes: JSON.stringify(emailRoutes) });
      routes = [...routes, ...emailRoutes]; // Enable email routing through SmartProxy
    }
    
    // If DNS is configured, add DNS routes
    if (this.options.dnsNsDomains && this.options.dnsNsDomains.length > 0) {
      const dnsRoutes = this.generateDnsRoutes();
-      console.log(`DNS Routes for nameservers ${this.options.dnsNsDomains.join(', ')}:`, dnsRoutes);
+      logger.log('debug', `DNS routes for nameservers ${this.options.dnsNsDomains.join(', ')}`, { routes: JSON.stringify(dnsRoutes) });
      routes = [...routes, ...dnsRoutes];
    }
    
@@ -478,15 +460,18 @@ export class DcRouter {
    // Configure DNS challenge if available
    let challengeHandlers: any[] = [];
    if (this.options.dnsChallenge?.cloudflareApiKey) {
-      console.log('Configuring Cloudflare DNS challenge for ACME');
+      logger.log('info', 'Configuring Cloudflare DNS challenge for ACME');
      const cloudflareAccount = new plugins.cloudflare.CloudflareAccount(this.options.dnsChallenge.cloudflareApiKey);
      const dns01Handler = new plugins.smartacme.handlers.Dns01Handler(cloudflareAccount);
      challengeHandlers.push(dns01Handler);
    }
    
+    // Cache constructor routes for RouteConfigManager
+    this.constructorRoutes = [...routes];
+
    // If we have routes or need a basic SmartProxy instance, create it
    if (routes.length > 0 || this.options.smartProxyConfig) {
-      console.log('Setting up SmartProxy with combined configuration');
+      logger.log('info', 'Setting up SmartProxy with combined configuration');

      // Track cert entries loaded from cert store so we can populate certificateStatusMap after start
      const loadedCertEntries: Array<{domain: string; publicKey: string; validUntil?: number; validFrom?: number}> = [];
@@ -532,6 +517,12 @@ export class DcRouter {

      // If we have DNS challenge handlers, create SmartAcme and wire to certProvisionFunction
      if (challengeHandlers.length > 0) {
+        // Stop old SmartAcme if it exists (e.g., during updateSmartProxyConfig)
+        if (this.smartAcme) {
+          await this.smartAcme.stop().catch(err =>
+            logger.log('error', 'Error stopping old SmartAcme', { error: String(err) })
+          );
+        }
        this.smartAcme = new plugins.smartacme.SmartAcme({
          accountEmail: acmeConfig?.accountEmail || this.options.tls?.contactEmail || 'admin@example.com',
          certManager: new StorageBackedCertManager(this.storageManager),
@@ -584,26 +575,27 @@ export class DcRouter {
        };
      }
      
+      // When remoteIngress is enabled, the hub binary forwards tunneled connections
+      // to SmartProxy with PROXY protocol v1 headers to preserve client IPs.
+      if (this.options.remoteIngressConfig?.enabled) {
+        smartProxyConfig.acceptProxyProtocol = true;
+        smartProxyConfig.proxyIPs = ['127.0.0.1'];
+      }
+
      // Create SmartProxy instance
-      console.log('[DcRouter] Creating SmartProxy instance with config:', JSON.stringify({
-        routeCount: smartProxyConfig.routes?.length,
-        acmeEnabled: smartProxyConfig.acme?.enabled,
-        acmeEmail: smartProxyConfig.acme?.email,
-        certProvisionFunction: !!smartProxyConfig.certProvisionFunction
-      }, null, 2));
+      logger.log('info', `Creating SmartProxy instance: routes=${smartProxyConfig.routes?.length}, acme=${smartProxyConfig.acme?.enabled}, certProvisionFunction=${!!smartProxyConfig.certProvisionFunction}`);
      
      this.smartProxy = new plugins.smartproxy.SmartProxy(smartProxyConfig);
      
      // Set up event listeners
      this.smartProxy.on('error', (err) => {
-        console.error('[DcRouter] SmartProxy error:', err);
-        console.error('[DcRouter] Error stack:', err.stack);
+        logger.log('error', `SmartProxy error: ${err.message}`, { stack: err.stack });
      });
      
      // Always listen for certificate events — emitted by both ACME and certProvisionFunction paths
      // Events are keyed by domain for domain-centric certificate tracking
      this.smartProxy.on('certificate-issued', (event: plugins.smartproxy.ICertificateIssuedEvent) => {
-        console.log(`[DcRouter] Certificate issued for ${event.domain} via ${event.source}, expires ${event.expiryDate}`);
+        logger.log('info', `Certificate issued for ${event.domain} via ${event.source}, expires ${event.expiryDate}`);
        const routeNames = this.findRouteNamesForDomain(event.domain);
        this.certificateStatusMap.set(event.domain, {
          status: 'valid', routeNames,
@@ -613,7 +605,7 @@ export class DcRouter {
      });

      this.smartProxy.on('certificate-renewed', (event: plugins.smartproxy.ICertificateIssuedEvent) => {
-        console.log(`[DcRouter] Certificate renewed for ${event.domain} via ${event.source}, expires ${event.expiryDate}`);
+        logger.log('info', `Certificate renewed for ${event.domain} via ${event.source}, expires ${event.expiryDate}`);
        const routeNames = this.findRouteNamesForDomain(event.domain);
        this.certificateStatusMap.set(event.domain, {
          status: 'valid', routeNames,
@@ -623,7 +615,7 @@ export class DcRouter {
      });

      this.smartProxy.on('certificate-failed', (event: plugins.smartproxy.ICertificateFailedEvent) => {
-        console.error(`[DcRouter] Certificate failed for ${event.domain} (${event.source}):`, event.error);
+        logger.log('error', `Certificate failed for ${event.domain} (${event.source}): ${event.error}`);
        const routeNames = this.findRouteNamesForDomain(event.domain);
        this.certificateStatusMap.set(event.domain, {
          status: 'failed', routeNames, error: event.error,
@@ -632,9 +624,9 @@ export class DcRouter {
      });
      
      // Start SmartProxy
-      console.log('[DcRouter] Starting SmartProxy...');
+      logger.log('info', 'Starting SmartProxy...');
      await this.smartProxy.start();
-      console.log('[DcRouter] SmartProxy started successfully');
+      logger.log('info', 'SmartProxy started successfully');

      // Populate certificateStatusMap for certs loaded from store at startup
      for (const entry of loadedCertEntries) {
@@ -686,10 +678,10 @@ export class DcRouter {
        }
      }
      if (loadedCertEntries.length > 0) {
-        console.log(`[DcRouter] Populated certificate status for ${loadedCertEntries.length} store-loaded domain(s)`);
+        logger.log('info', `Populated certificate status for ${loadedCertEntries.length} store-loaded domain(s)`);
      }

-      console.log(`SmartProxy started with ${routes.length} routes`);
+      logger.log('info', `SmartProxy started with ${routes.length} routes`);
    }
  }
  
@@ -891,53 +883,114 @@ export class DcRouter {
    return names;
  }

+  /**
+   * Get the routes derived from constructor config (smartProxy + email + DNS).
+   * Used by RouteConfigManager as the "hardcoded" base.
+   */
+  public getConstructorRoutes(): plugins.smartproxy.IRouteConfig[] {
+    return this.constructorRoutes;
+  }
+
  public async stop() {
-    console.log('Stopping DcRouter services...');
+    logger.log('info', 'Stopping DcRouter services...');
+
+    // Flush pending DNS batch log
+    if (this.dnsBatchTimer) {
+      clearTimeout(this.dnsBatchTimer);
+      if (this.dnsBatchCount > 0) {
+        logger.log('info', `DNS: ${this.dnsBatchCount} queries processed (rate limited, final flush)`, { zone: 'dns' });
+      }
+      this.dnsBatchTimer = null;
+      this.dnsBatchCount = 0;
+      this.dnsLogWindowSecond = 0;
+      this.dnsLogWindowCount = 0;
+    }

    await this.opsServer.stop();

    try {
+      // Remove event listeners before stopping services to prevent leaks
+      if (this.smartProxy) {
+        this.smartProxy.removeAllListeners();
+      }
+      if (this.emailServer) {
+        if ((this.emailServer as any).deliverySystem) {
+          (this.emailServer as any).deliverySystem.removeAllListeners();
+        }
+        this.emailServer.removeAllListeners();
+      }
+      if (this.dnsServer) {
+        this.dnsServer.removeAllListeners();
+      }
+
      // Stop all services in parallel for faster shutdown
      await Promise.all([
        // Stop cache cleaner if running
        this.cacheCleaner ? Promise.resolve(this.cacheCleaner.stop()) : Promise.resolve(),

        // Stop metrics manager if running
-        this.metricsManager ? this.metricsManager.stop().catch(err => console.error('Error stopping MetricsManager:', err)) : Promise.resolve(),
+        this.metricsManager ? this.metricsManager.stop().catch(err => logger.log('error', 'Error stopping MetricsManager', { error: String(err) })) : Promise.resolve(),

        // Stop unified email server if running
-        this.emailServer ? this.emailServer.stop().catch(err => console.error('Error stopping email server:', err)) : Promise.resolve(),
+        this.emailServer ? this.emailServer.stop().catch(err => logger.log('error', 'Error stopping email server', { error: String(err) })) : Promise.resolve(),

        // Stop SmartAcme if running
-        this.smartAcme ? this.smartAcme.stop().catch(err => console.error('Error stopping SmartAcme:', err)) : Promise.resolve(),
+        this.smartAcme ? this.smartAcme.stop().catch(err => logger.log('error', 'Error stopping SmartAcme', { error: String(err) })) : Promise.resolve(),

        // Stop HTTP SmartProxy if running
-        this.smartProxy ? this.smartProxy.stop().catch(err => console.error('Error stopping SmartProxy:', err)) : Promise.resolve(),
+        this.smartProxy ? this.smartProxy.stop().catch(err => logger.log('error', 'Error stopping SmartProxy', { error: String(err) })) : Promise.resolve(),

        // Stop DNS server if running
        this.dnsServer ?
-          this.dnsServer.stop().catch(err => console.error('Error stopping DNS server:', err)) :
+          this.dnsServer.stop().catch(err => logger.log('error', 'Error stopping DNS server', { error: String(err) })) :
          Promise.resolve(),

        // Stop RADIUS server if running
        this.radiusServer ?
-          this.radiusServer.stop().catch(err => console.error('Error stopping RADIUS server:', err)) :
+          this.radiusServer.stop().catch(err => logger.log('error', 'Error stopping RADIUS server', { error: String(err) })) :
          Promise.resolve(),

        // Stop Remote Ingress tunnel manager if running
        this.tunnelManager ?
-          this.tunnelManager.stop().catch(err => console.error('Error stopping TunnelManager:', err)) :
+          this.tunnelManager.stop().catch(err => logger.log('error', 'Error stopping TunnelManager', { error: String(err) })) :
          Promise.resolve()
      ]);

      // Stop cache database after other services (they may need it during shutdown)
      if (this.cacheDb) {
-        await this.cacheDb.stop().catch(err => console.error('Error stopping CacheDb:', err));
+        await this.cacheDb.stop().catch(err => logger.log('error', 'Error stopping CacheDb', { error: String(err) }));
+        CacheDb.resetInstance();
      }

-      console.log('All DcRouter services stopped');
+      // Clear backoff cache in cert scheduler
+      if (this.certProvisionScheduler) {
+        this.certProvisionScheduler.clear();
+      }
+
+      // Allow GC of stopped services by nulling references
+      this.smartProxy = undefined;
+      this.emailServer = undefined;
+      this.dnsServer = undefined;
+      this.metricsManager = undefined;
+      this.cacheCleaner = undefined;
+      this.cacheDb = undefined;
+      this.tunnelManager = undefined;
+      this.radiusServer = undefined;
+      this.smartAcme = undefined;
+      this.certProvisionScheduler = undefined;
+      this.remoteIngressManager = undefined;
+      this.routeConfigManager = undefined;
+      this.apiTokenManager = undefined;
+      this.certificateStatusMap.clear();
+
+      // Reset security singletons to allow GC
+      SecurityLogger.resetInstance();
+      ContentScanner.resetInstance();
+      IPReputationChecker.resetInstance();
+
+      logger.log('info', 'All DcRouter services stopped');
    } catch (error) {
-      console.error('Error during DcRouter shutdown:', error);
+      logger.log('error', 'Error during DcRouter shutdown', { error: String(error) });
      throw error;
    }
  }
@@ -949,10 +1002,11 @@ export class DcRouter {
  public async updateSmartProxyConfig(config: plugins.smartproxy.ISmartProxyOptions): Promise<void> {
    // Stop existing SmartProxy if running
    if (this.smartProxy) {
+      this.smartProxy.removeAllListeners();
      await this.smartProxy.stop();
      this.smartProxy = undefined;
    }
-    
+
    // Update configuration
    this.options.smartProxyConfig = config;

@@ -964,7 +1018,12 @@ export class DcRouter {
    // Start new SmartProxy with updated configuration (will include email routes if configured)
    await this.setupSmartProxy();

-    console.log('SmartProxy configuration updated');
+    // Re-apply programmatic routes and overrides after SmartProxy restart
+    if (this.routeConfigManager) {
+      await this.routeConfigManager.initialize();
+    }
+
+    logger.log('info', 'SmartProxy configuration updated');
  }
  
  
@@ -1021,7 +1080,29 @@ export class DcRouter {
    
    // Start the server
    await this.emailServer.start();
-    
+
+    // Wire delivery events to MetricsManager and logger
+    if (this.metricsManager && this.emailServer.deliverySystem) {
+      this.emailServer.deliverySystem.on('deliveryStart', (item: any) => {
+        this.metricsManager.trackEmailReceived(item?.from);
+        logger.log('info', `Email delivery started: ${item?.from} → ${item?.to}`, { zone: 'email' });
+      });
+      this.emailServer.deliverySystem.on('deliverySuccess', (item: any) => {
+        this.metricsManager.trackEmailSent(item?.to);
+        logger.log('info', `Email delivered to ${item?.to}`, { zone: 'email' });
+      });
+      this.emailServer.deliverySystem.on('deliveryFailed', (item: any, error: any) => {
+        this.metricsManager.trackEmailFailed(item?.to, error?.message);
+        logger.log('warn', `Email delivery failed to ${item?.to}: ${error?.message}`, { zone: 'email' });
+      });
+    }
+    if (this.metricsManager && this.emailServer) {
+      this.emailServer.on('bounceProcessed', () => {
+        this.metricsManager.trackEmailBounced();
+        logger.log('warn', 'Email bounce processed', { zone: 'email' });
+      });
+    }
+
    logger.log('info', `Email server started on ports: ${emailConfig.ports.join(', ')}`);
  }
  
@@ -1039,7 +1120,7 @@ export class DcRouter {
    // Start email handling with new configuration
    await this.setupUnifiedEmailHandling();
    
-    console.log('Unified email configuration updated');
+    logger.log('info', 'Unified email configuration updated');
  }
  
  /**
@@ -1049,6 +1130,11 @@ export class DcRouter {
    try {
      // Stop the unified email server which contains all components
      if (this.emailServer) {
+        // Remove listeners before stopping to prevent leaks on config update cycles
+        if ((this.emailServer as any).deliverySystem) {
+          (this.emailServer as any).deliverySystem.removeAllListeners();
+        }
+        this.emailServer.removeAllListeners();
        await this.emailServer.stop();
        logger.log('info', 'Unified email server stopped');
        this.emailServer = undefined;
@@ -1079,7 +1165,7 @@ export class DcRouter {
      this.emailServer.updateEmailRoutes(routes);
    }
    
-    console.log(`Email routes updated with ${routes.length} routes`);
+    logger.log('info', `Email routes updated with ${routes.length} routes`);
  }
  
  /**
@@ -1204,6 +1290,48 @@ export class DcRouter {
    // Start the DNS server (UDP only)
    await this.dnsServer.start();
    logger.log('info', `DNS server started on UDP ${vmIpAddress}:53`);
+
+    // Wire DNS query events to MetricsManager and logger with adaptive rate limiting
+    if (this.metricsManager && this.dnsServer) {
+      const flushDnsBatch = () => {
+        if (this.dnsBatchCount > 0) {
+          logger.log('info', `DNS: ${this.dnsBatchCount} queries processed (rate limited)`, { zone: 'dns' });
+          this.dnsBatchCount = 0;
+        }
+        this.dnsBatchTimer = null;
+      };
+
+      this.dnsServer.on('query', (event: plugins.smartdns.dnsServerMod.IDnsQueryCompletedEvent) => {
+        // Metrics tracking
+        for (const question of event.questions) {
+          this.metricsManager.trackDnsQuery(
+            question.type,
+            question.name,
+            false,
+            event.responseTimeMs,
+            event.answered,
+          );
+        }
+
+        // Adaptive logging: individual logs up to 2/sec, then batch
+        const nowSec = Math.floor(Date.now() / 1000);
+        if (nowSec !== this.dnsLogWindowSecond) {
+          this.dnsLogWindowSecond = nowSec;
+          this.dnsLogWindowCount = 0;
+        }
+
+        if (this.dnsLogWindowCount < 2) {
+          this.dnsLogWindowCount++;
+          const summary = event.questions.map(q => `${q.type} ${q.name}`).join(', ');
+          logger.log('info', `DNS query: ${summary} (${event.responseTimeMs}ms, ${event.answered ? 'answered' : 'unanswered'})`, { zone: 'dns' });
+        } else {
+          this.dnsBatchCount++;
+          if (!this.dnsBatchTimer) {
+            this.dnsBatchTimer = setTimeout(flushDnsBatch, 5000);
+          }
+        }
+      });
+    }
    
    // Validate DNS configuration
    await this.validateDnsConfiguration();
@@ -1247,15 +1375,25 @@ export class DcRouter {
        return;
      }
      
+      // Prevent uncaught exception from socket 'error' events
+      socket.on('error', (err) => {
+        logger.log('error', `DNS socket error: ${err.message}`);
+        if (!socket.destroyed) {
+          socket.destroy();
+        }
+      });
+
      logger.log('debug', 'DNS socket handler: passing socket to DnsServer');
-      
+
      try {
        // Use the built-in socket handler from smartdns
        // This handles HTTP/2, DoH protocol, etc.
        await (this.dnsServer as any).handleHttpsSocket(socket);
      } catch (error) {
        logger.log('error', `DNS socket handler error: ${error.message}`);
-        socket.destroy();
+        if (!socket.destroyed) {
+          socket.destroy();
+        }
      }
    };
  }
@@ -1461,6 +1599,7 @@ export class DcRouter {
    } else if (this.options.publicIp) {
      // Use explicitly configured public IP
      publicIp = this.options.publicIp;
+      this.detectedPublicIp = publicIp;
      logger.log('info', `Using configured public IP for nameserver A records: ${publicIp}`);
    } else {
      // Auto-discover public IP using smartnetwork
@@ -1471,6 +1610,7 @@ export class DcRouter {
        
        if (publicIps.v4) {
          publicIp = publicIps.v4;
+          this.detectedPublicIp = publicIp;
          logger.log('info', `Auto-discovered public IPv4: ${publicIp}`);
        } else {
          logger.log('warn', 'Could not auto-discover public IPv4 address');
@@ -1596,10 +1736,42 @@ export class DcRouter {
    const currentRoutes = this.options.smartProxyConfig?.routes || [];
    this.remoteIngressManager.setRoutes(currentRoutes as any[]);

+    // Resolve TLS certs for tunnel: explicit paths > ACME for hubDomain > self-signed (Rust default)
+    const riCfg = this.options.remoteIngressConfig;
+    let tlsConfig: { certPem: string; keyPem: string } | undefined;
+
+    // Priority 1: Explicit cert/key file paths
+    if (riCfg.tls?.certPath && riCfg.tls?.keyPath) {
+      try {
+        const certPem = plugins.fs.readFileSync(riCfg.tls.certPath, 'utf8');
+        const keyPem = plugins.fs.readFileSync(riCfg.tls.keyPath, 'utf8');
+        tlsConfig = { certPem, keyPem };
+        logger.log('info', 'Using explicit TLS cert/key for RemoteIngress tunnel');
+      } catch (err) {
+        logger.log('warn', `Failed to read RemoteIngress TLS cert/key files: ${err.message}`);
+      }
+    }
+
+    // Priority 2: Existing cert from SmartProxy cert store for hubDomain
+    if (!tlsConfig && riCfg.hubDomain) {
+      try {
+        const stored = await this.storageManager.getJSON(`/proxy-certs/${riCfg.hubDomain}`);
+        if (stored?.publicKey && stored?.privateKey) {
+          tlsConfig = { certPem: stored.publicKey, keyPem: stored.privateKey };
+          logger.log('info', `Using stored ACME cert for RemoteIngress tunnel TLS: ${riCfg.hubDomain}`);
+        }
+      } catch { /* no stored cert, fall through */ }
+    }
+
+    if (!tlsConfig) {
+      logger.log('info', 'No TLS cert configured for RemoteIngress tunnel — using auto-generated self-signed');
+    }
+
    // Create and start the tunnel manager
    this.tunnelManager = new TunnelManager(this.remoteIngressManager, {
-      tunnelPort: this.options.remoteIngressConfig.tunnelPort ?? 8443,
+      tunnelPort: riCfg.tunnelPort ?? 8443,
      targetHost: '127.0.0.1',
+      tls: tlsConfig,
    });
    await this.tunnelManager.start();

--- a/ts/config/classes.api-token-manager.ts
+++ b/ts/config/classes.api-token-manager.ts
@@ -0,0 +1,173 @@
+import * as plugins from '../plugins.js';
+import { logger } from '../logger.js';
+import type { StorageManager } from '../storage/index.js';
+import type {
+  IStoredApiToken,
+  IApiTokenInfo,
+  TApiTokenScope,
+} from '../../ts_interfaces/data/route-management.js';
+
+const TOKENS_PREFIX = '/config-api/tokens/';
+const TOKEN_PREFIX_STR = 'dcr_';
+
+export class ApiTokenManager {
+  private tokens = new Map<string, IStoredApiToken>();
+
+  constructor(private storageManager: StorageManager) {}
+
+  public async initialize(): Promise<void> {
+    await this.loadTokens();
+    if (this.tokens.size > 0) {
+      logger.log('info', `Loaded ${this.tokens.size} API token(s) from storage`);
+    }
+  }
+
+  // =========================================================================
+  // Token lifecycle
+  // =========================================================================
+
+  /**
+   * Create a new API token. Returns the raw token value (shown once).
+   */
+  public async createToken(
+    name: string,
+    scopes: TApiTokenScope[],
+    expiresInDays: number | null,
+    createdBy: string,
+  ): Promise<{ id: string; rawToken: string }> {
+    const id = plugins.uuid.v4();
+    const randomBytes = plugins.crypto.randomBytes(32);
+    const rawPayload = `${id}:${randomBytes.toString('base64url')}`;
+    const rawToken = `${TOKEN_PREFIX_STR}${rawPayload}`;
+
+    const tokenHash = plugins.crypto.createHash('sha256').update(rawToken).digest('hex');
+
+    const now = Date.now();
+    const stored: IStoredApiToken = {
+      id,
+      name,
+      tokenHash,
+      scopes,
+      createdAt: now,
+      expiresAt: expiresInDays != null ? now + expiresInDays * 86400000 : null,
+      lastUsedAt: null,
+      createdBy,
+      enabled: true,
+    };
+
+    this.tokens.set(id, stored);
+    await this.persistToken(stored);
+    logger.log('info', `API token '${name}' created (id: ${id})`);
+    return { id, rawToken };
+  }
+
+  /**
+   * Validate a raw token string. Returns the stored token if valid, null otherwise.
+   * Also updates lastUsedAt.
+   */
+  public async validateToken(rawToken: string): Promise<IStoredApiToken | null> {
+    if (!rawToken.startsWith(TOKEN_PREFIX_STR)) return null;
+
+    const hash = plugins.crypto.createHash('sha256').update(rawToken).digest('hex');
+
+    for (const stored of this.tokens.values()) {
+      if (stored.tokenHash === hash) {
+        if (!stored.enabled) return null;
+        if (stored.expiresAt !== null && stored.expiresAt < Date.now()) return null;
+
+        // Update lastUsedAt (fire and forget)
+        stored.lastUsedAt = Date.now();
+        this.persistToken(stored).catch(() => {});
+        return stored;
+      }
+    }
+    return null;
+  }
+
+  /**
+   * Check if a token has a specific scope.
+   */
+  public hasScope(token: IStoredApiToken, scope: TApiTokenScope): boolean {
+    return token.scopes.includes(scope);
+  }
+
+  /**
+   * List all tokens (safe info only, no hashes).
+   */
+  public listTokens(): IApiTokenInfo[] {
+    const result: IApiTokenInfo[] = [];
+    for (const stored of this.tokens.values()) {
+      result.push({
+        id: stored.id,
+        name: stored.name,
+        scopes: stored.scopes,
+        createdAt: stored.createdAt,
+        expiresAt: stored.expiresAt,
+        lastUsedAt: stored.lastUsedAt,
+        enabled: stored.enabled,
+      });
+    }
+    return result;
+  }
+
+  /**
+   * Revoke (delete) a token.
+   */
+  public async revokeToken(id: string): Promise<boolean> {
+    if (!this.tokens.has(id)) return false;
+    const token = this.tokens.get(id)!;
+    this.tokens.delete(id);
+    await this.storageManager.delete(`${TOKENS_PREFIX}${id}.json`);
+    logger.log('info', `API token '${token.name}' revoked (id: ${id})`);
+    return true;
+  }
+
+  /**
+   * Roll (regenerate) a token's secret while keeping its identity.
+   * Returns the new raw token value (shown once).
+   */
+  public async rollToken(id: string): Promise<{ id: string; rawToken: string } | null> {
+    const stored = this.tokens.get(id);
+    if (!stored) return null;
+
+    const randomBytes = plugins.crypto.randomBytes(32);
+    const rawPayload = `${id}:${randomBytes.toString('base64url')}`;
+    const rawToken = `${TOKEN_PREFIX_STR}${rawPayload}`;
+
+    stored.tokenHash = plugins.crypto.createHash('sha256').update(rawToken).digest('hex');
+    await this.persistToken(stored);
+    logger.log('info', `API token '${stored.name}' rolled (id: ${id})`);
+    return { id, rawToken };
+  }
+
+  /**
+   * Enable or disable a token.
+   */
+  public async toggleToken(id: string, enabled: boolean): Promise<boolean> {
+    const stored = this.tokens.get(id);
+    if (!stored) return false;
+    stored.enabled = enabled;
+    await this.persistToken(stored);
+    logger.log('info', `API token '${stored.name}' ${enabled ? 'enabled' : 'disabled'} (id: ${id})`);
+    return true;
+  }
+
+  // =========================================================================
+  // Private
+  // =========================================================================
+
+  private async loadTokens(): Promise<void> {
+    const keys = await this.storageManager.list(TOKENS_PREFIX);
+    for (const key of keys) {
+      if (!key.endsWith('.json')) continue;
+      const stored = await this.storageManager.getJSON<IStoredApiToken>(key);
+      if (stored?.id) {
+        this.tokens.set(stored.id, stored);
+      }
+    }
+  }
+
+  private async persistToken(stored: IStoredApiToken): Promise<void> {
+    await this.storageManager.setJSON(`${TOKENS_PREFIX}${stored.id}.json`, stored);
+  }
+}
--- a/ts/config/classes.route-config-manager.ts
+++ b/ts/config/classes.route-config-manager.ts
@@ -0,0 +1,271 @@
+import * as plugins from '../plugins.js';
+import { logger } from '../logger.js';
+import type { StorageManager } from '../storage/index.js';
+import type {
+  IStoredRoute,
+  IRouteOverride,
+  IMergedRoute,
+  IRouteWarning,
+} from '../../ts_interfaces/data/route-management.js';
+
+const ROUTES_PREFIX = '/config-api/routes/';
+const OVERRIDES_PREFIX = '/config-api/overrides/';
+
+export class RouteConfigManager {
+  private storedRoutes = new Map<string, IStoredRoute>();
+  private overrides = new Map<string, IRouteOverride>();
+  private warnings: IRouteWarning[] = [];
+
+  constructor(
+    private storageManager: StorageManager,
+    private getHardcodedRoutes: () => plugins.smartproxy.IRouteConfig[],
+    private getSmartProxy: () => plugins.smartproxy.SmartProxy | undefined,
+  ) {}
+
+  /**
+   * Load persisted routes and overrides, compute warnings, apply to SmartProxy.
+   */
+  public async initialize(): Promise<void> {
+    await this.loadStoredRoutes();
+    await this.loadOverrides();
+    this.computeWarnings();
+    this.logWarnings();
+    await this.applyRoutes();
+  }
+
+  // =========================================================================
+  // Merged view
+  // =========================================================================
+
+  public getMergedRoutes(): { routes: IMergedRoute[]; warnings: IRouteWarning[] } {
+    const merged: IMergedRoute[] = [];
+
+    // Hardcoded routes
+    for (const route of this.getHardcodedRoutes()) {
+      const name = route.name || '';
+      const override = this.overrides.get(name);
+      merged.push({
+        route,
+        source: 'hardcoded',
+        enabled: override ? override.enabled : true,
+        overridden: !!override,
+      });
+    }
+
+    // Programmatic routes
+    for (const stored of this.storedRoutes.values()) {
+      merged.push({
+        route: stored.route,
+        source: 'programmatic',
+        enabled: stored.enabled,
+        overridden: false,
+        storedRouteId: stored.id,
+        createdAt: stored.createdAt,
+        updatedAt: stored.updatedAt,
+      });
+    }
+
+    return { routes: merged, warnings: [...this.warnings] };
+  }
+
+  // =========================================================================
+  // Programmatic route CRUD
+  // =========================================================================
+
+  public async createRoute(
+    route: plugins.smartproxy.IRouteConfig,
+    createdBy: string,
+    enabled = true,
+  ): Promise<string> {
+    const id = plugins.uuid.v4();
+    const now = Date.now();
+
+    // Ensure route has a name
+    if (!route.name) {
+      route.name = `programmatic-${id.slice(0, 8)}`;
+    }
+
+    const stored: IStoredRoute = {
+      id,
+      route,
+      enabled,
+      createdAt: now,
+      updatedAt: now,
+      createdBy,
+    };
+
+    this.storedRoutes.set(id, stored);
+    await this.persistRoute(stored);
+    await this.applyRoutes();
+    return id;
+  }
+
+  public async updateRoute(
+    id: string,
+    patch: { route?: Partial<plugins.smartproxy.IRouteConfig>; enabled?: boolean },
+  ): Promise<boolean> {
+    const stored = this.storedRoutes.get(id);
+    if (!stored) return false;
+
+    if (patch.route) {
+      stored.route = { ...stored.route, ...patch.route } as plugins.smartproxy.IRouteConfig;
+    }
+    if (patch.enabled !== undefined) {
+      stored.enabled = patch.enabled;
+    }
+    stored.updatedAt = Date.now();
+
+    await this.persistRoute(stored);
+    await this.applyRoutes();
+    return true;
+  }
+
+  public async deleteRoute(id: string): Promise<boolean> {
+    if (!this.storedRoutes.has(id)) return false;
+    this.storedRoutes.delete(id);
+    await this.storageManager.delete(`${ROUTES_PREFIX}${id}.json`);
+    await this.applyRoutes();
+    return true;
+  }
+
+  public async toggleRoute(id: string, enabled: boolean): Promise<boolean> {
+    return this.updateRoute(id, { enabled });
+  }
+
+  // =========================================================================
+  // Hardcoded route overrides
+  // =========================================================================
+
+  public async setOverride(routeName: string, enabled: boolean, updatedBy: string): Promise<void> {
+    const override: IRouteOverride = {
+      routeName,
+      enabled,
+      updatedAt: Date.now(),
+      updatedBy,
+    };
+    this.overrides.set(routeName, override);
+    await this.storageManager.setJSON(`${OVERRIDES_PREFIX}${routeName}.json`, override);
+    this.computeWarnings();
+    await this.applyRoutes();
+  }
+
+  public async removeOverride(routeName: string): Promise<boolean> {
+    if (!this.overrides.has(routeName)) return false;
+    this.overrides.delete(routeName);
+    await this.storageManager.delete(`${OVERRIDES_PREFIX}${routeName}.json`);
+    this.computeWarnings();
+    await this.applyRoutes();
+    return true;
+  }
+
+  // =========================================================================
+  // Private: persistence
+  // =========================================================================
+
+  private async loadStoredRoutes(): Promise<void> {
+    const keys = await this.storageManager.list(ROUTES_PREFIX);
+    for (const key of keys) {
+      if (!key.endsWith('.json')) continue;
+      const stored = await this.storageManager.getJSON<IStoredRoute>(key);
+      if (stored?.id) {
+        this.storedRoutes.set(stored.id, stored);
+      }
+    }
+    if (this.storedRoutes.size > 0) {
+      logger.log('info', `Loaded ${this.storedRoutes.size} programmatic route(s) from storage`);
+    }
+  }
+
+  private async loadOverrides(): Promise<void> {
+    const keys = await this.storageManager.list(OVERRIDES_PREFIX);
+    for (const key of keys) {
+      if (!key.endsWith('.json')) continue;
+      const override = await this.storageManager.getJSON<IRouteOverride>(key);
+      if (override?.routeName) {
+        this.overrides.set(override.routeName, override);
+      }
+    }
+    if (this.overrides.size > 0) {
+      logger.log('info', `Loaded ${this.overrides.size} route override(s) from storage`);
+    }
+  }
+
+  private async persistRoute(stored: IStoredRoute): Promise<void> {
+    await this.storageManager.setJSON(`${ROUTES_PREFIX}${stored.id}.json`, stored);
+  }
+
+  // =========================================================================
+  // Private: warnings
+  // =========================================================================
+
+  private computeWarnings(): void {
+    this.warnings = [];
+    const hardcodedNames = new Set(this.getHardcodedRoutes().map((r) => r.name || ''));
+
+    // Check overrides
+    for (const [routeName, override] of this.overrides) {
+      if (!hardcodedNames.has(routeName)) {
+        this.warnings.push({
+          type: 'orphaned-override',
+          routeName,
+          message: `Orphaned override for route '${routeName}' — hardcoded route no longer exists`,
+        });
+      } else if (!override.enabled) {
+        this.warnings.push({
+          type: 'disabled-hardcoded',
+          routeName,
+          message: `Route '${routeName}' is disabled via API override`,
+        });
+      }
+    }
+
+    // Check disabled programmatic routes
+    for (const stored of this.storedRoutes.values()) {
+      if (!stored.enabled) {
+        const name = stored.route.name || stored.id;
+        this.warnings.push({
+          type: 'disabled-programmatic',
+          routeName: name,
+          message: `Programmatic route '${name}' (id: ${stored.id}) is disabled`,
+        });
+      }
+    }
+  }
+
+  private logWarnings(): void {
+    for (const w of this.warnings) {
+      logger.log('warn', w.message);
+    }
+  }
+
+  // =========================================================================
+  // Private: apply merged routes to SmartProxy
+  // =========================================================================
+
+  private async applyRoutes(): Promise<void> {
+    const smartProxy = this.getSmartProxy();
+    if (!smartProxy) return;
+
+    const enabledRoutes: plugins.smartproxy.IRouteConfig[] = [];
+
+    // Add enabled hardcoded routes (respecting overrides)
+    for (const route of this.getHardcodedRoutes()) {
+      const name = route.name || '';
+      const override = this.overrides.get(name);
+      if (override && !override.enabled) {
+        continue; // Skip disabled hardcoded route
+      }
+      enabledRoutes.push(route);
+    }
+
+    // Add enabled programmatic routes
+    for (const stored of this.storedRoutes.values()) {
+      if (stored.enabled) {
+        enabledRoutes.push(stored.route);
+      }
+    }
+
+    await smartProxy.updateRoutes(enabledRoutes);
+    logger.log('info', `Applied ${enabledRoutes.length} routes to SmartProxy (${this.storedRoutes.size} programmatic, ${this.overrides.size} overrides)`);
+  }
+}
--- a/ts/config/index.ts
+++ b/ts/config/index.ts
@@ -1,2 +1,4 @@
 // Export validation tools only
-export * from './validator.js';
+export * from './validator.js';
+export { RouteConfigManager } from './classes.route-config-manager.js';
+export { ApiTokenManager } from './classes.api-token-manager.js';
--- a/ts/logger.ts
+++ b/ts/logger.ts
@@ -1,5 +1,6 @@
 import * as plugins from './plugins.js';
 import { randomUUID } from 'node:crypto';
+import { SmartlogDestinationBuffer } from '@push.rocks/smartlog/destination-buffer';

 // Map NODE_ENV to valid TEnvironment
 const nodeEnv = process.env.NODE_ENV || 'production';
@@ -10,8 +11,11 @@ const envMap: Record<string, 'local' | 'test' | 'staging' | 'production'> = {
  'production': 'production'
 };

-// Default Smartlog instance
-const baseLogger = new plugins.smartlog.Smartlog({
+// In-memory log buffer for the OpsServer UI
+export const logBuffer = new SmartlogDestinationBuffer({ maxEntries: 2000 });
+
+// Default Smartlog instance (exported so OpsServer can add push destinations)
+export const baseLogger = new plugins.smartlog.Smartlog({
  logContext: {
    environment: envMap[nodeEnv] || 'production',
    runtime: 'node',
@@ -19,6 +23,9 @@ const baseLogger = new plugins.smartlog.Smartlog({
  }
 });

+// Wire the buffer destination so all logs are captured
+baseLogger.addLogDestination(logBuffer);
+
 // Extended logger compatible with the original enhanced logger API
 class StandardLogger {
  private defaultContext: Record<string, any> = {};
--- a/ts/monitoring/classes.metricsmanager.ts
+++ b/ts/monitoring/classes.metricsmanager.ts
@@ -1,9 +1,11 @@
 import * as plugins from '../plugins.js';
 import { DcRouter } from '../classes.dcrouter.js';
 import { MetricsCache } from './classes.metricscache.js';
+import { SecurityLogger, SecurityEventType } from '../security/classes.securitylogger.js';
+import { logger } from '../logger.js';

 export class MetricsManager {
-  private logger: plugins.smartlog.Smartlog;
+  private metricsLogger: plugins.smartlog.Smartlog;
  private smartMetrics: plugins.smartmetrics.SmartMetrics;
  private dcRouter: DcRouter;
  private resetInterval?: NodeJS.Timeout;
@@ -33,10 +35,17 @@ export class MetricsManager {
    queryTypes: {} as Record<string, number>,
    topDomains: new Map<string, number>(),
    lastResetDate: new Date().toDateString(),
-    queryTimestamps: [] as number[], // Track query timestamps for rate calculation
+    // Per-second query count ring buffer (300 entries = 5 minutes)
+    queryRing: new Int32Array(300),
+    queryRingLastSecond: 0, // last epoch second that was written
    responseTimes: [] as number[], // Track response times in ms
+    recentQueries: [] as Array<{ timestamp: number; domain: string; type: string; answered: boolean; responseTimeMs: number }>,
  };
  
+  // Per-minute time-series buckets for charts
+  private emailMinuteBuckets = new Map<number, { sent: number; received: number; failed: number }>();
+  private dnsMinuteBuckets = new Map<number, { queries: number }>();
+
  // Track security-specific metrics
  private securityMetrics = {
    blockedIPs: 0,
@@ -50,15 +59,15 @@ export class MetricsManager {
  
  constructor(dcRouter: DcRouter) {
    this.dcRouter = dcRouter;
-    // Create a new Smartlog instance for metrics
-    this.logger = new plugins.smartlog.Smartlog({
+    // Create a Smartlog instance for SmartMetrics (requires its own instance)
+    this.metricsLogger = new plugins.smartlog.Smartlog({
      logContext: {
        environment: 'production',
        runtime: 'node',
        zone: 'dcrouter-metrics',
      }
    });
-    this.smartMetrics = new plugins.smartmetrics.SmartMetrics(this.logger, 'dcrouter');
+    this.smartMetrics = new plugins.smartmetrics.SmartMetrics(this.metricsLogger, 'dcrouter');
    // Initialize metrics cache with 500ms TTL
    this.metricsCache = new MetricsCache(500);
  }
@@ -88,11 +97,13 @@ export class MetricsManager {
        this.dnsMetrics.cacheMisses = 0;
        this.dnsMetrics.queryTypes = {};
        this.dnsMetrics.topDomains.clear();
-        this.dnsMetrics.queryTimestamps = [];
+        this.dnsMetrics.queryRing.fill(0);
+        this.dnsMetrics.queryRingLastSecond = 0;
        this.dnsMetrics.responseTimes = [];
+        this.dnsMetrics.recentQueries = [];
        this.dnsMetrics.lastResetDate = currentDate;
      }
-      
+
      if (currentDate !== this.securityMetrics.lastResetDate) {
        this.securityMetrics.blockedIPs = 0;
        this.securityMetrics.authFailures = 0;
@@ -102,20 +113,29 @@ export class MetricsManager {
        this.securityMetrics.incidents = [];
        this.securityMetrics.lastResetDate = currentDate;
      }
+
+      // Prune old time-series buckets every minute (don't wait for lazy query)
+      this.pruneOldBuckets();
    }, 60000); // Check every minute
    
-    this.logger.log('info', 'MetricsManager started');
+    logger.log('info', 'MetricsManager started');
  }
-  
+
  public async stop(): Promise<void> {
    // Clear the reset interval
    if (this.resetInterval) {
      clearInterval(this.resetInterval);
      this.resetInterval = undefined;
    }
-    
+
    this.smartMetrics.stop();
-    this.logger.log('info', 'MetricsManager stopped');
+
+    // Clear caches and time-series buckets on shutdown
+    this.metricsCache.clear();
+    this.emailMinuteBuckets.clear();
+    this.dnsMinuteBuckets.clear();
+
+    logger.log('info', 'MetricsManager stopped');
  }
  
  // Get server metrics from SmartMetrics and SmartProxy
@@ -124,23 +144,23 @@ export class MetricsManager {
      const smartMetricsData = await this.smartMetrics.getMetrics();
      const proxyMetrics = this.dcRouter.smartProxy ? this.dcRouter.smartProxy.getMetrics() : null;
      const proxyStats = this.dcRouter.smartProxy ? await this.dcRouter.smartProxy.getStatistics() : null;
+      const { heapUsed, heapTotal, external, rss } = process.memoryUsage();

      return {
        uptime: process.uptime(),
        startTime: Date.now() - (process.uptime() * 1000),
        memoryUsage: {
-          heapUsed: process.memoryUsage().heapUsed,
-          heapTotal: process.memoryUsage().heapTotal,
-          external: process.memoryUsage().external,
-          rss: process.memoryUsage().rss,
-          // Add SmartMetrics memory data
+          heapUsed,
+          heapTotal,
+          external,
+          rss,
          maxMemoryMB: this.smartMetrics.maxMemoryMB,
          actualUsageBytes: smartMetricsData.memoryUsageBytes,
          actualUsagePercentage: smartMetricsData.memoryPercentage,
        },
        cpuUsage: {
-          user: parseFloat(smartMetricsData.cpuUsageText || '0'),
-          system: 0, // SmartMetrics doesn't separate user/system
+          user: smartMetricsData.cpuPercentage,
+          system: 0,
        },
        activeConnections: proxyStats ? proxyStats.activeConnections : 0,
        totalConnections: proxyMetrics ? proxyMetrics.totals.connections() : 0,
@@ -202,11 +222,8 @@ export class MetricsManager {
        .slice(0, 10)
        .map(([domain, count]) => ({ domain, count }));
      
-      // Calculate queries per second from recent timestamps
-      const now = Date.now();
-      const oneMinuteAgo = now - 60000;
-      const recentQueries = this.dnsMetrics.queryTimestamps.filter(ts => ts >= oneMinuteAgo);
-      const queriesPerSecond = recentQueries.length / 60;
+      // Calculate queries per second from ring buffer (sum last 60 seconds)
+      const queriesPerSecond = this.getQueryRingSum(60) / 60;
      
      // Calculate average response time
      const avgResponseTime = this.dnsMetrics.responseTimes.length > 0
@@ -223,24 +240,50 @@ export class MetricsManager {
        queryTypes: this.dnsMetrics.queryTypes,
        averageResponseTime: Math.round(avgResponseTime),
        activeDomains: this.dnsMetrics.topDomains.size,
+        recentQueries: this.dnsMetrics.recentQueries.slice(),
      };
    });
  }
  
+  /**
+   * Sync security metrics from the SecurityLogger singleton (last 24h).
+   * Called before returning security stats so counters reflect real events.
+   */
+  private syncFromSecurityLogger(): void {
+    try {
+      const securityLogger = SecurityLogger.getInstance();
+      const summary = securityLogger.getEventsSummary(86400000); // last 24h
+
+      this.securityMetrics.spamDetected = summary.byType[SecurityEventType.SPAM] || 0;
+      this.securityMetrics.malwareDetected = summary.byType[SecurityEventType.MALWARE] || 0;
+      this.securityMetrics.phishingDetected = summary.byType[SecurityEventType.DMARC] || 0; // phishing via DMARC
+      this.securityMetrics.authFailures =
+        summary.byType[SecurityEventType.AUTHENTICATION] || 0;
+      this.securityMetrics.blockedIPs =
+        (summary.byType[SecurityEventType.IP_REPUTATION] || 0) +
+        (summary.byType[SecurityEventType.REJECTED_CONNECTION] || 0);
+    } catch {
+      // SecurityLogger may not be initialized yet — ignore
+    }
+  }
+
  // Get security metrics
  public async getSecurityStats() {
    return this.metricsCache.get('securityStats', () => {
+      // Sync counters from the real SecurityLogger events
+      this.syncFromSecurityLogger();
+
      // Get recent incidents (last 20)
      const recentIncidents = this.securityMetrics.incidents.slice(-20);
-      
+
      return {
        blockedIPs: this.securityMetrics.blockedIPs,
        authFailures: this.securityMetrics.authFailures,
        spamDetected: this.securityMetrics.spamDetected,
        malwareDetected: this.securityMetrics.malwareDetected,
        phishingDetected: this.securityMetrics.phishingDetected,
-        totalThreatsBlocked: this.securityMetrics.spamDetected + 
-          this.securityMetrics.malwareDetected + 
+        totalThreatsBlocked: this.securityMetrics.spamDetected +
+          this.securityMetrics.malwareDetected +
          this.securityMetrics.phishingDetected,
        recentIncidents,
      };
@@ -275,10 +318,19 @@ export class MetricsManager {
  // Email event tracking methods
  public trackEmailSent(recipient?: string, deliveryTimeMs?: number): void {
    this.emailMetrics.sentToday++;
+    this.incrementEmailBucket('sent');
    
    if (recipient) {
      const count = this.emailMetrics.recipients.get(recipient) || 0;
      this.emailMetrics.recipients.set(recipient, count + 1);
+
+      // Cap recipients map to prevent unbounded growth within a day
+      if (this.emailMetrics.recipients.size > this.MAX_TOP_DOMAINS) {
+        const sorted = Array.from(this.emailMetrics.recipients.entries())
+          .sort((a, b) => b[1] - a[1])
+          .slice(0, Math.floor(this.MAX_TOP_DOMAINS * 0.8));
+        this.emailMetrics.recipients = new Map(sorted);
+      }
    }
    
    if (deliveryTimeMs) {
@@ -303,6 +355,7 @@ export class MetricsManager {
  
  public trackEmailReceived(sender?: string): void {
    this.emailMetrics.receivedToday++;
+    this.incrementEmailBucket('received');
    
    this.emailMetrics.recentActivity.push({
      timestamp: Date.now(),
@@ -318,6 +371,7 @@ export class MetricsManager {
  
  public trackEmailFailed(recipient?: string, reason?: string): void {
    this.emailMetrics.failedToday++;
+    this.incrementEmailBucket('failed');
    
    this.emailMetrics.recentActivity.push({
      timestamp: Date.now(),
@@ -351,8 +405,21 @@ export class MetricsManager {
  }
  
  // DNS event tracking methods
-  public trackDnsQuery(queryType: string, domain: string, cacheHit: boolean, responseTimeMs?: number): void {
+  public trackDnsQuery(queryType: string, domain: string, cacheHit: boolean, responseTimeMs?: number, answered?: boolean): void {
    this.dnsMetrics.totalQueries++;
+    this.incrementDnsBucket();
+
+    // Store recent query entry
+    this.dnsMetrics.recentQueries.push({
+      timestamp: Date.now(),
+      domain,
+      type: queryType,
+      answered: answered ?? true,
+      responseTimeMs: responseTimeMs ?? 0,
+    });
+    if (this.dnsMetrics.recentQueries.length > 100) {
+      this.dnsMetrics.recentQueries.shift();
+    }
    
    if (cacheHit) {
      this.dnsMetrics.cacheHits++;
@@ -360,12 +427,8 @@ export class MetricsManager {
      this.dnsMetrics.cacheMisses++;
    }
    
-    // Track query timestamp
-    this.dnsMetrics.queryTimestamps.push(Date.now());
-    
-    // Keep only timestamps from last 5 minutes
-    const fiveMinutesAgo = Date.now() - 300000;
-    this.dnsMetrics.queryTimestamps = this.dnsMetrics.queryTimestamps.filter(ts => ts >= fiveMinutesAgo);
+    // Increment per-second query counter in ring buffer
+    this.incrementQueryRing();
    
    // Track response time if provided
    if (responseTimeMs) {
@@ -537,6 +600,149 @@ export class MetricsManager {
        requestsPerSecond,
        requestsTotal,
      };
-    }, 200); // Use 200ms cache for more frequent updates
+    }, 1000); // 1s cache — matches typical dashboard poll interval
+  }
+
+  // --- Time-series helpers ---
+
+  private static minuteKey(ts: number = Date.now()): number {
+    return Math.floor(ts / 60000) * 60000;
+  }
+
+  private incrementEmailBucket(field: 'sent' | 'received' | 'failed'): void {
+    const key = MetricsManager.minuteKey();
+    let bucket = this.emailMinuteBuckets.get(key);
+    if (!bucket) {
+      bucket = { sent: 0, received: 0, failed: 0 };
+      this.emailMinuteBuckets.set(key, bucket);
+    }
+    bucket[field]++;
+  }
+
+  private incrementDnsBucket(): void {
+    const key = MetricsManager.minuteKey();
+    let bucket = this.dnsMinuteBuckets.get(key);
+    if (!bucket) {
+      bucket = { queries: 0 };
+      this.dnsMinuteBuckets.set(key, bucket);
+    }
+    bucket.queries++;
+  }
+
+  /**
+   * Increment the per-second query counter in the ring buffer.
+   * Zeros any stale slots between the last write and the current second.
+   */
+  private incrementQueryRing(): void {
+    const currentSecond = Math.floor(Date.now() / 1000);
+    const ring = this.dnsMetrics.queryRing;
+    const last = this.dnsMetrics.queryRingLastSecond;
+
+    if (last === 0) {
+      // First call — zero and anchor
+      ring.fill(0);
+      this.dnsMetrics.queryRingLastSecond = currentSecond;
+      ring[currentSecond % ring.length] = 1;
+      return;
+    }
+
+    const gap = currentSecond - last;
+    if (gap >= ring.length) {
+      // Entire ring is stale — clear all
+      ring.fill(0);
+    } else if (gap > 0) {
+      // Zero slots from (last+1) to currentSecond (inclusive)
+      for (let s = last + 1; s <= currentSecond; s++) {
+        ring[s % ring.length] = 0;
+      }
+    }
+
+    this.dnsMetrics.queryRingLastSecond = currentSecond;
+    ring[currentSecond % ring.length]++;
+  }
+
+  /**
+   * Sum query counts from the ring buffer for the last N seconds.
+   */
+  private getQueryRingSum(seconds: number): number {
+    const currentSecond = Math.floor(Date.now() / 1000);
+    const ring = this.dnsMetrics.queryRing;
+    const last = this.dnsMetrics.queryRingLastSecond;
+
+    if (last === 0) return 0;
+
+    // First, zero stale slots so reads are accurate even without writes
+    const gap = currentSecond - last;
+    if (gap >= ring.length) return 0; // all data is stale
+
+    let sum = 0;
+    const limit = Math.min(seconds, ring.length);
+    for (let i = 0; i < limit; i++) {
+      const sec = currentSecond - i;
+      if (sec < last - (ring.length - 1)) break; // slot is from older cycle
+      if (sec > last) continue; // no writes yet for this second
+      sum += ring[sec % ring.length];
+    }
+    return sum;
+  }
+
+  private pruneOldBuckets(): void {
+    const cutoff = Date.now() - 86400000; // 24h
+    for (const key of this.emailMinuteBuckets.keys()) {
+      if (key < cutoff) this.emailMinuteBuckets.delete(key);
+    }
+    for (const key of this.dnsMinuteBuckets.keys()) {
+      if (key < cutoff) this.dnsMinuteBuckets.delete(key);
+    }
+  }
+
+  /**
+   * Get email time-series data for the last N hours, aggregated per minute.
+   */
+  public getEmailTimeSeries(hours: number = 24): {
+    sent: Array<{ timestamp: number; value: number }>;
+    received: Array<{ timestamp: number; value: number }>;
+    failed: Array<{ timestamp: number; value: number }>;
+  } {
+    this.pruneOldBuckets();
+    const cutoff = Date.now() - hours * 3600000;
+    const sent: Array<{ timestamp: number; value: number }> = [];
+    const received: Array<{ timestamp: number; value: number }> = [];
+    const failed: Array<{ timestamp: number; value: number }> = [];
+
+    const sortedKeys = Array.from(this.emailMinuteBuckets.keys())
+      .filter((k) => k >= cutoff)
+      .sort((a, b) => a - b);
+
+    for (const key of sortedKeys) {
+      const bucket = this.emailMinuteBuckets.get(key)!;
+      sent.push({ timestamp: key, value: bucket.sent });
+      received.push({ timestamp: key, value: bucket.received });
+      failed.push({ timestamp: key, value: bucket.failed });
+    }
+
+    return { sent, received, failed };
+  }
+
+  /**
+   * Get DNS time-series data for the last N hours, aggregated per minute.
+   */
+  public getDnsTimeSeries(hours: number = 24): {
+    queries: Array<{ timestamp: number; value: number }>;
+  } {
+    this.pruneOldBuckets();
+    const cutoff = Date.now() - hours * 3600000;
+    const queries: Array<{ timestamp: number; value: number }> = [];
+
+    const sortedKeys = Array.from(this.dnsMinuteBuckets.keys())
+      .filter((k) => k >= cutoff)
+      .sort((a, b) => a - b);
+
+    for (const key of sortedKeys) {
+      const bucket = this.dnsMinuteBuckets.get(key)!;
+      queries.push({ timestamp: key, value: bucket.queries });
+    }
+
+    return { queries };
  }
 }
--- a/ts/opsserver/classes.opsserver.ts
+++ b/ts/opsserver/classes.opsserver.ts
@@ -2,14 +2,20 @@ import type DcRouter from '../classes.dcrouter.js';
 import * as plugins from '../plugins.js';
 import * as paths from '../paths.js';
 import * as handlers from './handlers/index.js';
+import * as interfaces from '../../ts_interfaces/index.js';
+import { requireValidIdentity, requireAdminIdentity } from './helpers/guards.js';

 export class OpsServer {
  public dcRouterRef: DcRouter;
  public server: plugins.typedserver.utilityservers.UtilityWebsiteServer;
-  
-  // TypedRouter for OpsServer-specific handlers
+
+  // Main TypedRouter — unauthenticated endpoints (login/logout/verify) and own-auth handlers
  public typedrouter = new plugins.typedrequest.TypedRouter();
-  
+
+  // Auth-enforced routers — middleware validates identity before any handler runs
+  public viewRouter = new plugins.typedrequest.TypedRouter<{ request: { identity: interfaces.data.IIdentity } }>();
+  public adminRouter = new plugins.typedrequest.TypedRouter<{ request: { identity: interfaces.data.IIdentity } }>();
+
  // Handler instances
  public adminHandler: handlers.AdminHandler;
  private configHandler: handlers.ConfigHandler;
@@ -20,10 +26,12 @@ export class OpsServer {
  private emailOpsHandler: handlers.EmailOpsHandler;
  private certificateHandler: handlers.CertificateHandler;
  private remoteIngressHandler: handlers.RemoteIngressHandler;
+  private routeManagementHandler: handlers.RouteManagementHandler;
+  private apiTokenHandler: handlers.ApiTokenHandler;

  constructor(dcRouterRefArg: DcRouter) {
    this.dcRouterRef = dcRouterRefArg;
-    
+
    // Add our typedrouter to the dcRouter's main typedrouter
    this.dcRouterRef.typedrouter.addTypedRouter(this.typedrouter);
  }
@@ -49,10 +57,25 @@ export class OpsServer {
   * Set up all TypedRequest handlers
   */
  private async setupHandlers(): Promise<void> {
-    // Instantiate all handlers - they self-register with the typedrouter
+    // AdminHandler must be initialized first (JWT setup needed for guards)
    this.adminHandler = new handlers.AdminHandler(this);
-    await this.adminHandler.initialize(); // JWT needs async initialization
-    
+    await this.adminHandler.initialize();
+
+    // viewRouter middleware: requires valid identity (any logged-in user)
+    this.viewRouter.addMiddleware(async (typedRequest) => {
+      await requireValidIdentity(this.adminHandler, typedRequest.request);
+    });
+
+    // adminRouter middleware: requires admin identity
+    this.adminRouter.addMiddleware(async (typedRequest) => {
+      await requireAdminIdentity(this.adminHandler, typedRequest.request);
+    });
+
+    // Connect auth routers to the main typedrouter
+    this.typedrouter.addTypedRouter(this.viewRouter);
+    this.typedrouter.addTypedRouter(this.adminRouter);
+
+    // Instantiate all handlers — they self-register with the appropriate router
    this.configHandler = new handlers.ConfigHandler(this);
    this.logsHandler = new handlers.LogsHandler(this);
    this.securityHandler = new handlers.SecurityHandler(this);
@@ -61,11 +84,17 @@ export class OpsServer {
    this.emailOpsHandler = new handlers.EmailOpsHandler(this);
    this.certificateHandler = new handlers.CertificateHandler(this);
    this.remoteIngressHandler = new handlers.RemoteIngressHandler(this);
+    this.routeManagementHandler = new handlers.RouteManagementHandler(this);
+    this.apiTokenHandler = new handlers.ApiTokenHandler(this);

    console.log('✅ OpsServer TypedRequest handlers initialized');
  }

  public async stop() {
+    // Clean up log handler streams and push destination before stopping the server
+    if (this.logsHandler) {
+      this.logsHandler.cleanup();
+    }
    if (this.server) {
      await this.server.stop();
    }
--- a/ts/opsserver/handlers/api-token.handler.ts
+++ b/ts/opsserver/handlers/api-token.handler.ts
@@ -0,0 +1,97 @@
+import * as plugins from '../../plugins.js';
+import type { OpsServer } from '../classes.opsserver.js';
+import * as interfaces from '../../../ts_interfaces/index.js';
+
+export class ApiTokenHandler {
+  constructor(private opsServerRef: OpsServer) {
+    this.registerHandlers();
+  }
+
+  private registerHandlers(): void {
+    // All token management endpoints register directly on adminRouter
+    // (middleware enforces admin JWT check, so no per-handler requireAdmin needed)
+    const router = this.opsServerRef.adminRouter;
+
+    // Create API token
+    router.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_CreateApiToken>(
+        'createApiToken',
+        async (dataArg) => {
+          const manager = this.opsServerRef.dcRouterRef.apiTokenManager;
+          if (!manager) {
+            return { success: false, message: 'Token management not initialized' };
+          }
+          const result = await manager.createToken(
+            dataArg.name,
+            dataArg.scopes,
+            dataArg.expiresInDays ?? null,
+            dataArg.identity.userId,
+          );
+          return { success: true, tokenId: result.id, tokenValue: result.rawToken };
+        },
+      ),
+    );
+
+    // List API tokens
+    router.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_ListApiTokens>(
+        'listApiTokens',
+        async (dataArg) => {
+          const manager = this.opsServerRef.dcRouterRef.apiTokenManager;
+          if (!manager) {
+            return { tokens: [] };
+          }
+          return { tokens: manager.listTokens() };
+        },
+      ),
+    );
+
+    // Revoke API token
+    router.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_RevokeApiToken>(
+        'revokeApiToken',
+        async (dataArg) => {
+          const manager = this.opsServerRef.dcRouterRef.apiTokenManager;
+          if (!manager) {
+            return { success: false, message: 'Token management not initialized' };
+          }
+          const ok = await manager.revokeToken(dataArg.id);
+          return { success: ok, message: ok ? undefined : 'Token not found' };
+        },
+      ),
+    );
+
+    // Roll API token
+    router.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_RollApiToken>(
+        'rollApiToken',
+        async (dataArg) => {
+          const manager = this.opsServerRef.dcRouterRef.apiTokenManager;
+          if (!manager) {
+            return { success: false, message: 'Token management not initialized' };
+          }
+          const result = await manager.rollToken(dataArg.id);
+          if (!result) {
+            return { success: false, message: 'Token not found' };
+          }
+          return { success: true, tokenValue: result.rawToken };
+        },
+      ),
+    );
+
+    // Toggle API token
+    router.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_ToggleApiToken>(
+        'toggleApiToken',
+        async (dataArg) => {
+          const manager = this.opsServerRef.dcRouterRef.apiTokenManager;
+          if (!manager) {
+            return { success: false, message: 'Token management not initialized' };
+          }
+          const ok = await manager.toggleToken(dataArg.id, dataArg.enabled);
+          return { success: ok, message: ok ? undefined : 'Token not found' };
+        },
+      ),
+    );
+  }
+}
--- a/ts/opsserver/handlers/certificate.handler.ts
+++ b/ts/opsserver/handlers/certificate.handler.ts
@@ -3,16 +3,18 @@ import type { OpsServer } from '../classes.opsserver.js';
 import * as interfaces from '../../../ts_interfaces/index.js';

 export class CertificateHandler {
-  public typedrouter = new plugins.typedrequest.TypedRouter();
-
  constructor(private opsServerRef: OpsServer) {
-    this.opsServerRef.typedrouter.addTypedRouter(this.typedrouter);
    this.registerHandlers();
  }

  private registerHandlers(): void {
+    const viewRouter = this.opsServerRef.viewRouter;
+    const adminRouter = this.opsServerRef.adminRouter;
+
+    // ---- Read endpoints (viewRouter — valid identity required via middleware) ----
+
    // Get Certificate Overview
-    this.typedrouter.addTypedHandler(
+    viewRouter.addTypedHandler(
      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetCertificateOverview>(
        'getCertificateOverview',
        async (dataArg) => {
@@ -23,8 +25,10 @@ export class CertificateHandler {
      )
    );

+    // ---- Write endpoints (adminRouter — admin identity required via middleware) ----
+
    // Legacy route-based reprovision (backward compat)
-    this.typedrouter.addTypedHandler(
+    adminRouter.addTypedHandler(
      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_ReprovisionCertificate>(
        'reprovisionCertificate',
        async (dataArg) => {
@@ -34,7 +38,7 @@ export class CertificateHandler {
    );

    // Domain-based reprovision (preferred)
-    this.typedrouter.addTypedHandler(
+    adminRouter.addTypedHandler(
      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_ReprovisionCertificateDomain>(
        'reprovisionCertificateDomain',
        async (dataArg) => {
@@ -44,7 +48,7 @@ export class CertificateHandler {
    );

    // Delete certificate
-    this.typedrouter.addTypedHandler(
+    adminRouter.addTypedHandler(
      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_DeleteCertificate>(
        'deleteCertificate',
        async (dataArg) => {
@@ -54,7 +58,7 @@ export class CertificateHandler {
    );

    // Export certificate
-    this.typedrouter.addTypedHandler(
+    adminRouter.addTypedHandler(
      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_ExportCertificate>(
        'exportCertificate',
        async (dataArg) => {
@@ -64,7 +68,7 @@ export class CertificateHandler {
    );

    // Import certificate
-    this.typedrouter.addTypedHandler(
+    adminRouter.addTypedHandler(
      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_ImportCertificate>(
        'importCertificate',
        async (dataArg) => {
--- a/ts/opsserver/handlers/config.handler.ts
+++ b/ts/opsserver/handlers/config.handler.ts
@@ -1,23 +1,23 @@
 import * as plugins from '../../plugins.js';
+import * as paths from '../../paths.js';
 import type { OpsServer } from '../classes.opsserver.js';
 import * as interfaces from '../../../ts_interfaces/index.js';

 export class ConfigHandler {
-  public typedrouter = new plugins.typedrequest.TypedRouter();
-
  constructor(private opsServerRef: OpsServer) {
-    // Add this handler's router to the parent
-    this.opsServerRef.typedrouter.addTypedRouter(this.typedrouter);
    this.registerHandlers();
  }

  private registerHandlers(): void {
+    // Config endpoint registers directly on viewRouter (valid identity required via middleware)
+    const router = this.opsServerRef.viewRouter;
+
    // Get Configuration Handler (read-only)
-    this.typedrouter.addTypedHandler(
+    router.addTypedHandler(
      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetConfiguration>(
        'getConfiguration',
        async (dataArg, toolsArg) => {
-          const config = await this.getConfiguration(dataArg.section);
+          const config = await this.getConfiguration();
          return {
            config,
            section: dataArg.section,
@@ -26,83 +26,189 @@ export class ConfigHandler {
      )
    );
  }
-  
-  private async getConfiguration(section?: string): Promise<{
-    email: {
-      enabled: boolean;
-      ports: number[];
-      maxMessageSize: number;
-      rateLimits: {
-        perMinute: number;
-        perHour: number;
-        perDay: number;
-      };
-      domains?: string[];
-    };
-    dns: {
-      enabled: boolean;
-      port: number;
-      nameservers: string[];
-      caching: boolean;
-      ttl: number;
-    };
-    proxy: {
-      enabled: boolean;
-      httpPort: number;
-      httpsPort: number;
-      maxConnections: number;
-    };
-    security: {
-      blockList: string[];
-      rateLimit: boolean;
-      spamDetection: boolean;
-      tlsRequired: boolean;
-    };
-  }> {
+
+  private async getConfiguration(): Promise<interfaces.requests.IConfigData> {
    const dcRouter = this.opsServerRef.dcRouterRef;
-    
-    // Get email domains if email server is configured
+    const opts = dcRouter.options;
+    const resolvedPaths = dcRouter.resolvedPaths;
+
+    // --- System ---
+    const storageBackend: 'filesystem' | 'custom' | 'memory' = opts.storage?.readFunction
+      ? 'custom'
+      : opts.storage?.fsPath
+        ? 'filesystem'
+        : 'memory';
+
+    // Resolve proxy IPs: fall back to SmartProxy's runtime proxyIPs if not in opts
+    let proxyIps = opts.proxyIps || [];
+    if (proxyIps.length === 0 && dcRouter.smartProxy) {
+      const spSettings = (dcRouter.smartProxy as any).settings;
+      if (spSettings?.proxyIPs?.length > 0) {
+        proxyIps = spSettings.proxyIPs;
+      }
+    }
+
+    const system: interfaces.requests.IConfigData['system'] = {
+      baseDir: resolvedPaths.dcrouterHomeDir,
+      dataDir: resolvedPaths.dataDir,
+      publicIp: opts.publicIp || dcRouter.detectedPublicIp || null,
+      proxyIps,
+      uptime: Math.floor(process.uptime()),
+      storageBackend,
+      storagePath: opts.storage?.fsPath || null,
+    };
+
+    // --- SmartProxy ---
+    let acmeInfo: interfaces.requests.IConfigData['smartProxy']['acme'] = null;
+    if (opts.smartProxyConfig?.acme) {
+      const acme = opts.smartProxyConfig.acme;
+      acmeInfo = {
+        enabled: acme.enabled !== false,
+        accountEmail: acme.accountEmail || '',
+        useProduction: acme.useProduction !== false,
+        autoRenew: acme.autoRenew !== false,
+        renewThresholdDays: acme.renewThresholdDays || 30,
+      };
+    }
+
+    let routeCount = 0;
+    if (dcRouter.routeConfigManager) {
+      try {
+        const merged = await dcRouter.routeConfigManager.getMergedRoutes();
+        routeCount = merged.routes.length;
+      } catch {
+        routeCount = opts.smartProxyConfig?.routes?.length || 0;
+      }
+    } else if (opts.smartProxyConfig?.routes) {
+      routeCount = opts.smartProxyConfig.routes.length;
+    }
+
+    const smartProxy: interfaces.requests.IConfigData['smartProxy'] = {
+      enabled: !!dcRouter.smartProxy,
+      routeCount,
+      acme: acmeInfo,
+    };
+
+    // --- Email ---
    let emailDomains: string[] = [];
-    if (dcRouter.emailServer && dcRouter.emailServer.domainRegistry) {
-      emailDomains = dcRouter.emailServer.domainRegistry.getAllDomains();
-    } else if (dcRouter.options.emailConfig?.domains) {
-      // Fallback: get domains from email config options
-      emailDomains = dcRouter.options.emailConfig.domains.map(d => 
+    if (dcRouter.emailServer && (dcRouter.emailServer as any).domainRegistry) {
+      emailDomains = (dcRouter.emailServer as any).domainRegistry.getAllDomains();
+    } else if (opts.emailConfig?.domains) {
+      emailDomains = opts.emailConfig.domains.map((d: any) =>
        typeof d === 'string' ? d : d.domain
      );
    }
-    
+
+    let portMapping: Record<string, number> | null = null;
+    if (opts.emailPortConfig?.portMapping) {
+      portMapping = {};
+      for (const [ext, int] of Object.entries(opts.emailPortConfig.portMapping)) {
+        portMapping[String(ext)] = int as number;
+      }
+    }
+
+    const email: interfaces.requests.IConfigData['email'] = {
+      enabled: !!dcRouter.emailServer,
+      ports: opts.emailConfig?.ports || [],
+      portMapping,
+      hostname: opts.emailConfig?.hostname || null,
+      domains: emailDomains,
+      emailRouteCount: opts.emailConfig?.routes?.length || 0,
+      receivedEmailsPath: opts.emailPortConfig?.receivedEmailsPath || null,
+    };
+
+    // --- DNS ---
+    const dnsRecords = (opts.dnsRecords || []).map(r => ({
+      name: r.name,
+      type: r.type,
+      value: r.value,
+      ttl: r.ttl,
+    }));
+
+    const dns: interfaces.requests.IConfigData['dns'] = {
+      enabled: !!dcRouter.dnsServer,
+      port: 53,
+      nsDomains: opts.dnsNsDomains || [],
+      scopes: opts.dnsScopes || [],
+      recordCount: dnsRecords.length,
+      records: dnsRecords,
+      dnsChallenge: !!opts.dnsChallenge?.cloudflareApiKey,
+    };
+
+    // --- TLS ---
+    let tlsSource: 'acme' | 'static' | 'none' = 'none';
+    if (opts.tls?.certPath && opts.tls?.keyPath) {
+      tlsSource = 'static';
+    } else if (opts.smartProxyConfig?.acme?.enabled !== false && opts.smartProxyConfig?.acme) {
+      tlsSource = 'acme';
+    }
+
+    const tls: interfaces.requests.IConfigData['tls'] = {
+      contactEmail: opts.tls?.contactEmail || opts.smartProxyConfig?.acme?.accountEmail || null,
+      domain: opts.tls?.domain || null,
+      source: tlsSource,
+      certPath: opts.tls?.certPath || null,
+      keyPath: opts.tls?.keyPath || null,
+    };
+
+    // --- Cache ---
+    const cacheConfig = opts.cacheConfig;
+    const cache: interfaces.requests.IConfigData['cache'] = {
+      enabled: cacheConfig?.enabled !== false,
+      storagePath: cacheConfig?.storagePath || resolvedPaths.defaultTsmDbPath,
+      dbName: cacheConfig?.dbName || 'dcrouter',
+      defaultTTLDays: cacheConfig?.defaultTTLDays || 30,
+      cleanupIntervalHours: cacheConfig?.cleanupIntervalHours || 1,
+      ttlConfig: cacheConfig?.ttlConfig ? { ...cacheConfig.ttlConfig } as Record<string, number> : {},
+    };
+
+    // --- RADIUS ---
+    const radiusCfg = opts.radiusConfig;
+    const radius: interfaces.requests.IConfigData['radius'] = {
+      enabled: !!dcRouter.radiusServer,
+      authPort: radiusCfg?.authPort || null,
+      acctPort: radiusCfg?.acctPort || null,
+      bindAddress: radiusCfg?.bindAddress || null,
+      clientCount: radiusCfg?.clients?.length || 0,
+      vlanDefaultVlan: radiusCfg?.vlanAssignment?.defaultVlan ?? null,
+      vlanAllowUnknownMacs: radiusCfg?.vlanAssignment?.allowUnknownMacs ?? null,
+      vlanMappingCount: radiusCfg?.vlanAssignment?.mappings?.length || 0,
+    };
+
+    // --- Remote Ingress ---
+    const riCfg = opts.remoteIngressConfig;
+    const connectedEdgeIps = dcRouter.tunnelManager?.getConnectedEdgeIps() || [];
+
+    // Determine TLS mode: custom certs > ACME from cert store > self-signed fallback
+    let tlsMode: 'custom' | 'acme' | 'self-signed' = 'self-signed';
+    if (riCfg?.tls?.certPath && riCfg?.tls?.keyPath) {
+      tlsMode = 'custom';
+    } else if (riCfg?.hubDomain) {
+      try {
+        const stored = await dcRouter.storageManager.getJSON(`/proxy-certs/${riCfg.hubDomain}`);
+        if (stored?.publicKey && stored?.privateKey) {
+          tlsMode = 'acme';
+        }
+      } catch { /* no stored cert */ }
+    }
+
+    const remoteIngress: interfaces.requests.IConfigData['remoteIngress'] = {
+      enabled: !!dcRouter.remoteIngressManager,
+      tunnelPort: riCfg?.tunnelPort || null,
+      hubDomain: riCfg?.hubDomain || null,
+      tlsMode,
+      connectedEdgeIps,
+    };
+
    return {
-      email: {
-        enabled: !!dcRouter.emailServer,
-        ports: dcRouter.emailServer ? [25, 465, 587, 2525] : [],
-        maxMessageSize: 10 * 1024 * 1024, // 10MB default
-        rateLimits: {
-          perMinute: 10,
-          perHour: 100,
-          perDay: 1000,
-        },
-        domains: emailDomains,
-      },
-      dns: {
-        enabled: !!dcRouter.dnsServer,
-        port: 53,
-        nameservers: dcRouter.options.dnsNsDomains || [],
-        caching: true,
-        ttl: 300,
-      },
-      proxy: {
-        enabled: !!dcRouter.smartProxy,
-        httpPort: 80,
-        httpsPort: 443,
-        maxConnections: 1000,
-      },
-      security: {
-        blockList: [],
-        rateLimit: true,
-        spamDetection: true,
-        tlsRequired: false,
-      },
+      system,
+      smartProxy,
+      email,
+      dns,
+      tls,
+      cache,
+      radius,
+      remoteIngress,
    };
  }
-}
+}
--- a/ts/opsserver/handlers/email-ops.handler.ts
+++ b/ts/opsserver/handlers/email-ops.handler.ts
@@ -1,86 +1,44 @@
 import * as plugins from '../../plugins.js';
 import type { OpsServer } from '../classes.opsserver.js';
 import * as interfaces from '../../../ts_interfaces/index.js';
-import { SecurityLogger } from '../../security/index.js';

 export class EmailOpsHandler {
-  public typedrouter = new plugins.typedrequest.TypedRouter();
-
  constructor(private opsServerRef: OpsServer) {
-    // Add this handler's router to the parent
-    this.opsServerRef.typedrouter.addTypedRouter(this.typedrouter);
    this.registerHandlers();
  }

  private registerHandlers(): void {
-    // Get Queued Emails Handler
-    this.typedrouter.addTypedHandler(
-      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetQueuedEmails>(
-        'getQueuedEmails',
+    const viewRouter = this.opsServerRef.viewRouter;
+    const adminRouter = this.opsServerRef.adminRouter;
+
+    // ---- Read endpoints (viewRouter — valid identity required via middleware) ----
+
+    // Get All Emails Handler
+    viewRouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetAllEmails>(
+        'getAllEmails',
        async (dataArg) => {
-          const emailServer = this.opsServerRef.dcRouterRef.emailServer;
-          if (!emailServer?.deliveryQueue) {
-            return { items: [], total: 0 };
-          }
-
-          const queue = emailServer.deliveryQueue;
-          const stats = queue.getStats();
-
-          // Get all queue items and filter by status if provided
-          const items = this.getQueueItems(
-            dataArg.status,
-            dataArg.limit || 50,
-            dataArg.offset || 0
-          );
-
-          return {
-            items,
-            total: stats.queueSize,
-          };
+          const emails = this.getAllQueueEmails();
+          return { emails };
        }
      )
    );

-    // Get Sent Emails Handler
-    this.typedrouter.addTypedHandler(
-      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetSentEmails>(
-        'getSentEmails',
+    // Get Email Detail Handler
+    viewRouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetEmailDetail>(
+        'getEmailDetail',
        async (dataArg) => {
-          const items = this.getQueueItems(
-            'delivered',
-            dataArg.limit || 50,
-            dataArg.offset || 0
-          );
-
-          return {
-            items,
-            total: items.length, // Note: total would ideally come from a counter
-          };
+          const email = this.getEmailDetail(dataArg.emailId);
+          return { email };
        }
      )
    );

-    // Get Failed Emails Handler
-    this.typedrouter.addTypedHandler(
-      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetFailedEmails>(
-        'getFailedEmails',
-        async (dataArg) => {
-          const items = this.getQueueItems(
-            'failed',
-            dataArg.limit || 50,
-            dataArg.offset || 0
-          );
-
-          return {
-            items,
-            total: items.length,
-          };
-        }
-      )
-    );
+    // ---- Write endpoints (adminRouter) ----

    // Resend Failed Email Handler
-    this.typedrouter.addTypedHandler(
+    adminRouter.addTypedHandler(
      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_ResendEmail>(
        'resendEmail',
        async (dataArg) => {
@@ -101,17 +59,12 @@ export class EmailOpsHandler {
          }

          try {
-            // Re-enqueue the failed email by creating a new queue entry
-            // with the same data but reset attempt count
            const newQueueId = await queue.enqueue(
              item.processingResult,
              item.processingMode,
              item.route
            );
-
-            // Optionally remove the old failed entry
            await queue.removeItem(dataArg.emailId);
-
            return { success: true, newQueueId };
          } catch (error) {
            return {
@@ -122,197 +75,199 @@ export class EmailOpsHandler {
        }
      )
    );
-
-    // Get Security Incidents Handler
-    this.typedrouter.addTypedHandler(
-      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetSecurityIncidents>(
-        'getSecurityIncidents',
-        async (dataArg) => {
-          const securityLogger = SecurityLogger.getInstance();
-
-          const filter: {
-            level?: any;
-            type?: any;
-          } = {};
-
-          if (dataArg.level) {
-            filter.level = dataArg.level;
-          }
-
-          if (dataArg.type) {
-            filter.type = dataArg.type;
-          }
-
-          const incidents = securityLogger.getRecentEvents(
-            dataArg.limit || 100,
-            Object.keys(filter).length > 0 ? filter : undefined
-          );
-
-          return {
-            incidents: incidents.map(event => ({
-              timestamp: event.timestamp,
-              level: event.level as interfaces.requests.TSecurityLogLevel,
-              type: event.type as interfaces.requests.TSecurityEventType,
-              message: event.message,
-              details: event.details,
-              ipAddress: event.ipAddress,
-              userId: event.userId,
-              sessionId: event.sessionId,
-              emailId: event.emailId,
-              domain: event.domain,
-              action: event.action,
-              result: event.result,
-              success: event.success,
-            })),
-            total: incidents.length,
-          };
-        }
-      )
-    );
-
-    // Get Bounce Records Handler
-    this.typedrouter.addTypedHandler(
-      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetBounceRecords>(
-        'getBounceRecords',
-        async (dataArg) => {
-          const emailServer = this.opsServerRef.dcRouterRef.emailServer;
-
-          if (!emailServer) {
-            return { records: [], suppressionList: [], total: 0 };
-          }
-
-          // Use smartmta's public API for bounce/suppression data
-          const suppressionList = emailServer.getSuppressionList();
-          const hardBouncedAddresses = emailServer.getHardBouncedAddresses();
-
-          // Create bounce records from the available data
-          const records: interfaces.requests.IBounceRecord[] = [];
-
-          for (const email of hardBouncedAddresses) {
-            const bounceInfo = emailServer.getBounceHistory(email);
-            if (bounceInfo) {
-              records.push({
-                id: `bounce-${email}`,
-                recipient: email,
-                sender: '',
-                domain: email.split('@')[1] || '',
-                bounceType: (bounceInfo as any).type as interfaces.requests.TBounceType,
-                bounceCategory: (bounceInfo as any).category as interfaces.requests.TBounceCategory,
-                timestamp: (bounceInfo as any).lastBounce,
-                processed: true,
-              });
-            }
-          }
-
-          // Apply limit and offset
-          const limit = dataArg.limit || 50;
-          const offset = dataArg.offset || 0;
-          const paginatedRecords = records.slice(offset, offset + limit);
-
-          return {
-            records: paginatedRecords,
-            suppressionList,
-            total: records.length,
-          };
-        }
-      )
-    );
-
-    // Remove from Suppression List Handler
-    this.typedrouter.addTypedHandler(
-      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_RemoveFromSuppressionList>(
-        'removeFromSuppressionList',
-        async (dataArg) => {
-          const emailServer = this.opsServerRef.dcRouterRef.emailServer;
-
-          if (!emailServer) {
-            return { success: false, error: 'Email server not available' };
-          }
-
-          try {
-            emailServer.removeFromSuppressionList(dataArg.email);
-            return { success: true };
-          } catch (error) {
-            return {
-              success: false,
-              error: error instanceof Error ? error.message : 'Failed to remove from suppression list'
-            };
-          }
-        }
-      )
-    );
  }

  /**
-   * Helper method to get queue items with filtering and pagination
+   * Get all queue items mapped to catalog IEmail format
   */
-  private getQueueItems(
-    status?: interfaces.requests.TEmailQueueStatus,
-    limit: number = 50,
-    offset: number = 0
-  ): interfaces.requests.IEmailQueueItem[] {
+  private getAllQueueEmails(): interfaces.requests.IEmail[] {
    const emailServer = this.opsServerRef.dcRouterRef.emailServer;
    if (!emailServer?.deliveryQueue) {
      return [];
    }

    const queue = emailServer.deliveryQueue;
-    const items: interfaces.requests.IEmailQueueItem[] = [];
-
-    // Access the internal queue map via reflection
-    // This is necessary because the queue doesn't expose iteration methods
    const queueMap = (queue as any).queue as Map<string, any>;

    if (!queueMap) {
      return [];
    }

-    // Filter and convert items
+    const emails: interfaces.requests.IEmail[] = [];
+
    for (const [id, item] of queueMap.entries()) {
-      // Apply status filter if provided
-      if (status && item.status !== status) {
-        continue;
-      }
-
-      // Extract email details from processingResult if available
-      const processingResult = item.processingResult;
-      let from = '';
-      let to: string[] = [];
-      let subject = '';
-
-      if (processingResult) {
-        // Check if it's an Email object or raw email data
-        if (processingResult.email) {
-          from = processingResult.email.from || '';
-          to = processingResult.email.to || [];
-          subject = processingResult.email.subject || '';
-        } else if (processingResult.from) {
-          from = processingResult.from;
-          to = processingResult.to || [];
-          subject = processingResult.subject || '';
-        }
-      }
-
-      items.push({
-        id: item.id,
-        processingMode: item.processingMode,
-        status: item.status,
-        attempts: item.attempts,
-        nextAttempt: item.nextAttempt instanceof Date ? item.nextAttempt.getTime() : item.nextAttempt,
-        lastError: item.lastError,
-        createdAt: item.createdAt instanceof Date ? item.createdAt.getTime() : item.createdAt,
-        updatedAt: item.updatedAt instanceof Date ? item.updatedAt.getTime() : item.updatedAt,
-        deliveredAt: item.deliveredAt instanceof Date ? item.deliveredAt.getTime() : item.deliveredAt,
-        from,
-        to,
-        subject,
-      });
+      emails.push(this.mapQueueItemToEmail(item));
    }

    // Sort by createdAt descending (newest first)
-    items.sort((a, b) => b.createdAt - a.createdAt);
+    emails.sort((a, b) => new Date(b.timestamp).getTime() - new Date(a.timestamp).getTime());

-    // Apply pagination
-    return items.slice(offset, offset + limit);
+    return emails;
+  }
+
+  /**
+   * Get a single email detail by ID
+   */
+  private getEmailDetail(emailId: string): interfaces.requests.IEmailDetail | null {
+    const emailServer = this.opsServerRef.dcRouterRef.emailServer;
+    if (!emailServer?.deliveryQueue) {
+      return null;
+    }
+
+    const queue = emailServer.deliveryQueue;
+    const item = queue.getItem(emailId);
+
+    if (!item) {
+      return null;
+    }
+
+    return this.mapQueueItemToEmailDetail(item);
+  }
+
+  /**
+   * Map a queue item to catalog IEmail format
+   */
+  private mapQueueItemToEmail(item: any): interfaces.requests.IEmail {
+    const processingResult = item.processingResult;
+    let from = '';
+    let to = '';
+    let subject = '';
+    let messageId = '';
+    let size = '0 B';
+
+    if (processingResult) {
+      if (processingResult.email) {
+        from = processingResult.email.from || '';
+        to = (processingResult.email.to || [])[0] || '';
+        subject = processingResult.email.subject || '';
+      } else if (processingResult.from) {
+        from = processingResult.from;
+        to = (processingResult.to || [])[0] || '';
+        subject = processingResult.subject || '';
+      }
+
+      // Try to get messageId
+      if (typeof processingResult.getMessageId === 'function') {
+        try {
+          messageId = processingResult.getMessageId() || '';
+        } catch {
+          messageId = '';
+        }
+      }
+
+      // Compute approximate size
+      const textLen = processingResult.text?.length || 0;
+      const htmlLen = processingResult.html?.length || 0;
+      let attachSize = 0;
+      if (typeof processingResult.getAttachmentsSize === 'function') {
+        try {
+          attachSize = processingResult.getAttachmentsSize() || 0;
+        } catch {
+          attachSize = 0;
+        }
+      }
+      size = this.formatSize(textLen + htmlLen + attachSize);
+    }
+
+    // Map queue status to catalog TEmailStatus
+    const status = this.mapStatus(item.status);
+
+    const createdAt = item.createdAt instanceof Date ? item.createdAt.getTime() : item.createdAt;
+
+    return {
+      id: item.id,
+      direction: 'outbound' as interfaces.requests.TEmailDirection,
+      status,
+      from,
+      to,
+      subject,
+      timestamp: new Date(createdAt).toISOString(),
+      messageId,
+      size,
+    };
+  }
+
+  /**
+   * Map a queue item to catalog IEmailDetail format
+   */
+  private mapQueueItemToEmailDetail(item: any): interfaces.requests.IEmailDetail {
+    const base = this.mapQueueItemToEmail(item);
+    const processingResult = item.processingResult;
+
+    let toList: string[] = [];
+    let cc: string[] = [];
+    let headers: Record<string, string> = {};
+    let body = '';
+
+    if (processingResult) {
+      if (processingResult.email) {
+        toList = processingResult.email.to || [];
+        cc = processingResult.email.cc || [];
+      } else {
+        toList = processingResult.to || [];
+        cc = processingResult.cc || [];
+      }
+
+      headers = processingResult.headers || {};
+      body = processingResult.html || processingResult.text || '';
+    }
+
+    return {
+      ...base,
+      toList,
+      cc,
+      smtpLog: [],
+      connectionInfo: {
+        sourceIp: '',
+        sourceHostname: '',
+        destinationIp: '',
+        destinationPort: 0,
+        tlsVersion: '',
+        tlsCipher: '',
+        authenticated: false,
+        authMethod: '',
+        authUser: '',
+      },
+      authenticationResults: {
+        spf: 'none',
+        spfDomain: '',
+        dkim: 'none',
+        dkimDomain: '',
+        dmarc: 'none',
+        dmarcPolicy: '',
+      },
+      rejectionReason: item.status === 'failed' ? item.lastError : undefined,
+      bounceMessage: item.status === 'failed' ? item.lastError : undefined,
+      headers,
+      body,
+    };
+  }
+
+  /**
+   * Map queue status to catalog TEmailStatus
+   */
+  private mapStatus(queueStatus: string): interfaces.requests.TEmailStatus {
+    switch (queueStatus) {
+      case 'pending':
+      case 'processing':
+        return 'pending';
+      case 'delivered':
+        return 'delivered';
+      case 'failed':
+        return 'bounced';
+      case 'deferred':
+        return 'deferred';
+      default:
+        return 'pending';
+    }
+  }
+
+  /**
+   * Format byte size to human-readable string
+   */
+  private formatSize(bytes: number): string {
+    if (bytes < 1024) return `${bytes} B`;
+    if (bytes < 1024 * 1024) return `${(bytes / 1024).toFixed(1)} KB`;
+    return `${(bytes / (1024 * 1024)).toFixed(1)} MB`;
  }
 }
--- a/ts/opsserver/handlers/index.ts
+++ b/ts/opsserver/handlers/index.ts
@@ -6,4 +6,6 @@ export * from './stats.handler.js';
 export * from './radius.handler.js';
 export * from './email-ops.handler.js';
 export * from './certificate.handler.js';
-export * from './remoteingress.handler.js';
+export * from './remoteingress.handler.js';
+export * from './route-management.handler.js';
+export * from './api-token.handler.js';
--- a/ts/opsserver/handlers/logs.handler.ts
+++ b/ts/opsserver/handlers/logs.handler.ts
@@ -1,19 +1,42 @@
 import * as plugins from '../../plugins.js';
 import type { OpsServer } from '../classes.opsserver.js';
 import * as interfaces from '../../../ts_interfaces/index.js';
+import { logBuffer, baseLogger } from '../../logger.js';
+
+// Module-level singleton: the log push destination is added once and reuses
+// the current OpsServer reference so it survives OpsServer restarts without
+// accumulating duplicate destinations.
+let logPushDestinationInstalled = false;
+let currentOpsServerRef: OpsServer | null = null;

 export class LogsHandler {
-  public typedrouter = new plugins.typedrequest.TypedRouter();
-  
+  private activeStreamStops: Set<() => void> = new Set();
+
  constructor(private opsServerRef: OpsServer) {
-    // Add this handler's router to the parent
-    this.opsServerRef.typedrouter.addTypedRouter(this.typedrouter);
    this.registerHandlers();
+    this.setupLogPushDestination();
  }
-  
+
+  /**
+   * Clean up all active log streams and deactivate the push destination.
+   * Called when OpsServer stops.
+   */
+  public cleanup(): void {
+    // Stop all active follow-mode log streams
+    for (const stop of this.activeStreamStops) {
+      stop();
+    }
+    this.activeStreamStops.clear();
+    // Deactivate the push destination (it stays registered but becomes a no-op)
+    currentOpsServerRef = null;
+  }
+
  private registerHandlers(): void {
+    // All log endpoints register directly on viewRouter (valid identity required via middleware)
+    const router = this.opsServerRef.viewRouter;
+
    // Get Recent Logs Handler
-    this.typedrouter.addTypedHandler(
+    router.addTypedHandler(
      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetRecentLogs>(
        'getRecentLogs',
        async (dataArg, toolsArg) => {
@@ -25,24 +48,24 @@ export class LogsHandler {
            dataArg.search,
            dataArg.timeRange
          );
-          
+
          return {
            logs,
-            total: logs.length, // TODO: Implement proper total count
-            hasMore: false, // TODO: Implement proper pagination
+            total: logs.length,
+            hasMore: false,
          };
        }
      )
    );
-    
+
    // Get Log Stream Handler
-    this.typedrouter.addTypedHandler(
+    router.addTypedHandler(
      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetLogStream>(
        'getLogStream',
        async (dataArg, toolsArg) => {
          // Create a virtual stream for log streaming
          const virtualStream = new plugins.typedrequest.VirtualStream<Uint8Array>();
-          
+
          // Set up log streaming
          const streamLogs = this.setupLogStream(
            virtualStream,
@@ -50,20 +73,47 @@ export class LogsHandler {
            dataArg.filters?.category,
            dataArg.follow
          );
-          
+
          // Start streaming
          streamLogs.start();
-          
-          // VirtualStream handles cleanup automatically
-          
+
+          // Track the stop function so we can clean up on shutdown
+          this.activeStreamStops.add(streamLogs.stop);
+
          return {
-            logStream: virtualStream as any, // Cast to IVirtualStream interface
+            logStream: virtualStream as any,
          };
        }
      )
    );
  }
-  
+
+  private static mapLogLevel(smartlogLevel: string): 'debug' | 'info' | 'warn' | 'error' {
+    switch (smartlogLevel) {
+      case 'silly':
+      case 'debug':
+        return 'debug';
+      case 'warn':
+        return 'warn';
+      case 'error':
+        return 'error';
+      default:
+        return 'info';
+    }
+  }
+
+  private static deriveCategory(
+    zone?: string,
+    message?: string
+  ): 'smtp' | 'dns' | 'security' | 'system' | 'email' {
+    const msg = (message || '').toLowerCase();
+    if (msg.includes('[security:') || msg.includes('security')) return 'security';
+    if (zone === 'email' || msg.includes('email') || msg.includes('smtp') || msg.includes('mta')) return 'email';
+    if (zone === 'dns' || msg.includes('dns')) return 'dns';
+    if (msg.includes('smtp')) return 'smtp';
+    return 'system';
+  }
+
  private async getRecentLogs(
    level?: 'error' | 'warn' | 'info' | 'debug',
    category?: 'smtp' | 'dns' | 'security' | 'system' | 'email',
@@ -78,44 +128,122 @@ export class LogsHandler {
    message: string;
    metadata?: any;
  }>> {
-    // TODO: Implement actual log retrieval from storage or logger
-    // For now, return mock data
-    const mockLogs: Array<{
+    // Compute a timestamp cutoff from timeRange
+    let since: number | undefined;
+    if (timeRange) {
+      const rangeMs: Record<string, number> = {
+        '1h': 3600000,
+        '6h': 21600000,
+        '24h': 86400000,
+        '7d': 604800000,
+        '30d': 2592000000,
+      };
+      since = Date.now() - (rangeMs[timeRange] || 86400000);
+    }
+
+    // Map the UI level to smartlog levels for filtering
+    const smartlogLevels: string[] | undefined = level
+      ? level === 'debug'
+        ? ['debug', 'silly']
+        : level === 'info'
+          ? ['info', 'ok', 'success', 'note', 'lifecycle']
+          : [level]
+      : undefined;
+
+    // Fetch a larger batch from buffer, then apply category filter client-side
+    const rawEntries = logBuffer.getEntries({
+      level: smartlogLevels as any,
+      search,
+      since,
+      limit: limit * 3, // over-fetch to compensate for category filtering
+      offset: 0,
+    });
+
+    // Map ILogPackage → UI log format and apply category filter
+    const mapped: Array<{
      timestamp: number;
      level: 'debug' | 'info' | 'warn' | 'error';
      category: 'smtp' | 'dns' | 'security' | 'system' | 'email';
      message: string;
      metadata?: any;
    }> = [];
-    
-    const categories: Array<'smtp' | 'dns' | 'security' | 'system' | 'email'> = ['smtp', 'dns', 'security', 'system', 'email'];
-    const levels: Array<'debug' | 'info' | 'warn' | 'error'> = ['info', 'warn', 'error', 'debug'];
-    const now = Date.now();
-    
-    // Generate some mock log entries
-    for (let i = 0; i < 50; i++) {
-      const mockCategory = categories[Math.floor(Math.random() * categories.length)];
-      const mockLevel = levels[Math.floor(Math.random() * levels.length)];
-      
-      // Filter by requested criteria
-      if (level && mockLevel !== level) continue;
-      if (category && mockCategory !== category) continue;
-      
-      mockLogs.push({
-        timestamp: now - (i * 60000), // 1 minute apart
-        level: mockLevel,
-        category: mockCategory,
-        message: `Sample log message ${i} from ${mockCategory}`,
-        metadata: {
-          requestId: plugins.uuid.v4(),
-        },
+
+    for (const pkg of rawEntries) {
+      const uiLevel = LogsHandler.mapLogLevel(pkg.level);
+      const uiCategory = LogsHandler.deriveCategory(pkg.context?.zone, pkg.message);
+
+      if (category && uiCategory !== category) continue;
+
+      mapped.push({
+        timestamp: pkg.timestamp,
+        level: uiLevel,
+        category: uiCategory,
+        message: pkg.message,
+        metadata: pkg.data,
      });
+
+      if (mapped.length >= limit) break;
    }
-    
-    // Apply pagination
-    return mockLogs.slice(offset, offset + limit);
+
+    return mapped;
  }
-  
+
+  /**
+   * Add a log destination to the base logger that pushes entries
+   * to all connected ops_dashboard TypedSocket clients.
+   *
+   * Uses a module-level singleton so the destination is added only once,
+   * even across OpsServer restart cycles. The destination reads
+   * `currentOpsServerRef` dynamically so it always uses the active server.
+   */
+  private setupLogPushDestination(): void {
+    // Update the module-level reference so the existing destination uses the new server
+    currentOpsServerRef = this.opsServerRef;
+
+    if (logPushDestinationInstalled) {
+      return; // destination already registered — just updated the ref
+    }
+    logPushDestinationInstalled = true;
+
+    baseLogger.addLogDestination({
+      async handleLog(logPackage: any) {
+        const opsServer = currentOpsServerRef;
+        if (!opsServer) return;
+
+        const typedsocket = opsServer.server?.typedserver?.typedsocket;
+        if (!typedsocket) return;
+
+        let connections: any[];
+        try {
+          connections = await typedsocket.findAllTargetConnectionsByTag('role', 'ops_dashboard');
+        } catch {
+          return;
+        }
+        if (connections.length === 0) return;
+
+        const entry: interfaces.data.ILogEntry = {
+          timestamp: logPackage.timestamp || Date.now(),
+          level: LogsHandler.mapLogLevel(logPackage.level),
+          category: LogsHandler.deriveCategory(logPackage.context?.zone, logPackage.message),
+          message: logPackage.message,
+          metadata: logPackage.data,
+        };
+
+        for (const conn of connections) {
+          try {
+            const push = typedsocket.createTypedRequest<interfaces.requests.IReq_PushLogEntry>(
+              'pushLogEntry',
+              conn,
+            );
+            push.fire({ entry }).catch(() => {}); // fire-and-forget
+          } catch {
+            // connection may have closed
+          }
+        }
+      },
+    });
+  }
+
  private setupLogStream(
    virtualStream: plugins.typedrequest.VirtualStream<Uint8Array>,
    levelFilter?: string[],
@@ -126,8 +254,18 @@ export class LogsHandler {
    stop: () => void;
  } {
    let intervalId: NodeJS.Timeout | null = null;
+    let stopped = false;
    let logIndex = 0;
-    
+
+    const stop = () => {
+      stopped = true;
+      if (intervalId) {
+        clearInterval(intervalId);
+        intervalId = null;
+      }
+      this.activeStreamStops.delete(stop);
+    };
+
    const start = () => {
      if (!follow) {
        // Send existing logs and close
@@ -142,23 +280,29 @@ export class LogsHandler {
            const encoder = new TextEncoder();
            virtualStream.sendData(encoder.encode(logData));
          });
-          // VirtualStream doesn't have end() method - it closes automatically
        });
        return;
      }
-      
+
      // For follow mode, simulate real-time log streaming
-      intervalId = setInterval(() => {
+      intervalId = setInterval(async () => {
+        if (stopped) {
+          // Guard: clear interval if stop() was called between ticks
+          clearInterval(intervalId!);
+          intervalId = null;
+          return;
+        }
+
        const categories: Array<'smtp' | 'dns' | 'security' | 'system' | 'email'> = ['smtp', 'dns', 'security', 'system', 'email'];
        const levels: Array<'debug' | 'info' | 'warn' | 'error'> = ['info', 'warn', 'error', 'debug'];
-        
+
        const mockCategory = categories[Math.floor(Math.random() * categories.length)];
        const mockLevel = levels[Math.floor(Math.random() * levels.length)];
-        
+
        // Filter by requested criteria
        if (levelFilter && !levelFilter.includes(mockLevel)) return;
        if (categoryFilter && !categoryFilter.includes(mockCategory)) return;
-        
+
        const logEntry = {
          timestamp: Date.now(),
          level: mockLevel,
@@ -168,28 +312,29 @@ export class LogsHandler {
            requestId: plugins.uuid.v4(),
          },
        };
-        
+
        const logData = JSON.stringify(logEntry);
        const encoder = new TextEncoder();
-        virtualStream.sendData(encoder.encode(logData));
-      }, 2000); // Send a log every 2 seconds
-      
-      // TODO: Hook into actual logger events
-      // logger.on('log', (logEntry) => {
-      //   if (matchesCriteria(logEntry, level, service)) {
-      //     virtualStream.sendData(formatLogEntry(logEntry));
-      //   }
-      // });
+        try {
+          // Use a timeout to detect hung streams (sendData can hang if the
+          // VirtualStream's keepAlive loop has ended)
+          let timeoutHandle: ReturnType<typeof setTimeout>;
+          await Promise.race([
+            virtualStream.sendData(encoder.encode(logData)).then((result) => {
+              clearTimeout(timeoutHandle);
+              return result;
+            }),
+            new Promise<never>((_, reject) => {
+              timeoutHandle = setTimeout(() => reject(new Error('stream send timeout')), 10_000);
+            }),
+          ]);
+        } catch {
+          // Stream closed, errored, or timed out — clean up
+          stop();
+        }
+      }, 2000);
    };
-    
-    const stop = () => {
-      if (intervalId) {
-        clearInterval(intervalId);
-        intervalId = null;
-      }
-      // TODO: Unhook from logger events
-    };
-    
+
    return { start, stop };
  }
-}
+}
--- a/ts/opsserver/handlers/radius.handler.ts
+++ b/ts/opsserver/handlers/radius.handler.ts
@@ -3,21 +3,19 @@ import type { OpsServer } from '../classes.opsserver.js';
 import * as interfaces from '../../../ts_interfaces/index.js';

 export class RadiusHandler {
-  public typedrouter = new plugins.typedrequest.TypedRouter();
-
  constructor(private opsServerRef: OpsServer) {
-    // Add this handler's router to the parent
-    this.opsServerRef.typedrouter.addTypedRouter(this.typedrouter);
    this.registerHandlers();
  }

  private registerHandlers(): void {
+    const viewRouter = this.opsServerRef.viewRouter;
+    const adminRouter = this.opsServerRef.adminRouter;
    // ========================================================================
    // RADIUS Client Management
    // ========================================================================

-    // Get all RADIUS clients
-    this.typedrouter.addTypedHandler(
+    // Get all RADIUS clients (read)
+    viewRouter.addTypedHandler(
      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetRadiusClients>(
        'getRadiusClients',
        async (dataArg, toolsArg) => {
@@ -40,8 +38,8 @@ export class RadiusHandler {
      )
    );

-    // Add or update a RADIUS client
-    this.typedrouter.addTypedHandler(
+    // Add or update a RADIUS client (write)
+    adminRouter.addTypedHandler(
      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_SetRadiusClient>(
        'setRadiusClient',
        async (dataArg, toolsArg) => {
@@ -61,8 +59,8 @@ export class RadiusHandler {
      )
    );

-    // Remove a RADIUS client
-    this.typedrouter.addTypedHandler(
+    // Remove a RADIUS client (write)
+    adminRouter.addTypedHandler(
      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_RemoveRadiusClient>(
        'removeRadiusClient',
        async (dataArg, toolsArg) => {
@@ -85,8 +83,8 @@ export class RadiusHandler {
    // VLAN Mapping Management
    // ========================================================================

-    // Get all VLAN mappings
-    this.typedrouter.addTypedHandler(
+    // Get all VLAN mappings (read)
+    viewRouter.addTypedHandler(
      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetVlanMappings>(
        'getVlanMappings',
        async (dataArg, toolsArg) => {
@@ -121,8 +119,8 @@ export class RadiusHandler {
      )
    );

-    // Add or update a VLAN mapping
-    this.typedrouter.addTypedHandler(
+    // Add or update a VLAN mapping (write)
+    adminRouter.addTypedHandler(
      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_SetVlanMapping>(
        'setVlanMapping',
        async (dataArg, toolsArg) => {
@@ -153,8 +151,8 @@ export class RadiusHandler {
      )
    );

-    // Remove a VLAN mapping
-    this.typedrouter.addTypedHandler(
+    // Remove a VLAN mapping (write)
+    adminRouter.addTypedHandler(
      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_RemoveVlanMapping>(
        'removeVlanMapping',
        async (dataArg, toolsArg) => {
@@ -174,8 +172,8 @@ export class RadiusHandler {
      )
    );

-    // Update VLAN configuration
-    this.typedrouter.addTypedHandler(
+    // Update VLAN configuration (write)
+    adminRouter.addTypedHandler(
      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_UpdateVlanConfig>(
        'updateVlanConfig',
        async (dataArg, toolsArg) => {
@@ -206,8 +204,8 @@ export class RadiusHandler {
      )
    );

-    // Test VLAN assignment
-    this.typedrouter.addTypedHandler(
+    // Test VLAN assignment (read)
+    viewRouter.addTypedHandler(
      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_TestVlanAssignment>(
        'testVlanAssignment',
        async (dataArg, toolsArg) => {
@@ -240,8 +238,8 @@ export class RadiusHandler {
    // Accounting / Session Management
    // ========================================================================

-    // Get active sessions
-    this.typedrouter.addTypedHandler(
+    // Get active sessions (read)
+    viewRouter.addTypedHandler(
      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetRadiusSessions>(
        'getRadiusSessions',
        async (dataArg, toolsArg) => {
@@ -289,8 +287,8 @@ export class RadiusHandler {
      )
    );

-    // Disconnect a session
-    this.typedrouter.addTypedHandler(
+    // Disconnect a session (write)
+    adminRouter.addTypedHandler(
      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_DisconnectRadiusSession>(
        'disconnectRadiusSession',
        async (dataArg, toolsArg) => {
@@ -314,8 +312,8 @@ export class RadiusHandler {
      )
    );

-    // Get accounting summary
-    this.typedrouter.addTypedHandler(
+    // Get accounting summary (read)
+    viewRouter.addTypedHandler(
      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetRadiusAccountingSummary>(
        'getRadiusAccountingSummary',
        async (dataArg, toolsArg) => {
@@ -351,8 +349,8 @@ export class RadiusHandler {
    // Statistics
    // ========================================================================

-    // Get RADIUS statistics
-    this.typedrouter.addTypedHandler(
+    // Get RADIUS statistics (read)
+    viewRouter.addTypedHandler(
      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetRadiusStatistics>(
        'getRadiusStatistics',
        async (dataArg, toolsArg) => {
--- a/ts/opsserver/handlers/remoteingress.handler.ts
+++ b/ts/opsserver/handlers/remoteingress.handler.ts
@@ -3,16 +3,18 @@ import type { OpsServer } from '../classes.opsserver.js';
 import * as interfaces from '../../../ts_interfaces/index.js';

 export class RemoteIngressHandler {
-  public typedrouter = new plugins.typedrequest.TypedRouter();
-
  constructor(private opsServerRef: OpsServer) {
-    this.opsServerRef.typedrouter.addTypedRouter(this.typedrouter);
    this.registerHandlers();
  }

  private registerHandlers(): void {
+    const viewRouter = this.opsServerRef.viewRouter;
+    const adminRouter = this.opsServerRef.adminRouter;
+
+    // ---- Read endpoints (viewRouter — valid identity required via middleware) ----
+
    // Get all remote ingress edges
-    this.typedrouter.addTypedHandler(
+    viewRouter.addTypedHandler(
      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetRemoteIngresses>(
        'getRemoteIngresses',
        async (dataArg, toolsArg) => {
@@ -36,8 +38,10 @@ export class RemoteIngressHandler {
      ),
    );

+    // ---- Write endpoints (adminRouter) ----
+
    // Create a new remote ingress edge
-    this.typedrouter.addTypedHandler(
+    adminRouter.addTypedHandler(
      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_CreateRemoteIngress>(
        'createRemoteIngress',
        async (dataArg, toolsArg) => {
@@ -69,7 +73,7 @@ export class RemoteIngressHandler {
    );

    // Delete a remote ingress edge
-    this.typedrouter.addTypedHandler(
+    adminRouter.addTypedHandler(
      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_DeleteRemoteIngress>(
        'deleteRemoteIngress',
        async (dataArg, toolsArg) => {
@@ -94,7 +98,7 @@ export class RemoteIngressHandler {
    );

    // Update a remote ingress edge
-    this.typedrouter.addTypedHandler(
+    adminRouter.addTypedHandler(
      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_UpdateRemoteIngress>(
        'updateRemoteIngress',
        async (dataArg, toolsArg) => {
@@ -117,8 +121,8 @@ export class RemoteIngressHandler {
            return { success: false, edge: null as any };
          }

-          // Sync allowed edges if enabled status changed
-          if (tunnelManager && dataArg.enabled !== undefined) {
+          // Sync allowed edges — ports, tags, or enabled may have changed
+          if (tunnelManager) {
            await tunnelManager.syncAllowedEdges();
          }

@@ -138,7 +142,7 @@ export class RemoteIngressHandler {
    );

    // Regenerate secret for an edge
-    this.typedrouter.addTypedHandler(
+    adminRouter.addTypedHandler(
      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_RegenerateRemoteIngressSecret>(
        'regenerateRemoteIngressSecret',
        async (dataArg, toolsArg) => {
@@ -164,8 +168,8 @@ export class RemoteIngressHandler {
      ),
    );

-    // Get runtime status of all edges
-    this.typedrouter.addTypedHandler(
+    // Get runtime status of all edges (read)
+    viewRouter.addTypedHandler(
      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetRemoteIngressStatus>(
        'getRemoteIngressStatus',
        async (dataArg, toolsArg) => {
@@ -177,5 +181,46 @@ export class RemoteIngressHandler {
        },
      ),
    );
+
+    // Get a connection token for an edge (write — exposes secret)
+    adminRouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetRemoteIngressConnectionToken>(
+        'getRemoteIngressConnectionToken',
+        async (dataArg, toolsArg) => {
+          const manager = this.opsServerRef.dcRouterRef.remoteIngressManager;
+          if (!manager) {
+            return { success: false, message: 'RemoteIngress not configured' };
+          }
+
+          const edge = manager.getEdge(dataArg.edgeId);
+          if (!edge) {
+            return { success: false, message: 'Edge not found' };
+          }
+          if (!edge.enabled) {
+            return { success: false, message: 'Edge is disabled' };
+          }
+
+          const hubHost = dataArg.hubHost
+            || this.opsServerRef.dcRouterRef.options.remoteIngressConfig?.hubDomain;
+          if (!hubHost) {
+            return {
+              success: false,
+              message: 'No hub hostname configured. Set hubDomain in remoteIngressConfig or provide hubHost.',
+            };
+          }
+
+          const hubPort = this.opsServerRef.dcRouterRef.options.remoteIngressConfig?.tunnelPort ?? 8443;
+
+          const token = plugins.remoteingress.encodeConnectionToken({
+            hubHost,
+            hubPort,
+            edgeId: edge.id,
+            secret: edge.secret,
+          });
+
+          return { success: true, token };
+        },
+      ),
+    );
  }
 }
--- a/ts/opsserver/handlers/route-management.handler.ts
+++ b/ts/opsserver/handlers/route-management.handler.ts
@@ -0,0 +1,163 @@
+import * as plugins from '../../plugins.js';
+import type { OpsServer } from '../classes.opsserver.js';
+import * as interfaces from '../../../ts_interfaces/index.js';
+
+export class RouteManagementHandler {
+  public typedrouter = new plugins.typedrequest.TypedRouter();
+
+  constructor(private opsServerRef: OpsServer) {
+    this.opsServerRef.typedrouter.addTypedRouter(this.typedrouter);
+    this.registerHandlers();
+  }
+
+  /**
+   * Validate auth: JWT identity OR API token with required scope.
+   * Returns a userId string on success, throws on failure.
+   */
+  private async requireAuth(
+    request: { identity?: interfaces.data.IIdentity; apiToken?: string },
+    requiredScope?: interfaces.data.TApiTokenScope,
+  ): Promise<string> {
+    // Try JWT identity first
+    if (request.identity?.jwt) {
+      try {
+        const isAdmin = await this.opsServerRef.adminHandler.adminIdentityGuard.exec({
+          identity: request.identity,
+        });
+        if (isAdmin) return request.identity.userId;
+      } catch { /* fall through */ }
+    }
+
+    // Try API token
+    if (request.apiToken) {
+      const tokenManager = this.opsServerRef.dcRouterRef.apiTokenManager;
+      if (tokenManager) {
+        const token = await tokenManager.validateToken(request.apiToken);
+        if (token) {
+          if (!requiredScope || tokenManager.hasScope(token, requiredScope)) {
+            return token.createdBy;
+          }
+          throw new plugins.typedrequest.TypedResponseError('insufficient scope');
+        }
+      }
+    }
+
+    throw new plugins.typedrequest.TypedResponseError('unauthorized');
+  }
+
+  private registerHandlers(): void {
+    // Get merged routes
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetMergedRoutes>(
+        'getMergedRoutes',
+        async (dataArg) => {
+          await this.requireAuth(dataArg, 'routes:read');
+          const manager = this.opsServerRef.dcRouterRef.routeConfigManager;
+          if (!manager) {
+            return { routes: [], warnings: [] };
+          }
+          return manager.getMergedRoutes();
+        },
+      ),
+    );
+
+    // Create route
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_CreateRoute>(
+        'createRoute',
+        async (dataArg) => {
+          const userId = await this.requireAuth(dataArg, 'routes:write');
+          const manager = this.opsServerRef.dcRouterRef.routeConfigManager;
+          if (!manager) {
+            return { success: false, message: 'Route management not initialized' };
+          }
+          const id = await manager.createRoute(dataArg.route, userId, dataArg.enabled ?? true);
+          return { success: true, storedRouteId: id };
+        },
+      ),
+    );
+
+    // Update route
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_UpdateRoute>(
+        'updateRoute',
+        async (dataArg) => {
+          await this.requireAuth(dataArg, 'routes:write');
+          const manager = this.opsServerRef.dcRouterRef.routeConfigManager;
+          if (!manager) {
+            return { success: false, message: 'Route management not initialized' };
+          }
+          const ok = await manager.updateRoute(dataArg.id, {
+            route: dataArg.route as any,
+            enabled: dataArg.enabled,
+          });
+          return { success: ok, message: ok ? undefined : 'Route not found' };
+        },
+      ),
+    );
+
+    // Delete route
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_DeleteRoute>(
+        'deleteRoute',
+        async (dataArg) => {
+          await this.requireAuth(dataArg, 'routes:write');
+          const manager = this.opsServerRef.dcRouterRef.routeConfigManager;
+          if (!manager) {
+            return { success: false, message: 'Route management not initialized' };
+          }
+          const ok = await manager.deleteRoute(dataArg.id);
+          return { success: ok, message: ok ? undefined : 'Route not found' };
+        },
+      ),
+    );
+
+    // Set override on a hardcoded route
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_SetRouteOverride>(
+        'setRouteOverride',
+        async (dataArg) => {
+          const userId = await this.requireAuth(dataArg, 'routes:write');
+          const manager = this.opsServerRef.dcRouterRef.routeConfigManager;
+          if (!manager) {
+            return { success: false, message: 'Route management not initialized' };
+          }
+          await manager.setOverride(dataArg.routeName, dataArg.enabled, userId);
+          return { success: true };
+        },
+      ),
+    );
+
+    // Remove override from a hardcoded route
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_RemoveRouteOverride>(
+        'removeRouteOverride',
+        async (dataArg) => {
+          await this.requireAuth(dataArg, 'routes:write');
+          const manager = this.opsServerRef.dcRouterRef.routeConfigManager;
+          if (!manager) {
+            return { success: false, message: 'Route management not initialized' };
+          }
+          const ok = await manager.removeOverride(dataArg.routeName);
+          return { success: ok, message: ok ? undefined : 'Override not found' };
+        },
+      ),
+    );
+
+    // Toggle programmatic route
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_ToggleRoute>(
+        'toggleRoute',
+        async (dataArg) => {
+          await this.requireAuth(dataArg, 'routes:write');
+          const manager = this.opsServerRef.dcRouterRef.routeConfigManager;
+          if (!manager) {
+            return { success: false, message: 'Route management not initialized' };
+          }
+          const ok = await manager.toggleRoute(dataArg.id, dataArg.enabled);
+          return { success: ok, message: ok ? undefined : 'Route not found' };
+        },
+      ),
+    );
+  }
+}
--- a/ts/opsserver/handlers/security.handler.ts
+++ b/ts/opsserver/handlers/security.handler.ts
@@ -4,17 +4,16 @@ import * as interfaces from '../../../ts_interfaces/index.js';
 import { MetricsManager } from '../../monitoring/index.js';

 export class SecurityHandler {
-  public typedrouter = new plugins.typedrequest.TypedRouter();
-  
  constructor(private opsServerRef: OpsServer) {
-    // Add this handler's router to the parent
-    this.opsServerRef.typedrouter.addTypedRouter(this.typedrouter);
    this.registerHandlers();
  }
-  
+
  private registerHandlers(): void {
+    // All security endpoints register directly on viewRouter (valid identity required via middleware)
+    const router = this.opsServerRef.viewRouter;
+
    // Security Metrics Handler
-    this.typedrouter.addTypedHandler(
+    router.addTypedHandler(
      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetSecurityMetrics>(
        'getSecurityMetrics',
        async (dataArg, toolsArg) => {
@@ -40,7 +39,7 @@ export class SecurityHandler {
    );
    
    // Active Connections Handler
-    this.typedrouter.addTypedHandler(
+    router.addTypedHandler(
      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetActiveConnections>(
        'getActiveConnections',
        async (dataArg, toolsArg) => {
@@ -77,8 +76,8 @@ export class SecurityHandler {
    );
    
    // Network Stats Handler - provides comprehensive network metrics
-    this.typedrouter.addTypedHandler(
-      new plugins.typedrequest.TypedHandler(
+    router.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetNetworkStats>(
        'getNetworkStats',
        async (dataArg, toolsArg) => {
          // Get network stats from MetricsManager if available
@@ -121,7 +120,7 @@ export class SecurityHandler {
    );
    
    // Rate Limit Status Handler
-    this.typedrouter.addTypedHandler(
+    router.addTypedHandler(
      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetRateLimitStatus>(
        'getRateLimitStatus',
        async (dataArg, toolsArg) => {
--- a/ts/opsserver/handlers/stats.handler.ts
+++ b/ts/opsserver/handlers/stats.handler.ts
@@ -2,19 +2,19 @@ import * as plugins from '../../plugins.js';
 import type { OpsServer } from '../classes.opsserver.js';
 import * as interfaces from '../../../ts_interfaces/index.js';
 import { MetricsManager } from '../../monitoring/index.js';
+import { SecurityLogger } from '../../security/classes.securitylogger.js';

 export class StatsHandler {
-  public typedrouter = new plugins.typedrequest.TypedRouter();
-  
  constructor(private opsServerRef: OpsServer) {
-    // Add this handler's router to the parent
-    this.opsServerRef.typedrouter.addTypedRouter(this.typedrouter);
    this.registerHandlers();
  }
-  
+
  private registerHandlers(): void {
+    // All stats endpoints register directly on viewRouter (valid identity required via middleware)
+    const router = this.opsServerRef.viewRouter;
+
    // Server Statistics Handler
-    this.typedrouter.addTypedHandler(
+    router.addTypedHandler(
      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetServerStatistics>(
        'getServerStatistics',
        async (dataArg, toolsArg) => {
@@ -37,7 +37,7 @@ export class StatsHandler {
    );
    
    // Email Statistics Handler
-    this.typedrouter.addTypedHandler(
+    router.addTypedHandler(
      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetEmailStatistics>(
        'getEmailStatistics',
        async (dataArg, toolsArg) => {
@@ -76,7 +76,7 @@ export class StatsHandler {
    );
    
    // DNS Statistics Handler
-    this.typedrouter.addTypedHandler(
+    router.addTypedHandler(
      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetDnsStatistics>(
        'getDnsStatistics',
        async (dataArg, toolsArg) => {
@@ -113,7 +113,7 @@ export class StatsHandler {
    );
    
    // Queue Status Handler
-    this.typedrouter.addTypedHandler(
+    router.addTypedHandler(
      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetQueueStatus>(
        'getQueueStatus',
        async (dataArg, toolsArg) => {
@@ -141,7 +141,7 @@ export class StatsHandler {
    );
    
    // Health Status Handler
-    this.typedrouter.addTypedHandler(
+    router.addTypedHandler(
      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetHealthStatus>(
        'getHealthStatus',
        async (dataArg, toolsArg) => {
@@ -166,7 +166,7 @@ export class StatsHandler {
    );
    
    // Combined Metrics Handler - More efficient for frontend polling
-    this.typedrouter.addTypedHandler(
+    router.addTypedHandler(
      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetCombinedMetrics>(
        'getCombinedMetrics',
        async (dataArg, toolsArg) => {
@@ -203,6 +203,11 @@ export class StatsHandler {
          if (sections.email) {
            promises.push(
              this.collectEmailStats().then(stats => {
+                // Get time-series data from MetricsManager
+                const timeSeries = this.opsServerRef.dcRouterRef.metricsManager
+                  ? this.opsServerRef.dcRouterRef.metricsManager.getEmailTimeSeries(24)
+                  : undefined;
+
                metrics.email = {
                  sent: stats.sentToday,
                  received: stats.receivedToday,
@@ -212,6 +217,7 @@ export class StatsHandler {
                  averageDeliveryTime: 0,
                  deliveryRate: stats.deliveryRate,
                  bounceRate: stats.bounceRate,
+                  timeSeries,
                };
              })
            );
@@ -220,6 +226,11 @@ export class StatsHandler {
          if (sections.dns) {
            promises.push(
              this.collectDnsStats().then(stats => {
+                // Get time-series data from MetricsManager
+                const timeSeries = this.opsServerRef.dcRouterRef.metricsManager
+                  ? this.opsServerRef.dcRouterRef.metricsManager.getDnsTimeSeries(24)
+                  : undefined;
+
                metrics.dns = {
                  totalQueries: stats.totalQueries,
                  cacheHits: stats.cacheHits,
@@ -228,6 +239,8 @@ export class StatsHandler {
                  activeDomains: stats.topDomains.length,
                  averageResponseTime: 0,
                  queryTypes: stats.queryTypes,
+                  timeSeries,
+                  recentQueries: stats.recentQueries,
                };
              })
            );
@@ -236,6 +249,19 @@ export class StatsHandler {
          if (sections.security && this.opsServerRef.dcRouterRef.metricsManager) {
            promises.push(
              this.opsServerRef.dcRouterRef.metricsManager.getSecurityStats().then(stats => {
+                // Get recent events from the SecurityLogger singleton
+                const securityLogger = SecurityLogger.getInstance();
+                const recentEvents = securityLogger.getRecentEvents(50).map((evt) => ({
+                  timestamp: evt.timestamp,
+                  level: evt.level,
+                  type: evt.type,
+                  message: evt.message,
+                  details: evt.details,
+                  ipAddress: evt.ipAddress,
+                  domain: evt.domain,
+                  success: evt.success,
+                }));
+
                metrics.security = {
                  blockedIPs: stats.blockedIPs,
                  reputationScores: {},
@@ -244,6 +270,7 @@ export class StatsHandler {
                  phishingDetected: stats.phishingDetected,
                  authenticationFailures: stats.authFailures,
                  suspiciousActivities: stats.totalThreatsBlocked,
+                  recentEvents,
                };
              })
            );
@@ -395,6 +422,7 @@ export class StatsHandler {
      count: number;
    }>;
    queryTypes: { [key: string]: number };
+    recentQueries?: Array<{ timestamp: number; domain: string; type: string; answered: boolean; responseTimeMs: number }>;
    domainBreakdown?: { [domain: string]: interfaces.data.IDnsStats };
  }> {
    // Get metrics from MetricsManager if available
@@ -408,9 +436,10 @@ export class StatsHandler {
        cacheHitRate: dnsStats.cacheHitRate,
        topDomains: dnsStats.topDomains,
        queryTypes: dnsStats.queryTypes,
+        recentQueries: dnsStats.recentQueries,
      };
    }
-    
+
    // Fallback if MetricsManager not available
    return {
      queriesPerSecond: 0,
--- a/ts/opsserver/helpers/guards.ts
+++ b/ts/opsserver/helpers/guards.ts
@@ -22,16 +22,17 @@ export async function passGuards<T extends { identity?: any }>(
 }

 /**
- * Helper to check admin identity in handlers
+ * Helper to check admin identity in handlers and middleware.
+ * Accepts both optional and required identity for flexibility.
 */
-export async function requireAdminIdentity<T extends { identity?: interfaces.data.IIdentity }>(
+export async function requireAdminIdentity(
  adminHandler: AdminHandler,
-  dataArg: T
+  dataArg: { identity?: interfaces.data.IIdentity }
 ): Promise<void> {
  if (!dataArg.identity) {
    throw new plugins.typedrequest.TypedResponseError('No identity provided');
  }
-  
+
  const passed = await adminHandler.adminIdentityGuard.exec({ identity: dataArg.identity });
  if (!passed) {
    throw new plugins.typedrequest.TypedResponseError('Admin access required');
@@ -39,16 +40,17 @@ export async function requireAdminIdentity<T extends { identity?: interfaces.dat
 }

 /**
- * Helper to check valid identity in handlers
+ * Helper to check valid identity in handlers and middleware.
+ * Accepts both optional and required identity for flexibility.
 */
-export async function requireValidIdentity<T extends { identity?: interfaces.data.IIdentity }>(
+export async function requireValidIdentity(
  adminHandler: AdminHandler,
-  dataArg: T
+  dataArg: { identity?: interfaces.data.IIdentity }
 ): Promise<void> {
  if (!dataArg.identity) {
    throw new plugins.typedrequest.TypedResponseError('No identity provided');
  }
-  
+
  const passed = await adminHandler.validIdentityGuard.exec({ identity: dataArg.identity });
  if (!passed) {
    throw new plugins.typedrequest.TypedResponseError('Valid identity required');
--- a/ts/radius/classes.vlan.manager.ts
+++ b/ts/radius/classes.vlan.manager.ts
@@ -100,6 +100,14 @@ export class VlanManager {
    // Cache the result
    this.normalizedMacCache.set(mac, normalized);

+    // Prevent unbounded cache growth
+    if (this.normalizedMacCache.size > 10000) {
+      const iterator = this.normalizedMacCache.keys();
+      for (let i = 0; i < 1000; i++) {
+        this.normalizedMacCache.delete(iterator.next().value);
+      }
+    }
+
    return normalized;
  }

--- a/ts/readme.md
+++ b/ts/readme.md
@@ -0,0 +1,146 @@
+# @serve.zone/dcrouter
+
+The core DcRouter package — a unified datacenter gateway orchestrator. 🚀
+
+This is the main entry point for DcRouter. It provides the `DcRouter` class that wires together SmartProxy, smartmta, SmartDNS, SmartRadius, RemoteIngress, and the OpsServer dashboard into a single cohesive service.
+
+## Issue Reporting and Security
+
+For reporting bugs, issues, or security vulnerabilities, please visit [community.foss.global/](https://community.foss.global/). This is the central community hub for all issue reporting. Developers who sign and comply with our contribution agreement and go through identification can also get a [code.foss.global/](https://code.foss.global/) account to submit Pull Requests directly.
+
+## Installation
+
+```bash
+pnpm add @serve.zone/dcrouter
+```
+
+## Usage
+
+```typescript
+import { DcRouter } from '@serve.zone/dcrouter';
+
+const router = new DcRouter({
+  smartProxyConfig: {
+    routes: [
+      {
+        name: 'web-app',
+        match: { domains: ['example.com'], ports: [443] },
+        action: {
+          type: 'forward',
+          targets: [{ host: '192.168.1.10', port: 8080 }],
+          tls: { mode: 'terminate', certificate: 'auto' }
+        }
+      }
+    ],
+    acme: { email: 'admin@example.com', enabled: true, useProduction: true }
+  }
+});
+
+await router.start();
+// OpsServer dashboard at http://localhost:3000
+
+// Graceful shutdown
+await router.stop();
+```
+
+## Module Structure
+
+```
+ts/
+├── index.ts                        # Main exports (DcRouter, re-exported smartmta types)
+├── classes.dcrouter.ts             # DcRouter orchestrator class + IDcRouterOptions
+├── classes.cert-provision-scheduler.ts  # Per-domain cert backoff scheduler
+├── classes.storage-cert-manager.ts # SmartAcme cert manager backed by StorageManager
+├── logger.ts                       # Structured logging utility
+├── paths.ts                        # Centralized data directory paths
+├── plugins.ts                      # All dependency imports
+├── cache/                          # Cache database (smartdata + LocalTsmDb)
+│   ├── classes.cachedb.ts          # CacheDb singleton
+│   ├── classes.cachecleaner.ts     # TTL-based cleanup
+│   └── documents/                  # Cached document models
+├── config/                         # Configuration utilities
+├── errors/                         # Error classes and retry logic
+├── monitoring/                     # MetricsManager (SmartMetrics integration)
+├── opsserver/                      # OpsServer dashboard + API handlers
+│   ├── classes.opsserver.ts        # HTTP server + TypedRouter setup
+│   └── handlers/                   # TypedRequest handlers by domain
+│       ├── admin.handler.ts        # Auth (login/logout/verify)
+│       ├── stats.handler.ts        # Statistics + health
+│       ├── config.handler.ts       # Configuration (read-only)
+│       ├── logs.handler.ts         # Log retrieval
+│       ├── email.handler.ts        # Email operations
+│       ├── certificate.handler.ts  # Certificate management
+│       ├── radius.handler.ts       # RADIUS management
+│       └── remoteingress.handler.ts # Remote ingress edge + token management
+├── radius/                         # RADIUS server integration
+├── remoteingress/                  # Remote ingress hub integration
+│   ├── classes.remoteingress-manager.ts  # Edge CRUD + port derivation
+│   └── classes.tunnel-manager.ts   # Rust hub lifecycle + status tracking
+├── security/                       # Security utilities
+├── sms/                            # SMS integration
+└── storage/                        # StorageManager (filesystem/custom/memory)
+```
+
+## Exports
+
+```typescript
+// Main class
+export { DcRouter, IDcRouterOptions } from './classes.dcrouter.js';
+
+// Re-exported from smartmta
+export { UnifiedEmailServer } from '@push.rocks/smartmta';
+export type { IUnifiedEmailServerOptions, IEmailRoute, IEmailDomainConfig } from '@push.rocks/smartmta';
+
+// RADIUS
+export { RadiusServer, IRadiusServerConfig } from './radius/index.js';
+
+// Remote Ingress
+export { RemoteIngressManager, TunnelManager } from './remoteingress/index.js';
+```
+
+## Key Classes
+
+### `DcRouter`
+
+The central orchestrator. Accepts `IDcRouterOptions` and manages the lifecycle of all sub-services:
+
+| Config Section | Service Started | Package |
+|----------------|----------------|---------|
+| `smartProxyConfig` | SmartProxy (HTTP/HTTPS/TCP/SNI) | `@push.rocks/smartproxy` |
+| `emailConfig` | UnifiedEmailServer (SMTP) | `@push.rocks/smartmta` |
+| `dnsNsDomains` + `dnsScopes` | DnsServer (UDP + DoH) | `@push.rocks/smartdns` |
+| `radiusConfig` | RadiusServer (auth + accounting) | `@push.rocks/smartradius` |
+| `remoteIngressConfig` | RemoteIngressManager + TunnelManager | `@serve.zone/remoteingress` |
+| `tls` + `dnsChallenge` | SmartAcme (ACME cert provisioning) | `@push.rocks/smartacme` |
+| `cacheConfig` | CacheDb (embedded MongoDB) | `@push.rocks/smartdata` |
+| *(always)* | OpsServer (dashboard + API) | `@api.global/typedserver` |
+| *(always)* | MetricsManager | `@push.rocks/smartmetrics` |
+
+### `RemoteIngressManager`
+
+Manages CRUD for remote ingress edge registrations. Persists edges via StorageManager. Provides port derivation from routes tagged with `remoteIngress.enabled`.
+
+### `TunnelManager`
+
+Manages the Rust-based RemoteIngressHub lifecycle. Syncs allowed edges, tracks connection status, and exposes edge statuses (connected, publicIp, activeTunnels, lastHeartbeat).
+
+## License and Legal Information
+
+This repository contains open-source code licensed under the MIT License. A copy of the license can be found in the [LICENSE](../LICENSE) file.
+
+**Please note:** The MIT License does not grant permission to use the trade names, trademarks, service marks, or product names of the project, except as required for reasonable and customary use in describing the origin of the work and reproducing the content of the NOTICE file.
+
+### Trademarks
+
+This project is owned and maintained by Task Venture Capital GmbH. The names and logos associated with Task Venture Capital GmbH and any related products or services are trademarks of Task Venture Capital GmbH or third parties, and are not included within the scope of the MIT license granted herein.
+
+Use of these trademarks must comply with Task Venture Capital GmbH's Trademark Guidelines or the guidelines of the respective third-party owners, and any usage must be approved in writing. Third-party trademarks used herein are the property of their respective owners and used only in a descriptive manner, e.g. for an implementation of an API or similar.
+
+### Company Information
+
+Task Venture Capital GmbH
+Registered at District Court Bremen HRB 35230 HB, Germany
+
+For any legal inquiries or further information, please contact us via email at hello@task.vc.
+
+By using this repository, you acknowledge that you have read this section, agree to comply with its terms, and understand that the licensing of the code does not imply endorsement by Task Venture Capital GmbH of any derivative works.
--- a/ts/remoteingress/classes.remoteingress-manager.ts
+++ b/ts/remoteingress/classes.remoteingress-manager.ts
@@ -242,11 +242,15 @@ export class RemoteIngressManager {
  /**
   * Get the list of allowed edges (enabled only) for the Rust hub.
   */
-  public getAllowedEdges(): Array<{ id: string; secret: string }> {
-    const result: Array<{ id: string; secret: string }> = [];
+  public getAllowedEdges(): Array<{ id: string; secret: string; listenPorts: number[] }> {
+    const result: Array<{ id: string; secret: string; listenPorts: number[] }> = [];
    for (const edge of this.edges.values()) {
      if (edge.enabled) {
-        result.push({ id: edge.id, secret: edge.secret });
+        result.push({
+          id: edge.id,
+          secret: edge.secret,
+          listenPorts: this.getEffectiveListenPorts(edge),
+        });
      }
    }
    return result;
--- a/ts/remoteingress/classes.tunnel-manager.ts
+++ b/ts/remoteingress/classes.tunnel-manager.ts
@@ -5,6 +5,10 @@ import type { RemoteIngressManager } from './classes.remoteingress-manager.js';
 export interface ITunnelManagerConfig {
  tunnelPort?: number;
  targetHost?: string;
+  tls?: {
+    certPem?: string;
+    keyPem?: string;
+  };
 }

 /**
@@ -15,6 +19,7 @@ export class TunnelManager {
  private manager: RemoteIngressManager;
  private config: ITunnelManagerConfig;
  private edgeStatuses: Map<string, IRemoteIngressStatus> = new Map();
+  private reconcileInterval: ReturnType<typeof setInterval> | null = null;

  constructor(manager: RemoteIngressManager, config: ITunnelManagerConfig = {}) {
    this.manager = manager;
@@ -22,12 +27,11 @@ export class TunnelManager {
    this.hub = new plugins.remoteingress.RemoteIngressHub();

    // Listen for edge connect/disconnect events
-    this.hub.on('edgeConnected', (data: { edgeId: string }) => {
-      const existing = this.edgeStatuses.get(data.edgeId);
+    this.hub.on('edgeConnected', (data: { edgeId: string; peerAddr: string }) => {
      this.edgeStatuses.set(data.edgeId, {
        edgeId: data.edgeId,
        connected: true,
-        publicIp: existing?.publicIp ?? null,
+        publicIp: data.peerAddr || null,
        activeTunnels: 0,
        lastHeartbeat: Date.now(),
        connectedAt: Date.now(),
@@ -35,11 +39,7 @@ export class TunnelManager {
    });

    this.hub.on('edgeDisconnected', (data: { edgeId: string }) => {
-      const existing = this.edgeStatuses.get(data.edgeId);
-      if (existing) {
-        existing.connected = false;
-        existing.activeTunnels = 0;
-      }
+      this.edgeStatuses.delete(data.edgeId);
    });

    this.hub.on('streamOpened', (data: { edgeId: string; streamId: number }) => {
@@ -65,20 +65,73 @@ export class TunnelManager {
    await this.hub.start({
      tunnelPort: this.config.tunnelPort ?? 8443,
      targetHost: this.config.targetHost ?? '127.0.0.1',
+      tls: this.config.tls,
    });

    // Send allowed edges to the hub
    await this.syncAllowedEdges();
+
+    // Periodically reconcile with authoritative Rust hub status
+    this.reconcileInterval = setInterval(() => {
+      this.reconcile().catch(() => {});
+    }, 15_000);
  }

  /**
   * Stop the tunnel hub.
   */
  public async stop(): Promise<void> {
+    if (this.reconcileInterval) {
+      clearInterval(this.reconcileInterval);
+      this.reconcileInterval = null;
+    }
+    // Remove event listeners before stopping to prevent leaks
+    this.hub.removeAllListeners();
    await this.hub.stop();
    this.edgeStatuses.clear();
  }

+  /**
+   * Reconcile TS-side edge statuses with the authoritative Rust hub status.
+   * Overwrites event-derived activeTunnels with the real activeStreams count.
+   */
+  private async reconcile(): Promise<void> {
+    const hubStatus = await this.hub.getStatus();
+    if (!hubStatus || !hubStatus.connectedEdges) return;
+
+    const rustEdgeIds = new Set<string>();
+
+    for (const rustEdge of hubStatus.connectedEdges) {
+      rustEdgeIds.add(rustEdge.edgeId);
+      const existing = this.edgeStatuses.get(rustEdge.edgeId);
+      if (existing) {
+        existing.activeTunnels = rustEdge.activeStreams;
+        existing.lastHeartbeat = Date.now();
+        // Update peer address if available from Rust hub
+        if (rustEdge.peerAddr) {
+          existing.publicIp = rustEdge.peerAddr;
+        }
+      } else {
+        // Missed edgeConnected event — add entry
+        this.edgeStatuses.set(rustEdge.edgeId, {
+          edgeId: rustEdge.edgeId,
+          connected: true,
+          publicIp: rustEdge.peerAddr || null,
+          activeTunnels: rustEdge.activeStreams,
+          lastHeartbeat: Date.now(),
+          connectedAt: rustEdge.connectedAt * 1000,
+        });
+      }
+    }
+
+    // Remove entries for edges no longer connected in Rust (missed edgeDisconnected)
+    for (const edgeId of this.edgeStatuses.keys()) {
+      if (!rustEdgeIds.has(edgeId)) {
+        this.edgeStatuses.delete(edgeId);
+      }
+    }
+  }
+
  /**
   * Sync allowed edges from the manager to the hub.
   * Call this after creating/deleting/updating edges.
@@ -113,6 +166,19 @@ export class TunnelManager {
    return count;
  }

+  /**
+   * Get the public IPs of all connected edges.
+   */
+  public getConnectedEdgeIps(): string[] {
+    const ips: string[] = [];
+    for (const status of this.edgeStatuses.values()) {
+      if (status.connected && status.publicIp) {
+        ips.push(status.publicIp);
+      }
+    }
+    return ips;
+  }
+
  /**
   * Get the total number of active tunnels across all edges.
   */
--- a/ts/security/classes.contentscanner.ts
+++ b/ts/security/classes.contentscanner.ts
@@ -182,7 +182,14 @@ export class ContentScanner {
    }
    return ContentScanner.instance;
  }
-  
+
+  /**
+   * Reset the singleton instance (for shutdown/testing)
+   */
+  public static resetInstance(): void {
+    ContentScanner.instance = undefined;
+  }
+
  /**
   * Scan an email for malicious content
   * @param email The email to scan
--- a/ts/security/classes.ipreputationchecker.ts
+++ b/ts/security/classes.ipreputationchecker.ts
@@ -65,6 +65,8 @@ export class IPReputationChecker {
  private reputationCache: LRUCache<string, IReputationResult>;
  private options: Required<IIPReputationOptions>;
  private storageManager?: any; // StorageManager instance
+  private saveCacheTimer: ReturnType<typeof setTimeout> | null = null;
+  private static readonly SAVE_CACHE_DEBOUNCE_MS = 30_000;
  
  // Default DNSBL servers
  private static readonly DEFAULT_DNSBL_SERVERS = [
@@ -143,7 +145,20 @@ export class IPReputationChecker {
    }
    return IPReputationChecker.instance;
  }
-  
+
+  /**
+   * Reset the singleton instance (for shutdown/testing)
+   */
+  public static resetInstance(): void {
+    if (IPReputationChecker.instance) {
+      if (IPReputationChecker.instance.saveCacheTimer) {
+        clearTimeout(IPReputationChecker.instance.saveCacheTimer);
+        IPReputationChecker.instance.saveCacheTimer = null;
+      }
+    }
+    IPReputationChecker.instance = undefined;
+  }
+
  /**
   * Check an IP address's reputation
   * @param ip IP address to check
@@ -213,12 +228,9 @@ export class IPReputationChecker {
      // Update cache with result
      this.reputationCache.set(ip, result);
      
-      // Save cache if enabled
+      // Schedule debounced cache save if enabled
      if (this.options.enableLocalCache) {
-        // Fire and forget the save operation
-        this.saveCache().catch(error => {
-          logger.log('error', `Failed to save IP reputation cache: ${error.message}`);
-        });
+        this.debouncedSaveCache();
      }
      
      // Log the reputation check
@@ -447,6 +459,21 @@ export class IPReputationChecker {
    });
  }
  
+  /**
+   * Schedule a debounced cache save (at most once per SAVE_CACHE_DEBOUNCE_MS)
+   */
+  private debouncedSaveCache(): void {
+    if (this.saveCacheTimer) {
+      return; // already scheduled
+    }
+    this.saveCacheTimer = setTimeout(() => {
+      this.saveCacheTimer = null;
+      this.saveCache().catch(error => {
+        logger.log('error', `Failed to save IP reputation cache: ${error.message}`);
+      });
+    }, IPReputationChecker.SAVE_CACHE_DEBOUNCE_MS);
+  }
+
  /**
   * Save cache to disk or storage manager
   */
--- a/ts/security/classes.securitylogger.ts
+++ b/ts/security/classes.securitylogger.ts
@@ -83,7 +83,14 @@ export class SecurityLogger {
    }
    return SecurityLogger.instance;
  }
-  
+
+  /**
+   * Reset the singleton instance (for shutdown/testing)
+   */
+  public static resetInstance(): void {
+    SecurityLogger.instance = undefined;
+  }
+
  /**
   * Log a security event
   * @param event The security event to log
@@ -155,8 +162,9 @@ export class SecurityLogger {
      }
    }
    
-    // Return most recent events up to limit
+    // Return most recent events up to limit (slice first to avoid mutating source)
    return filteredEvents
+      .slice()
      .sort((a, b) => b.timestamp - a.timestamp)
      .slice(0, limit);
  }
@@ -242,58 +250,46 @@ export class SecurityLogger {
    topIPs: Array<{ ip: string; count: number }>;
    topDomains: Array<{ domain: string; count: number }>;
  } {
-    // Filter by time window if provided
-    let events = this.securityEvents;
-    if (timeWindow) {
-      const cutoff = Date.now() - timeWindow;
-      events = events.filter(e => e.timestamp >= cutoff);
+    const cutoff = timeWindow ? Date.now() - timeWindow : 0;
+
+    // Initialize counters
+    const byLevel = {} as Record<SecurityLogLevel, number>;
+    for (const level of Object.values(SecurityLogLevel)) {
+      byLevel[level] = 0;
+    }
+    const byType = {} as Record<SecurityEventType, number>;
+    for (const type of Object.values(SecurityEventType)) {
+      byType[type] = 0;
    }
-    
-    // Count by level
-    const byLevel = Object.values(SecurityLogLevel).reduce((acc, level) => {
-      acc[level] = events.filter(e => e.level === level).length;
-      return acc;
-    }, {} as Record<SecurityLogLevel, number>);
-    
-    // Count by type
-    const byType = Object.values(SecurityEventType).reduce((acc, type) => {
-      acc[type] = events.filter(e => e.type === type).length;
-      return acc;
-    }, {} as Record<SecurityEventType, number>);
-    
-    // Count by IP
    const ipCounts = new Map<string, number>();
-    events.forEach(e => {
+    const domainCounts = new Map<string, number>();
+
+    // Single pass over all events
+    let total = 0;
+    for (const e of this.securityEvents) {
+      if (cutoff && e.timestamp < cutoff) continue;
+      total++;
+      byLevel[e.level]++;
+      byType[e.type]++;
      if (e.ipAddress) {
        ipCounts.set(e.ipAddress, (ipCounts.get(e.ipAddress) || 0) + 1);
      }
-    });
-    
-    // Count by domain
-    const domainCounts = new Map<string, number>();
-    events.forEach(e => {
      if (e.domain) {
        domainCounts.set(e.domain, (domainCounts.get(e.domain) || 0) + 1);
      }
-    });
-    
+    }
+
    // Sort and limit top entries
    const topIPs = Array.from(ipCounts.entries())
      .map(([ip, count]) => ({ ip, count }))
      .sort((a, b) => b.count - a.count)
      .slice(0, 10);
-    
+
    const topDomains = Array.from(domainCounts.entries())
      .map(([domain, count]) => ({ domain, count }))
      .sort((a, b) => b.count - a.count)
      .slice(0, 10);
-    
-    return {
-      total: events.length,
-      byLevel,
-      byType,
-      topIPs,
-      topDomains
-    };
+
+    return { total, byLevel, byType, topIPs, topDomains };
  }
 }
--- a/ts/storage/classes.storagemanager.ts
+++ b/ts/storage/classes.storagemanager.ts
@@ -30,6 +30,7 @@ export type StorageBackend = 'filesystem' | 'custom' | 'memory';
 * Provides unified key-value storage with multiple backend support
 */
 export class StorageManager {
+  private static readonly MAX_MEMORY_ENTRIES = 10_000;
  private backend: StorageBackend;
  private memoryStore: Map<string, string> = new Map();
  private config: IStorageConfig;
@@ -227,6 +228,11 @@ export class StorageManager {
        
        case 'memory': {
          this.memoryStore.set(key, value);
+          // Evict oldest entries if memory store exceeds limit
+          while (this.memoryStore.size > StorageManager.MAX_MEMORY_ENTRIES) {
+            const firstKey = this.memoryStore.keys().next().value;
+            this.memoryStore.delete(firstKey);
+          }
          break;
        }
        
--- a/ts_interfaces/data/index.ts
+++ b/ts_interfaces/data/index.ts
@@ -1,3 +1,4 @@
 export * from './auth.js';
 export * from './stats.js';
-export * from './remoteingress.js';
+export * from './remoteingress.js';
+export * from './route-management.js';
--- a/ts_interfaces/data/route-management.ts
+++ b/ts_interfaces/data/route-management.ts
@@ -0,0 +1,83 @@
+import type { IRouteConfig } from '@push.rocks/smartproxy';
+
+// ============================================================================
+// Route Management Data Types
+// ============================================================================
+
+export type TApiTokenScope = 'routes:read' | 'routes:write' | 'config:read' | 'tokens:read' | 'tokens:manage';
+
+/**
+ * A merged route combining hardcoded and programmatic sources.
+ */
+export interface IMergedRoute {
+  route: IRouteConfig;
+  source: 'hardcoded' | 'programmatic';
+  enabled: boolean;
+  overridden: boolean;
+  storedRouteId?: string;
+  createdAt?: number;
+  updatedAt?: number;
+}
+
+/**
+ * A warning generated during route merge/startup.
+ */
+export interface IRouteWarning {
+  type: 'disabled-hardcoded' | 'disabled-programmatic' | 'orphaned-override';
+  routeName: string;
+  message: string;
+}
+
+/**
+ * Public info about an API token (never includes the hash).
+ */
+export interface IApiTokenInfo {
+  id: string;
+  name: string;
+  scopes: TApiTokenScope[];
+  createdAt: number;
+  expiresAt: number | null;
+  lastUsedAt: number | null;
+  enabled: boolean;
+}
+
+// ============================================================================
+// Storage Schemas (persisted via StorageManager)
+// ============================================================================
+
+/**
+ * A programmatic route stored in /config-api/routes/{id}.json
+ */
+export interface IStoredRoute {
+  id: string;
+  route: IRouteConfig;
+  enabled: boolean;
+  createdAt: number;
+  updatedAt: number;
+  createdBy: string;
+}
+
+/**
+ * An override for a hardcoded route, stored in /config-api/overrides/{routeName}.json
+ */
+export interface IRouteOverride {
+  routeName: string;
+  enabled: boolean;
+  updatedAt: number;
+  updatedBy: string;
+}
+
+/**
+ * A stored API token, stored in /config-api/tokens/{id}.json
+ */
+export interface IStoredApiToken {
+  id: string;
+  name: string;
+  tokenHash: string;
+  scopes: TApiTokenScope[];
+  createdAt: number;
+  expiresAt: number | null;
+  lastUsedAt: number | null;
+  createdBy: string;
+  enabled: boolean;
+}
--- a/ts_interfaces/data/stats.ts
+++ b/ts_interfaces/data/stats.ts
@@ -26,6 +26,11 @@ export interface IServerStats {
  };
 }

+export interface ITimeSeriesPoint {
+  timestamp: number;
+  value: number;
+}
+
 export interface IEmailStats {
  sent: number;
  received: number;
@@ -35,6 +40,11 @@ export interface IEmailStats {
  averageDeliveryTime: number;
  deliveryRate: number;
  bounceRate: number;
+  timeSeries?: {
+    sent: ITimeSeriesPoint[];
+    received: ITimeSeriesPoint[];
+    failed: ITimeSeriesPoint[];
+  };
 }

 export interface IDnsStats {
@@ -47,6 +57,16 @@ export interface IDnsStats {
  queryTypes: {
    [key: string]: number;
  };
+  timeSeries?: {
+    queries: ITimeSeriesPoint[];
+  };
+  recentQueries?: Array<{
+    timestamp: number;
+    domain: string;
+    type: string;
+    answered: boolean;
+    responseTimeMs: number;
+  }>;
 }

 export interface IRateLimitInfo {
@@ -58,6 +78,17 @@ export interface IRateLimitInfo {
  blocked: boolean;
 }

+export interface ISecurityEvent {
+  timestamp: number;
+  level: string;
+  type: string;
+  message: string;
+  details?: any;
+  ipAddress?: string;
+  domain?: string;
+  success?: boolean;
+}
+
 export interface ISecurityMetrics {
  blockedIPs: string[];
  reputationScores: {
@@ -68,6 +99,7 @@ export interface ISecurityMetrics {
  phishingDetected: number;
  authenticationFailures: number;
  suspiciousActivities: number;
+  recentEvents?: ISecurityEvent[];
 }

 export interface ILogEntry {
--- a/ts_interfaces/readme.md
+++ b/ts_interfaces/readme.md
@@ -82,6 +82,14 @@ interface IIdentity {
 | `INetworkMetrics` | Bandwidth, connection counts, top endpoints |
 | `ILogEntry` | Timestamp, level, category, message, metadata |

+#### Remote Ingress Interfaces
+| Interface | Description |
+|-----------|-------------|
+| `IRemoteIngress` | Edge registration: id, name, secret, listenPorts, enabled, autoDerivePorts, tags |
+| `IRemoteIngressStatus` | Runtime status: connected, publicIp, activeTunnels, lastHeartbeat |
+| `IRouteRemoteIngress` | Route-level config: enabled flag and optional edgeFilter |
+| `IDcRouterRouteConfig` | Extended SmartProxy route config with optional `remoteIngress` property |
+
 ### Request Interfaces (`requests`)

 TypedRequest interfaces for the OpsServer API, organized by domain:
@@ -134,6 +142,9 @@ TypedRequest interfaces for the OpsServer API, organized by domain:
 | `IReq_GetCertificateOverview` | `getCertificateOverview` | Domain-centric certificate status |
 | `IReq_ReprovisionCertificate` | `reprovisionCertificate` | Reprovision by route name (legacy) |
 | `IReq_ReprovisionCertificateDomain` | `reprovisionCertificateDomain` | Reprovision by domain (preferred) |
+| `IReq_ImportCertificate` | `importCertificate` | Import a certificate |
+| `IReq_ExportCertificate` | `exportCertificate` | Export a certificate |
+| `IReq_DeleteCertificate` | `deleteCertificate` | Delete a certificate |

 #### Certificate Types
 ```typescript
@@ -159,6 +170,17 @@ interface ICertificateInfo {
 }
 ```

+#### 🌍 Remote Ingress
+| Interface | Method | Description |
+|-----------|--------|-------------|
+| `IReq_CreateRemoteIngress` | `createRemoteIngress` | Register a new edge node |
+| `IReq_DeleteRemoteIngress` | `deleteRemoteIngress` | Remove an edge registration |
+| `IReq_UpdateRemoteIngress` | `updateRemoteIngress` | Update edge settings |
+| `IReq_RegenerateRemoteIngressSecret` | `regenerateRemoteIngressSecret` | Issue a new secret |
+| `IReq_GetRemoteIngresses` | `getRemoteIngresses` | List all edge registrations |
+| `IReq_GetRemoteIngressStatus` | `getRemoteIngressStatus` | Runtime status of all edges |
+| `IReq_GetRemoteIngressConnectionToken` | `getRemoteIngressConnectionToken` | Generate a connection token |
+
 #### 📡 RADIUS
 | Interface | Method | Description |
 |-----------|--------|-------------|
@@ -183,7 +205,7 @@ import { data, requests } from '@serve.zone/dcrouter-interfaces';
 // 1. Login
 const loginClient = new typedrequest.TypedRequest<requests.IReq_AdminLoginWithUsernameAndPassword>(
  'https://your-dcrouter:3000/typedrequest',
-  'adminLogin'
+  'adminLoginWithUsernameAndPassword'
 );

 const loginResponse = await loginClient.fire({
@@ -199,10 +221,8 @@ const metricsClient = new typedrequest.TypedRequest<requests.IReq_GetCombinedMet
 );

 const metrics = await metricsClient.fire({ identity });
-console.log('Server:', metrics.serverStats);
-console.log('Email:', metrics.emailStats);
-console.log('DNS:', metrics.dnsStats);
-console.log('Security:', metrics.securityMetrics);
+console.log('Server:', metrics.metrics.server);
+console.log('Email:', metrics.metrics.email);

 // 3. Check certificate status
 const certClient = new typedrequest.TypedRequest<requests.IReq_GetCertificateOverview>(
@@ -213,14 +233,23 @@ const certClient = new typedrequest.TypedRequest<requests.IReq_GetCertificateOve
 const certs = await certClient.fire({ identity });
 console.log(`Certificates: ${certs.summary.valid} valid, ${certs.summary.failed} failed`);

-// 4. Check email queues
-const queueClient = new typedrequest.TypedRequest<requests.IReq_GetQueuedEmails>(
+// 4. List remote ingress edges
+const edgesClient = new typedrequest.TypedRequest<requests.IReq_GetRemoteIngresses>(
  'https://your-dcrouter:3000/typedrequest',
-  'getQueuedEmails'
+  'getRemoteIngresses'
 );

-const queued = await queueClient.fire({ identity });
-console.log('Queued emails:', queued.emails.length);
+const edges = await edgesClient.fire({ identity });
+console.log('Registered edges:', edges.edges.length);
+
+// 5. Generate a connection token for an edge
+const tokenClient = new typedrequest.TypedRequest<requests.IReq_GetRemoteIngressConnectionToken>(
+  'https://your-dcrouter:3000/typedrequest',
+  'getRemoteIngressConnectionToken'
+);
+
+const tokenResponse = await tokenClient.fire({ identity, edgeId: edges.edges[0].id });
+console.log('Connection token:', tokenResponse.token);
 ```

 ## License and Legal Information
--- a/ts_interfaces/requests/api-tokens.ts
+++ b/ts_interfaces/requests/api-tokens.ts
@@ -0,0 +1,103 @@
+import * as plugins from '../plugins.js';
+import type * as authInterfaces from '../data/auth.js';
+import type { IApiTokenInfo, TApiTokenScope } from '../data/route-management.js';
+
+// ============================================================================
+// API Token Management Endpoints
+// ============================================================================
+
+/**
+ * Create a new API token. Returns the raw token value once (never shown again).
+ * Admin JWT only — tokens cannot create tokens.
+ */
+export interface IReq_CreateApiToken extends plugins.typedrequestInterfaces.implementsTR<
+  plugins.typedrequestInterfaces.ITypedRequest,
+  IReq_CreateApiToken
+> {
+  method: 'createApiToken';
+  request: {
+    identity: authInterfaces.IIdentity;
+    name: string;
+    scopes: TApiTokenScope[];
+    expiresInDays?: number | null;
+  };
+  response: {
+    success: boolean;
+    tokenId?: string;
+    tokenValue?: string;
+    message?: string;
+  };
+}
+
+/**
+ * List all API tokens (without hashes).
+ */
+export interface IReq_ListApiTokens extends plugins.typedrequestInterfaces.implementsTR<
+  plugins.typedrequestInterfaces.ITypedRequest,
+  IReq_ListApiTokens
+> {
+  method: 'listApiTokens';
+  request: {
+    identity: authInterfaces.IIdentity;
+  };
+  response: {
+    tokens: IApiTokenInfo[];
+  };
+}
+
+/**
+ * Revoke (delete) an API token.
+ */
+export interface IReq_RevokeApiToken extends plugins.typedrequestInterfaces.implementsTR<
+  plugins.typedrequestInterfaces.ITypedRequest,
+  IReq_RevokeApiToken
+> {
+  method: 'revokeApiToken';
+  request: {
+    identity: authInterfaces.IIdentity;
+    id: string;
+  };
+  response: {
+    success: boolean;
+    message?: string;
+  };
+}
+
+/**
+ * Roll (regenerate) an API token's secret. Returns the new raw token value once.
+ * Admin JWT only.
+ */
+export interface IReq_RollApiToken extends plugins.typedrequestInterfaces.implementsTR<
+  plugins.typedrequestInterfaces.ITypedRequest,
+  IReq_RollApiToken
+> {
+  method: 'rollApiToken';
+  request: {
+    identity: authInterfaces.IIdentity;
+    id: string;
+  };
+  response: {
+    success: boolean;
+    tokenValue?: string;
+    message?: string;
+  };
+}
+
+/**
+ * Enable or disable an API token.
+ */
+export interface IReq_ToggleApiToken extends plugins.typedrequestInterfaces.implementsTR<
+  plugins.typedrequestInterfaces.ITypedRequest,
+  IReq_ToggleApiToken
+> {
+  method: 'toggleApiToken';
+  request: {
+    identity: authInterfaces.IIdentity;
+    id: string;
+    enabled: boolean;
+  };
+  response: {
+    success: boolean;
+    message?: string;
+  };
+}
--- a/ts_interfaces/requests/certificate.ts
+++ b/ts_interfaces/requests/certificate.ts
@@ -28,7 +28,7 @@ export interface IReq_GetCertificateOverview extends plugins.typedrequestInterfa
 > {
  method: 'getCertificateOverview';
  request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
  };
  response: {
    certificates: ICertificateInfo[];
@@ -50,7 +50,7 @@ export interface IReq_ReprovisionCertificate extends plugins.typedrequestInterfa
 > {
  method: 'reprovisionCertificate';
  request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
    routeName: string;
  };
  response: {
@@ -66,7 +66,7 @@ export interface IReq_ReprovisionCertificateDomain extends plugins.typedrequestI
 > {
  method: 'reprovisionCertificateDomain';
  request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
    domain: string;
  };
  response: {
@@ -82,7 +82,7 @@ export interface IReq_DeleteCertificate extends plugins.typedrequestInterfaces.i
 > {
  method: 'deleteCertificate';
  request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
    domain: string;
  };
  response: {
@@ -98,7 +98,7 @@ export interface IReq_ExportCertificate extends plugins.typedrequestInterfaces.i
 > {
  method: 'exportCertificate';
  request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
    domain: string;
  };
  response: {
@@ -123,7 +123,7 @@ export interface IReq_ImportCertificate extends plugins.typedrequestInterfaces.i
 > {
  method: 'importCertificate';
  request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
    cert: {
      id: string;
      domainName: string;
--- a/ts_interfaces/requests/config.ts
+++ b/ts_interfaces/requests/config.ts
@@ -1,6 +1,79 @@
 import * as plugins from '../plugins.js';
 import * as authInterfaces from '../data/auth.js';

+export interface IConfigData {
+  system: {
+    baseDir: string;
+    dataDir: string;
+    publicIp: string | null;
+    proxyIps: string[];
+    uptime: number;
+    storageBackend: 'filesystem' | 'custom' | 'memory';
+    storagePath: string | null;
+  };
+  smartProxy: {
+    enabled: boolean;
+    routeCount: number;
+    acme: {
+      enabled: boolean;
+      accountEmail: string;
+      useProduction: boolean;
+      autoRenew: boolean;
+      renewThresholdDays: number;
+    } | null;
+  };
+  email: {
+    enabled: boolean;
+    ports: number[];
+    portMapping: Record<string, number> | null;
+    hostname: string | null;
+    domains: string[];
+    emailRouteCount: number;
+    receivedEmailsPath: string | null;
+  };
+  dns: {
+    enabled: boolean;
+    port: number;
+    nsDomains: string[];
+    scopes: string[];
+    recordCount: number;
+    records: Array<{ name: string; type: string; value: string; ttl?: number }>;
+    dnsChallenge: boolean;
+  };
+  tls: {
+    contactEmail: string | null;
+    domain: string | null;
+    source: 'acme' | 'static' | 'none';
+    certPath: string | null;
+    keyPath: string | null;
+  };
+  cache: {
+    enabled: boolean;
+    storagePath: string | null;
+    dbName: string | null;
+    defaultTTLDays: number;
+    cleanupIntervalHours: number;
+    ttlConfig: Record<string, number>;
+  };
+  radius: {
+    enabled: boolean;
+    authPort: number | null;
+    acctPort: number | null;
+    bindAddress: string | null;
+    clientCount: number;
+    vlanDefaultVlan: number | null;
+    vlanAllowUnknownMacs: boolean | null;
+    vlanMappingCount: number;
+  };
+  remoteIngress: {
+    enabled: boolean;
+    tunnelPort: number | null;
+    hubDomain: string | null;
+    tlsMode: 'custom' | 'acme' | 'self-signed';
+    connectedEdgeIps: string[];
+  };
+}
+
 // Get Configuration (read-only)
 export interface IReq_GetConfiguration extends plugins.typedrequestInterfaces.implementsTR<
  plugins.typedrequestInterfaces.ITypedRequest,
@@ -8,11 +81,11 @@ export interface IReq_GetConfiguration extends plugins.typedrequestInterfaces.im
 > {
  method: 'getConfiguration';
  request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
    section?: string;
  };
  response: {
-    config: any;
+    config: IConfigData;
    section?: string;
  };
-}
+}
--- a/ts_interfaces/requests/email-ops.ts
+++ b/ts_interfaces/requests/email-ops.ts
@@ -2,162 +2,93 @@ import * as plugins from '../plugins.js';
 import * as authInterfaces from '../data/auth.js';

 // ============================================================================
-// Email Queue Item Interface (matches backend IQueueItem)
+// Catalog-compatible email types (matches @serve.zone/catalog IEmail/IEmailDetail)
 // ============================================================================
-export type TEmailQueueStatus = 'pending' | 'processing' | 'delivered' | 'failed' | 'deferred';
+export type TEmailStatus = 'delivered' | 'bounced' | 'rejected' | 'deferred' | 'pending';
+export type TEmailDirection = 'inbound' | 'outbound';

-export interface IEmailQueueItem {
+export interface IEmail {
  id: string;
-  processingMode: 'forward' | 'mta' | 'process';
-  status: TEmailQueueStatus;
-  attempts: number;
-  nextAttempt: number; // timestamp
-  lastError?: string;
-  createdAt: number; // timestamp
-  updatedAt: number; // timestamp
-  deliveredAt?: number; // timestamp
-  // Email details extracted from processingResult
-  from?: string;
-  to?: string[];
-  subject?: string;
+  direction: TEmailDirection;
+  status: TEmailStatus;
+  from: string;
+  to: string;
+  subject: string;
+  timestamp: string;
+  messageId: string;
+  size: string;
+}
+
+export interface ISmtpLogEntry {
+  timestamp: string;
+  direction: 'client' | 'server';
+  command: string;
+  responseCode?: number;
+}
+
+export interface IConnectionInfo {
+  sourceIp: string;
+  sourceHostname: string;
+  destinationIp: string;
+  destinationPort: number;
+  tlsVersion: string;
+  tlsCipher: string;
+  authenticated: boolean;
+  authMethod: string;
+  authUser: string;
+}
+
+export interface IAuthenticationResults {
+  spf: 'pass' | 'fail' | 'softfail' | 'neutral' | 'none';
+  spfDomain: string;
+  dkim: 'pass' | 'fail' | 'none';
+  dkimDomain: string;
+  dmarc: 'pass' | 'fail' | 'none';
+  dmarcPolicy: string;
+}
+
+export interface IEmailDetail extends IEmail {
+  toList: string[];
+  cc?: string[];
+  smtpLog: ISmtpLogEntry[];
+  connectionInfo: IConnectionInfo;
+  authenticationResults: IAuthenticationResults;
+  rejectionReason?: string;
+  bounceMessage?: string;
+  headers: Record<string, string>;
+  body: string;
 }

 // ============================================================================
-// Bounce Record Interface (matches backend BounceRecord)
+// Get All Emails Request
 // ============================================================================
-export type TBounceType =
-  | 'invalid_recipient'
-  | 'domain_not_found'
-  | 'mailbox_full'
-  | 'mailbox_inactive'
-  | 'blocked'
-  | 'spam_related'
-  | 'policy_related'
-  | 'server_unavailable'
-  | 'temporary_failure'
-  | 'quota_exceeded'
-  | 'network_error'
-  | 'timeout'
-  | 'auto_response'
-  | 'challenge_response'
-  | 'unknown';
-
-export type TBounceCategory = 'hard' | 'soft' | 'auto_response' | 'unknown';
-
-export interface IBounceRecord {
-  id: string;
-  originalEmailId?: string;
-  recipient: string;
-  sender: string;
-  domain: string;
-  subject?: string;
-  bounceType: TBounceType;
-  bounceCategory: TBounceCategory;
-  timestamp: number;
-  smtpResponse?: string;
-  diagnosticCode?: string;
-  statusCode?: string;
-  processed: boolean;
-  retryCount?: number;
-  nextRetryTime?: number;
-}
-
-// ============================================================================
-// Security Incident Interface (matches backend ISecurityEvent)
-// ============================================================================
-export type TSecurityLogLevel = 'info' | 'warn' | 'error' | 'critical';
-
-export type TSecurityEventType =
-  | 'authentication'
-  | 'access_control'
-  | 'email_validation'
-  | 'email_processing'
-  | 'email_forwarding'
-  | 'email_delivery'
-  | 'dkim'
-  | 'spf'
-  | 'dmarc'
-  | 'rate_limit'
-  | 'rate_limiting'
-  | 'spam'
-  | 'malware'
-  | 'connection'
-  | 'data_exposure'
-  | 'configuration'
-  | 'ip_reputation'
-  | 'rejected_connection';
-
-export interface ISecurityIncident {
-  timestamp: number;
-  level: TSecurityLogLevel;
-  type: TSecurityEventType;
-  message: string;
-  details?: any;
-  ipAddress?: string;
-  userId?: string;
-  sessionId?: string;
-  emailId?: string;
-  domain?: string;
-  action?: string;
-  result?: string;
-  success?: boolean;
-}
-
-// ============================================================================
-// Get Queued Emails Request
-// ============================================================================
-export interface IReq_GetQueuedEmails extends plugins.typedrequestInterfaces.implementsTR<
+export interface IReq_GetAllEmails extends plugins.typedrequestInterfaces.implementsTR<
  plugins.typedrequestInterfaces.ITypedRequest,
-  IReq_GetQueuedEmails
+  IReq_GetAllEmails
 > {
-  method: 'getQueuedEmails';
+  method: 'getAllEmails';
  request: {
-    identity?: authInterfaces.IIdentity;
-    status?: TEmailQueueStatus;
-    limit?: number;
-    offset?: number;
+    identity: authInterfaces.IIdentity;
  };
  response: {
-    items: IEmailQueueItem[];
-    total: number;
+    emails: IEmail[];
  };
 }

 // ============================================================================
-// Get Sent Emails Request
+// Get Email Detail Request
 // ============================================================================
-export interface IReq_GetSentEmails extends plugins.typedrequestInterfaces.implementsTR<
+export interface IReq_GetEmailDetail extends plugins.typedrequestInterfaces.implementsTR<
  plugins.typedrequestInterfaces.ITypedRequest,
-  IReq_GetSentEmails
+  IReq_GetEmailDetail
 > {
-  method: 'getSentEmails';
+  method: 'getEmailDetail';
  request: {
-    identity?: authInterfaces.IIdentity;
-    limit?: number;
-    offset?: number;
+    identity: authInterfaces.IIdentity;
+    emailId: string;
  };
  response: {
-    items: IEmailQueueItem[];
-    total: number;
-  };
-}
-
-// ============================================================================
-// Get Failed Emails Request
-// ============================================================================
-export interface IReq_GetFailedEmails extends plugins.typedrequestInterfaces.implementsTR<
-  plugins.typedrequestInterfaces.ITypedRequest,
-  IReq_GetFailedEmails
-> {
-  method: 'getFailedEmails';
-  request: {
-    identity?: authInterfaces.IIdentity;
-    limit?: number;
-    offset?: number;
-  };
-  response: {
-    items: IEmailQueueItem[];
-    total: number;
+    email: IEmailDetail | null;
  };
 }

@@ -170,7 +101,7 @@ export interface IReq_ResendEmail extends plugins.typedrequestInterfaces.impleme
 > {
  method: 'resendEmail';
  request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
    emailId: string;
  };
  response: {
@@ -179,61 +110,3 @@ export interface IReq_ResendEmail extends plugins.typedrequestInterfaces.impleme
    error?: string;
  };
 }
-
-// ============================================================================
-// Get Security Incidents Request
-// ============================================================================
-export interface IReq_GetSecurityIncidents extends plugins.typedrequestInterfaces.implementsTR<
-  plugins.typedrequestInterfaces.ITypedRequest,
-  IReq_GetSecurityIncidents
-> {
-  method: 'getSecurityIncidents';
-  request: {
-    identity?: authInterfaces.IIdentity;
-    type?: TSecurityEventType;
-    level?: TSecurityLogLevel;
-    limit?: number;
-  };
-  response: {
-    incidents: ISecurityIncident[];
-    total: number;
-  };
-}
-
-// ============================================================================
-// Get Bounce Records Request
-// ============================================================================
-export interface IReq_GetBounceRecords extends plugins.typedrequestInterfaces.implementsTR<
-  plugins.typedrequestInterfaces.ITypedRequest,
-  IReq_GetBounceRecords
-> {
-  method: 'getBounceRecords';
-  request: {
-    identity?: authInterfaces.IIdentity;
-    limit?: number;
-    offset?: number;
-  };
-  response: {
-    records: IBounceRecord[];
-    suppressionList: string[];
-    total: number;
-  };
-}
-
-// ============================================================================
-// Remove from Suppression List Request
-// ============================================================================
-export interface IReq_RemoveFromSuppressionList extends plugins.typedrequestInterfaces.implementsTR<
-  plugins.typedrequestInterfaces.ITypedRequest,
-  IReq_RemoveFromSuppressionList
-> {
-  method: 'removeFromSuppressionList';
-  request: {
-    identity?: authInterfaces.IIdentity;
-    email: string;
-  };
-  response: {
-    success: boolean;
-    error?: string;
-  };
-}
--- a/ts_interfaces/requests/index.ts
+++ b/ts_interfaces/requests/index.ts
@@ -6,4 +6,6 @@ export * from './combined.stats.js';
 export * from './radius.js';
 export * from './email-ops.js';
 export * from './certificate.js';
-export * from './remoteingress.js';
+export * from './remoteingress.js';
+export * from './route-management.js';
+export * from './api-tokens.js';
--- a/ts_interfaces/requests/logs.ts
+++ b/ts_interfaces/requests/logs.ts
@@ -9,7 +9,7 @@ export interface IReq_GetRecentLogs extends plugins.typedrequestInterfaces.imple
 > {
  method: 'getRecentLogs';
  request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
    level?: 'debug' | 'info' | 'warn' | 'error';
    category?: 'smtp' | 'dns' | 'security' | 'system' | 'email';
    limit?: number;
@@ -31,7 +31,7 @@ export interface IReq_GetLogStream extends plugins.typedrequestInterfaces.implem
 > {
  method: 'getLogStream';
  request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
    follow?: boolean;
    filters?: {
      level?: string[];
@@ -41,4 +41,16 @@ export interface IReq_GetLogStream extends plugins.typedrequestInterfaces.implem
  response: {
    logStream: plugins.typedrequestInterfaces.IVirtualStream;
  };
+}
+
+// Push Log Entry (server → client via TypedSocket)
+export interface IReq_PushLogEntry extends plugins.typedrequestInterfaces.implementsTR<
+  plugins.typedrequestInterfaces.ITypedRequest,
+  IReq_PushLogEntry
+> {
+  method: 'pushLogEntry';
+  request: {
+    entry: statsInterfaces.ILogEntry;
+  };
+  response: {};
 }
--- a/ts_interfaces/requests/radius.ts
+++ b/ts_interfaces/requests/radius.ts
@@ -14,7 +14,7 @@ export interface IReq_GetRadiusClients extends plugins.typedrequestInterfaces.im
 > {
  method: 'getRadiusClients';
  request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
  };
  response: {
    clients: Array<{
@@ -35,7 +35,7 @@ export interface IReq_SetRadiusClient extends plugins.typedrequestInterfaces.imp
 > {
  method: 'setRadiusClient';
  request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
    client: {
      name: string;
      ipRange: string;
@@ -59,7 +59,7 @@ export interface IReq_RemoveRadiusClient extends plugins.typedrequestInterfaces.
 > {
  method: 'removeRadiusClient';
  request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
    name: string;
  };
  response: {
@@ -81,7 +81,7 @@ export interface IReq_GetVlanMappings extends plugins.typedrequestInterfaces.imp
 > {
  method: 'getVlanMappings';
  request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
  };
  response: {
    mappings: Array<{
@@ -108,7 +108,7 @@ export interface IReq_SetVlanMapping extends plugins.typedrequestInterfaces.impl
 > {
  method: 'setVlanMapping';
  request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
    mapping: {
      mac: string;
      vlan: number;
@@ -139,7 +139,7 @@ export interface IReq_RemoveVlanMapping extends plugins.typedrequestInterfaces.i
 > {
  method: 'removeVlanMapping';
  request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
    mac: string;
  };
  response: {
@@ -157,7 +157,7 @@ export interface IReq_UpdateVlanConfig extends plugins.typedrequestInterfaces.im
 > {
  method: 'updateVlanConfig';
  request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
    defaultVlan?: number;
    allowUnknownMacs?: boolean;
  };
@@ -179,7 +179,7 @@ export interface IReq_TestVlanAssignment extends plugins.typedrequestInterfaces.
 > {
  method: 'testVlanAssignment';
  request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
    mac: string;
  };
  response: {
@@ -207,7 +207,7 @@ export interface IReq_GetRadiusSessions extends plugins.typedrequestInterfaces.i
 > {
  method: 'getRadiusSessions';
  request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
    filter?: {
      username?: string;
      nasIpAddress?: string;
@@ -243,7 +243,7 @@ export interface IReq_DisconnectRadiusSession extends plugins.typedrequestInterf
 > {
  method: 'disconnectRadiusSession';
  request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
    sessionId: string;
    reason?: string;
  };
@@ -262,7 +262,7 @@ export interface IReq_GetRadiusAccountingSummary extends plugins.typedrequestInt
 > {
  method: 'getRadiusAccountingSummary';
  request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
    startTime: number;
    endTime: number;
  };
@@ -296,7 +296,7 @@ export interface IReq_GetRadiusStatistics extends plugins.typedrequestInterfaces
 > {
  method: 'getRadiusStatistics';
  request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
  };
  response: {
    stats: {
--- a/ts_interfaces/requests/remoteingress.ts
+++ b/ts_interfaces/requests/remoteingress.ts
@@ -15,7 +15,7 @@ export interface IReq_CreateRemoteIngress extends plugins.typedrequestInterfaces
 > {
  method: 'createRemoteIngress';
  request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
    name: string;
    listenPorts?: number[];
    autoDerivePorts?: boolean;
@@ -36,7 +36,7 @@ export interface IReq_DeleteRemoteIngress extends plugins.typedrequestInterfaces
 > {
  method: 'deleteRemoteIngress';
  request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
    id: string;
  };
  response: {
@@ -54,7 +54,7 @@ export interface IReq_UpdateRemoteIngress extends plugins.typedrequestInterfaces
 > {
  method: 'updateRemoteIngress';
  request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
    id: string;
    name?: string;
    listenPorts?: number[];
@@ -77,7 +77,7 @@ export interface IReq_RegenerateRemoteIngressSecret extends plugins.typedrequest
 > {
  method: 'regenerateRemoteIngressSecret';
  request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
    id: string;
  };
  response: {
@@ -95,7 +95,7 @@ export interface IReq_GetRemoteIngresses extends plugins.typedrequestInterfaces.
 > {
  method: 'getRemoteIngresses';
  request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
  };
  response: {
    edges: IRemoteIngress[];
@@ -111,9 +111,30 @@ export interface IReq_GetRemoteIngressStatus extends plugins.typedrequestInterfa
 > {
  method: 'getRemoteIngressStatus';
  request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
  };
  response: {
    statuses: IRemoteIngressStatus[];
  };
 }
+
+/**
+ * Get a connection token for a remote ingress edge.
+ * The token is a single opaque base64url string that encodes hubHost, hubPort, edgeId, and secret.
+ */
+export interface IReq_GetRemoteIngressConnectionToken extends plugins.typedrequestInterfaces.implementsTR<
+  plugins.typedrequestInterfaces.ITypedRequest,
+  IReq_GetRemoteIngressConnectionToken
+> {
+  method: 'getRemoteIngressConnectionToken';
+  request: {
+    identity: authInterfaces.IIdentity;
+    edgeId: string;
+    hubHost?: string;
+  };
+  response: {
+    success: boolean;
+    token?: string;
+    message?: string;
+  };
+}
--- a/ts_interfaces/requests/route-management.ts
+++ b/ts_interfaces/requests/route-management.ts
@@ -0,0 +1,146 @@
+import * as plugins from '../plugins.js';
+import type * as authInterfaces from '../data/auth.js';
+import type { IMergedRoute, IRouteWarning } from '../data/route-management.js';
+import type { IRouteConfig } from '@push.rocks/smartproxy';
+
+// ============================================================================
+// Route Management Endpoints
+// ============================================================================
+
+/**
+ * Get all merged routes (hardcoded + programmatic) with warnings.
+ */
+export interface IReq_GetMergedRoutes extends plugins.typedrequestInterfaces.implementsTR<
+  plugins.typedrequestInterfaces.ITypedRequest,
+  IReq_GetMergedRoutes
+> {
+  method: 'getMergedRoutes';
+  request: {
+    identity?: authInterfaces.IIdentity;
+    apiToken?: string;
+  };
+  response: {
+    routes: IMergedRoute[];
+    warnings: IRouteWarning[];
+  };
+}
+
+/**
+ * Create a new programmatic route.
+ */
+export interface IReq_CreateRoute extends plugins.typedrequestInterfaces.implementsTR<
+  plugins.typedrequestInterfaces.ITypedRequest,
+  IReq_CreateRoute
+> {
+  method: 'createRoute';
+  request: {
+    identity?: authInterfaces.IIdentity;
+    apiToken?: string;
+    route: IRouteConfig;
+    enabled?: boolean;
+  };
+  response: {
+    success: boolean;
+    storedRouteId?: string;
+    message?: string;
+  };
+}
+
+/**
+ * Update a programmatic route.
+ */
+export interface IReq_UpdateRoute extends plugins.typedrequestInterfaces.implementsTR<
+  plugins.typedrequestInterfaces.ITypedRequest,
+  IReq_UpdateRoute
+> {
+  method: 'updateRoute';
+  request: {
+    identity?: authInterfaces.IIdentity;
+    apiToken?: string;
+    id: string;
+    route?: Partial<IRouteConfig>;
+    enabled?: boolean;
+  };
+  response: {
+    success: boolean;
+    message?: string;
+  };
+}
+
+/**
+ * Delete a programmatic route.
+ */
+export interface IReq_DeleteRoute extends plugins.typedrequestInterfaces.implementsTR<
+  plugins.typedrequestInterfaces.ITypedRequest,
+  IReq_DeleteRoute
+> {
+  method: 'deleteRoute';
+  request: {
+    identity?: authInterfaces.IIdentity;
+    apiToken?: string;
+    id: string;
+  };
+  response: {
+    success: boolean;
+    message?: string;
+  };
+}
+
+/**
+ * Set an override on a hardcoded route (disable/enable by name).
+ */
+export interface IReq_SetRouteOverride extends plugins.typedrequestInterfaces.implementsTR<
+  plugins.typedrequestInterfaces.ITypedRequest,
+  IReq_SetRouteOverride
+> {
+  method: 'setRouteOverride';
+  request: {
+    identity?: authInterfaces.IIdentity;
+    apiToken?: string;
+    routeName: string;
+    enabled: boolean;
+  };
+  response: {
+    success: boolean;
+    message?: string;
+  };
+}
+
+/**
+ * Remove an override from a hardcoded route (restore default behavior).
+ */
+export interface IReq_RemoveRouteOverride extends plugins.typedrequestInterfaces.implementsTR<
+  plugins.typedrequestInterfaces.ITypedRequest,
+  IReq_RemoveRouteOverride
+> {
+  method: 'removeRouteOverride';
+  request: {
+    identity?: authInterfaces.IIdentity;
+    apiToken?: string;
+    routeName: string;
+  };
+  response: {
+    success: boolean;
+    message?: string;
+  };
+}
+
+/**
+ * Toggle a programmatic route on/off by id.
+ */
+export interface IReq_ToggleRoute extends plugins.typedrequestInterfaces.implementsTR<
+  plugins.typedrequestInterfaces.ITypedRequest,
+  IReq_ToggleRoute
+> {
+  method: 'toggleRoute';
+  request: {
+    identity?: authInterfaces.IIdentity;
+    apiToken?: string;
+    id: string;
+    enabled: boolean;
+  };
+  response: {
+    success: boolean;
+    message?: string;
+  };
+}
--- a/ts_interfaces/requests/stats.ts
+++ b/ts_interfaces/requests/stats.ts
@@ -9,7 +9,7 @@ export interface IReq_GetServerStatistics extends plugins.typedrequestInterfaces
 > {
  method: 'getServerStatistics';
  request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
    includeHistory?: boolean;
    timeRange?: '1h' | '6h' | '24h' | '7d' | '30d';
  };
@@ -29,7 +29,7 @@ export interface IReq_GetEmailStatistics extends plugins.typedrequestInterfaces.
 > {
  method: 'getEmailStatistics';
  request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
    timeRange?: '1h' | '6h' | '24h' | '7d' | '30d';
    domain?: string;
    includeDetails?: boolean;
@@ -49,7 +49,7 @@ export interface IReq_GetDnsStatistics extends plugins.typedrequestInterfaces.im
 > {
  method: 'getDnsStatistics';
  request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
    timeRange?: '1h' | '6h' | '24h' | '7d' | '30d';
    domain?: string;
    includeQueryTypes?: boolean;
@@ -69,7 +69,7 @@ export interface IReq_GetRateLimitStatus extends plugins.typedrequestInterfaces.
 > {
  method: 'getRateLimitStatus';
  request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
    domain?: string;
    ip?: string;
    includeBlocked?: boolean;
@@ -91,7 +91,7 @@ export interface IReq_GetSecurityMetrics extends plugins.typedrequestInterfaces.
 > {
  method: 'getSecurityMetrics';
  request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
    timeRange?: '1h' | '6h' | '24h' | '7d' | '30d';
    includeDetails?: boolean;
  };
@@ -112,7 +112,7 @@ export interface IReq_GetActiveConnections extends plugins.typedrequestInterface
 > {
  method: 'getActiveConnections';
  request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
    protocol?: 'smtp' | 'smtps' | 'http' | 'https';
    state?: string;
  };
@@ -137,7 +137,7 @@ export interface IReq_GetQueueStatus extends plugins.typedrequestInterfaces.impl
 > {
  method: 'getQueueStatus';
  request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
    queueName?: string;
  };
  response: {
@@ -153,10 +153,31 @@ export interface IReq_GetHealthStatus extends plugins.typedrequestInterfaces.imp
 > {
  method: 'getHealthStatus';
  request: {
-    identity?: authInterfaces.IIdentity;
+    identity: authInterfaces.IIdentity;
    detailed?: boolean;
  };
  response: {
    health: statsInterfaces.IHealthStatus;
  };
+}
+
+// Network Stats (raw SmartProxy network data)
+export interface IReq_GetNetworkStats extends plugins.typedrequestInterfaces.implementsTR<
+  plugins.typedrequestInterfaces.ITypedRequest,
+  IReq_GetNetworkStats
+> {
+  method: 'getNetworkStats';
+  request: {
+    identity: authInterfaces.IIdentity;
+  };
+  response: {
+    connectionsByIP: Array<{ ip: string; count: number }>;
+    throughputRate: { bytesInPerSecond: number; bytesOutPerSecond: number };
+    topIPs: Array<{ ip: string; count: number }>;
+    totalDataTransferred: { bytesIn: number; bytesOut: number };
+    throughputHistory: Array<{ timestamp: number; in: number; out: number }>;
+    throughputByIP: Array<{ ip: string; in: number; out: number }>;
+    requestsPerSecond: number;
+    requestsTotal: number;
+  };
 }
--- a/ts_web/00_commitinfo_data.ts
+++ b/ts_web/00_commitinfo_data.ts
@@ -3,6 +3,6 @@
 */
 export const commitinfo = {
  name: '@serve.zone/dcrouter',
-  version: '6.10.0',
+  version: '11.0.26',
  description: 'A multifaceted routing service handling mail and SMS delivery functions.'
 }
--- a/ts_web/appstate.ts
+++ b/ts_web/appstate.ts
@@ -21,7 +21,7 @@ export interface IStatsState {
 }

 export interface IConfigState {
-  config: any | null;
+  config: interfaces.requests.IConfigData | null;
  isLoading: boolean;
  error: string | null;
 }
@@ -67,14 +67,7 @@ export interface ICertificateState {
 }

 export interface IEmailOpsState {
-  currentView: 'queued' | 'sent' | 'failed' | 'received' | 'security';
-  queuedEmails: interfaces.requests.IEmailQueueItem[];
-  sentEmails: interfaces.requests.IEmailQueueItem[];
-  failedEmails: interfaces.requests.IEmailQueueItem[];
-  securityIncidents: interfaces.requests.ISecurityIncident[];
-  bounceRecords: interfaces.requests.IBounceRecord[];
-  suppressionList: string[];
-  selectedEmailId: string | null;
+  emails: interfaces.requests.IEmail[];
  isLoading: boolean;
  error: string | null;
  lastUpdated: number;
@@ -116,7 +109,7 @@ export const configStatePart = await appState.getStatePart<IConfigState>(
 // Determine initial view from URL path
 const getInitialView = (): string => {
  const path = typeof window !== 'undefined' ? window.location.pathname : '/';
-  const validViews = ['overview', 'network', 'emails', 'logs', 'configuration', 'security', 'certificates', 'remoteingress'];
+  const validViews = ['overview', 'network', 'emails', 'logs', 'routes', 'apitokens', 'configuration', 'security', 'certificates', 'remoteingress'];
  const segments = path.split('/').filter(Boolean);
  const view = segments[0];
  return validViews.includes(view) ? view : 'overview';
@@ -165,14 +158,7 @@ export const networkStatePart = await appState.getStatePart<INetworkState>(
 export const emailOpsStatePart = await appState.getStatePart<IEmailOpsState>(
  'emailOps',
  {
-    currentView: 'queued',
-    queuedEmails: [],
-    sentEmails: [],
-    failedEmails: [],
-    securityIncidents: [],
-    bounceRecords: [],
-    suppressionList: [],
-    selectedEmailId: null,
+    emails: [],
    isLoading: false,
    error: null,
    lastUpdated: 0,
@@ -200,7 +186,7 @@ export interface IRemoteIngressState {
  edges: interfaces.data.IRemoteIngress[];
  statuses: interfaces.data.IRemoteIngressStatus[];
  selectedEdgeId: string | null;
-  newEdgeSecret: string | null;
+  newEdgeId: string | null;
  isLoading: boolean;
  error: string | null;
  lastUpdated: number;
@@ -212,7 +198,33 @@ export const remoteIngressStatePart = await appState.getStatePart<IRemoteIngress
    edges: [],
    statuses: [],
    selectedEdgeId: null,
-    newEdgeSecret: null,
+    newEdgeId: null,
+    isLoading: false,
+    error: null,
+    lastUpdated: 0,
+  },
+  'soft'
+);
+
+// ============================================================================
+// Route Management State
+// ============================================================================
+
+export interface IRouteManagementState {
+  mergedRoutes: interfaces.data.IMergedRoute[];
+  warnings: interfaces.data.IRouteWarning[];
+  apiTokens: interfaces.data.IApiTokenInfo[];
+  isLoading: boolean;
+  error: string | null;
+  lastUpdated: number;
+}
+
+export const routeManagementStatePart = await appState.getStatePart<IRouteManagementState>(
+  'routeManagement',
+  {
+    mergedRoutes: [],
+    warnings: [],
+    apiTokens: [],
    isLoading: false,
    error: null,
    lastUpdated: 0,
@@ -226,9 +238,12 @@ interface IActionContext {
 }

 const getActionContext = (): IActionContext => {
-  return {
-    identity: loginStatePart.getState().identity,
-  };
+  const identity = loginStatePart.getState().identity;
+  // Treat expired JWTs as no identity — prevents stale persisted sessions from firing requests
+  if (identity && identity.expiresAt && identity.expiresAt < Date.now()) {
+    return { identity: null };
+  }
+  return { identity };
 };

 // Login Action
@@ -259,24 +274,23 @@ export const loginAction = loginStatePart.createAction<{
  }
 });

-// Logout Action
+// Logout Action — always clears state, even if identity is expired/missing
 export const logoutAction = loginStatePart.createAction(async (statePartArg) => {
  const context = getActionContext();
-  if (!context.identity) return statePartArg.getState();

-  const typedRequest = new plugins.domtools.plugins.typedrequest.TypedRequest<
-    interfaces.requests.IReq_AdminLogout
-  >('/typedrequest', 'adminLogout');
-
-  try {
-    await typedRequest.fire({
-      identity: context.identity,
-    });
-  } catch (error) {
-    console.error('Logout error:', error);
+  // Try to notify server, but don't block logout if identity is missing/expired
+  if (context.identity) {
+    const typedRequest = new plugins.domtools.plugins.typedrequest.TypedRequest<
+      interfaces.requests.IReq_AdminLogout
+    >('/typedrequest', 'adminLogout');
+    try {
+      await typedRequest.fire({ identity: context.identity });
+    } catch (error) {
+      console.error('Logout error:', error);
+    }
  }

-  // Clear login state regardless
+  // Always clear login state
  return {
    identity: null,
    isLoggedIn: false,
@@ -286,8 +300,8 @@ export const logoutAction = loginStatePart.createAction(async (statePartArg) =>
 // Fetch All Stats Action - Using combined endpoint for efficiency
 export const fetchAllStatsAction = statsStatePart.createAction(async (statePartArg) => {
  const context = getActionContext();
-  
  const currentState = statePartArg.getState();
+  if (!context.identity) return currentState;

  try {
    // Use combined metrics endpoint - single request instead of 4
@@ -328,8 +342,8 @@ export const fetchAllStatsAction = statsStatePart.createAction(async (statePartA
 // Fetch Configuration Action (read-only)
 export const fetchConfigurationAction = configStatePart.createAction(async (statePartArg) => {
  const context = getActionContext();
-
  const currentState = statePartArg.getState();
+  if (!context.identity) return currentState;

  try {
    const configRequest = new plugins.domtools.plugins.typedrequest.TypedRequest<
@@ -361,6 +375,7 @@ export const fetchRecentLogsAction = logStatePart.createAction<{
  category?: 'smtp' | 'dns' | 'security' | 'system' | 'email';
 }>(async (statePartArg, dataArg) => {
  const context = getActionContext();
+  if (!context.identity) return statePartArg.getState();

  const logsRequest = new plugins.domtools.plugins.typedrequest.TypedRequest<
    interfaces.requests.IReq_GetRecentLogs
@@ -406,6 +421,20 @@ export const setActiveViewAction = uiStatePart.createAction<string>(async (state
    }, 100);
  }

+  // If switching to routes view, ensure we fetch route data
+  if (viewName === 'routes' && currentState.activeView !== 'routes') {
+    setTimeout(() => {
+      routeManagementStatePart.dispatchAction(fetchMergedRoutesAction, null);
+    }, 100);
+  }
+
+  // If switching to apitokens view, ensure we fetch token data
+  if (viewName === 'apitokens' && currentState.activeView !== 'apitokens') {
+    setTimeout(() => {
+      routeManagementStatePart.dispatchAction(fetchApiTokensAction, null);
+    }, 100);
+  }
+
  // If switching to remoteingress view, ensure we fetch edge data
  if (viewName === 'remoteingress' && currentState.activeView !== 'remoteingress') {
    setTimeout(() => {
@@ -422,8 +451,8 @@ export const setActiveViewAction = uiStatePart.createAction<string>(async (state
 // Fetch Network Stats Action
 export const fetchNetworkStatsAction = networkStatePart.createAction(async (statePartArg) => {
  const context = getActionContext();
-  
  const currentState = statePartArg.getState();
+  if (!context.identity) return currentState;

  try {
    // Fetch active connections using the existing endpoint
@@ -492,35 +521,23 @@ export const fetchNetworkStatsAction = networkStatePart.createAction(async (stat
 // Email Operations Actions
 // ============================================================================

-// Set Email Ops View Action
-export const setEmailOpsViewAction = emailOpsStatePart.createAction<IEmailOpsState['currentView']>(
-  async (statePartArg, view) => {
-    return {
-      ...statePartArg.getState(),
-      currentView: view,
-    };
-  }
-);
-
-// Fetch Queued Emails Action
-export const fetchQueuedEmailsAction = emailOpsStatePart.createAction(async (statePartArg) => {
+// Fetch All Emails Action
+export const fetchAllEmailsAction = emailOpsStatePart.createAction(async (statePartArg) => {
  const context = getActionContext();
  const currentState = statePartArg.getState();
+  if (!context.identity) return currentState;

  try {
    const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
-      interfaces.requests.IReq_GetQueuedEmails
-    >('/typedrequest', 'getQueuedEmails');
+      interfaces.requests.IReq_GetAllEmails
+    >('/typedrequest', 'getAllEmails');

    const response = await request.fire({
      identity: context.identity,
-      status: 'pending',
-      limit: 100,
    });

    return {
-      ...currentState,
-      queuedEmails: response.items,
+      emails: response.emails,
      isLoading: false,
      error: null,
      lastUpdated: Date.now(),
@@ -529,197 +546,11 @@ export const fetchQueuedEmailsAction = emailOpsStatePart.createAction(async (sta
    return {
      ...currentState,
      isLoading: false,
-      error: error instanceof Error ? error.message : 'Failed to fetch queued emails',
+      error: error instanceof Error ? error.message : 'Failed to fetch emails',
    };
  }
 });

-// Fetch Sent Emails Action
-export const fetchSentEmailsAction = emailOpsStatePart.createAction(async (statePartArg) => {
-  const context = getActionContext();
-  const currentState = statePartArg.getState();
-
-  try {
-    const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
-      interfaces.requests.IReq_GetSentEmails
-    >('/typedrequest', 'getSentEmails');
-
-    const response = await request.fire({
-      identity: context.identity,
-      limit: 100,
-    });
-
-    return {
-      ...currentState,
-      sentEmails: response.items,
-      isLoading: false,
-      error: null,
-      lastUpdated: Date.now(),
-    };
-  } catch (error) {
-    return {
-      ...currentState,
-      isLoading: false,
-      error: error instanceof Error ? error.message : 'Failed to fetch sent emails',
-    };
-  }
-});
-
-// Fetch Failed Emails Action
-export const fetchFailedEmailsAction = emailOpsStatePart.createAction(async (statePartArg) => {
-  const context = getActionContext();
-  const currentState = statePartArg.getState();
-
-  try {
-    const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
-      interfaces.requests.IReq_GetFailedEmails
-    >('/typedrequest', 'getFailedEmails');
-
-    const response = await request.fire({
-      identity: context.identity,
-      limit: 100,
-    });
-
-    return {
-      ...currentState,
-      failedEmails: response.items,
-      isLoading: false,
-      error: null,
-      lastUpdated: Date.now(),
-    };
-  } catch (error) {
-    return {
-      ...currentState,
-      isLoading: false,
-      error: error instanceof Error ? error.message : 'Failed to fetch failed emails',
-    };
-  }
-});
-
-// Fetch Security Incidents Action
-export const fetchSecurityIncidentsAction = emailOpsStatePart.createAction(async (statePartArg) => {
-  const context = getActionContext();
-  const currentState = statePartArg.getState();
-
-  try {
-    const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
-      interfaces.requests.IReq_GetSecurityIncidents
-    >('/typedrequest', 'getSecurityIncidents');
-
-    const response = await request.fire({
-      identity: context.identity,
-      limit: 100,
-    });
-
-    return {
-      ...currentState,
-      securityIncidents: response.incidents,
-      isLoading: false,
-      error: null,
-      lastUpdated: Date.now(),
-    };
-  } catch (error) {
-    return {
-      ...currentState,
-      isLoading: false,
-      error: error instanceof Error ? error.message : 'Failed to fetch security incidents',
-    };
-  }
-});
-
-// Fetch Bounce Records Action
-export const fetchBounceRecordsAction = emailOpsStatePart.createAction(async (statePartArg) => {
-  const context = getActionContext();
-  const currentState = statePartArg.getState();
-
-  try {
-    const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
-      interfaces.requests.IReq_GetBounceRecords
-    >('/typedrequest', 'getBounceRecords');
-
-    const response = await request.fire({
-      identity: context.identity,
-      limit: 100,
-    });
-
-    return {
-      ...currentState,
-      bounceRecords: response.records,
-      suppressionList: response.suppressionList,
-      isLoading: false,
-      error: null,
-      lastUpdated: Date.now(),
-    };
-  } catch (error) {
-    return {
-      ...currentState,
-      isLoading: false,
-      error: error instanceof Error ? error.message : 'Failed to fetch bounce records',
-    };
-  }
-});
-
-// Resend Failed Email Action
-export const resendEmailAction = emailOpsStatePart.createAction<string>(async (statePartArg, emailId) => {
-  const context = getActionContext();
-  const currentState = statePartArg.getState();
-
-  try {
-    const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
-      interfaces.requests.IReq_ResendEmail
-    >('/typedrequest', 'resendEmail');
-
-    const response = await request.fire({
-      identity: context.identity,
-      emailId,
-    });
-
-    if (response.success) {
-      // Refresh failed emails list
-      await emailOpsStatePart.dispatchAction(fetchFailedEmailsAction, null);
-      await emailOpsStatePart.dispatchAction(fetchQueuedEmailsAction, null);
-    }
-
-    return statePartArg.getState();
-  } catch (error) {
-    return {
-      ...currentState,
-      error: error instanceof Error ? error.message : 'Failed to resend email',
-    };
-  }
-});
-
-// Remove from Suppression List Action
-export const removeFromSuppressionListAction = emailOpsStatePart.createAction<string>(
-  async (statePartArg, email) => {
-    const context = getActionContext();
-    const currentState = statePartArg.getState();
-
-    try {
-      const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
-        interfaces.requests.IReq_RemoveFromSuppressionList
-      >('/typedrequest', 'removeFromSuppressionList');
-
-      const response = await request.fire({
-        identity: context.identity,
-        email,
-      });
-
-      if (response.success) {
-        // Refresh bounce records
-        await emailOpsStatePart.dispatchAction(fetchBounceRecordsAction, null);
-      }
-
-      return statePartArg.getState();
-    } catch (error) {
-      return {
-        ...currentState,
-        error: error instanceof Error ? error.message : 'Failed to remove from suppression list',
-      };
-    }
-  }
-);
-
 // ============================================================================
 // Certificate Actions
 // ============================================================================
@@ -727,6 +558,7 @@ export const removeFromSuppressionListAction = emailOpsStatePart.createAction<st
 export const fetchCertificateOverviewAction = certificateStatePart.createAction(async (statePartArg) => {
  const context = getActionContext();
  const currentState = statePartArg.getState();
+  if (!context.identity) return currentState;

  try {
    const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
@@ -754,7 +586,7 @@ export const fetchCertificateOverviewAction = certificateStatePart.createAction(
 });

 export const reprovisionCertificateAction = certificateStatePart.createAction<string>(
-  async (statePartArg, domain) => {
+  async (statePartArg, domain, actionContext) => {
    const context = getActionContext();
    const currentState = statePartArg.getState();

@@ -769,8 +601,7 @@ export const reprovisionCertificateAction = certificateStatePart.createAction<st
      });

      // Re-fetch overview after reprovisioning
-      await certificateStatePart.dispatchAction(fetchCertificateOverviewAction, null);
-      return statePartArg.getState();
+      return await actionContext.dispatch(fetchCertificateOverviewAction, null);
    } catch (error) {
      return {
        ...currentState,
@@ -781,7 +612,7 @@ export const reprovisionCertificateAction = certificateStatePart.createAction<st
 );

 export const deleteCertificateAction = certificateStatePart.createAction<string>(
-  async (statePartArg, domain) => {
+  async (statePartArg, domain, actionContext) => {
    const context = getActionContext();
    const currentState = statePartArg.getState();

@@ -796,8 +627,7 @@ export const deleteCertificateAction = certificateStatePart.createAction<string>
      });

      // Re-fetch overview after deletion
-      await certificateStatePart.dispatchAction(fetchCertificateOverviewAction, null);
-      return statePartArg.getState();
+      return await actionContext.dispatch(fetchCertificateOverviewAction, null);
    } catch (error) {
      return {
        ...currentState,
@@ -816,7 +646,7 @@ export const importCertificateAction = certificateStatePart.createAction<{
  publicKey: string;
  csr: string;
 }>(
-  async (statePartArg, cert) => {
+  async (statePartArg, cert, actionContext) => {
    const context = getActionContext();
    const currentState = statePartArg.getState();

@@ -831,8 +661,7 @@ export const importCertificateAction = certificateStatePart.createAction<{
      });

      // Re-fetch overview after import
-      await certificateStatePart.dispatchAction(fetchCertificateOverviewAction, null);
-      return statePartArg.getState();
+      return await actionContext.dispatch(fetchCertificateOverviewAction, null);
    } catch (error) {
      return {
        ...currentState,
@@ -854,6 +683,18 @@ export async function fetchCertificateExport(domain: string) {
  });
 }

+// ============================================================================
+// Remote Ingress Standalone Functions
+// ============================================================================
+
+export async function fetchConnectionToken(edgeId: string) {
+  const context = getActionContext();
+  const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
+    interfaces.requests.IReq_GetRemoteIngressConnectionToken
+  >('/typedrequest', 'getRemoteIngressConnectionToken');
+  return request.fire({ identity: context.identity, edgeId });
+}
+
 // ============================================================================
 // Remote Ingress Actions
 // ============================================================================
@@ -861,6 +702,7 @@ export async function fetchCertificateExport(domain: string) {
 export const fetchRemoteIngressAction = remoteIngressStatePart.createAction(async (statePartArg) => {
  const context = getActionContext();
  const currentState = statePartArg.getState();
+  if (!context.identity) return currentState;

  try {
    const edgesRequest = new plugins.domtools.plugins.typedrequest.TypedRequest<
@@ -898,7 +740,7 @@ export const createRemoteIngressAction = remoteIngressStatePart.createAction<{
  listenPorts?: number[];
  autoDerivePorts?: boolean;
  tags?: string[];
-}>(async (statePartArg, dataArg) => {
+}>(async (statePartArg, dataArg, actionContext) => {
  const context = getActionContext();
  const currentState = statePartArg.getState();

@@ -916,11 +758,12 @@ export const createRemoteIngressAction = remoteIngressStatePart.createAction<{
    });

    if (response.success) {
-      // Refresh the list and store the new secret for display
-      await remoteIngressStatePart.dispatchAction(fetchRemoteIngressAction, null);
+      // Refresh the list
+      await actionContext.dispatch(fetchRemoteIngressAction, null);
+
      return {
        ...statePartArg.getState(),
-        newEdgeSecret: response.edge.secret,
+        newEdgeId: response.edge.id,
      };
    }

@@ -934,7 +777,7 @@ export const createRemoteIngressAction = remoteIngressStatePart.createAction<{
 });

 export const deleteRemoteIngressAction = remoteIngressStatePart.createAction<string>(
-  async (statePartArg, edgeId) => {
+  async (statePartArg, edgeId, actionContext) => {
    const context = getActionContext();
    const currentState = statePartArg.getState();

@@ -948,8 +791,7 @@ export const deleteRemoteIngressAction = remoteIngressStatePart.createAction<str
        id: edgeId,
      });

-      await remoteIngressStatePart.dispatchAction(fetchRemoteIngressAction, null);
-      return statePartArg.getState();
+      return await actionContext.dispatch(fetchRemoteIngressAction, null);
    } catch (error) {
      return {
        ...currentState,
@@ -965,7 +807,7 @@ export const updateRemoteIngressAction = remoteIngressStatePart.createAction<{
  listenPorts?: number[];
  autoDerivePorts?: boolean;
  tags?: string[];
-}>(async (statePartArg, dataArg) => {
+}>(async (statePartArg, dataArg, actionContext) => {
  const context = getActionContext();
  const currentState = statePartArg.getState();

@@ -983,8 +825,7 @@ export const updateRemoteIngressAction = remoteIngressStatePart.createAction<{
      tags: dataArg.tags,
    });

-    await remoteIngressStatePart.dispatchAction(fetchRemoteIngressAction, null);
-    return statePartArg.getState();
+    return await actionContext.dispatch(fetchRemoteIngressAction, null);
  } catch (error) {
    return {
      ...currentState,
@@ -1011,7 +852,7 @@ export const regenerateRemoteIngressSecretAction = remoteIngressStatePart.create
      if (response.success) {
        return {
          ...currentState,
-          newEdgeSecret: response.secret,
+          newEdgeId: edgeId,
        };
      }

@@ -1025,11 +866,11 @@ export const regenerateRemoteIngressSecretAction = remoteIngressStatePart.create
  }
 );

-export const clearNewEdgeSecretAction = remoteIngressStatePart.createAction(
+export const clearNewEdgeIdAction = remoteIngressStatePart.createAction(
  async (statePartArg) => {
    return {
      ...statePartArg.getState(),
-      newEdgeSecret: null,
+      newEdgeId: null,
    };
  }
 );
@@ -1037,7 +878,7 @@ export const clearNewEdgeSecretAction = remoteIngressStatePart.createAction(
 export const toggleRemoteIngressAction = remoteIngressStatePart.createAction<{
  id: string;
  enabled: boolean;
-}>(async (statePartArg, dataArg) => {
+}>(async (statePartArg, dataArg, actionContext) => {
  const context = getActionContext();
  const currentState = statePartArg.getState();

@@ -1052,8 +893,7 @@ export const toggleRemoteIngressAction = remoteIngressStatePart.createAction<{
      enabled: dataArg.enabled,
    });

-    await remoteIngressStatePart.dispatchAction(fetchRemoteIngressAction, null);
-    return statePartArg.getState();
+    return await actionContext.dispatch(fetchRemoteIngressAction, null);
  } catch (error) {
    return {
      ...currentState,
@@ -1062,11 +902,335 @@ export const toggleRemoteIngressAction = remoteIngressStatePart.createAction<{
  }
 });

+// ============================================================================
+// Route Management Actions
+// ============================================================================
+
+export const fetchMergedRoutesAction = routeManagementStatePart.createAction(async (statePartArg) => {
+  const context = getActionContext();
+  const currentState = statePartArg.getState();
+  if (!context.identity) return currentState;
+
+  try {
+    const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
+      interfaces.requests.IReq_GetMergedRoutes
+    >('/typedrequest', 'getMergedRoutes');
+
+    const response = await request.fire({
+      identity: context.identity,
+    });
+
+    return {
+      ...currentState,
+      mergedRoutes: response.routes,
+      warnings: response.warnings,
+      isLoading: false,
+      error: null,
+      lastUpdated: Date.now(),
+    };
+  } catch (error) {
+    return {
+      ...currentState,
+      isLoading: false,
+      error: error instanceof Error ? error.message : 'Failed to fetch routes',
+    };
+  }
+});
+
+export const createRouteAction = routeManagementStatePart.createAction<{
+  route: any;
+  enabled?: boolean;
+}>(async (statePartArg, dataArg, actionContext) => {
+  const context = getActionContext();
+  const currentState = statePartArg.getState();
+
+  try {
+    const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
+      interfaces.requests.IReq_CreateRoute
+    >('/typedrequest', 'createRoute');
+
+    await request.fire({
+      identity: context.identity,
+      route: dataArg.route,
+      enabled: dataArg.enabled,
+    });
+
+    return await actionContext.dispatch(fetchMergedRoutesAction, null);
+  } catch (error) {
+    return {
+      ...currentState,
+      error: error instanceof Error ? error.message : 'Failed to create route',
+    };
+  }
+});
+
+export const deleteRouteAction = routeManagementStatePart.createAction<string>(
+  async (statePartArg, routeId, actionContext) => {
+    const context = getActionContext();
+    const currentState = statePartArg.getState();
+
+    try {
+      const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
+        interfaces.requests.IReq_DeleteRoute
+      >('/typedrequest', 'deleteRoute');
+
+      await request.fire({
+        identity: context.identity,
+        id: routeId,
+      });
+
+      return await actionContext.dispatch(fetchMergedRoutesAction, null);
+    } catch (error) {
+      return {
+        ...currentState,
+        error: error instanceof Error ? error.message : 'Failed to delete route',
+      };
+    }
+  }
+);
+
+export const toggleRouteAction = routeManagementStatePart.createAction<{
+  id: string;
+  enabled: boolean;
+}>(async (statePartArg, dataArg, actionContext) => {
+  const context = getActionContext();
+  const currentState = statePartArg.getState();
+
+  try {
+    const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
+      interfaces.requests.IReq_ToggleRoute
+    >('/typedrequest', 'toggleRoute');
+
+    await request.fire({
+      identity: context.identity,
+      id: dataArg.id,
+      enabled: dataArg.enabled,
+    });
+
+    return await actionContext.dispatch(fetchMergedRoutesAction, null);
+  } catch (error) {
+    return {
+      ...currentState,
+      error: error instanceof Error ? error.message : 'Failed to toggle route',
+    };
+  }
+});
+
+export const setRouteOverrideAction = routeManagementStatePart.createAction<{
+  routeName: string;
+  enabled: boolean;
+}>(async (statePartArg, dataArg, actionContext) => {
+  const context = getActionContext();
+  const currentState = statePartArg.getState();
+
+  try {
+    const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
+      interfaces.requests.IReq_SetRouteOverride
+    >('/typedrequest', 'setRouteOverride');
+
+    await request.fire({
+      identity: context.identity,
+      routeName: dataArg.routeName,
+      enabled: dataArg.enabled,
+    });
+
+    return await actionContext.dispatch(fetchMergedRoutesAction, null);
+  } catch (error) {
+    return {
+      ...currentState,
+      error: error instanceof Error ? error.message : 'Failed to set override',
+    };
+  }
+});
+
+export const removeRouteOverrideAction = routeManagementStatePart.createAction<string>(
+  async (statePartArg, routeName, actionContext) => {
+    const context = getActionContext();
+    const currentState = statePartArg.getState();
+
+    try {
+      const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
+        interfaces.requests.IReq_RemoveRouteOverride
+      >('/typedrequest', 'removeRouteOverride');
+
+      await request.fire({
+        identity: context.identity,
+        routeName,
+      });
+
+      return await actionContext.dispatch(fetchMergedRoutesAction, null);
+    } catch (error) {
+      return {
+        ...currentState,
+        error: error instanceof Error ? error.message : 'Failed to remove override',
+      };
+    }
+  }
+);
+
+// ============================================================================
+// API Token Actions
+// ============================================================================
+
+export const fetchApiTokensAction = routeManagementStatePart.createAction(async (statePartArg) => {
+  const context = getActionContext();
+  const currentState = statePartArg.getState();
+  if (!context.identity) return currentState;
+
+  try {
+    const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
+      interfaces.requests.IReq_ListApiTokens
+    >('/typedrequest', 'listApiTokens');
+
+    const response = await request.fire({
+      identity: context.identity,
+    });
+
+    return {
+      ...currentState,
+      apiTokens: response.tokens,
+    };
+  } catch (error) {
+    return {
+      ...currentState,
+      error: error instanceof Error ? error.message : 'Failed to fetch tokens',
+    };
+  }
+});
+
+export async function createApiToken(name: string, scopes: interfaces.data.TApiTokenScope[], expiresInDays?: number | null) {
+  const context = getActionContext();
+  const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
+    interfaces.requests.IReq_CreateApiToken
+  >('/typedrequest', 'createApiToken');
+
+  return request.fire({
+    identity: context.identity,
+    name,
+    scopes,
+    expiresInDays,
+  });
+}
+
+export async function rollApiToken(id: string) {
+  const context = getActionContext();
+  const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
+    interfaces.requests.IReq_RollApiToken
+  >('/typedrequest', 'rollApiToken');
+
+  return request.fire({
+    identity: context.identity,
+    id,
+  });
+}
+
+export const revokeApiTokenAction = routeManagementStatePart.createAction<string>(
+  async (statePartArg, tokenId, actionContext) => {
+    const context = getActionContext();
+    const currentState = statePartArg.getState();
+
+    try {
+      const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
+        interfaces.requests.IReq_RevokeApiToken
+      >('/typedrequest', 'revokeApiToken');
+
+      await request.fire({
+        identity: context.identity,
+        id: tokenId,
+      });
+
+      return await actionContext.dispatch(fetchApiTokensAction, null);
+    } catch (error) {
+      return {
+        ...currentState,
+        error: error instanceof Error ? error.message : 'Failed to revoke token',
+      };
+    }
+  }
+);
+
+export const toggleApiTokenAction = routeManagementStatePart.createAction<{
+  id: string;
+  enabled: boolean;
+}>(async (statePartArg, dataArg, actionContext) => {
+  const context = getActionContext();
+  const currentState = statePartArg.getState();
+
+  try {
+    const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
+      interfaces.requests.IReq_ToggleApiToken
+    >('/typedrequest', 'toggleApiToken');
+
+    await request.fire({
+      identity: context.identity,
+      id: dataArg.id,
+      enabled: dataArg.enabled,
+    });
+
+    return await actionContext.dispatch(fetchApiTokensAction, null);
+  } catch (error) {
+    return {
+      ...currentState,
+      error: error instanceof Error ? error.message : 'Failed to toggle token',
+    };
+  }
+});
+
+// ============================================================================
+// TypedSocket Client for Real-time Log Streaming
+// ============================================================================
+
+let socketClient: plugins.typedsocket.TypedSocket | null = null;
+const socketRouter = new plugins.domtools.plugins.typedrequest.TypedRouter();
+
+// Register handler for pushed log entries from the server
+socketRouter.addTypedHandler(
+  new plugins.domtools.plugins.typedrequest.TypedHandler<interfaces.requests.IReq_PushLogEntry>(
+    'pushLogEntry',
+    async (dataArg) => {
+      const current = logStatePart.getState();
+      const updated = [...current.recentLogs, dataArg.entry];
+      // Cap at 2000 entries
+      if (updated.length > 2000) {
+        updated.splice(0, updated.length - 2000);
+      }
+      logStatePart.setState({ ...current, recentLogs: updated });
+      return {};
+    }
+  )
+);
+
+async function connectSocket() {
+  if (socketClient) return;
+  try {
+    socketClient = await plugins.typedsocket.TypedSocket.createClient(
+      socketRouter,
+      plugins.typedsocket.TypedSocket.useWindowLocationOriginUrl(),
+    );
+    await socketClient.setTag('role', 'ops_dashboard');
+  } catch (err) {
+    console.error('TypedSocket connection failed:', err);
+    socketClient = null;
+  }
+}
+
+async function disconnectSocket() {
+  if (socketClient) {
+    try {
+      await socketClient.stop();
+    } catch {
+      // ignore disconnect errors
+    }
+    socketClient = null;
+  }
+}
+
 // Combined refresh action for efficient polling
 async function dispatchCombinedRefreshAction() {
  const context = getActionContext();
+  if (!context.identity) return;
  const currentView = uiStatePart.getState().activeView;
-  
+
  try {
    // Always fetch basic stats for dashboard widgets
    const combinedRequest = new plugins.domtools.plugins.typedrequest.TypedRequest<
@@ -1165,8 +1329,23 @@ async function dispatchCombinedRefreshAction() {
        console.error('Certificate refresh failed:', error);
      }
    }
+
+    // Refresh remote ingress data if on remoteingress view
+    if (currentView === 'remoteingress') {
+      try {
+        await remoteIngressStatePart.dispatchAction(fetchRemoteIngressAction, null);
+      } catch (error) {
+        console.error('Remote ingress refresh failed:', error);
+      }
+    }
  } catch (error) {
    console.error('Combined refresh failed:', error);
+    // If the error looks like an auth failure (invalid JWT), force re-login
+    const errMsg = String(error);
+    if (errMsg.includes('invalid') || errMsg.includes('unauthorized') || errMsg.includes('401')) {
+      await loginStatePart.dispatchAction(logoutAction, null);
+      window.location.reload();
+    }
  }
 }

@@ -1224,9 +1403,21 @@ let currentRefreshRate = 1000; // Track current refresh rate to avoid unnecessar
    if (state.isLoggedIn !== previousIsLoggedIn) {
      previousIsLoggedIn = state.isLoggedIn;
      startAutoRefresh();
+
+      // Connect/disconnect TypedSocket based on login state
+      if (state.isLoggedIn) {
+        connectSocket();
+      } else {
+        disconnectSocket();
+      }
    }
  });

  // Initial start
  startAutoRefresh();
+
+  // Connect TypedSocket if already logged in (e.g., persistent session)
+  if (loginStatePart.getState().isLoggedIn) {
+    connectSocket();
+  }
 })();
--- a/ts_web/elements/index.ts
+++ b/ts_web/elements/index.ts
@@ -4,6 +4,8 @@ export * from './ops-view-network.js';
 export * from './ops-view-emails.js';
 export * from './ops-view-logs.js';
 export * from './ops-view-config.js';
+export * from './ops-view-routes.js';
+export * from './ops-view-apitokens.js';
 export * from './ops-view-security.js';
 export * from './ops-view-certificates.js';
 export * from './ops-view-remoteingress.js';
--- a/ts_web/elements/ops-dashboard.ts
+++ b/ts_web/elements/ops-dashboard.ts
@@ -1,5 +1,6 @@
 import * as plugins from '../plugins.js';
 import * as appstate from '../appstate.js';
+import * as interfaces from '../../dist_ts_interfaces/index.js';
 import { appRouter } from '../router.js';

 import {
@@ -18,6 +19,8 @@ import { OpsViewNetwork } from './ops-view-network.js';
 import { OpsViewEmails } from './ops-view-emails.js';
 import { OpsViewLogs } from './ops-view-logs.js';
 import { OpsViewConfig } from './ops-view-config.js';
+import { OpsViewRoutes } from './ops-view-routes.js';
+import { OpsViewApiTokens } from './ops-view-apitokens.js';
 import { OpsViewSecurity } from './ops-view-security.js';
 import { OpsViewCertificates } from './ops-view-certificates.js';
 import { OpsViewRemoteIngress } from './ops-view-remoteingress.js';
@@ -41,34 +44,52 @@ export class OpsDashboard extends DeesElement {
  private viewTabs = [
    {
      name: 'Overview',
+      iconName: 'lucide:layoutDashboard',
      element: OpsViewOverview,
    },
+    {
+      name: 'Configuration',
+      iconName: 'lucide:settings',
+      element: OpsViewConfig,
+    },
    {
      name: 'Network',
+      iconName: 'lucide:network',
      element: OpsViewNetwork,
    },
    {
      name: 'Emails',
+      iconName: 'lucide:mail',
      element: OpsViewEmails,
    },
    {
      name: 'Logs',
+      iconName: 'lucide:scrollText',
      element: OpsViewLogs,
    },
    {
-      name: 'Configuration',
-      element: OpsViewConfig,
+      name: 'Routes',
+      iconName: 'lucide:route',
+      element: OpsViewRoutes,
+    },
+    {
+      name: 'ApiTokens',
+      iconName: 'lucide:key',
+      element: OpsViewApiTokens,
    },
    {
      name: 'Security',
+      iconName: 'lucide:shield',
      element: OpsViewSecurity,
    },
    {
      name: 'Certificates',
+      iconName: 'lucide:badgeCheck',
      element: OpsViewCertificates,
    },
    {
      name: 'RemoteIngress',
+      iconName: 'lucide:globe',
      element: OpsViewRemoteIngress,
    },
  ];
@@ -198,13 +219,27 @@ export class OpsDashboard extends DeesElement {
    // Handle initial state - check if we have a stored session that's still valid
    const loginState = appstate.loginStatePart.getState();
    if (loginState.identity?.jwt) {
-      // Verify JWT hasn't expired
      if (loginState.identity.expiresAt > Date.now()) {
-        // JWT still valid, restore logged-in state
-        this.loginState = loginState;
-        await simpleLogin.switchToSlottedContent();
-        await appstate.statsStatePart.dispatchAction(appstate.fetchAllStatsAction, null);
-        await appstate.configStatePart.dispatchAction(appstate.fetchConfigurationAction, null);
+        // Client-side expiry looks valid — verify with server (keypair may have changed)
+        try {
+          const verifyRequest = new plugins.domtools.plugins.typedrequest.TypedRequest<
+            interfaces.requests.IReq_VerifyIdentity
+          >('/typedrequest', 'verifyIdentity');
+          const response = await verifyRequest.fire({ identity: loginState.identity });
+          if (response.valid) {
+            // JWT confirmed valid by server
+            this.loginState = loginState;
+            await simpleLogin.switchToSlottedContent();
+            await appstate.statsStatePart.dispatchAction(appstate.fetchAllStatsAction, null);
+            await appstate.configStatePart.dispatchAction(appstate.fetchConfigurationAction, null);
+          } else {
+            // Server rejected the JWT — clear state, show login
+            await appstate.loginStatePart.dispatchAction(appstate.logoutAction, null);
+          }
+        } catch {
+          // Server unreachable or error — clear state, show login
+          await appstate.loginStatePart.dispatchAction(appstate.logoutAction, null);
+        }
      } else {
        // JWT expired, clear the stored state
        await appstate.loginStatePart.dispatchAction(appstate.logoutAction, null);
--- a/ts_web/elements/ops-view-apitokens.ts
+++ b/ts_web/elements/ops-view-apitokens.ts
@@ -0,0 +1,348 @@
+import * as appstate from '../appstate.js';
+import * as interfaces from '../../dist_ts_interfaces/index.js';
+import { viewHostCss } from './shared/css.js';
+
+import {
+  DeesElement,
+  css,
+  cssManager,
+  customElement,
+  html,
+  state,
+  type TemplateResult,
+} from '@design.estate/dees-element';
+
+type TApiTokenScope = interfaces.data.TApiTokenScope;
+
+@customElement('ops-view-apitokens')
+export class OpsViewApiTokens extends DeesElement {
+  @state() accessor routeState: appstate.IRouteManagementState = {
+    mergedRoutes: [],
+    warnings: [],
+    apiTokens: [],
+    isLoading: false,
+    error: null,
+    lastUpdated: 0,
+  };
+
+  constructor() {
+    super();
+    const sub = appstate.routeManagementStatePart
+      .select((s) => s)
+      .subscribe((routeState) => {
+        this.routeState = routeState;
+      });
+    this.rxSubscriptions.push(sub);
+
+    // Re-fetch tokens when user logs in (fixes race condition where
+    // the view is created before authentication completes)
+    const loginSub = appstate.loginStatePart
+      .select((s) => s.isLoggedIn)
+      .subscribe((isLoggedIn) => {
+        if (isLoggedIn) {
+          appstate.routeManagementStatePart.dispatchAction(appstate.fetchApiTokensAction, null);
+        }
+      });
+    this.rxSubscriptions.push(loginSub);
+  }
+
+  public static styles = [
+    cssManager.defaultStyles,
+    viewHostCss,
+    css`
+      .apiTokensContainer {
+        display: flex;
+        flex-direction: column;
+        gap: 24px;
+      }
+
+      .scopePill {
+        display: inline-flex;
+        align-items: center;
+        padding: 2px 6px;
+        border-radius: 3px;
+        font-size: 11px;
+        background: ${cssManager.bdTheme('rgba(0, 130, 200, 0.1)', 'rgba(0, 170, 255, 0.1)')};
+        color: ${cssManager.bdTheme('#0369a1', '#0af')};
+        margin-right: 4px;
+        margin-bottom: 2px;
+      }
+
+      .statusBadge {
+        display: inline-flex;
+        align-items: center;
+        padding: 3px 10px;
+        border-radius: 12px;
+        font-size: 12px;
+        font-weight: 600;
+        letter-spacing: 0.02em;
+        text-transform: uppercase;
+      }
+
+      .statusBadge.active {
+        background: ${cssManager.bdTheme('#dcfce7', '#14532d')};
+        color: ${cssManager.bdTheme('#166534', '#4ade80')};
+      }
+
+      .statusBadge.disabled {
+        background: ${cssManager.bdTheme('#fef2f2', '#450a0a')};
+        color: ${cssManager.bdTheme('#991b1b', '#f87171')};
+      }
+
+      .statusBadge.expired {
+        background: ${cssManager.bdTheme('#f3f4f6', '#374151')};
+        color: ${cssManager.bdTheme('#6b7280', '#9ca3af')};
+      }
+    `,
+  ];
+
+  public render(): TemplateResult {
+    const { apiTokens } = this.routeState;
+
+    return html`
+      <ops-sectionheading>API Tokens</ops-sectionheading>
+
+      <div class="apiTokensContainer">
+        <dees-table
+          .heading1=${'API Tokens'}
+          .heading2=${'Manage programmatic access tokens'}
+          .data=${apiTokens}
+          .dataName=${'token'}
+          .searchable=${true}
+          .displayFunction=${(token: interfaces.data.IApiTokenInfo) => ({
+            name: token.name,
+            scopes: this.renderScopePills(token.scopes),
+            status: this.renderStatusBadge(token),
+            created: new Date(token.createdAt).toLocaleDateString(),
+            expires: token.expiresAt ? new Date(token.expiresAt).toLocaleDateString() : 'Never',
+            lastUsed: token.lastUsedAt ? new Date(token.lastUsedAt).toLocaleDateString() : 'Never',
+          })}
+          .dataActions=${[
+            {
+              name: 'Create Token',
+              iconName: 'lucide:plus',
+              type: ['header'],
+              actionFunc: async () => {
+                await this.showCreateTokenDialog();
+              },
+            },
+            {
+              name: 'Enable',
+              iconName: 'lucide:play',
+              type: ['inRow', 'contextmenu'] as any,
+              actionRelevancyCheckFunc: (actionData: any) => !actionData.item.enabled,
+              actionFunc: async (actionData: any) => {
+                const token = actionData.item as interfaces.data.IApiTokenInfo;
+                await appstate.routeManagementStatePart.dispatchAction(
+                  appstate.toggleApiTokenAction,
+                  { id: token.id, enabled: true },
+                );
+              },
+            },
+            {
+              name: 'Disable',
+              iconName: 'lucide:pause',
+              type: ['inRow', 'contextmenu'] as any,
+              actionRelevancyCheckFunc: (actionData: any) => actionData.item.enabled,
+              actionFunc: async (actionData: any) => {
+                const token = actionData.item as interfaces.data.IApiTokenInfo;
+                await appstate.routeManagementStatePart.dispatchAction(
+                  appstate.toggleApiTokenAction,
+                  { id: token.id, enabled: false },
+                );
+              },
+            },
+            {
+              name: 'Roll',
+              iconName: 'lucide:rotateCw',
+              type: ['inRow', 'contextmenu'] as any,
+              actionFunc: async (actionData: any) => {
+                const token = actionData.item as interfaces.data.IApiTokenInfo;
+                await this.showRollTokenDialog(token);
+              },
+            },
+            {
+              name: 'Revoke',
+              iconName: 'lucide:trash2',
+              type: ['inRow', 'contextmenu'] as any,
+              actionFunc: async (actionData: any) => {
+                const token = actionData.item as interfaces.data.IApiTokenInfo;
+                await appstate.routeManagementStatePart.dispatchAction(
+                  appstate.revokeApiTokenAction,
+                  token.id,
+                );
+              },
+            },
+          ]}
+        ></dees-table>
+      </div>
+    `;
+  }
+
+  private renderScopePills(scopes: TApiTokenScope[]): TemplateResult {
+    return html`<div style="display: flex; flex-wrap: wrap; gap: 2px;">${scopes.map(
+      (s) => html`<span class="scopePill">${s}</span>`,
+    )}</div>`;
+  }
+
+  private renderStatusBadge(token: interfaces.data.IApiTokenInfo): TemplateResult {
+    if (!token.enabled) {
+      return html`<span class="statusBadge disabled">Disabled</span>`;
+    }
+    if (token.expiresAt && token.expiresAt < Date.now()) {
+      return html`<span class="statusBadge expired">Expired</span>`;
+    }
+    return html`<span class="statusBadge active">Active</span>`;
+  }
+
+  private async showCreateTokenDialog() {
+    const { DeesModal } = await import('@design.estate/dees-catalog');
+
+    const allScopes: TApiTokenScope[] = [
+      'routes:read',
+      'routes:write',
+      'config:read',
+      'tokens:read',
+      'tokens:manage',
+    ];
+
+    await DeesModal.createAndShow({
+      heading: 'Create API Token',
+      content: html`
+        <div style="color: #888; margin-bottom: 12px; font-size: 13px;">
+          The token value will be shown once after creation. Copy it immediately.
+        </div>
+        <dees-form>
+          <dees-input-text .key=${'name'} .label=${'Token Name'} .required=${true}></dees-input-text>
+          <dees-input-tags
+            .key=${'scopes'}
+            .label=${'Token Scopes'}
+            .value=${['routes:read', 'routes:write']}
+            .suggestions=${allScopes}
+            .required=${true}
+          ></dees-input-tags>
+          <dees-input-text .key=${'expiresInDays'} .label=${'Expires in (days, blank = never)'}></dees-input-text>
+        </dees-form>
+      `,
+      menuOptions: [
+        {
+          name: 'Cancel',
+          iconName: 'lucide:x',
+          action: async (modalArg: any) => await modalArg.destroy(),
+        },
+        {
+          name: 'Create',
+          iconName: 'lucide:key',
+          action: async (modalArg: any) => {
+            const contentEl = modalArg.shadowRoot?.querySelector('.content');
+            const form = contentEl?.querySelector('dees-form');
+            if (!form) return;
+            const formData = await form.collectFormData();
+            if (!formData.name) return;
+
+            // dees-input-tags is not in dees-form's FORM_INPUT_TYPES, so collectFormData() won't
+            // include it. Query the tags input directly and call getValue().
+            const tagsInput = form.querySelector('dees-input-tags') as any;
+            const rawScopes: string[] = tagsInput?.getValue?.() || tagsInput?.value || formData.scopes || [];
+            const scopes = rawScopes
+              .filter((s: string) => allScopes.includes(s as any)) as TApiTokenScope[];
+
+            const expiresInDays = formData.expiresInDays
+              ? parseInt(formData.expiresInDays, 10)
+              : null;
+
+            await modalArg.destroy();
+
+            try {
+              const response = await appstate.createApiToken(formData.name, scopes, expiresInDays);
+              if (response.success && response.tokenValue) {
+                // Refresh the list first so it's ready when user dismisses the modal
+                await appstate.routeManagementStatePart.dispatchAction(appstate.fetchApiTokensAction, null);
+
+                // Show the token value in a new modal
+                await DeesModal.createAndShow({
+                  heading: 'Token Created',
+                  content: html`
+                    <div style="color: #ccc; padding: 8px 0;">
+                      <p>Copy this token now. It will not be shown again.</p>
+                      <div style="background: #111; padding: 12px; border-radius: 6px; margin-top: 8px;">
+                        <code style="color: #0f8; word-break: break-all; font-size: 13px;">${response.tokenValue}</code>
+                      </div>
+                    </div>
+                  `,
+                  menuOptions: [
+                    {
+                      name: 'Done',
+                      iconName: 'lucide:check',
+                      action: async (m: any) => await m.destroy(),
+                    },
+                  ],
+                });
+              }
+            } catch (error) {
+              console.error('Failed to create token:', error);
+            }
+          },
+        },
+      ],
+    });
+  }
+
+  private async showRollTokenDialog(token: interfaces.data.IApiTokenInfo) {
+    const { DeesModal } = await import('@design.estate/dees-catalog');
+
+    await DeesModal.createAndShow({
+      heading: 'Roll Token Secret',
+      content: html`
+        <div style="color: #ccc; padding: 8px 0;">
+          <p>This will regenerate the secret for <strong>${token.name}</strong>. The old token value will stop working immediately.</p>
+        </div>
+      `,
+      menuOptions: [
+        {
+          name: 'Cancel',
+          iconName: 'lucide:x',
+          action: async (modalArg: any) => await modalArg.destroy(),
+        },
+        {
+          name: 'Roll Token',
+          iconName: 'lucide:rotateCw',
+          action: async (modalArg: any) => {
+            await modalArg.destroy();
+            try {
+              const response = await appstate.rollApiToken(token.id);
+              if (response.success && response.tokenValue) {
+                await appstate.routeManagementStatePart.dispatchAction(appstate.fetchApiTokensAction, null);
+
+                await DeesModal.createAndShow({
+                  heading: 'Token Rolled',
+                  content: html`
+                    <div style="color: #ccc; padding: 8px 0;">
+                      <p>Copy this token now. It will not be shown again.</p>
+                      <div style="background: #111; padding: 12px; border-radius: 6px; margin-top: 8px;">
+                        <code style="color: #0f8; word-break: break-all; font-size: 13px;">${response.tokenValue}</code>
+                      </div>
+                    </div>
+                  `,
+                  menuOptions: [
+                    {
+                      name: 'Done',
+                      iconName: 'lucide:check',
+                      action: async (m: any) => await m.destroy(),
+                    },
+                  ],
+                });
+              }
+            } catch (error) {
+              console.error('Failed to roll token:', error);
+            }
+          },
+        },
+      ],
+    });
+  }
+
+  async firstUpdated() {
+    await appstate.routeManagementStatePart.dispatchAction(appstate.fetchApiTokensAction, null);
+  }
+}
--- a/ts_web/elements/ops-view-certificates.ts
+++ b/ts_web/elements/ops-view-certificates.ts
@@ -382,7 +382,7 @@ export class OpsViewCertificates extends DeesElement {
          },
          {
            name: 'View Details',
-            iconName: 'lucide:Search',
+            iconName: 'fa:magnifyingGlass',
            type: ['doubleClick', 'contextmenu'],
            actionFunc: async (actionData: { item: interfaces.requests.ICertificateInfo }) => {
              const cert = actionData.item;
--- a/ts_web/elements/ops-view-config.ts
+++ b/ts_web/elements/ops-view-config.ts
@@ -1,6 +1,7 @@
 import * as plugins from '../plugins.js';
 import * as shared from './shared/index.js';
 import * as appstate from '../appstate.js';
+import { appRouter } from '../router.js';

 import {
  DeesElement,
@@ -12,6 +13,8 @@ import {
  type TemplateResult,
 } from '@design.estate/dees-element';

+import type { IConfigField, IConfigSectionAction } from '@serve.zone/catalog';
+
@customElement('ops-view-config')
 export class OpsViewConfig extends DeesElement {
  @state()
@@ -35,165 +38,19 @@ export class OpsViewConfig extends DeesElement {
    cssManager.defaultStyles,
    shared.viewHostCss,
    css`
-      .configSection {
-        background: ${cssManager.bdTheme('#fff', '#222')};
-        border: 1px solid ${cssManager.bdTheme('#e9ecef', '#333')};
-        border-radius: 8px;
-        margin-bottom: 24px;
-        overflow: hidden;
-      }
-
-      .sectionHeader {
-        background: ${cssManager.bdTheme('#f8f9fa', '#1a1a1a')};
-        padding: 16px 24px;
-        border-bottom: 1px solid ${cssManager.bdTheme('#e9ecef', '#333')};
-        display: flex;
-        justify-content: space-between;
-        align-items: center;
-      }
-
-      .sectionTitle {
-        font-size: 18px;
-        font-weight: 600;
-        color: ${cssManager.bdTheme('#333', '#ccc')};
-        display: flex;
-        align-items: center;
-        gap: 12px;
-      }
-
-      .sectionTitle dees-icon {
-        font-size: 20px;
-        color: ${cssManager.bdTheme('#666', '#888')};
-      }
-
-      .sectionContent {
-        padding: 24px;
-      }
-
-      .configField {
-        margin-bottom: 20px;
-      }
-
-      .configField:last-child {
-        margin-bottom: 0;
-      }
-
-      .fieldLabel {
-        font-size: 13px;
-        font-weight: 600;
-        color: ${cssManager.bdTheme('#666', '#999')};
-        margin-bottom: 8px;
-        display: block;
-        text-transform: uppercase;
-        letter-spacing: 0.5px;
-      }
-
-      .fieldValue {
-        font-family: 'Consolas', 'Monaco', monospace;
-        font-size: 14px;
-        color: ${cssManager.bdTheme('#333', '#ccc')};
-        background: ${cssManager.bdTheme('#f8f9fa', '#1a1a1a')};
-        padding: 10px 14px;
-        border-radius: 6px;
-        border: 1px solid ${cssManager.bdTheme('#e9ecef', '#333')};
-      }
-
-      .fieldValue.empty {
-        color: ${cssManager.bdTheme('#999', '#666')};
-        font-style: italic;
-      }
-
-      .nestedFields {
-        margin-left: 16px;
-        padding-left: 16px;
-        border-left: 2px solid ${cssManager.bdTheme('#e9ecef', '#333')};
-      }
-
-      /* Status badge styles */
-      .statusBadge {
-        display: inline-flex;
-        align-items: center;
-        gap: 6px;
-        padding: 4px 12px;
-        border-radius: 20px;
-        font-size: 13px;
-        font-weight: 600;
-      }
-
-      .statusBadge.enabled {
-        background: ${cssManager.bdTheme('#d4edda', '#1a3d1a')};
-        color: ${cssManager.bdTheme('#155724', '#66cc66')};
-      }
-
-      .statusBadge.disabled {
-        background: ${cssManager.bdTheme('#f8d7da', '#3d1a1a')};
-        color: ${cssManager.bdTheme('#721c24', '#cc6666')};
-      }
-
-      .statusBadge dees-icon {
-        font-size: 14px;
-      }
-
-      /* Array/list display */
-      .arrayItems {
-        display: flex;
-        flex-wrap: wrap;
-        gap: 8px;
-      }
-
-      .arrayItem {
-        display: inline-flex;
-        align-items: center;
-        background: ${cssManager.bdTheme('#e7f3ff', '#1a2a3d')};
-        color: ${cssManager.bdTheme('#0066cc', '#66aaff')};
-        padding: 4px 12px;
-        border-radius: 16px;
-        font-size: 13px;
-        font-family: 'Consolas', 'Monaco', monospace;
-      }
-
-      .arrayCount {
-        font-size: 12px;
-        color: ${cssManager.bdTheme('#999', '#666')};
-        margin-bottom: 8px;
-      }
-
-      /* Numeric value formatting */
-      .numericValue {
-        font-weight: 600;
-        color: ${cssManager.bdTheme('#0066cc', '#66aaff')};
-      }
-
-      .errorMessage {
-        background: ${cssManager.bdTheme('#fee', '#4a1f1f')};
-        border: 1px solid ${cssManager.bdTheme('#fcc', '#6a2f2f')};
-        border-radius: 4px;
-        padding: 16px;
-        color: ${cssManager.bdTheme('#c00', '#ff6666')};
-        margin: 16px 0;
-      }
-
      .loadingMessage {
        text-align: center;
        padding: 40px;
-        color: ${cssManager.bdTheme('#666', '#999')};
+        color: ${cssManager.bdTheme('#71717a', '#a1a1aa')};
      }

-      .infoNote {
-        background: ${cssManager.bdTheme('#e7f3ff', '#1a2a3d')};
-        border: 1px solid ${cssManager.bdTheme('#b3d7ff', '#2a4a6d')};
+      .errorMessage {
+        background: ${cssManager.bdTheme('#fee2e2', 'rgba(239,68,68,0.1)')};
+        border: 1px solid ${cssManager.bdTheme('#fecaca', 'rgba(239,68,68,0.3)')};
        border-radius: 8px;
        padding: 16px;
-        margin-bottom: 24px;
-        color: ${cssManager.bdTheme('#004085', '#88ccff')};
-        display: flex;
-        align-items: center;
-        gap: 12px;
-      }
-
-      .infoNote dees-icon {
-        font-size: 20px;
-        flex-shrink: 0;
+        color: ${cssManager.bdTheme('#dc2626', '#ef4444')};
+        margin: 16px 0;
      }
    `,
  ];
@@ -202,185 +59,276 @@ export class OpsViewConfig extends DeesElement {
    return html`
      <ops-sectionheading>Configuration</ops-sectionheading>

-      ${this.configState.isLoading ? html`
-        <div class="loadingMessage">
-          <dees-spinner></dees-spinner>
-          <p>Loading configuration...</p>
-        </div>
-      ` : this.configState.error ? html`
-        <div class="errorMessage">
-          Error loading configuration: ${this.configState.error}
-        </div>
-      ` : this.configState.config ? html`
-        <div class="infoNote">
-          <dees-icon icon="lucide:info"></dees-icon>
-          <span>This view displays the current running configuration. DcRouter is configured through code or remote management.</span>
-        </div>
-
-        ${this.renderConfigSection('email', 'Email', 'lucide:mail', this.configState.config?.email)}
-        ${this.renderConfigSection('dns', 'DNS', 'lucide:globe', this.configState.config?.dns)}
-        ${this.renderConfigSection('proxy', 'Proxy', 'lucide:network', this.configState.config?.proxy)}
-        ${this.renderConfigSection('security', 'Security', 'lucide:shield', this.configState.config?.security)}
-      ` : html`
-        <div class="errorMessage">No configuration loaded</div>
-      `}
-    `;
-  }
-
-  private renderConfigSection(key: string, title: string, icon: string, config: any) {
-    const isEnabled = config?.enabled ?? false;
-
-    return html`
-      <div class="configSection">
-        <div class="sectionHeader">
-          <h3 class="sectionTitle">
-            <dees-icon icon="${icon}"></dees-icon>
-            ${title}
-          </h3>
-          ${this.renderStatusBadge(isEnabled)}
-        </div>
-        <div class="sectionContent">
-          ${config ? this.renderConfigFields(config) : html`
-            <div class="fieldValue empty">Not configured</div>
-          `}
-        </div>
-      </div>
-    `;
-  }
-
-  private renderStatusBadge(enabled: boolean): TemplateResult {
-    return enabled
-      ? html`<span class="statusBadge enabled"><dees-icon icon="lucide:check"></dees-icon>Enabled</span>`
-      : html`<span class="statusBadge disabled"><dees-icon icon="lucide:x"></dees-icon>Disabled</span>`;
-  }
-
-  private renderConfigFields(config: any, prefix = ''): TemplateResult | TemplateResult[] {
-    if (!config || typeof config !== 'object') {
-      return html`<div class="fieldValue">${this.formatValue(config)}</div>`;
-    }
-
-    return Object.entries(config).map(([key, value]) => {
-      const fieldName = prefix ? `${prefix}.${key}` : key;
-      const displayName = this.formatFieldName(key);
-
-      // Handle boolean values with badges
-      if (typeof value === 'boolean') {
-        return html`
-          <div class="configField">
-            <label class="fieldLabel">${displayName}</label>
-            ${this.renderStatusBadge(value)}
-          </div>
-        `;
-      }
-
-      // Handle arrays
-      if (Array.isArray(value)) {
-        return html`
-          <div class="configField">
-            <label class="fieldLabel">${displayName}</label>
-            ${this.renderArrayValue(value, key)}
-          </div>
-        `;
-      }
-
-      // Handle nested objects
-      if (typeof value === 'object' && value !== null) {
-        return html`
-          <div class="configField">
-            <label class="fieldLabel">${displayName}</label>
-            <div class="nestedFields">
-              ${this.renderConfigFields(value, fieldName)}
+      ${this.configState.isLoading
+        ? html`
+            <div class="loadingMessage">
+              <dees-spinner></dees-spinner>
+              <p>Loading configuration...</p>
            </div>
-          </div>
-        `;
-      }
-
-      // Handle primitive values
-      return html`
-        <div class="configField">
-          <label class="fieldLabel">${displayName}</label>
-          <div class="fieldValue">${this.formatValue(value, key)}</div>
-        </div>
-      `;
-    });
-  }
-
-  private renderArrayValue(arr: any[], fieldKey: string): TemplateResult {
-    if (arr.length === 0) {
-      return html`<div class="fieldValue empty">None configured</div>`;
-    }
-
-    // Determine if we should show as pills/tags
-    const showAsPills = arr.every(item => typeof item === 'string' || typeof item === 'number');
-
-    if (showAsPills) {
-      const itemLabel = this.getArrayItemLabel(fieldKey, arr.length);
-      return html`
-        <div class="arrayCount">${arr.length} ${itemLabel}</div>
-        <div class="arrayItems">
-          ${arr.map(item => html`<span class="arrayItem">${item}</span>`)}
-        </div>
-      `;
-    }
-
-    // For complex arrays, show as JSON
-    return html`
-      <div class="fieldValue">
-        ${arr.length} items configured
-      </div>
+          `
+        : this.configState.error
+          ? html`
+              <div class="errorMessage">
+                Error loading configuration: ${this.configState.error}
+              </div>
+            `
+          : this.configState.config
+            ? this.renderConfig()
+            : html`<div class="errorMessage">No configuration loaded</div>`}
    `;
  }

-  private getArrayItemLabel(fieldKey: string, count: number): string {
-    const labels: Record<string, [string, string]> = {
-      ports: ['port', 'ports'],
-      domains: ['domain', 'domains'],
-      nameservers: ['nameserver', 'nameservers'],
-      blockList: ['IP', 'IPs'],
-    };
+  private renderConfig(): TemplateResult {
+    const cfg = this.configState.config!;

-    const label = labels[fieldKey] || ['item', 'items'];
-    return count === 1 ? label[0] : label[1];
+    return html`
+      <sz-config-overview
+        infoText="This view displays the current running configuration. DcRouter is configured through code or remote management."
+        @navigate=${(e: CustomEvent) => {
+          if (e.detail?.view) {
+            appRouter.navigateToView(e.detail.view);
+          }
+        }}
+      >
+        ${this.renderSystemSection(cfg.system)}
+        ${this.renderSmartProxySection(cfg.smartProxy)}
+        ${this.renderEmailSection(cfg.email)}
+        ${this.renderDnsSection(cfg.dns)}
+        ${this.renderTlsSection(cfg.tls)}
+        ${this.renderCacheSection(cfg.cache)}
+        ${this.renderRadiusSection(cfg.radius)}
+        ${this.renderRemoteIngressSection(cfg.remoteIngress)}
+      </sz-config-overview>
+    `;
  }

-  private formatFieldName(key: string): string {
-    // Convert camelCase to readable format
-    return key
-      .replace(/([A-Z])/g, ' $1')
-      .replace(/^./, str => str.toUpperCase())
-      .trim();
-  }
-
-  private formatValue(value: any, fieldKey?: string): string | TemplateResult {
-    if (value === null || value === undefined) {
-      return html`<span class="empty">Not set</span>`;
+  private renderSystemSection(sys: appstate.IConfigState['config']['system']): TemplateResult {
+    // Annotate proxy IPs with source hint when Remote Ingress is active
+    const ri = this.configState.config?.remoteIngress;
+    let proxyIpValues: string[] | null = sys.proxyIps.length > 0 ? [...sys.proxyIps] : null;
+    if (proxyIpValues && ri?.enabled && proxyIpValues.includes('127.0.0.1')) {
+      proxyIpValues = proxyIpValues.map(ip =>
+        ip === '127.0.0.1' ? '127.0.0.1 (Remote Ingress)' : ip
+      );
    }

-    if (typeof value === 'number') {
-      // Format bytes
-      if (fieldKey?.toLowerCase().includes('size') || fieldKey?.toLowerCase().includes('bytes')) {
-        return html`<span class="numericValue">${this.formatBytes(value)}</span>`;
-      }
-      // Format time values
-      if (fieldKey?.toLowerCase().includes('ttl') || fieldKey?.toLowerCase().includes('timeout')) {
-        return html`<span class="numericValue">${value} seconds</span>`;
-      }
-      // Format port numbers
-      if (fieldKey?.toLowerCase().includes('port')) {
-        return html`<span class="numericValue">${value}</span>`;
-      }
-      // Format counts with separators
-      return html`<span class="numericValue">${value.toLocaleString()}</span>`;
-    }
+    const fields: IConfigField[] = [
+      { key: 'Base Directory', value: sys.baseDir },
+      { key: 'Data Directory', value: sys.dataDir },
+      { key: 'Public IP', value: sys.publicIp },
+      { key: 'Proxy IPs', value: proxyIpValues, type: 'pills' },
+      { key: 'Uptime', value: this.formatUptime(sys.uptime) },
+      { key: 'Storage Backend', value: sys.storageBackend, type: 'badge' },
+      { key: 'Storage Path', value: sys.storagePath },
+    ];

-    return String(value);
+    return html`
+      <sz-config-section
+        title="System"
+        subtitle="Base paths and infrastructure"
+        icon="lucide:server"
+        status="enabled"
+        .fields=${fields}
+      ></sz-config-section>
+    `;
  }

-  private formatBytes(bytes: number): string {
-    if (bytes === 0) return '0 B';
-    const k = 1024;
-    const sizes = ['B', 'KB', 'MB', 'GB', 'TB'];
-    const i = Math.floor(Math.log(bytes) / Math.log(k));
-    return parseFloat((bytes / Math.pow(k, i)).toFixed(2)) + ' ' + sizes[i];
+  private renderSmartProxySection(proxy: appstate.IConfigState['config']['smartProxy']): TemplateResult {
+    const fields: IConfigField[] = [
+      { key: 'Route Count', value: proxy.routeCount },
+    ];
+
+    if (proxy.acme) {
+      fields.push(
+        { key: 'ACME Enabled', value: proxy.acme.enabled, type: 'boolean' },
+        { key: 'Account Email', value: proxy.acme.accountEmail || null },
+        { key: 'Use Production', value: proxy.acme.useProduction, type: 'boolean' },
+        { key: 'Auto Renew', value: proxy.acme.autoRenew, type: 'boolean' },
+        { key: 'Renew Threshold', value: `${proxy.acme.renewThresholdDays} days` },
+      );
+    }
+
+    const actions: IConfigSectionAction[] = [
+      { label: 'View Routes', icon: 'lucide:arrow-right', event: 'navigate', detail: { view: 'routes' } },
+    ];
+
+    return html`
+      <sz-config-section
+        title="SmartProxy"
+        subtitle="HTTP/HTTPS and TCP/SNI reverse proxy"
+        icon="lucide:network"
+        .status=${proxy.enabled ? 'enabled' : 'disabled'}
+        .fields=${fields}
+        .actions=${actions}
+      ></sz-config-section>
+    `;
+  }
+
+  private renderEmailSection(email: appstate.IConfigState['config']['email']): TemplateResult {
+    const fields: IConfigField[] = [
+      { key: 'Ports', value: email.ports.length > 0 ? email.ports.map(String) : null, type: 'pills' },
+      { key: 'Hostname', value: email.hostname },
+      { key: 'Domains', value: email.domains.length > 0 ? email.domains : null, type: 'pills' },
+      { key: 'Email Routes', value: email.emailRouteCount },
+      { key: 'Received Emails Path', value: email.receivedEmailsPath },
+    ];
+
+    if (email.portMapping) {
+      const mappingStr = Object.entries(email.portMapping)
+        .map(([ext, int]) => `${ext} → ${int}`)
+        .join(', ');
+      fields.splice(1, 0, { key: 'Port Mapping', value: mappingStr, type: 'code' });
+    }
+
+    const actions: IConfigSectionAction[] = [
+      { label: 'View Emails', icon: 'lucide:arrow-right', event: 'navigate', detail: { view: 'emails' } },
+    ];
+
+    return html`
+      <sz-config-section
+        title="Email Server"
+        subtitle="SMTP email handling with smartmta"
+        icon="lucide:mail"
+        .status=${email.enabled ? 'enabled' : 'disabled'}
+        .fields=${fields}
+        .actions=${actions}
+      ></sz-config-section>
+    `;
+  }
+
+  private renderDnsSection(dns: appstate.IConfigState['config']['dns']): TemplateResult {
+    const fields: IConfigField[] = [
+      { key: 'Port', value: dns.port },
+      { key: 'NS Domains', value: dns.nsDomains.length > 0 ? dns.nsDomains : null, type: 'pills' },
+      { key: 'Scopes', value: dns.scopes.length > 0 ? dns.scopes : null, type: 'pills' },
+      { key: 'Record Count', value: dns.recordCount },
+      { key: 'DNS Challenge', value: dns.dnsChallenge, type: 'boolean' },
+    ];
+
+    return html`
+      <sz-config-section
+        title="DNS Server"
+        subtitle="Authoritative DNS with smartdns"
+        icon="lucide:globe"
+        .status=${dns.enabled ? 'enabled' : 'disabled'}
+        .fields=${fields}
+      ></sz-config-section>
+    `;
+  }
+
+  private renderTlsSection(tls: appstate.IConfigState['config']['tls']): TemplateResult {
+    const fields: IConfigField[] = [
+      { key: 'Contact Email', value: tls.contactEmail },
+      { key: 'Domain', value: tls.domain },
+      { key: 'Source', value: tls.source, type: 'badge' },
+      { key: 'Certificate Path', value: tls.certPath },
+      { key: 'Key Path', value: tls.keyPath },
+    ];
+
+    const status = tls.source === 'none' ? 'not-configured' : 'enabled';
+    const actions: IConfigSectionAction[] = [
+      { label: 'View Certificates', icon: 'lucide:arrow-right', event: 'navigate', detail: { view: 'certificates' } },
+    ];
+
+    return html`
+      <sz-config-section
+        title="TLS / Certificates"
+        subtitle="Certificate management and ACME"
+        icon="lucide:shield-check"
+        .status=${status as any}
+        .fields=${fields}
+        .actions=${actions}
+      ></sz-config-section>
+    `;
+  }
+
+  private renderCacheSection(cache: appstate.IConfigState['config']['cache']): TemplateResult {
+    const fields: IConfigField[] = [
+      { key: 'Storage Path', value: cache.storagePath },
+      { key: 'DB Name', value: cache.dbName },
+      { key: 'Default TTL', value: `${cache.defaultTTLDays} days` },
+      { key: 'Cleanup Interval', value: `${cache.cleanupIntervalHours} hours` },
+    ];
+
+    if (cache.ttlConfig && Object.keys(cache.ttlConfig).length > 0) {
+      for (const [key, val] of Object.entries(cache.ttlConfig)) {
+        fields.push({ key: `TTL: ${key}`, value: `${val} days` });
+      }
+    }
+
+    return html`
+      <sz-config-section
+        title="Cache Database"
+        subtitle="Persistent caching with smartdata"
+        icon="lucide:database"
+        .status=${cache.enabled ? 'enabled' : 'disabled'}
+        .fields=${fields}
+      ></sz-config-section>
+    `;
+  }
+
+  private renderRadiusSection(radius: appstate.IConfigState['config']['radius']): TemplateResult {
+    const fields: IConfigField[] = [
+      { key: 'Auth Port', value: radius.authPort },
+      { key: 'Accounting Port', value: radius.acctPort },
+      { key: 'Bind Address', value: radius.bindAddress },
+      { key: 'Client Count', value: radius.clientCount },
+    ];
+
+    if (radius.vlanDefaultVlan !== null) {
+      fields.push(
+        { key: 'Default VLAN', value: radius.vlanDefaultVlan },
+        { key: 'Allow Unknown MACs', value: radius.vlanAllowUnknownMacs, type: 'boolean' },
+        { key: 'VLAN Mappings', value: radius.vlanMappingCount },
+      );
+    }
+
+    const status = radius.enabled ? 'enabled' : 'not-configured';
+
+    return html`
+      <sz-config-section
+        title="RADIUS Server"
+        subtitle="Network authentication and VLAN assignment"
+        icon="lucide:wifi"
+        .status=${status as any}
+        .fields=${fields}
+      ></sz-config-section>
+    `;
+  }
+
+  private renderRemoteIngressSection(ri: appstate.IConfigState['config']['remoteIngress']): TemplateResult {
+    const fields: IConfigField[] = [
+      { key: 'Tunnel Port', value: ri.tunnelPort },
+      { key: 'Hub Domain', value: ri.hubDomain },
+      { key: 'TLS Mode', value: ri.tlsMode, type: 'badge' },
+      { key: 'Connected Edge IPs', value: ri.connectedEdgeIps?.length > 0 ? ri.connectedEdgeIps : null, type: 'pills' },
+    ];
+
+    const actions: IConfigSectionAction[] = [
+      { label: 'View Remote Ingress', icon: 'lucide:arrow-right', event: 'navigate', detail: { view: 'remoteingress' } },
+    ];
+
+    return html`
+      <sz-config-section
+        title="Remote Ingress"
+        subtitle="Edge tunnel nodes"
+        icon="lucide:cloud"
+        .status=${ri.enabled ? 'enabled' : 'disabled'}
+        .fields=${fields}
+        .actions=${actions}
+      ></sz-config-section>
+    `;
+  }
+
+  private formatUptime(seconds: number): string {
+    const days = Math.floor(seconds / 86400);
+    const hours = Math.floor((seconds % 86400) / 3600);
+    const mins = Math.floor((seconds % 3600) / 60);
+
+    const parts: string[] = [];
+    if (days > 0) parts.push(`${days}d`);
+    if (hours > 0) parts.push(`${hours}h`);
+    parts.push(`${mins}m`);
+    return parts.join(' ');
  }
 }
--- a/ts_web/elements/ops-view-emails.ts
+++ b/ts_web/elements/ops-view-emails.ts
@@ -1,8 +1,8 @@
 import { DeesElement, property, html, customElement, type TemplateResult, css, state, cssManager } from '@design.estate/dees-element';
+import * as plugins from '../plugins.js';
 import * as appstate from '../appstate.js';
 import * as shared from './shared/index.js';
 import * as interfaces from '../../dist_ts_interfaces/index.js';
-import { appRouter } from '../router.js';

 declare global {
  interface HTMLElementTagNameMap {
@@ -10,67 +10,30 @@ declare global {
  }
 }

-type TEmailFolder = 'queued' | 'sent' | 'failed' | 'received' | 'security';
-
@customElement('ops-view-emails')
 export class OpsViewEmails extends DeesElement {
  @state()
-  accessor selectedFolder: TEmailFolder = 'queued';
+  accessor emails: interfaces.requests.IEmail[] = [];

  @state()
-  accessor queuedEmails: interfaces.requests.IEmailQueueItem[] = [];
+  accessor selectedEmail: interfaces.requests.IEmailDetail | null = null;

  @state()
-  accessor sentEmails: interfaces.requests.IEmailQueueItem[] = [];
-
-  @state()
-  accessor failedEmails: interfaces.requests.IEmailQueueItem[] = [];
-
-  @state()
-  accessor securityIncidents: interfaces.requests.ISecurityIncident[] = [];
-
-  @state()
-  accessor selectedEmail: interfaces.requests.IEmailQueueItem | null = null;
-
-  @state()
-  accessor selectedIncident: interfaces.requests.ISecurityIncident | null = null;
-
-  @state()
-  accessor showCompose = false;
+  accessor currentView: 'list' | 'detail' = 'list';

  @state()
  accessor isLoading = false;

-  @state()
-  accessor searchTerm = '';
-
-  @state()
-  accessor emailDomains: string[] = [];
-
  private stateSubscription: any;

-  constructor() {
-    super();
-    this.loadData();
-    this.loadEmailDomains();
-  }
-
  async connectedCallback() {
    await super.connectedCallback();
-    // Subscribe to state changes
    this.stateSubscription = appstate.emailOpsStatePart.state.subscribe((state) => {
-      this.queuedEmails = state.queuedEmails;
-      this.sentEmails = state.sentEmails;
-      this.failedEmails = state.failedEmails;
-      this.securityIncidents = state.securityIncidents;
+      this.emails = state.emails;
      this.isLoading = state.isLoading;
-
-      // Sync folder from state (e.g., when URL changes)
-      if (state.currentView !== this.selectedFolder) {
-        this.selectedFolder = state.currentView as TEmailFolder;
-        this.loadFolderData(state.currentView as TEmailFolder);
-      }
    });
+    // Initial fetch
+    await appstate.emailOpsStatePart.dispatchAction(appstate.fetchAllEmailsAction, null);
  }

  async disconnectedCallback() {
@@ -89,730 +52,58 @@ export class OpsViewEmails extends DeesElement {
        height: 100%;
      }

-      .emailLayout {
-        display: flex;
-        gap: 16px;
+      .viewContainer {
        height: 100%;
-        min-height: 600px;
-      }
-
-      .sidebar {
-        flex-shrink: 0;
-        width: 280px;
-      }
-
-      .mainArea {
-        flex: 1;
-        display: flex;
-        flex-direction: column;
-        gap: 16px;
-        overflow: hidden;
-      }
-
-      .emailToolbar {
-        display: flex;
-        align-items: center;
-        gap: 12px;
-        flex-wrap: wrap;
-      }
-
-      .searchBox {
-        flex: 1;
-        min-width: 200px;
-        max-width: 400px;
-      }
-
-      .emailList {
-        flex: 1;
-        overflow: hidden;
-      }
-
-      .emailPreview {
-        flex: 1;
-        display: flex;
-        flex-direction: column;
-        background: ${cssManager.bdTheme('#fff', '#222')};
-        border: 1px solid ${cssManager.bdTheme('#e9ecef', '#333')};
-        border-radius: 8px;
-        overflow: hidden;
-      }
-
-      .emailHeader {
-        padding: 24px;
-        border-bottom: 1px solid ${cssManager.bdTheme('#e9ecef', '#333')};
-      }
-
-      .emailSubject {
-        font-size: 24px;
-        font-weight: 600;
-        margin-bottom: 16px;
-        color: ${cssManager.bdTheme('#333', '#ccc')};
-      }
-
-      .emailMeta {
-        display: flex;
-        flex-direction: column;
-        gap: 8px;
-        font-size: 14px;
-        color: ${cssManager.bdTheme('#666', '#999')};
-      }
-
-      .emailMetaRow {
-        display: flex;
-        gap: 8px;
-      }
-
-      .emailMetaLabel {
-        font-weight: 600;
-        min-width: 80px;
-      }
-
-      .emailBody {
-        flex: 1;
-        padding: 24px;
-        overflow-y: auto;
-        font-size: 15px;
-        line-height: 1.6;
-      }
-
-      .emailActions {
-        display: flex;
-        gap: 8px;
-        padding: 16px 24px;
-        border-top: 1px solid ${cssManager.bdTheme('#e9ecef', '#333')};
-        background: ${cssManager.bdTheme('#fafafa', '#1a1a1a')};
-      }
-
-      .emptyState {
-        display: flex;
-        flex-direction: column;
-        align-items: center;
-        justify-content: center;
-        height: 400px;
-        color: ${cssManager.bdTheme('#999', '#666')};
-      }
-
-      .emptyIcon {
-        font-size: 64px;
-        margin-bottom: 16px;
-        opacity: 0.3;
-      }
-
-      .emptyText {
-        font-size: 18px;
-      }
-
-      .status-pending {
-        color: ${cssManager.bdTheme('#f59e0b', '#fbbf24')};
-      }
-
-      .status-processing {
-        color: ${cssManager.bdTheme('#3b82f6', '#60a5fa')};
-      }
-
-      .status-delivered {
-        color: ${cssManager.bdTheme('#10b981', '#34d399')};
-      }
-
-      .status-failed {
-        color: ${cssManager.bdTheme('#ef4444', '#f87171')};
-      }
-
-      .status-deferred {
-        color: ${cssManager.bdTheme('#f97316', '#fb923c')};
-      }
-
-      .severity-info {
-        color: ${cssManager.bdTheme('#3b82f6', '#60a5fa')};
-      }
-
-      .severity-warn {
-        color: ${cssManager.bdTheme('#f59e0b', '#fbbf24')};
-      }
-
-      .severity-error {
-        color: ${cssManager.bdTheme('#ef4444', '#f87171')};
-      }
-
-      .severity-critical {
-        color: ${cssManager.bdTheme('#dc2626', '#ef4444')};
-        font-weight: bold;
-      }
-
-      .incidentDetails {
-        padding: 24px;
-        background: ${cssManager.bdTheme('#fff', '#222')};
-        border: 1px solid ${cssManager.bdTheme('#e9ecef', '#333')};
-        border-radius: 8px;
-      }
-
-      .incidentHeader {
-        display: flex;
-        justify-content: space-between;
-        align-items: flex-start;
-        margin-bottom: 16px;
-      }
-
-      .incidentTitle {
-        font-size: 20px;
-        font-weight: 600;
-      }
-
-      .incidentMeta {
-        display: grid;
-        grid-template-columns: repeat(auto-fill, minmax(200px, 1fr));
-        gap: 12px;
-        margin-top: 16px;
-      }
-
-      .incidentField {
-        padding: 12px;
-        background: ${cssManager.bdTheme('#f8f9fa', '#1a1a1a')};
-        border-radius: 6px;
-      }
-
-      .incidentFieldLabel {
-        font-size: 12px;
-        color: ${cssManager.bdTheme('#666', '#999')};
-        margin-bottom: 4px;
-      }
-
-      .incidentFieldValue {
-        font-size: 14px;
-        word-break: break-all;
      }
    `,
  ];

  public render() {
-    if (this.selectedEmail) {
-      return this.renderEmailDetail();
-    }
-
-    if (this.selectedIncident) {
-      return this.renderIncidentDetail();
-    }
-
    return html`
      <ops-sectionheading>Email Operations</ops-sectionheading>
-
-      <!-- Toolbar -->
-      <div class="emailToolbar" style="margin-bottom: 16px;">
-        <dees-button @click=${() => this.openComposeModal()} type="highlighted">
-          <dees-icon icon="lucide:penLine" slot="iconSlot"></dees-icon>
-          Compose
-        </dees-button>
-
-        <dees-input-text
-          class="searchBox"
-          placeholder="Search..."
-          .value=${this.searchTerm}
-          @input=${(e: Event) => this.searchTerm = (e.target as any).value}
-        >
-          <dees-icon icon="lucide:search" slot="iconSlot"></dees-icon>
-        </dees-input-text>
-
-        <dees-button @click=${() => this.refreshData()}>
-          ${this.isLoading ? html`<dees-spinner slot="iconSlot" size="small"></dees-spinner>` : html`<dees-icon slot="iconSlot" icon="lucide:refreshCw"></dees-icon>`}
-          Refresh
-        </dees-button>
-
-        <div style="margin-left: auto; display: flex; gap: 8px;">
-          <dees-button-group>
-            <dees-button
-              @click=${() => this.selectFolder('queued')}
-              .type=${this.selectedFolder === 'queued' ? 'highlighted' : 'normal'}
-            >
-              Queued ${this.queuedEmails.length > 0 ? `(${this.queuedEmails.length})` : ''}
-            </dees-button>
-            <dees-button
-              @click=${() => this.selectFolder('sent')}
-              .type=${this.selectedFolder === 'sent' ? 'highlighted' : 'normal'}
-            >
-              Sent
-            </dees-button>
-            <dees-button
-              @click=${() => this.selectFolder('failed')}
-              .type=${this.selectedFolder === 'failed' ? 'highlighted' : 'normal'}
-            >
-              Failed ${this.failedEmails.length > 0 ? `(${this.failedEmails.length})` : ''}
-            </dees-button>
-            <dees-button
-              @click=${() => this.selectFolder('security')}
-              .type=${this.selectedFolder === 'security' ? 'highlighted' : 'normal'}
-            >
-              Security ${this.securityIncidents.length > 0 ? `(${this.securityIncidents.length})` : ''}
-            </dees-button>
-          </dees-button-group>
-        </div>
+      <div class="viewContainer">
+        ${this.currentView === 'detail' && this.selectedEmail
+          ? html`
+              <sz-mta-detail-view
+                .email=${this.selectedEmail}
+                @back=${this.handleBack}
+              ></sz-mta-detail-view>
+            `
+          : html`
+              <sz-mta-list-view
+                .emails=${this.emails}
+                @email-click=${this.handleEmailClick}
+              ></sz-mta-list-view>
+            `
+        }
      </div>
-
-      ${this.renderContent()}
    `;
  }

-  private renderContent() {
-    switch (this.selectedFolder) {
-      case 'queued':
-        return this.renderEmailTable(this.queuedEmails, 'Queued Emails', 'Emails waiting to be delivered');
-      case 'sent':
-        return this.renderEmailTable(this.sentEmails, 'Sent Emails', 'Successfully delivered emails');
-      case 'failed':
-        return this.renderEmailTable(this.failedEmails, 'Failed Emails', 'Emails that failed to deliver', true);
-      case 'security':
-        return this.renderSecurityIncidents();
-      default:
-        return this.renderEmptyState('Select a folder');
-    }
-  }
+  private async handleEmailClick(e: CustomEvent<interfaces.requests.IEmail>) {
+    const emailSummary = e.detail;
+    try {
+      const context = appstate.loginStatePart.getState();
+      const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
+        interfaces.requests.IReq_GetEmailDetail
+      >('/typedrequest', 'getEmailDetail');

-  private renderEmailTable(
-    emails: interfaces.requests.IEmailQueueItem[],
-    heading1: string,
-    heading2: string,
-    showResend = false
-  ) {
-    const filteredEmails = this.filterEmails(emails);
-
-    if (filteredEmails.length === 0) {
-      return this.renderEmptyState(`No emails in ${this.selectedFolder}`);
-    }
-
-    const actions = [
-      {
-        name: 'View Details',
-        iconName: 'lucide:eye',
-        type: ['doubleClick', 'inRow'] as any,
-        actionFunc: async (actionData: any) => {
-          this.selectedEmail = actionData.item;
-        }
-      }
-    ];
-
-    if (showResend) {
-      actions.push({
-        name: 'Resend',
-        iconName: 'lucide:send',
-        type: ['inRow'] as any,
-        actionFunc: async (actionData: any) => {
-          await this.resendEmail(actionData.item.id);
-        }
+      const response = await request.fire({
+        identity: context.identity,
+        emailId: emailSummary.id,
      });
-    }

-    return html`
-      <dees-table
-        .data=${filteredEmails}
-        .displayFunction=${(email: interfaces.requests.IEmailQueueItem) => ({
-          'Status': html`<span class="status-${email.status}">${email.status}</span>`,
-          'From': email.from || 'N/A',
-          'To': email.to?.join(', ') || 'N/A',
-          'Subject': email.subject || 'No subject',
-          'Attempts': email.attempts,
-          'Created': this.formatDate(email.createdAt),
-        })}
-        .dataActions=${actions}
-        .selectionMode=${'single'}
-        heading1=${heading1}
-        heading2=${`${filteredEmails.length} emails - ${heading2}`}
-      ></dees-table>
-    `;
-  }
-
-  private renderSecurityIncidents() {
-    const incidents = this.securityIncidents;
-
-    if (incidents.length === 0) {
-      return this.renderEmptyState('No security incidents');
-    }
-
-    return html`
-      <dees-table
-        .data=${incidents}
-        .displayFunction=${(incident: interfaces.requests.ISecurityIncident) => ({
-          'Severity': html`<span class="severity-${incident.level}">${incident.level.toUpperCase()}</span>`,
-          'Type': incident.type,
-          'Message': incident.message,
-          'IP': incident.ipAddress || 'N/A',
-          'Domain': incident.domain || 'N/A',
-          'Time': this.formatDate(incident.timestamp),
-        })}
-        .dataActions=${[
-          {
-            name: 'View Details',
-            iconName: 'lucide:eye',
-            type: ['doubleClick', 'inRow'],
-            actionFunc: async (actionData: any) => {
-              this.selectedIncident = actionData.item;
-            }
-          }
-        ]}
-        .selectionMode=${'single'}
-        heading1="Security Incidents"
-        heading2=${`${incidents.length} incidents`}
-      ></dees-table>
-    `;
-  }
-
-  private renderEmailDetail() {
-    if (!this.selectedEmail) return '';
-
-    return html`
-      <ops-sectionheading>Email Details</ops-sectionheading>
-      <div class="emailLayout">
-        <div class="sidebar">
-          <dees-windowbox>
-            <dees-button @click=${() => this.selectedEmail = null} type="secondary" style="width: 100%;">
-              <dees-icon icon="lucide:arrowLeft" slot="iconSlot"></dees-icon>
-              Back to List
-            </dees-button>
-          </dees-windowbox>
-        </div>
-        <div class="mainArea">
-          <div class="emailPreview">
-            <div class="emailHeader">
-              <div class="emailSubject">${this.selectedEmail.subject || 'No subject'}</div>
-              <div class="emailMeta">
-                <div class="emailMetaRow">
-                  <span class="emailMetaLabel">Status:</span>
-                  <span class="status-${this.selectedEmail.status}">${this.selectedEmail.status}</span>
-                </div>
-                <div class="emailMetaRow">
-                  <span class="emailMetaLabel">From:</span>
-                  <span>${this.selectedEmail.from || 'N/A'}</span>
-                </div>
-                <div class="emailMetaRow">
-                  <span class="emailMetaLabel">To:</span>
-                  <span>${this.selectedEmail.to?.join(', ') || 'N/A'}</span>
-                </div>
-                <div class="emailMetaRow">
-                  <span class="emailMetaLabel">Mode:</span>
-                  <span>${this.selectedEmail.processingMode}</span>
-                </div>
-                <div class="emailMetaRow">
-                  <span class="emailMetaLabel">Attempts:</span>
-                  <span>${this.selectedEmail.attempts}</span>
-                </div>
-                <div class="emailMetaRow">
-                  <span class="emailMetaLabel">Created:</span>
-                  <span>${new Date(this.selectedEmail.createdAt).toLocaleString()}</span>
-                </div>
-                ${this.selectedEmail.deliveredAt ? html`
-                  <div class="emailMetaRow">
-                    <span class="emailMetaLabel">Delivered:</span>
-                    <span>${new Date(this.selectedEmail.deliveredAt).toLocaleString()}</span>
-                  </div>
-                ` : ''}
-                ${this.selectedEmail.lastError ? html`
-                  <div class="emailMetaRow">
-                    <span class="emailMetaLabel">Last Error:</span>
-                    <span style="color: #ef4444;">${this.selectedEmail.lastError}</span>
-                  </div>
-                ` : ''}
-              </div>
-            </div>
-
-            <div class="emailActions">
-              ${this.selectedEmail.status === 'failed' ? html`
-                <dees-button @click=${() => this.resendEmail(this.selectedEmail!.id)} type="highlighted">
-                  <dees-icon icon="lucide:send" slot="iconSlot"></dees-icon>
-                  Resend
-                </dees-button>
-              ` : ''}
-              <dees-button @click=${() => this.selectedEmail = null}>
-                <dees-icon icon="lucide:x" slot="iconSlot"></dees-icon>
-                Close
-              </dees-button>
-            </div>
-          </div>
-        </div>
-      </div>
-    `;
-  }
-
-  private renderIncidentDetail() {
-    if (!this.selectedIncident) return '';
-
-    const incident = this.selectedIncident;
-
-    return html`
-      <ops-sectionheading>Security Incident Details</ops-sectionheading>
-      <div style="margin-bottom: 16px;">
-        <dees-button @click=${() => this.selectedIncident = null} type="secondary">
-          <dees-icon icon="lucide:arrowLeft" slot="iconSlot"></dees-icon>
-          Back to List
-        </dees-button>
-      </div>
-      <div class="incidentDetails">
-        <div class="incidentHeader">
-          <div>
-            <div class="incidentTitle">${incident.message}</div>
-            <div style="margin-top: 8px; color: #666;">
-              ${new Date(incident.timestamp).toLocaleString()}
-            </div>
-          </div>
-          <span class="severity-${incident.level}" style="font-size: 16px; padding: 4px 12px; background: rgba(0,0,0,0.1); border-radius: 4px;">
-            ${incident.level.toUpperCase()}
-          </span>
-        </div>
-
-        <div class="incidentMeta">
-          <div class="incidentField">
-            <div class="incidentFieldLabel">Type</div>
-            <div class="incidentFieldValue">${incident.type}</div>
-          </div>
-          ${incident.ipAddress ? html`
-            <div class="incidentField">
-              <div class="incidentFieldLabel">IP Address</div>
-              <div class="incidentFieldValue">${incident.ipAddress}</div>
-            </div>
-          ` : ''}
-          ${incident.domain ? html`
-            <div class="incidentField">
-              <div class="incidentFieldLabel">Domain</div>
-              <div class="incidentFieldValue">${incident.domain}</div>
-            </div>
-          ` : ''}
-          ${incident.emailId ? html`
-            <div class="incidentField">
-              <div class="incidentFieldLabel">Email ID</div>
-              <div class="incidentFieldValue">${incident.emailId}</div>
-            </div>
-          ` : ''}
-          ${incident.userId ? html`
-            <div class="incidentField">
-              <div class="incidentFieldLabel">User ID</div>
-              <div class="incidentFieldValue">${incident.userId}</div>
-            </div>
-          ` : ''}
-          ${incident.action ? html`
-            <div class="incidentField">
-              <div class="incidentFieldLabel">Action</div>
-              <div class="incidentFieldValue">${incident.action}</div>
-            </div>
-          ` : ''}
-          ${incident.result ? html`
-            <div class="incidentField">
-              <div class="incidentFieldLabel">Result</div>
-              <div class="incidentFieldValue">${incident.result}</div>
-            </div>
-          ` : ''}
-          ${incident.success !== undefined ? html`
-            <div class="incidentField">
-              <div class="incidentFieldLabel">Success</div>
-              <div class="incidentFieldValue">${incident.success ? 'Yes' : 'No'}</div>
-            </div>
-          ` : ''}
-        </div>
-
-        ${incident.details ? html`
-          <div style="margin-top: 24px;">
-            <div class="incidentFieldLabel" style="margin-bottom: 8px;">Details</div>
-            <pre style="background: #1a1a1a; color: #e5e5e5; padding: 16px; border-radius: 6px; overflow-x: auto; font-size: 13px;">
-${JSON.stringify(incident.details, null, 2)}
-            </pre>
-          </div>
-        ` : ''}
-      </div>
-    `;
-  }
-
-  private renderEmptyState(message: string) {
-    return html`
-      <div class="emptyState">
-        <dees-icon class="emptyIcon" icon="lucide:inbox"></dees-icon>
-        <div class="emptyText">${message}</div>
-      </div>
-    `;
-  }
-
-  private async openComposeModal() {
-    const { DeesModal } = await import('@design.estate/dees-catalog');
-
-    // Ensure domains are loaded before opening modal
-    if (this.emailDomains.length === 0) {
-      await this.loadEmailDomains();
-    }
-
-    await DeesModal.createAndShow({
-      heading: 'New Email',
-      width: 'large',
-      content: html`
-        <div>
-          <dees-form @formData=${async (e: CustomEvent) => {
-            await this.sendEmail(e.detail);
-            const modals = document.querySelectorAll('dees-modal');
-            modals.forEach(m => (m as any).destroy?.());
-          }}>
-            <div style="display: flex; gap: 8px; align-items: flex-end;">
-              <dees-input-text
-                key="fromUsername"
-                label="From"
-                placeholder="username"
-                .value=${'admin'}
-                required
-                style="flex: 1;"
-              ></dees-input-text>
-              <span style="padding-bottom: 12px; font-size: 18px; color: #666;">@</span>
-              <dees-input-dropdown
-                key="fromDomain"
-                label=" "
-                .options=${this.emailDomains.length > 0
-                  ? this.emailDomains.map(domain => ({ key: domain, value: domain }))
-                  : [{ key: 'dcrouter.local', value: 'dcrouter.local' }]}
-                .selectedKey=${this.emailDomains[0] || 'dcrouter.local'}
-                required
-                style="flex: 1;"
-              ></dees-input-dropdown>
-            </div>
-
-            <dees-input-tags
-              key="to"
-              label="To"
-              placeholder="Enter recipient email addresses..."
-              required
-            ></dees-input-tags>
-
-            <dees-input-tags
-              key="cc"
-              label="CC"
-              placeholder="Enter CC recipients..."
-            ></dees-input-tags>
-
-            <dees-input-text
-              key="subject"
-              label="Subject"
-              placeholder="Enter email subject..."
-              required
-            ></dees-input-text>
-
-            <dees-input-wysiwyg
-              key="body"
-              label="Message"
-              outputFormat="html"
-            ></dees-input-wysiwyg>
-          </dees-form>
-        </div>
-      `,
-      menuOptions: [
-        {
-          name: 'Send',
-          iconName: 'lucide:send',
-          action: async (modalArg) => {
-            const form = modalArg.shadowRoot?.querySelector('dees-form') as any;
-            form?.submit();
-          }
-        },
-        {
-          name: 'Cancel',
-          iconName: 'lucide:x',
-          action: async (modalArg) => await modalArg.destroy()
-        }
-      ]
-    });
-  }
-
-  private filterEmails(emails: interfaces.requests.IEmailQueueItem[]): interfaces.requests.IEmailQueueItem[] {
-    if (!this.searchTerm) {
-      return emails;
-    }
-
-    const search = this.searchTerm.toLowerCase();
-    return emails.filter(e =>
-      (e.subject?.toLowerCase().includes(search)) ||
-      (e.from?.toLowerCase().includes(search)) ||
-      (e.to?.some(t => t.toLowerCase().includes(search)))
-    );
-  }
-
-  private selectFolder(folder: TEmailFolder) {
-    // Use router for navigation to update URL
-    appRouter.navigateToEmailFolder(folder);
-    // Clear selections
-    this.selectedEmail = null;
-    this.selectedIncident = null;
-  }
-
-  private formatDate(timestamp: number): string {
-    const date = new Date(timestamp);
-    const now = new Date();
-    const diff = now.getTime() - date.getTime();
-    const hours = diff / (1000 * 60 * 60);
-
-    if (hours < 24) {
-      return date.toLocaleTimeString([], { hour: '2-digit', minute: '2-digit' });
-    } else if (hours < 168) { // 7 days
-      return date.toLocaleDateString([], { weekday: 'short', hour: '2-digit', minute: '2-digit' });
-    } else {
-      return date.toLocaleDateString([], { month: 'short', day: 'numeric' });
-    }
-  }
-
-  private async loadData() {
-    this.isLoading = true;
-    await this.loadFolderData(this.selectedFolder);
-    this.isLoading = false;
-  }
-
-  private async loadFolderData(folder: TEmailFolder) {
-    switch (folder) {
-      case 'queued':
-        await appstate.emailOpsStatePart.dispatchAction(appstate.fetchQueuedEmailsAction, null);
-        break;
-      case 'sent':
-        await appstate.emailOpsStatePart.dispatchAction(appstate.fetchSentEmailsAction, null);
-        break;
-      case 'failed':
-        await appstate.emailOpsStatePart.dispatchAction(appstate.fetchFailedEmailsAction, null);
-        break;
-      case 'security':
-        await appstate.emailOpsStatePart.dispatchAction(appstate.fetchSecurityIncidentsAction, null);
-        break;
-    }
-  }
-
-  private async loadEmailDomains() {
-    try {
-      await appstate.configStatePart.dispatchAction(appstate.fetchConfigurationAction, null);
-      const config = appstate.configStatePart.getState().config;
-
-      if (config?.email?.domains && Array.isArray(config.email.domains) && config.email.domains.length > 0) {
-        this.emailDomains = config.email.domains;
-      } else {
-        this.emailDomains = ['dcrouter.local'];
+      if (response.email) {
+        this.selectedEmail = response.email;
+        this.currentView = 'detail';
      }
    } catch (error) {
-      console.error('Failed to load email domains:', error);
-      this.emailDomains = ['dcrouter.local'];
+      console.error('Failed to fetch email detail:', error);
    }
  }

-  private async refreshData() {
-    this.isLoading = true;
-    await this.loadFolderData(this.selectedFolder);
-    this.isLoading = false;
-  }
-
-  private async sendEmail(formData: any) {
-    try {
-      console.log('Sending email:', formData);
-      // TODO: Implement actual email sending via API
-      // For now, just log the data
-      const fromEmail = `${formData.fromUsername || 'admin'}@${formData.fromDomain || this.emailDomains[0] || 'dcrouter.local'}`;
-      console.log('From:', fromEmail);
-      console.log('To:', formData.to);
-      console.log('Subject:', formData.subject);
-    } catch (error: any) {
-      console.error('Failed to send email', error);
-    }
-  }
-
-  private async resendEmail(emailId: string) {
-    try {
-      await appstate.emailOpsStatePart.dispatchAction(appstate.resendEmailAction, emailId);
-      this.selectedEmail = null;
-    } catch (error) {
-      console.error('Failed to resend email:', error);
-    }
+  private handleBack() {
+    this.selectedEmail = null;
+    this.currentView = 'list';
  }
 }
--- a/ts_web/elements/ops-view-logs.ts
+++ b/ts_web/elements/ops-view-logs.ts
@@ -1,4 +1,3 @@
-import * as plugins from '../plugins.js';
 import * as shared from './shared/index.js';
 import * as appstate from '../appstate.js';

@@ -20,6 +19,8 @@ export class OpsViewLogs extends DeesElement {
    filters: {},
  };

+  private lastPushedCount = 0;
+
  constructor() {
    super();
    const subscription = appstate.logStatePart
@@ -33,175 +34,83 @@ export class OpsViewLogs extends DeesElement {
  public static styles = [
    cssManager.defaultStyles,
    shared.viewHostCss,
-    css`
-      .controls {
-        display: flex;
-        gap: 16px;
-        margin-bottom: 24px;
-        flex-wrap: wrap;
-      }
-
-      .filterGroup {
-        display: flex;
-        align-items: center;
-        gap: 8px;
-      }
-
-      .logContainer {
-        background: ${cssManager.bdTheme('#f8f9fa', '#1e1e1e')};
-        border-radius: 8px;
-        padding: 16px;
-        max-height: 600px;
-        overflow-y: auto;
-        font-family: 'Consolas', 'Monaco', monospace;
-        font-size: 13px;
-      }
-
-      .logEntry {
-        margin-bottom: 8px;
-        line-height: 1.5;
-      }
-
-      .logTimestamp {
-        color: ${cssManager.bdTheme('#7a7a7a', '#7a7a7a')};
-        margin-right: 8px;
-      }
-
-      .logLevel {
-        font-weight: bold;
-        margin-right: 8px;
-        padding: 2px 6px;
-        border-radius: 3px;
-        font-size: 11px;
-      }
-
-      .logLevel.debug { 
-        color: ${cssManager.bdTheme('#6a9955', '#6a9955')}; 
-        background: ${cssManager.bdTheme('rgba(106, 153, 85, 0.1)', 'rgba(106, 153, 85, 0.1)')};
-      }
-      .logLevel.info { 
-        color: ${cssManager.bdTheme('#569cd6', '#569cd6')}; 
-        background: ${cssManager.bdTheme('rgba(86, 156, 214, 0.1)', 'rgba(86, 156, 214, 0.1)')};
-      }
-      .logLevel.warn { 
-        color: ${cssManager.bdTheme('#ce9178', '#ce9178')}; 
-        background: ${cssManager.bdTheme('rgba(206, 145, 120, 0.1)', 'rgba(206, 145, 120, 0.1)')};
-      }
-      .logLevel.error { 
-        color: ${cssManager.bdTheme('#f44747', '#f44747')}; 
-        background: ${cssManager.bdTheme('rgba(244, 71, 71, 0.1)', 'rgba(244, 71, 71, 0.1)')};
-      }
-
-      .logCategory {
-        color: ${cssManager.bdTheme('#c586c0', '#c586c0')};
-        margin-right: 8px;
-      }
-
-      .logMessage {
-        color: ${cssManager.bdTheme('#333', '#d4d4d4')};
-      }
-
-      .noLogs {
-        color: ${cssManager.bdTheme('#7a7a7a', '#7a7a7a')};
-        text-align: center;
-        padding: 40px;
-      }
-    `,
+    css``,
  ];

  public render() {
    return html`
      <ops-sectionheading>Logs</ops-sectionheading>
-      
-      <div class="controls">
-        <div class="filterGroup">
-          <dees-button 
-            @click=${() => this.fetchLogs()}
-          >
-            Refresh Logs
-          </dees-button>
-          
-          <dees-button 
-            @click=${() => this.toggleStreaming()}
-            .type=${this.logState.isStreaming ? 'highlighted' : 'normal'}
-          >
-            ${this.logState.isStreaming ? 'Stop Streaming' : 'Start Streaming'}
-          </dees-button>
-        </div>

-        <div class="filterGroup">
-          <label>Level:</label>
-          <dees-input-dropdown
-            .options=${['all', 'debug', 'info', 'warn', 'error']}
-            .selectedOption=${'all'}
-            @selectedOption=${(e) => this.updateFilter('level', e.detail)}
-          ></dees-input-dropdown>
-        </div>
-
-        <div class="filterGroup">
-          <label>Category:</label>
-          <dees-input-dropdown
-            .options=${['all', 'smtp', 'dns', 'security', 'system', 'email']}
-            .selectedOption=${'all'}
-            @selectedOption=${(e) => this.updateFilter('category', e.detail)}
-          ></dees-input-dropdown>
-        </div>
-
-        <div class="filterGroup">
-          <label>Limit:</label>
-          <dees-input-dropdown
-            .options=${['50', '100', '200', '500']}
-            .selectedOption=${'100'}
-            @selectedOption=${(e) => this.updateFilter('limit', e.detail)}
-          ></dees-input-dropdown>
-        </div>
-      </div>
-
-      <div class="logContainer">
-        ${this.logState.recentLogs.length > 0 ? 
-          this.logState.recentLogs.map(log => html`
-            <div class="logEntry">
-              <span class="logTimestamp">${new Date(log.timestamp).toLocaleTimeString()}</span>
-              <span class="logLevel ${log.level}">${log.level.toUpperCase()}</span>
-              <span class="logCategory">[${log.category}]</span>
-              <span class="logMessage">${log.message}</span>
-            </div>
-          `) : html`
-            <div class="noLogs">No logs to display</div>
-          `
-        }
-      </div>
+      <dees-chart-log
+        .label=${'Application Logs'}
+        .autoScroll=${true}
+        .maxEntries=${2000}
+        .showMetrics=${true}
+      ></dees-chart-log>
    `;
  }

-  private async fetchLogs() {
-    const filters = this.getActiveFilters();
-    await appstate.logStatePart.dispatchAction(appstate.fetchRecentLogsAction, {
-      limit: filters.limit || 100,
-      level: filters.level as 'debug' | 'info' | 'warn' | 'error' | undefined,
-      category: filters.category as 'smtp' | 'dns' | 'security' | 'system' | 'email' | undefined,
-    });
-  }
-
-  private updateFilter(type: string, value: string) {
-    if (value === 'all') {
-      value = undefined;
+  async connectedCallback() {
+    super.connectedCallback();
+    this.lastPushedCount = 0;
+    // Only fetch if state is empty (streaming will handle new entries)
+    if (this.logState.recentLogs.length === 0) {
+      await appstate.logStatePart.dispatchAction(appstate.fetchRecentLogsAction, { limit: 100 });
    }
-    
-    // Update filters then fetch logs
-    this.fetchLogs();
  }

-  private getActiveFilters() {
-    return {
-      level: this.logState.filters.level?.[0],
-      category: this.logState.filters.category?.[0],
-      limit: 100,
-    };
+  async updated(changedProperties: Map<string, any>) {
+    super.updated(changedProperties);
+    if (changedProperties.has('logState')) {
+      this.pushLogsToChart();
+    }
  }

-  private toggleStreaming() {
-    // TODO: Implement log streaming with VirtualStream
-    console.log('Streaming toggle not yet implemented');
+  private async pushLogsToChart() {
+    const chartLog = this.shadowRoot?.querySelector('dees-chart-log') as any;
+    if (!chartLog) return;
+
+    // Ensure the chart element has finished its own initialization
+    await chartLog.updateComplete;
+
+    // Wait for xterm terminal to finish initializing (CDN load)
+    if (!chartLog.terminalReady) {
+      await new Promise<void>((resolve) => {
+        let attempts = 0;
+        const maxAttempts = 200; // 200 * 50ms = 10 seconds
+        const check = () => {
+          if (chartLog.terminalReady) { resolve(); return; }
+          if (++attempts >= maxAttempts) {
+            console.warn('ops-view-logs: terminal ready timeout after 10s');
+            resolve(); // resolve gracefully to avoid blocking
+            return;
+          }
+          setTimeout(check, 50);
+        };
+        check();
+      });
+    }
+
+    const allEntries = this.getMappedLogEntries();
+    if (this.lastPushedCount === 0 && allEntries.length > 0) {
+      // Initial load: push all entries
+      chartLog.updateLog(allEntries);
+      this.lastPushedCount = allEntries.length;
+    } else if (allEntries.length > this.lastPushedCount) {
+      // Incremental: only push new entries
+      const newEntries = allEntries.slice(this.lastPushedCount);
+      chartLog.updateLog(newEntries);
+      this.lastPushedCount = allEntries.length;
+    }
  }
-}
+
+  private getMappedLogEntries() {
+    return this.logState.recentLogs.map((log) => ({
+      timestamp: new Date(log.timestamp).toISOString(),
+      level: log.level as 'debug' | 'info' | 'warn' | 'error',
+      message: log.message,
+      source: log.category,
+    }));
+  }
+
+}
--- a/ts_web/elements/ops-view-network.ts
+++ b/ts_web/elements/ops-view-network.ts
@@ -47,9 +47,6 @@ export class OpsViewNetwork extends DeesElement {
  private lastChartUpdate = 0;
  private chartUpdateThreshold = 1000; // Minimum ms between chart updates
  
-  private lastTrafficUpdateTime = 0;
-  private trafficUpdateInterval = 1000; // Update every 1 second
-  private requestCountHistory = new Map<number, number>(); // Track requests per time bucket
  private trafficUpdateTimer: any = null;
  private requestsPerSecHistory: number[] = []; // Track requests/sec over time for trend
  private historyLoaded = false; // Whether server-side throughput history has been loaded
@@ -106,8 +103,6 @@ export class OpsViewNetwork extends DeesElement {

    this.trafficDataIn = [...emptyData];
    this.trafficDataOut = emptyData.map(point => ({ ...point }));
-
-    this.lastTrafficUpdateTime = now;
  }

  /**
@@ -287,7 +282,7 @@ export class OpsViewNetwork extends DeesElement {
          .dataActions=${[
            {
              name: 'View Details',
-              iconName: 'lucide:Search',
+              iconName: 'fa:magnifyingGlass',
              type: ['inRow', 'doubleClick', 'contextmenu'],
              actionFunc: async (actionData) => {
                await this.showRequestDetails(actionData.item);
@@ -413,11 +408,7 @@ export class OpsViewNetwork extends DeesElement {
    const throughput = this.calculateThroughput();
    const activeConnections = this.statsState.serverStats?.activeConnections || 0;

-    // Track requests/sec history for the trend sparkline
-    this.requestsPerSecHistory.push(reqPerSec);
-    if (this.requestsPerSecHistory.length > 20) {
-      this.requestsPerSecHistory.shift();
-    }
+    // Build trend data from pre-computed history (mutated in updateNetworkData, not here)
    const trendData = [...this.requestsPerSecHistory];
    while (trendData.length < 20) {
      trendData.unshift(0);
@@ -435,7 +426,7 @@ export class OpsViewNetwork extends DeesElement {
        actions: [
          {
            name: 'View Details',
-            iconName: 'lucide:Search',
+            iconName: 'fa:magnifyingGlass',
            action: async () => {
            },
          },
@@ -529,6 +520,13 @@ export class OpsViewNetwork extends DeesElement {
  }

  private async updateNetworkData() {
+    // Track requests/sec history for the trend sparkline (moved out of render)
+    const reqPerSec = this.networkState.requestsPerSecond || 0;
+    this.requestsPerSecHistory.push(reqPerSec);
+    if (this.requestsPerSecHistory.length > 20) {
+      this.requestsPerSecHistory.shift();
+    }
+
    // Only update if connections changed significantly
    const newConnectionCount = this.networkState.connections.length;
    const oldConnectionCount = this.networkRequests.length;
@@ -602,16 +600,13 @@ export class OpsViewNetwork extends DeesElement {
      y: Math.round(throughputOutMbps * 10) / 10
    };
    
-    // Efficient array updates - modify in place when possible
+    // In-place mutation then reassign for Lit reactivity (avoids 4 intermediate arrays)
    if (this.trafficDataIn.length >= 60) {
-      // Remove oldest and add newest
-      this.trafficDataIn = [...this.trafficDataIn.slice(1), newDataPointIn];
-      this.trafficDataOut = [...this.trafficDataOut.slice(1), newDataPointOut];
-    } else {
-      // Still filling up the initial data
-      this.trafficDataIn = [...this.trafficDataIn, newDataPointIn];
-      this.trafficDataOut = [...this.trafficDataOut, newDataPointOut];
+      this.trafficDataIn.shift();
+      this.trafficDataOut.shift();
    }
+    this.trafficDataIn = [...this.trafficDataIn, newDataPointIn];
+    this.trafficDataOut = [...this.trafficDataOut, newDataPointOut];
    
    this.lastChartUpdate = now;
  }
--- a/ts_web/elements/ops-view-overview.ts
+++ b/ts_web/elements/ops-view-overview.ts
@@ -26,14 +26,36 @@ export class OpsViewOverview extends DeesElement {
    error: null,
  };

+  @state()
+  accessor logState: appstate.ILogState = {
+    recentLogs: [],
+    isStreaming: false,
+    filters: {},
+  };
+
  constructor() {
    super();
-    const subscription = appstate.statsStatePart
+    const statsSub = appstate.statsStatePart
      .select((stateArg) => stateArg)
      .subscribe((statsState) => {
        this.statsState = statsState;
      });
-    this.rxSubscriptions.push(subscription);
+    this.rxSubscriptions.push(statsSub);
+
+    const logSub = appstate.logStatePart
+      .select((stateArg) => stateArg)
+      .subscribe((logState) => {
+        this.logState = logState;
+      });
+    this.rxSubscriptions.push(logSub);
+  }
+
+  async connectedCallback() {
+    super.connectedCallback();
+    // Ensure logs are fetched for the overview charts
+    if (this.logState.recentLogs.length === 0) {
+      appstate.logStatePart.dispatchAction(appstate.fetchRecentLogsAction, { limit: 100 });
+    }
  }

  public static styles = [
@@ -96,10 +118,24 @@ export class OpsViewOverview extends DeesElement {
        ${this.renderDnsStats()}

        <div class="chartGrid">
-          <dees-chart-area .label=${'Email Traffic (24h)'} .data=${[]}></dees-chart-area>
-          <dees-chart-area .label=${'DNS Queries (24h)'} .data=${[]}></dees-chart-area>
-          <dees-chart-log .label=${'Recent Events'} .data=${[]}></dees-chart-log>
-          <dees-chart-log .label=${'Security Alerts'} .data=${[]}></dees-chart-log>
+          <dees-chart-area
+            .label=${'Email Traffic (24h)'}
+            .series=${this.getEmailTrafficSeries()}
+            .yAxisFormatter=${(val: number) => `${val}`}
+          ></dees-chart-area>
+          <dees-chart-area
+            .label=${'DNS Queries (24h)'}
+            .series=${this.getDnsQuerySeries()}
+            .yAxisFormatter=${(val: number) => `${val}`}
+          ></dees-chart-area>
+          <dees-chart-log
+            .label=${'Recent Events'}
+            .logEntries=${this.getRecentEventEntries()}
+          ></dees-chart-log>
+          <dees-chart-log
+            .label=${'DNS Queries'}
+            .logEntries=${this.getDnsQueryEntries()}
+          ></dees-chart-log>
        </div>
      `}
    `;
@@ -337,4 +373,52 @@ export class OpsViewOverview extends DeesElement {
      <dees-statsgrid .tiles=${tiles}></dees-statsgrid>
    `;
  }
+
+  // --- Chart data helpers ---
+
+  private getRecentEventEntries(): Array<{ timestamp: string; level: 'debug' | 'info' | 'warn' | 'error' | 'success'; message: string; source?: string }> {
+    return this.logState.recentLogs.map((log) => ({
+      timestamp: new Date(log.timestamp).toISOString(),
+      level: log.level as 'debug' | 'info' | 'warn' | 'error',
+      message: log.message,
+      source: log.category,
+    }));
+  }
+
+  private getSecurityAlertEntries(): Array<{ timestamp: string; level: 'debug' | 'info' | 'warn' | 'error' | 'success'; message: string; source?: string }> {
+    const events: any[] = this.statsState.securityMetrics?.recentEvents || [];
+    return events.map((evt: any) => ({
+      timestamp: new Date(evt.timestamp).toISOString(),
+      level: evt.level === 'critical' || evt.level === 'error' ? 'error' as const : evt.level === 'warn' ? 'warn' as const : 'info' as const,
+      message: evt.message,
+      source: evt.type,
+    }));
+  }
+
+  private getDnsQueryEntries(): Array<{ timestamp: string; level: 'debug' | 'info' | 'warn' | 'error' | 'success'; message: string; source?: string }> {
+    const queries: any[] = (this.statsState.dnsStats as any)?.recentQueries || [];
+    return queries.map((q: any) => ({
+      timestamp: new Date(q.timestamp).toISOString(),
+      level: q.answered ? 'info' as const : 'warn' as const,
+      message: `${q.type} ${q.domain} (${q.responseTimeMs}ms)`,
+      source: 'dns',
+    }));
+  }
+
+  private getEmailTrafficSeries(): Array<{ name: string; color: string; data: Array<{ x: number; y: number }> }> {
+    const ts = this.statsState.emailStats?.timeSeries;
+    if (!ts) return [];
+    return [
+      { name: 'Sent', color: '#22c55e', data: (ts.sent || []).map((p: any) => ({ x: p.timestamp, y: p.value })) },
+      { name: 'Received', color: '#3b82f6', data: (ts.received || []).map((p: any) => ({ x: p.timestamp, y: p.value })) },
+    ];
+  }
+
+  private getDnsQuerySeries(): Array<{ name: string; color: string; data: Array<{ x: number; y: number }> }> {
+    const ts = this.statsState.dnsStats?.timeSeries;
+    if (!ts) return [];
+    return [
+      { name: 'Queries', color: '#8b5cf6', data: (ts.queries || []).map((p: any) => ({ x: p.timestamp, y: p.value })) },
+    ];
+  }
 }
--- a/ts_web/elements/ops-view-remoteingress.ts
+++ b/ts_web/elements/ops-view-remoteingress.ts
@@ -176,13 +176,39 @@ export class OpsViewRemoteIngress extends DeesElement {
    return html`
      <ops-sectionheading>Remote Ingress</ops-sectionheading>

-      ${this.riState.newEdgeSecret ? html`
+      ${this.riState.newEdgeId ? html`
        <div class="secretDialog">
-          <strong>Edge Secret (copy now - shown only once):</strong>
-          <code>${this.riState.newEdgeSecret}</code>
-          <div class="warning">This secret will not be shown again. Save it securely.</div>
+          <strong>Edge created successfully!</strong>
+          <div class="warning">Copy the connection token now. Use it with edge.start({ token: '...' }).</div>
          <dees-button
-            @click=${() => appstate.remoteIngressStatePart.dispatchAction(appstate.clearNewEdgeSecretAction, null)}
+            @click=${async () => {
+              const { DeesToast } = await import('@design.estate/dees-catalog');
+              try {
+                const response = await appstate.fetchConnectionToken(this.riState.newEdgeId);
+                if (response.success && response.token) {
+                  if (navigator.clipboard && typeof navigator.clipboard.writeText === 'function') {
+                    await navigator.clipboard.writeText(response.token);
+                  } else {
+                    const textarea = document.createElement('textarea');
+                    textarea.value = response.token;
+                    textarea.style.position = 'fixed';
+                    textarea.style.opacity = '0';
+                    document.body.appendChild(textarea);
+                    textarea.select();
+                    document.execCommand('copy');
+                    document.body.removeChild(textarea);
+                  }
+                  DeesToast.show({ message: 'Connection token copied!', type: 'success', duration: 3000 });
+                } else {
+                  DeesToast.show({ message: response.message || 'Failed to get token', type: 'error', duration: 4000 });
+                }
+              } catch (err) {
+                DeesToast.show({ message: `Failed: ${err.message}`, type: 'error', duration: 4000 });
+              }
+            }}
+          >Copy Connection Token</dees-button>
+          <dees-button
+            @click=${() => appstate.remoteIngressStatePart.dispatchAction(appstate.clearNewEdgeIdAction, null)}
          >Dismiss</dees-button>
        </div>
      ` : ''}
@@ -346,6 +372,38 @@ export class OpsViewRemoteIngress extends DeesElement {
                );
              },
            },
+            {
+              name: 'Copy Token',
+              iconName: 'lucide:ClipboardCopy',
+              type: ['inRow', 'contextmenu'] as any,
+              actionFunc: async (actionData: any) => {
+                const edge = actionData.item as interfaces.data.IRemoteIngress;
+                const { DeesToast } = await import('@design.estate/dees-catalog');
+                try {
+                  const response = await appstate.fetchConnectionToken(edge.id);
+                  if (response.success && response.token) {
+                    // Use clipboard API with fallback for non-HTTPS contexts
+                    if (navigator.clipboard && typeof navigator.clipboard.writeText === 'function') {
+                      await navigator.clipboard.writeText(response.token);
+                    } else {
+                      const textarea = document.createElement('textarea');
+                      textarea.value = response.token;
+                      textarea.style.position = 'fixed';
+                      textarea.style.opacity = '0';
+                      document.body.appendChild(textarea);
+                      textarea.select();
+                      document.execCommand('copy');
+                      document.body.removeChild(textarea);
+                    }
+                    DeesToast.show({ message: `Connection token copied for ${edge.name}`, type: 'success', duration: 3000 });
+                  } else {
+                    DeesToast.show({ message: response.message || 'Failed to get token', type: 'error', duration: 4000 });
+                  }
+                } catch (err) {
+                  DeesToast.show({ message: `Failed: ${err.message}`, type: 'error', duration: 4000 });
+                }
+              },
+            },
            {
              name: 'Delete',
              iconName: 'lucide:trash2',
--- a/ts_web/elements/ops-view-routes.ts
+++ b/ts_web/elements/ops-view-routes.ts
@@ -0,0 +1,389 @@
+import * as appstate from '../appstate.js';
+import * as interfaces from '../../dist_ts_interfaces/index.js';
+import { viewHostCss } from './shared/css.js';
+import { type IStatsTile } from '@design.estate/dees-catalog';
+
+import {
+  DeesElement,
+  css,
+  cssManager,
+  customElement,
+  html,
+  state,
+  type TemplateResult,
+} from '@design.estate/dees-element';
+
+@customElement('ops-view-routes')
+export class OpsViewRoutes extends DeesElement {
+  @state() accessor routeState: appstate.IRouteManagementState = {
+    mergedRoutes: [],
+    warnings: [],
+    apiTokens: [],
+    isLoading: false,
+    error: null,
+    lastUpdated: 0,
+  };
+
+  constructor() {
+    super();
+    const sub = appstate.routeManagementStatePart
+      .select((s) => s)
+      .subscribe((routeState) => {
+        this.routeState = routeState;
+      });
+    this.rxSubscriptions.push(sub);
+
+    // Re-fetch routes when user logs in (fixes race condition where
+    // the view is created before authentication completes)
+    const loginSub = appstate.loginStatePart
+      .select((s) => s.isLoggedIn)
+      .subscribe((isLoggedIn) => {
+        if (isLoggedIn) {
+          appstate.routeManagementStatePart.dispatchAction(appstate.fetchMergedRoutesAction, null);
+        }
+      });
+    this.rxSubscriptions.push(loginSub);
+  }
+
+  public static styles = [
+    cssManager.defaultStyles,
+    viewHostCss,
+    css`
+      .routesContainer {
+        display: flex;
+        flex-direction: column;
+        gap: 24px;
+      }
+
+      .warnings-bar {
+        background: ${cssManager.bdTheme('rgba(255, 170, 0, 0.08)', 'rgba(255, 170, 0, 0.1)')};
+        border: 1px solid ${cssManager.bdTheme('rgba(255, 170, 0, 0.25)', 'rgba(255, 170, 0, 0.3)')};
+        border-radius: 8px;
+        padding: 12px 16px;
+      }
+
+      .warning-item {
+        display: flex;
+        align-items: center;
+        gap: 8px;
+        padding: 4px 0;
+        font-size: 13px;
+        color: ${cssManager.bdTheme('#b45309', '#fa0')};
+      }
+
+      .warning-icon {
+        flex-shrink: 0;
+      }
+
+      .empty-state {
+        text-align: center;
+        padding: 48px 24px;
+        color: ${cssManager.bdTheme('#6b7280', '#666')};
+      }
+
+      .empty-state p {
+        margin: 8px 0;
+      }
+    `,
+  ];
+
+  public render(): TemplateResult {
+    const { mergedRoutes, warnings } = this.routeState;
+
+    const hardcodedCount = mergedRoutes.filter((mr) => mr.source === 'hardcoded').length;
+    const programmaticCount = mergedRoutes.filter((mr) => mr.source === 'programmatic').length;
+    const disabledCount = mergedRoutes.filter((mr) => !mr.enabled).length;
+
+    const statsTiles: IStatsTile[] = [
+      {
+        id: 'totalRoutes',
+        title: 'Total Routes',
+        type: 'number',
+        value: mergedRoutes.length,
+        icon: 'lucide:route',
+        description: 'All configured routes',
+        color: '#3b82f6',
+      },
+      {
+        id: 'hardcoded',
+        title: 'Hardcoded',
+        type: 'number',
+        value: hardcodedCount,
+        icon: 'lucide:lock',
+        description: 'Routes from constructor config',
+        color: '#8b5cf6',
+      },
+      {
+        id: 'programmatic',
+        title: 'Programmatic',
+        type: 'number',
+        value: programmaticCount,
+        icon: 'lucide:code',
+        description: 'Routes added via API',
+        color: '#0ea5e9',
+      },
+      {
+        id: 'disabled',
+        title: 'Disabled',
+        type: 'number',
+        value: disabledCount,
+        icon: 'lucide:pauseCircle',
+        description: 'Currently disabled routes',
+        color: disabledCount > 0 ? '#ef4444' : '#6b7280',
+      },
+    ];
+
+    // Map merged routes to sz-route-list-view format
+    const szRoutes = mergedRoutes.map((mr) => {
+      const tags = [...(mr.route.tags || [])];
+      tags.push(mr.source);
+      if (!mr.enabled) tags.push('disabled');
+      if (mr.overridden) tags.push('overridden');
+
+      return {
+        ...mr.route,
+        enabled: mr.enabled,
+        tags,
+        id: mr.storedRouteId || mr.route.name || undefined,
+      };
+    });
+
+    return html`
+      <ops-sectionheading>Route Management</ops-sectionheading>
+
+      <div class="routesContainer">
+        <dees-statsgrid
+          .tiles=${statsTiles}
+          .gridActions=${[
+            {
+              name: 'Add Route',
+              iconName: 'lucide:plus',
+              action: () => this.showCreateRouteDialog(),
+            },
+            {
+              name: 'Refresh',
+              iconName: 'lucide:refreshCw',
+              action: () => this.refreshData(),
+            },
+          ]}
+        ></dees-statsgrid>
+
+        ${warnings.length > 0
+          ? html`
+              <div class="warnings-bar">
+                ${warnings.map(
+                  (w) => html`
+                    <div class="warning-item">
+                      <span class="warning-icon">&#9888;</span>
+                      <span>${w.message}</span>
+                    </div>
+                  `,
+                )}
+              </div>
+            `
+          : ''}
+
+        ${szRoutes.length > 0
+          ? html`
+              <sz-route-list-view
+                .routes=${szRoutes}
+                @route-click=${(e: CustomEvent) => this.handleRouteClick(e)}
+              ></sz-route-list-view>
+            `
+          : html`
+              <div class="empty-state">
+                <p>No routes configured</p>
+                <p>Add a programmatic route or check your constructor configuration.</p>
+              </div>
+            `}
+      </div>
+    `;
+  }
+
+  private async handleRouteClick(e: CustomEvent) {
+    const clickedRoute = e.detail;
+    if (!clickedRoute) return;
+
+    // Find the corresponding merged route
+    const merged = this.routeState.mergedRoutes.find(
+      (mr) => mr.route.name === clickedRoute.name,
+    );
+    if (!merged) return;
+
+    const { DeesModal } = await import('@design.estate/dees-catalog');
+
+    if (merged.source === 'hardcoded') {
+      const menuOptions = merged.enabled
+        ? [
+            {
+              name: 'Disable Route',
+              iconName: 'lucide:pause',
+              action: async (modalArg: any) => {
+                await appstate.routeManagementStatePart.dispatchAction(
+                  appstate.setRouteOverrideAction,
+                  { routeName: merged.route.name!, enabled: false },
+                );
+                await modalArg.destroy();
+              },
+            },
+            {
+              name: 'Close',
+              iconName: 'lucide:x',
+              action: async (modalArg: any) => await modalArg.destroy(),
+            },
+          ]
+        : [
+            {
+              name: 'Enable Route',
+              iconName: 'lucide:play',
+              action: async (modalArg: any) => {
+                await appstate.routeManagementStatePart.dispatchAction(
+                  appstate.setRouteOverrideAction,
+                  { routeName: merged.route.name!, enabled: true },
+                );
+                await modalArg.destroy();
+              },
+            },
+            {
+              name: 'Remove Override',
+              iconName: 'lucide:undo',
+              action: async (modalArg: any) => {
+                await appstate.routeManagementStatePart.dispatchAction(
+                  appstate.removeRouteOverrideAction,
+                  merged.route.name!,
+                );
+                await modalArg.destroy();
+              },
+            },
+            {
+              name: 'Close',
+              iconName: 'lucide:x',
+              action: async (modalArg: any) => await modalArg.destroy(),
+            },
+          ];
+
+      await DeesModal.createAndShow({
+        heading: `Route: ${merged.route.name}`,
+        content: html`
+          <div style="color: #ccc; padding: 8px 0;">
+            <p>Source: <strong style="color: #88f;">hardcoded</strong></p>
+            <p>Status: <strong>${merged.enabled ? 'Enabled' : 'Disabled (overridden)'}</strong></p>
+            <p style="color: #888; font-size: 13px;">Hardcoded routes cannot be edited or deleted, but they can be disabled via an override.</p>
+          </div>
+        `,
+        menuOptions,
+      });
+    } else {
+      // Programmatic route
+      await DeesModal.createAndShow({
+        heading: `Route: ${merged.route.name}`,
+        content: html`
+          <div style="color: #ccc; padding: 8px 0;">
+            <p>Source: <strong style="color: #0af;">programmatic</strong></p>
+            <p>Status: <strong>${merged.enabled ? 'Enabled' : 'Disabled'}</strong></p>
+            <p>ID: <code style="color: #888;">${merged.storedRouteId}</code></p>
+          </div>
+        `,
+        menuOptions: [
+          {
+            name: merged.enabled ? 'Disable' : 'Enable',
+            iconName: merged.enabled ? 'lucide:pause' : 'lucide:play',
+            action: async (modalArg: any) => {
+              await appstate.routeManagementStatePart.dispatchAction(
+                appstate.toggleRouteAction,
+                { id: merged.storedRouteId!, enabled: !merged.enabled },
+              );
+              await modalArg.destroy();
+            },
+          },
+          {
+            name: 'Delete',
+            iconName: 'lucide:trash-2',
+            action: async (modalArg: any) => {
+              await appstate.routeManagementStatePart.dispatchAction(
+                appstate.deleteRouteAction,
+                merged.storedRouteId!,
+              );
+              await modalArg.destroy();
+            },
+          },
+          {
+            name: 'Close',
+            iconName: 'lucide:x',
+            action: async (modalArg: any) => await modalArg.destroy(),
+          },
+        ],
+      });
+    }
+  }
+
+  private async showCreateRouteDialog() {
+    const { DeesModal } = await import('@design.estate/dees-catalog');
+
+    await DeesModal.createAndShow({
+      heading: 'Add Programmatic Route',
+      content: html`
+        <dees-form>
+          <dees-input-text .key=${'name'} .label=${'Route Name'} .required=${true}></dees-input-text>
+          <dees-input-text .key=${'ports'} .label=${'Ports (comma-separated)'} .required=${true}></dees-input-text>
+          <dees-input-text .key=${'domains'} .label=${'Domains (comma-separated, optional)'}></dees-input-text>
+          <dees-input-text .key=${'targetHost'} .label=${'Target Host'} .value=${'localhost'} .required=${true}></dees-input-text>
+          <dees-input-text .key=${'targetPort'} .label=${'Target Port'} .required=${true}></dees-input-text>
+        </dees-form>
+      `,
+      menuOptions: [
+        {
+          name: 'Cancel',
+          iconName: 'lucide:x',
+          action: async (modalArg: any) => await modalArg.destroy(),
+        },
+        {
+          name: 'Create',
+          iconName: 'lucide:plus',
+          action: async (modalArg: any) => {
+            const form = modalArg.shadowRoot?.querySelector('.content')?.querySelector('dees-form');
+            if (!form) return;
+            const formData = await form.collectFormData();
+            if (!formData.name || !formData.ports) return;
+
+            const ports = formData.ports.split(',').map((p: string) => parseInt(p.trim(), 10)).filter((p: number) => !isNaN(p));
+            const domains = formData.domains
+              ? formData.domains.split(',').map((d: string) => d.trim()).filter(Boolean)
+              : undefined;
+
+            const route: any = {
+              name: formData.name,
+              match: {
+                ports,
+                ...(domains && domains.length > 0 ? { domains } : {}),
+              },
+              action: {
+                type: 'forward',
+                targets: [
+                  {
+                    host: formData.targetHost || 'localhost',
+                    port: parseInt(formData.targetPort, 10),
+                  },
+                ],
+              },
+            };
+
+            await appstate.routeManagementStatePart.dispatchAction(
+              appstate.createRouteAction,
+              { route },
+            );
+            await modalArg.destroy();
+          },
+        },
+      ],
+    });
+  }
+
+  private refreshData() {
+    appstate.routeManagementStatePart.dispatchAction(appstate.fetchMergedRoutesAction, null);
+  }
+
+  async firstUpdated() {
+    await appstate.routeManagementStatePart.dispatchAction(appstate.fetchMergedRoutesAction, null);
+  }
+}
--- a/ts_web/elements/ops-view-security.ts
+++ b/ts_web/elements/ops-view-security.ts
@@ -249,7 +249,14 @@ export class OpsViewSecurity extends DeesElement {
  private renderOverview(metrics: any) {
    const threatLevel = this.calculateThreatLevel(metrics);
    const threatScore = this.getThreatScore(metrics);
-    
+
+    // Derive active sessions from recent successful auth events (last hour)
+    const allEvents: any[] = metrics.recentEvents || [];
+    const oneHourAgo = Date.now() - 3600000;
+    const recentAuthSuccesses = allEvents.filter(
+      (evt: any) => evt.type === 'authentication' && evt.success === true && evt.timestamp >= oneHourAgo
+    ).length;
+
    const tiles: IStatsTile[] = [
      {
        id: 'threatLevel',
@@ -271,7 +278,7 @@ export class OpsViewSecurity extends DeesElement {
      {
        id: 'blockedThreats',
        title: 'Blocked Threats',
-        value: metrics.blockedIPs.length + metrics.spamDetected,
+        value: (metrics.blockedIPs?.length || 0) + metrics.spamDetected,
        type: 'number',
        icon: 'lucide:ShieldCheck',
        color: '#ef4444',
@@ -280,11 +287,11 @@ export class OpsViewSecurity extends DeesElement {
      {
        id: 'activeSessions',
        title: 'Active Sessions',
-        value: 0,
+        value: recentAuthSuccesses,
        type: 'number',
        icon: 'lucide:Users',
        color: '#22c55e',
-        description: 'Current authenticated sessions',
+        description: 'Authenticated in last hour',
      },
      {
        id: 'authFailures',
@@ -349,6 +356,11 @@ export class OpsViewSecurity extends DeesElement {
  }

  private renderAuthentication(metrics: any) {
+    // Derive auth events from recentEvents
+    const allEvents: any[] = metrics.recentEvents || [];
+    const authEvents = allEvents.filter((evt: any) => evt.type === 'authentication');
+    const successfulLogins = authEvents.filter((evt: any) => evt.success === true).length;
+
    const tiles: IStatsTile[] = [
      {
        id: 'authFailures',
@@ -362,7 +374,7 @@ export class OpsViewSecurity extends DeesElement {
      {
        id: 'successfulLogins',
        title: 'Successful Logins',
-        value: 0,
+        value: successfulLogins,
        type: 'number',
        icon: 'lucide:Lock',
        color: '#22c55e',
@@ -370,6 +382,15 @@ export class OpsViewSecurity extends DeesElement {
      },
    ];

+    // Map auth events to login history table data
+    const loginHistory = authEvents.map((evt: any) => ({
+      timestamp: evt.timestamp,
+      username: evt.details?.username || 'unknown',
+      ipAddress: evt.ipAddress || 'unknown',
+      success: evt.success ?? false,
+      reason: evt.success ? '' : evt.message || 'Authentication failed',
+    }));
+
    return html`
      <dees-statsgrid
        .tiles=${tiles}
@@ -380,7 +401,7 @@ export class OpsViewSecurity extends DeesElement {
      <dees-table
        .heading1=${'Login History'}
        .heading2=${'Recent authentication attempts'}
-        .data=${[]}
+        .data=${loginHistory}
        .displayFunction=${(item) => ({
          'Time': new Date(item.timestamp).toLocaleString(),
          'Username': item.username,
@@ -483,48 +504,38 @@ export class OpsViewSecurity extends DeesElement {
  private getThreatScore(metrics: any): number {
    // Simple scoring algorithm
    let score = 100;
-    score -= metrics.blockedIPs.length * 2;
-    score -= metrics.authenticationFailures * 1;
-    score -= metrics.spamDetected * 0.5;
-    score -= metrics.malwareDetected * 3;
-    score -= metrics.phishingDetected * 3;
-    score -= metrics.suspiciousActivities * 2;
+    const blockedCount = Array.isArray(metrics.blockedIPs) ? metrics.blockedIPs.length : (metrics.blockedIPs || 0);
+    score -= blockedCount * 2;
+    score -= (metrics.authenticationFailures || 0) * 1;
+    score -= (metrics.spamDetected || 0) * 0.5;
+    score -= (metrics.malwareDetected || 0) * 3;
+    score -= (metrics.phishingDetected || 0) * 3;
+    score -= (metrics.suspiciousActivities || 0) * 2;
    return Math.max(0, Math.min(100, Math.round(score)));
  }

  private getSecurityEvents(metrics: any): any[] {
-    // Mock data - in real implementation, this would come from the server
-    return [
-      {
-        timestamp: Date.now() - 1000 * 60 * 5,
-        event: 'Multiple failed login attempts',
-        severity: 'warning',
-        details: 'IP: 192.168.1.100',
-      },
-      {
-        timestamp: Date.now() - 1000 * 60 * 15,
-        event: 'SPF check failed',
-        severity: 'medium',
-        details: 'Domain: example.com',
-      },
-      {
-        timestamp: Date.now() - 1000 * 60 * 30,
-        event: 'IP blocked due to spam',
-        severity: 'high',
-        details: 'IP: 10.0.0.1',
-      },
-    ];
+    const events: any[] = metrics.recentEvents || [];
+    return events.map((evt: any) => ({
+      timestamp: evt.timestamp,
+      event: evt.message,
+      severity: evt.level === 'critical' ? 'critical' : evt.level === 'error' ? 'high' : evt.level === 'warn' ? 'warning' : 'info',
+      details: evt.ipAddress ? `IP: ${evt.ipAddress}` : evt.domain ? `Domain: ${evt.domain}` : evt.type,
+    }));
  }

  private async clearBlockedIPs() {
-    console.log('Clear blocked IPs');
+    // SmartProxy manages IP blocking — not yet exposed via API
+    alert('Clearing blocked IPs is not yet supported from the UI.');
  }

  private async unblockIP(ip: string) {
-    console.log('Unblock IP:', ip);
+    // SmartProxy manages IP blocking — not yet exposed via API
+    alert(`Unblocking IP ${ip} is not yet supported from the UI.`);
  }

  private async saveEmailSecuritySettings() {
-    console.log('Save email security settings');
+    // Config is read-only from the UI for now
+    alert('Email security settings are read-only. Update the dcrouter configuration file to change these settings.');
  }
 }
--- a/ts_web/plugins.ts
+++ b/ts_web/plugins.ts
@@ -2,9 +2,17 @@
 import * as deesElement from '@design.estate/dees-element';
 import * as deesCatalog from '@design.estate/dees-catalog';

+// @serve.zone scope
+import * as szCatalog from '@serve.zone/catalog';
+
+// TypedSocket for real-time push communication
+import * as typedsocket from '@api.global/typedsocket';
+
 export {
  deesElement,
-  deesCatalog
+  deesCatalog,
+  szCatalog,
+  typedsocket,
 }

 // domtools gives us TypedRequest and other utilities
--- a/ts_web/readme.md
+++ b/ts_web/readme.md
@@ -40,6 +40,15 @@ For reporting bugs, issues, or security vulnerabilities, please visit [community
 - Expiry date monitoring and alerts
 - Per-domain backoff status for failed provisions
 - One-click reprovisioning per domain
+- Certificate import, export, and deletion
+
+### 🌍 Remote Ingress Management
+- Edge node registration with name, ports, and tags
+- Real-time connection status (connected/disconnected/disabled)
+- Public IP and active tunnel count per edge
+- Auto-derived port display with manual/derived breakdown
+- **Connection token generation** — one-click "Copy Token" for easy edge provisioning
+- Enable/disable, edit, secret regeneration, and delete actions

 ### 📜 Log Viewer
 - Real-time log streaming
@@ -85,6 +94,7 @@ ts_web/
    ├── ops-view-network.ts   # Network monitoring
    ├── ops-view-emails.ts    # Email queue management
    ├── ops-view-certificates.ts  # Certificate overview & reprovisioning
+    ├── ops-view-remoteingress.ts # Remote ingress edge management
    ├── ops-view-logs.ts      # Log viewer
    ├── ops-view-config.ts    # Configuration display
    ├── ops-view-security.ts  # Security dashboard
@@ -106,6 +116,8 @@ The app uses `@push.rocks/smartstate` with multiple state parts:
 | `logStatePart` | Soft | Recent logs, streaming status, filters |
 | `networkStatePart` | Soft | Connections, IPs, throughput rates |
 | `emailOpsStatePart` | Soft | Email queues, bounces, suppression list |
+| `certificateStatePart` | Soft | Certificate list, summary, loading state |
+| `remoteIngressStatePart` | Soft | Edge list, statuses, new edge secret |

 ### Actions

@@ -128,6 +140,23 @@ fetchSecurityIncidentsAction()     // Security events
 fetchBounceRecordsAction()         // Bounce records
 resendEmailAction(emailId)         // Re-queue failed email
 removeFromSuppressionAction(email) // Remove from suppression list
+
+// Certificates
+fetchCertificateOverviewAction()   // All certificates with summary
+reprovisionCertificateAction(domain) // Reprovision a certificate
+deleteCertificateAction(domain)    // Delete a certificate
+importCertificateAction(cert)      // Import a certificate
+fetchCertificateExport(domain)     // Export (standalone function)
+
+// Remote Ingress
+fetchRemoteIngressAction()         // Edges + statuses
+createRemoteIngressAction(data)    // Create new edge
+updateRemoteIngressAction(data)    // Update edge settings
+deleteRemoteIngressAction(id)      // Remove edge
+regenerateRemoteIngressSecretAction(id) // New secret
+toggleRemoteIngressAction(id, enabled)  // Enable/disable
+clearNewEdgeSecretAction()         // Dismiss secret banner
+fetchConnectionToken(edgeId)       // Get connection token (standalone function)
 ```

 ### Client-Side Routing
@@ -141,6 +170,7 @@ removeFromSuppressionAction(email) // Remove from suppression list
  /emails/failed    → Failed emails
  /emails/security  → Security incidents
 /certificates    → Certificate management
+/remoteingress   → Remote ingress edge management
 /logs            → Log viewer
 /configuration   → System configuration
 /security        → Security dashboard
--- a/ts_web/router.ts
+++ b/ts_web/router.ts
@@ -3,11 +3,9 @@ import * as appstate from './appstate.js';

 const SmartRouter = plugins.domtools.plugins.smartrouter.SmartRouter;

-export const validViews = ['overview', 'network', 'emails', 'logs', 'configuration', 'security', 'certificates', 'remoteingress'] as const;
-export const validEmailFolders = ['queued', 'sent', 'failed', 'security'] as const;
+export const validViews = ['overview', 'network', 'emails', 'logs', 'routes', 'apitokens', 'configuration', 'security', 'certificates', 'remoteingress'] as const;

 export type TValidView = typeof validViews[number];
-export type TValidEmailFolder = typeof validEmailFolders[number];

 class AppRouter {
  private router: InstanceType<typeof SmartRouter>;
@@ -27,31 +25,10 @@ class AppRouter {
  }

  private setupRoutes(): void {
-    // Main views
    for (const view of validViews) {
-      if (view === 'emails') {
-        // Email root - default to queued
-        this.router.on('/emails', async () => {
-          this.updateViewState('emails');
-          this.updateEmailFolder('queued');
-        });
-
-        // Email with folder parameter
-        this.router.on('/emails/:folder', async (routeInfo) => {
-          const folder = routeInfo.params.folder as string;
-          if (validEmailFolders.includes(folder as TValidEmailFolder)) {
-            this.updateViewState('emails');
-            this.updateEmailFolder(folder as TValidEmailFolder);
-          } else {
-            // Invalid folder, redirect to queued
-            this.navigateTo('/emails/queued');
-          }
-        });
-      } else {
-        this.router.on(`/${view}`, async () => {
-          this.updateViewState(view);
-        });
-      }
+      this.router.on(`/${view}`, async () => {
+        this.updateViewState(view);
+      });
    }

    // Root redirect
@@ -61,60 +38,32 @@ class AppRouter {
  }

  private setupStateSync(): void {
-    // Sync URL when state changes programmatically (not from router)
    appstate.uiStatePart.state.subscribe((uiState) => {
      if (this.suppressStateUpdate) return;

      const currentPath = window.location.pathname;
-      const expectedPath = this.getExpectedPath(uiState.activeView);
+      const expectedPath = `/${uiState.activeView}`;

-      // Only update URL if it doesn't match current state
-      if (!currentPath.startsWith(expectedPath)) {
+      if (currentPath !== expectedPath) {
        this.suppressStateUpdate = true;
-        if (uiState.activeView === 'emails') {
-          const emailState = appstate.emailOpsStatePart.getState();
-          this.router.pushUrl(`/emails/${emailState.currentView}`);
-        } else {
-          this.router.pushUrl(`/${uiState.activeView}`);
-        }
+        this.router.pushUrl(expectedPath);
        this.suppressStateUpdate = false;
      }
    });
  }

-  private getExpectedPath(view: string): string {
-    if (view === 'emails') {
-      return '/emails';
-    }
-    return `/${view}`;
-  }
-
  private handleInitialRoute(): void {
    const path = window.location.pathname;

    if (!path || path === '/') {
-      // Redirect root to overview
      this.router.pushUrl('/overview');
    } else {
-      // Parse current path and update state
      const segments = path.split('/').filter(Boolean);
      const view = segments[0];

      if (validViews.includes(view as TValidView)) {
        this.updateViewState(view as TValidView);
-
-        if (view === 'emails' && segments[1]) {
-          const folder = segments[1];
-          if (validEmailFolders.includes(folder as TValidEmailFolder)) {
-            this.updateEmailFolder(folder as TValidEmailFolder);
-          } else {
-            this.updateEmailFolder('queued');
-          }
-        } else if (view === 'emails') {
-          this.updateEmailFolder('queued');
-        }
      } else {
-        // Invalid view, redirect to overview
        this.router.pushUrl('/overview');
      }
    }
@@ -132,18 +81,6 @@ class AppRouter {
    this.suppressStateUpdate = false;
  }

-  private updateEmailFolder(folder: TValidEmailFolder): void {
-    this.suppressStateUpdate = true;
-    const currentState = appstate.emailOpsStatePart.getState();
-    if (currentState.currentView !== folder) {
-      appstate.emailOpsStatePart.setState({
-        ...currentState,
-        currentView: folder as appstate.IEmailOpsState['currentView'],
-      });
-    }
-    this.suppressStateUpdate = false;
-  }
-
  public navigateTo(path: string): void {
    this.router.pushUrl(path);
  }
@@ -156,22 +93,10 @@ class AppRouter {
    }
  }

-  public navigateToEmailFolder(folder: string): void {
-    if (validEmailFolders.includes(folder as TValidEmailFolder)) {
-      this.navigateTo(`/emails/${folder}`);
-    } else {
-      this.navigateTo('/emails/queued');
-    }
-  }
-
  public getCurrentView(): string {
    return appstate.uiStatePart.getState().activeView;
  }

-  public getCurrentEmailFolder(): string {
-    return appstate.emailOpsStatePart.getState().currentView;
-  }
-
  public destroy(): void {
    this.router.destroy();
    this.initialized = false;