v6.13.2

changelog.md

@@ -1,5 +1,147 @@
 # Changelog
 
+## 2026-02-19 - 6.13.2 - fix(runtime)
+prevent memory leaks and improve shutdown/stream handling across services
+
+- Add CertProvisionScheduler.clear() to reset in-memory backoff cache and call it during DcRouter shutdown
+- Stop any existing SmartAcme instance before creating a new one (await stop and log errors) to avoid duplicate running instances
+- Null out many DcRouter service references and clear certificateStatusMap on shutdown to allow GC of stopped services
+- Cap emailMetrics.recipients map size and trim to ~80% of MAX_TOP_DOMAINS to prevent unbounded growth
+- Await virtualStream.sendData in logs follow handler and clear the interval if the stream errors/closes to avoid interval leaks
+- Limit normalizedMacCache size and evict oldest entries when it exceeds 10000 to prevent unbounded cache growth
+
+## 2026-02-18 - 6.13.1 - fix(dcrouter)
+enable PROXY protocol v1 handling for SmartProxy when remoteIngress is enabled to preserve client IPs
+
+- Set smartProxyConfig.acceptProxyProtocol = true when options.remoteIngressConfig.enabled
+- Whitelist loopback address by setting smartProxyConfig.proxyIPs = ['127.0.0.1']
+- Only applies when remoteIngress is enabled; used to accept tunneled connections forwarded by the hub to preserve original client IPs
+
+## 2026-02-18 - 6.13.0 - feat(remoteingress)
+include listenPorts for allowed edges sent to the Rust hub and always resync allowed edges when edge properties change
+
+- getAllowedEdges now returns listenPorts for each allowed edge (uses getEffectiveListenPorts)
+- remoteingress handler now calls tunnelManager.syncAllowedEdges() whenever tunnelManager exists so ports/tags/enabled changes are propagated
+- Improves Rust hub routing by providing per-edge listening ports and ensuring allowed-edge list is kept up-to-date
+
+## 2026-02-18 - 6.12.0 - feat(remote-ingress)
+add Remote Ingress hub integration, OpsServer UI, APIs, and docs
+
+- Integrates RemoteIngress (hub/tunnel) into DcRouter: runtime manager, tunnel manager and Rust data plane references added
+- Bumps dependency @serve.zone/remoteingress to ^3.3.0
+- Adds configuration defaults and IDcRouterOptions.remoteIngressConfig with tunnelPort/hubDomain/tls fields
+- Introduces OpsServer API endpoints and TypedRequest methods for remote ingress: getRemoteIngresses, createRemoteIngress, updateRemoteIngress, deleteRemoteIngress, regenerateRemoteIngressSecret, getRemoteIngressStatus, getRemoteIngressConnectionToken
+- UI updates: new Remote Ingress dashboard view, connection token generation & copy (clipboard API + fallback), auto-derived ports display, and toast notifications
+- State/API rename: newEdgeSecret -> newEdgeId and clearNewEdgeIdAction; appstate fetchConnectionToken usage
+- Documentation: README, ts/ and ts_web readmes, and ts_interfaces updated with interfaces and examples for Remote Ingress
+- Minor UI icon updates (search -> fa:magnifyingGlass, clipboard icon casing) and other doc/README improvements
+
+## 2026-02-18 - 6.11.0 - feat(remoteingress)
+add ability to generate remote ingress connection tokens and UI copy action; add hubDomain config option; update remoteingress dependency to ^3.1.1
+
+- Add server typed handler 'getRemoteIngressConnectionToken' to generate an encoded connection token containing hubHost, hubPort, edgeId and secret.
+- Add request interface IReq_GetRemoteIngressConnectionToken for typed requests.
+- Add fetchConnectionToken helper in web appstate and a 'Copy Token' action in ops-view-remoteingress to copy tokens to the clipboard with toast feedback.
+- Add hubDomain option to remoteIngressConfig in dcrouter options so an external hostname can be embedded in connection tokens.
+- Bump dependency @serve.zone/remoteingress from ^3.0.4 to ^3.1.1 in package.json.
+
+## 2026-02-17 - 6.10.0 - feat(ops-view-certificates)
+Make Export and Delete actions available inline (inRow) as well as in the context menu; bump @design.estate/dees-catalog to ^3.43.0
+
+- Added 'inRow' to action types for 'Export' and 'Delete' in ts_web/elements/ops-view-certificates.ts to expose actions inline in the row
+- Updated dependency @design.estate/dees-catalog from ^3.42.2 to ^3.43.0 in package.json
+
+## 2026-02-17 - 6.9.0 - feat(certificates)
+add certificate import, export, and deletion support (server handlers, request types, and UI)
+
+- Add typed request handlers in opsserver: deleteCertificate, exportCertificate, importCertificate (ts/opsserver/handlers/certificate.handler.ts)
+- Implement deleteCertificate/exportCertificate/importCertificate functions handling storage paths, in-memory status map updates, backoff clearing, validation, and SmartAcme-compatible /certs/ and /proxy-certs/ formats
+- Add request interfaces IReq_DeleteCertificate, IReq_ExportCertificate, IReq_ImportCertificate (ts_interfaces/requests/certificate.ts)
+- Add web app actions deleteCertificateAction, importCertificateAction and fetchCertificateExport to call new typed requests (ts_web/appstate.ts)
+- Update certificates UI to support Import, Export, and Delete actions and add downloadJsonFile helper (ts_web/elements/ops-view-certificates.ts)
+
+## 2026-02-17 - 6.8.0 - feat(remote-ingress)
+support auto-deriving ports for remote ingress edges and expose manual/derived port breakdown in API and UI
+
+- Add autoDerivePorts flag to IRemoteIngress with default true and migration to set existing stored edges to autoDerivePorts = true
+- RemoteIngressManager: getEffectiveListenPorts now returns the union of manual + derived ports when autoDerivePorts is enabled; added getPortBreakdown to return manual vs derived lists
+- API handlers updated: create/update requests accept autoDerivePorts; responses now include effectiveListenPorts, manualPorts, and derivedPorts (secrets still masked)
+- Web UI updated: create and edit dialogs include an Auto-derive checkbox; port badges now visually distinguish manual vs derived ports; added updateRemoteIngressAction
+- Non-breaking change: new field defaults to true so existing behavior is preserved
+
+## 2026-02-17 - 6.7.0 - feat(remote-ingress)
+Support auto-derived effective listen ports, make listenPorts optional, add toggle action and refine remote ingress creation/management UI
+
+- Add effectiveListenPorts?: number[] to IRemoteIngress interface (present in API responses)
+- Make createRemoteIngressAction.listenPorts optional and update creation modal to allow empty ports (auto-derived)
+- Add toggleRemoteIngressAction to enable/disable remote ingress edges and wire up Enable/Disable row/context-menu actions
+- Update getPortsHtml to prefer manual listenPorts, fall back to effectiveListenPorts, show '(auto)' when derived and 'none' when no ports
+- Standardize UI actions to use inRow/contextmenu and actionFunc signatures; update create modal to use explicit Cancel/Create menu options and collect form data programmatically
+
+## 2026-02-17 - 6.6.1 - fix(icons)
+standardize icon identifiers to lucide-prefixed names across operational views
+
+- Replaced legacy/ambiguous icon names with 'lucide:...' identifiers in four UI modules: ts_web/elements/ops-view-certificates.ts, ops-view-network.ts, ops-view-overview.ts, and ops-view-security.ts.
+- Updated common action/menu icons (e.g. arrowsRotate -> lucide:RefreshCw, magnifyingGlass -> lucide:Search, copy -> lucide:Copy, fileExport -> lucide:FileOutput).
+- Mapped dashboard/tile icons to lucide equivalents (e.g. server -> lucide:Server, networkWired/sitemap -> lucide:Network, download/upload -> lucide:Download/Upload, microchip/memory -> lucide:Cpu/MemoryStick).
+- Normalized alert and status icons to lucide names (e.g. triangleExclamation -> lucide:TriangleAlert, shield/userShield -> lucide:Shield/ShieldCheck, clock/clockRotateLeft -> lucide:Clock/History).
+
+## 2026-02-17 - 6.6.0 - feat(remoteingress)
+derive effective remote ingress listen ports from route configs and expose them via ops API
+
+- Derive listen ports from SmartProxy route configs with remoteIngress.enabled; supports optional edgeFilter to target edges by id or tags.
+- Add RemoteIngressManager.setRoutes(), derivePortsForEdge(), and getEffectiveListenPorts() which falls back to manual listenPorts when present.
+- dcrouter now supplies route configs to RemoteIngressManager during initialization and when updating SmartProxy configuration to keep derived ports in sync.
+- Ops API now returns effectiveListenPorts for edges; createRemoteIngress.listenPorts is optional and createEdge defaults listenPorts to an empty array.
+- Bump dependency @serve.zone/remoteingress to ^3.0.4 to align types/behavior.
+
+## 2026-02-16 - 6.5.0 - feat(ops-view-remoteingress)
+add 'Create Edge Node' header action to remote ingress table and remove duplicate createNewAction
+
+- Add a 'Create Edge Node' header action in dataActions that opens DeesModal to collect name, listenPorts and tags
+- Parse comma-separated listenPorts into integer array and normalize optional tags
+- Dispatch appstate.createRemoteIngressAction with the collected payload
+- Remove the previously duplicated createNewAction prop from the dees-table
+
+## 2026-02-16 - 6.4.5 - fix(remoteingress)
+mark remote ingress data actions as row actions and bump @design.estate/dees-catalog dependency
+
+- Add type:['row'] to 'Regenerate Secret' and 'Delete' dataActions in ts_web/elements/ops-view-remoteingress.ts to ensure they are treated as row actions in the UI
+- Bump @design.estate/dees-catalog from ^3.42.0 to ^3.42.2 in package.json
+
+## 2026-02-16 - 6.4.4 - fix(deps)
+bump @push.rocks/smartproxy to ^25.7.3
+
+- Updated @push.rocks/smartproxy from ^25.7.2 to ^25.7.3 in package.json
+
+## 2026-02-16 - 6.4.3 - fix(deps)
+bump @push.rocks/smartproxy to ^25.7.2
+
+- Updated package.json: @push.rocks/smartproxy ^25.7.1 -> ^25.7.2 (patch dependency update)
+
+## 2026-02-16 - 6.4.2 - fix(smartproxy)
+bump @push.rocks/smartproxy to ^25.7.1
+
+- Updated dependency @push.rocks/smartproxy from ^25.7.0 to ^25.7.1 in package.json
+- No other source changes; dependency patch bump only
+
+## 2026-02-16 - 6.4.1 - fix(deps)
+bump dependencies: @push.rocks/smartproxy to ^25.7.0 and @serve.zone/remoteingress to ^3.0.2
+
+- Bumped @push.rocks/smartproxy from ^25.5.0 to ^25.7.0
+- Bumped @serve.zone/remoteingress from ^3.0.1 to ^3.0.2
+- Package current version is 6.4.0 — recommended patch release
+
+## 2026-02-16 - 6.4.0 - feat(remoteingress)
+add Remote Ingress hub and management for edge tunnel nodes, including backend managers, tunnel hub integration, opsserver handlers, typedrequest APIs, and web UI
+
+- Introduce RemoteIngressManager for CRUD and persistent storage of edge registrations
+- Introduce TunnelManager to run the RemoteIngressHub, track connected edge statuses, and sync allowed edges to the hub
+- Integrate remote ingress into DcRouter (options.remoteIngressConfig, setupRemoteIngress, startup/shutdown handling, and startup summary)
+- Add OpsServer RemoteIngressHandler exposing typedrequest APIs (create/update/delete/regenerate/get/status)
+- Add web UI: Remote Ingress view, app state parts, actions and components to manage edges and display runtime statuses
+- Add typedrequest and data interfaces for remoteingress and export the remoteingress module; add @serve.zone/remoteingress dependency in package.json
+
 ## 2026-02-16 - 6.3.0 - feat(dcrouter)
 add configurable baseDir and centralized path resolution; use resolved data paths for storage, cache and DNS
 

package.json

@@ -1,7 +1,7 @@
 {
   "name": "@serve.zone/dcrouter",
   "private": false,
-  "version": "6.3.0",
+  "version": "6.13.2",
   "description": "A multifaceted routing service handling mail and SMS delivery functions.",
   "type": "module",
   "exports": {
@@ -32,7 +32,7 @@
     "@api.global/typedserver": "^8.3.0",
     "@api.global/typedsocket": "^4.1.0",
     "@apiclient.xyz/cloudflare": "^7.1.0",
-    "@design.estate/dees-catalog": "^3.42.0",
+    "@design.estate/dees-catalog": "^3.43.0",
     "@design.estate/dees-element": "^2.1.6",
     "@push.rocks/projectinfo": "^5.0.2",
     "@push.rocks/qenv": "^6.1.3",
@@ -49,13 +49,14 @@
     "@push.rocks/smartnetwork": "^4.4.0",
     "@push.rocks/smartpath": "^6.0.0",
     "@push.rocks/smartpromise": "^4.2.3",
-    "@push.rocks/smartproxy": "^25.5.0",
+    "@push.rocks/smartproxy": "^25.7.3",
     "@push.rocks/smartradius": "^1.1.1",
     "@push.rocks/smartrequest": "^5.0.1",
     "@push.rocks/smartrx": "^3.0.10",
     "@push.rocks/smartstate": "^2.0.30",
     "@push.rocks/smartunique": "^3.0.9",
     "@serve.zone/interfaces": "^5.3.0",
+    "@serve.zone/remoteingress": "^3.3.0",
     "@tsclass/tsclass": "^9.3.0",
     "lru-cache": "^11.2.6",
     "uuid": "^13.0.0"

pnpm-lock.yaml

@@ -24,8 +24,8 @@ importers:
         specifier: ^7.1.0
         version: 7.1.0
       '@design.estate/dees-catalog':
-        specifier: ^3.42.0
-        version: 3.42.0(@tiptap/pm@2.27.2)
+        specifier: ^3.43.0
+        version: 3.43.0(@tiptap/pm@2.27.2)
       '@design.estate/dees-element':
         specifier: ^2.1.6
         version: 2.1.6
@@ -75,8 +75,8 @@ importers:
         specifier: ^4.2.3
         version: 4.2.3
       '@push.rocks/smartproxy':
-        specifier: ^25.5.0
-        version: 25.5.0
+        specifier: ^25.7.3
+        version: 25.7.3
       '@push.rocks/smartradius':
         specifier: ^1.1.1
         version: 1.1.1
@@ -95,6 +95,9 @@ importers:
       '@serve.zone/interfaces':
         specifier: ^5.3.0
         version: 5.3.0
+      '@serve.zone/remoteingress':
+        specifier: ^3.3.0
+        version: 3.3.0
       '@tsclass/tsclass':
         specifier: ^9.3.0
         version: 9.3.0
@@ -348,8 +351,8 @@ packages:
   '@configvault.io/interfaces@1.0.17':
     resolution: {integrity: sha512-bEcCUR2VBDJsTin8HQh8Uw/mlYl2v8A3jMIaQ+MTB9Hrqd6CZL2dL7iJdWyFl/3EIX+LDxWFR+Oq7liIq7w+1Q==}
 
-  '@design.estate/dees-catalog@3.42.0':
-    resolution: {integrity: sha512-pArkafnrhRsHsSxKUMUM2YP5ei/AbcchPEKZY2PyHHAdXcNxyT3pE2Oh1FPcs1pqF2LpEgJRq8KFQbFhvhp8Nw==}
+  '@design.estate/dees-catalog@3.43.0':
+    resolution: {integrity: sha512-UFW8oThP9Mc4L0wVVgmuGux868Ct/TwZ1WP8hZCe4e/+5gmxDc+4EArnt5hePHENboe1Soobh9mmrMN6kQZ3xQ==}
 
   '@design.estate/dees-comms@1.0.30':
     resolution: {integrity: sha512-KchMlklJfKAjQiJiR0xmofXtQ27VgZtBIxcMwPE9d+h3jJRv+lPZxzBQVOM0eyM0uS44S5vJMZ11IeV4uDXSHg==}
@@ -678,74 +681,74 @@ packages:
   '@mongodb-js/saslprep@1.4.6':
     resolution: {integrity: sha512-y+x3H1xBZd38n10NZF/rEBlvDOOMQ6LKUTHqr8R9VkJ+mmQOYtJFxIlkkK8fZrtOiL6VixbOBWMbZGBdal3Z1g==}
 
-  '@napi-rs/canvas-android-arm64@0.1.91':
-    resolution: {integrity: sha512-SLLzXXgSnfct4zy/BVAfweZQkYkPJsNsJ2e5DOE8DFEHC6PufyUrwb12yqeu2So2IOIDpWJJaDAxKY/xpy6MYQ==}
+  '@napi-rs/canvas-android-arm64@0.1.93':
+    resolution: {integrity: sha512-xRIoOPFvneR29Dtq5d9p2AJbijDCFeV4jQ+5Ms/xVAXJVb8R0Jlu+pPr/SkhrG+Mouaml4roPSXugTIeRl6CMA==}
     engines: {node: '>= 10'}
     cpu: [arm64]
     os: [android]
 
-  '@napi-rs/canvas-darwin-arm64@0.1.91':
-    resolution: {integrity: sha512-bzdbCjIjw3iRuVFL+uxdSoMra/l09ydGNX9gsBxO/zg+5nlppscIpj6gg+nL6VNG85zwUarDleIrUJ+FWHvmuA==}
+  '@napi-rs/canvas-darwin-arm64@0.1.93':
+    resolution: {integrity: sha512-daNDi76HN5grC6GXDmpxdfP+N2mQPd3sCfg62VyHwUuvbZh32P7R/IUjkzAxtYMtTza+Zvx9hfLJ3J7ENL6WMA==}
     engines: {node: '>= 10'}
     cpu: [arm64]
     os: [darwin]
 
-  '@napi-rs/canvas-darwin-x64@0.1.91':
-    resolution: {integrity: sha512-q3qpkpw0IsG9fAS/dmcGIhCVoNxj8ojbexZKWwz3HwxlEWsLncEQRl4arnxrwbpLc2nTNTyj4WwDn7QR5NDAaA==}
+  '@napi-rs/canvas-darwin-x64@0.1.93':
+    resolution: {integrity: sha512-1YfuNPIQLawsg/gSNdJRk4kQWUy9M/Gy8FGsOI79nhQEJ2PZdqpSPl5UNzf4elfuNXuVbEbmmjP68EQdUunDuQ==}
     engines: {node: '>= 10'}
     cpu: [x64]
     os: [darwin]
 
-  '@napi-rs/canvas-linux-arm-gnueabihf@0.1.91':
-    resolution: {integrity: sha512-Io3g8wJZVhK8G+Fpg1363BE90pIPqg+ZbeehYNxPWDSzbgwU3xV0l8r/JBzODwC7XHi1RpFEk+xyUTMa2POj6w==}
+  '@napi-rs/canvas-linux-arm-gnueabihf@0.1.93':
+    resolution: {integrity: sha512-8kEkOQPZjuyHjupvXExuJZiuiVNecdABGq3DLI7aO1EvQFOOlWMm2d/8Q5qXdV73Tn+nu3m16+kPajsN1oJefQ==}
     engines: {node: '>= 10'}
     cpu: [arm]
     os: [linux]
 
-  '@napi-rs/canvas-linux-arm64-gnu@0.1.91':
-    resolution: {integrity: sha512-HBnto+0rxx1bQSl8bCWA9PyBKtlk2z/AI32r3cu4kcNO+M/5SD4b0v1MWBWZyqMQyxFjWgy3ECyDjDKMC6tY1A==}
+  '@napi-rs/canvas-linux-arm64-gnu@0.1.93':
+    resolution: {integrity: sha512-qIKLKkBkYSyWSYAoDThoxf5y1gr4X0g7W8rDU7d2HDeAAcotdVHUwuKkMeNe6+5VNk7/95EIhbslQjSxiCu32g==}
     engines: {node: '>= 10'}
     cpu: [arm64]
     os: [linux]
 
-  '@napi-rs/canvas-linux-arm64-musl@0.1.91':
-    resolution: {integrity: sha512-/eJtVe2Xw9A86I4kwXpxxoNagdGclu12/NSMsfoL8q05QmeRCbfjhg1PJS7ENAuAvaiUiALGrbVfeY1KU1gztQ==}
+  '@napi-rs/canvas-linux-arm64-musl@0.1.93':
+    resolution: {integrity: sha512-mAwQBGM3qArS9XEO21AK4E1uGvCuUCXjhIZk0dlVvs49MQ6wAAuCkYKNFpSKeSicKrLWwBMfgWX4qZoPh+M00A==}
     engines: {node: '>= 10'}
     cpu: [arm64]
     os: [linux]
 
-  '@napi-rs/canvas-linux-riscv64-gnu@0.1.91':
-    resolution: {integrity: sha512-floNK9wQuRWevUhhXRcuis7h0zirdytVxPgkonWO+kQlbvxV7gEUHGUFQyq4n55UHYFwgck1SAfJ1HuXv/+ppQ==}
+  '@napi-rs/canvas-linux-riscv64-gnu@0.1.93':
+    resolution: {integrity: sha512-kaIH5MpPzOZfkM+QMsBxGdM9jlJT+N+fwz2IEaju/S+DL65E5TgPOx4QcD5dQ8vsMxlak6uDrudBc4ns5xzZCw==}
     engines: {node: '>= 10'}
     cpu: [riscv64]
     os: [linux]
 
-  '@napi-rs/canvas-linux-x64-gnu@0.1.91':
-    resolution: {integrity: sha512-c3YDqBdf7KETuZy2AxsHFMsBBX1dWT43yFfWUq+j1IELdgesWtxf/6N7csi3VPf6VA3PmnT9EhMyb+M1wfGtqw==}
+  '@napi-rs/canvas-linux-x64-gnu@0.1.93':
+    resolution: {integrity: sha512-KtMZJqYWvOSeW5w3VSV2f5iGnwNdKJm4gwgVid4xNy1NFi+NJSyuglA1lX1u4wIPxizyxh8OW5c5Usf6oSOMNQ==}
     engines: {node: '>= 10'}
     cpu: [x64]
     os: [linux]
 
-  '@napi-rs/canvas-linux-x64-musl@0.1.91':
-    resolution: {integrity: sha512-RpZ3RPIwgEcNBHSHSX98adm+4VP8SMT5FN6250s5jQbWpX/XNUX5aLMfAVJS/YnDjS1QlsCgQxFOPU0aCCWgag==}
+  '@napi-rs/canvas-linux-x64-musl@0.1.93':
+    resolution: {integrity: sha512-qRZhOvlDBooRLX6V3/t9X9B+plZK+OrPLgfFixu0A1RO/3VHbubOknfnMnocSDAqk/L6cRyKI83VP2ciR9UO7w==}
     engines: {node: '>= 10'}
     cpu: [x64]
     os: [linux]
 
-  '@napi-rs/canvas-win32-arm64-msvc@0.1.91':
-    resolution: {integrity: sha512-gF8MBp4X134AgVurxqlCdDA2qO0WaDdi9o6Sd5rWRVXRhWhYQ6wkdEzXNLIrmmros0Tsp2J0hQzx4ej/9O8trQ==}
+  '@napi-rs/canvas-win32-arm64-msvc@0.1.93':
+    resolution: {integrity: sha512-um5XE44vF8bjkQEsH2iRSUP9fDeQGYbn/qjM/v4whXG83qsqapAXlOPOQqSARZB1SiNvPUAuXoRsJLlKFmAEFw==}
     engines: {node: '>= 10'}
     cpu: [arm64]
     os: [win32]
 
-  '@napi-rs/canvas-win32-x64-msvc@0.1.91':
-    resolution: {integrity: sha512-++gtW9EV/neKI8TshD8WFxzBYALSPag2kFRahIJV+LYsyt5kBn21b1dBhEUDHf7O+wiZmuFCeUa7QKGHnYRZBA==}
+  '@napi-rs/canvas-win32-x64-msvc@0.1.93':
+    resolution: {integrity: sha512-maHlizZgmKsAPJwjwBZMnsWfq3Ca9QutoteQwKe7YqsmbECoylrLCCOGCDOredstW4BRWqRTfCl6NJaVVeAQvQ==}
     engines: {node: '>= 10'}
     cpu: [x64]
     os: [win32]
 
-  '@napi-rs/canvas@0.1.91':
-    resolution: {integrity: sha512-eeIe1GoB74P1B0Nkw6pV8BCQ3hfCfvyYr4BntzlCsnFXzVJiPMDnLeIx3gVB0xQMblHYnjK/0nCLvirEhOjr5g==}
+  '@napi-rs/canvas@0.1.93':
+    resolution: {integrity: sha512-unVFo8CUlUeJCCxt50+j4yy91NF4x6n9zdGcvEsOFAWzowtZm3mgx8X2D7xjwV0cFSfxmpGPoe+JS77uzeFsxg==}
     engines: {node: '>= 10'}
 
   '@napi-rs/wasm-runtime@1.0.7':
@@ -1031,8 +1034,8 @@ packages:
   '@push.rocks/smartpromise@4.2.3':
     resolution: {integrity: sha512-Ycg/TJR+tMt+S3wSFurOpEoW6nXv12QBtKXgBcjMZ4RsdO28geN46U09osPn9N9WuwQy1PkmTV5J/V4F9U8qEw==}
 
-  '@push.rocks/smartproxy@25.5.0':
-    resolution: {integrity: sha512-ePjxuwplEWpvvK0Xnb3q/8BVmE4xrBJl1mSoKBcZOzizF2T6ZmwuQKIvjnDJ13Q/KHLSIqMFS61CWVJHwtOUfA==}
+  '@push.rocks/smartproxy@25.7.3':
+    resolution: {integrity: sha512-9b5dwsLAhuDqnJptGBum4qBHlZwZPqPG3CJKxAwE3uFKjCmcE8qGDwodI0CjrQ7KW2PJ1BMq/Lk4ghs3Da6PWw==}
 
   '@push.rocks/smartpuppeteer@2.0.5':
     resolution: {integrity: sha512-yK/qSeWVHIGWRp3c8S5tfdGP6WCKllZC4DR8d8CQlEjszOSBmHtlTdyyqOMBZ/BA4kd+eU5f3A1r4K2tGYty1g==}
@@ -1337,6 +1340,9 @@ packages:
   '@serve.zone/interfaces@5.3.0':
     resolution: {integrity: sha512-venO7wtDR9ixzD9NhdERBGjNKbFA5LL0yHw4eqGh0UpmvtXVc3SFG0uuHDilOKMZqZ8bttV88qVsFy1aSTJrtA==}
 
+  '@serve.zone/remoteingress@3.3.0':
+    resolution: {integrity: sha512-nmw0F+Otrg78Xai9G3qLcP3NP4VkGPGm/6IGJmrXEgx3Z+ewh5Rhs1/rtN0mJFNXP77LZz1HuEBgR8aWbSHFQw==}
+
   '@sindresorhus/is@5.6.0':
     resolution: {integrity: sha512-TV7t8GKYaJWsn00tFDqBw8+Uqmr8A0fRU1tvTQhyZzGv0sJCGRQL3JGMI3ucuKo3XIZdUP+Lx7/gh2t3lewy7g==}
     engines: {node: '>=14.16'}
@@ -1560,31 +1566,6 @@ packages:
   '@socket.io/component-emitter@3.1.2':
     resolution: {integrity: sha512-9BCxFwvbGg/RsZK9tjXd8s4UcwR0MWeFQ1XEKIQVVvAGJyINdrqKMcTRyLoK8Rse1GjzLV9cwjWV1olXRWEXVA==}
 
-  '@svgdotjs/svg.draggable.js@3.0.6':
-    resolution: {integrity: sha512-7iJFm9lL3C40HQcqzEfezK2l+dW2CpoVY3b77KQGqc8GXWa6LhhmX5Ckv7alQfUXBuZbjpICZ+Dvq1czlGx7gA==}
-    peerDependencies:
-      '@svgdotjs/svg.js': ^3.2.4
-
-  '@svgdotjs/svg.filter.js@3.0.9':
-    resolution: {integrity: sha512-/69XMRCDoam2HgC4ldHIaDgeQf1ViHIsa0Ld4uWgiXtZ+E24DWHe/9Ib6kbNiZ7WRIdlVokUDR1Fg0kjIpkfbw==}
-    engines: {node: '>= 0.8.0'}
-
-  '@svgdotjs/svg.js@3.2.5':
-    resolution: {integrity: sha512-/VNHWYhNu+BS7ktbYoVGrCmsXDh+chFMaONMwGNdIBcFHrWqk2jY8fNyr3DLdtQUIalvkPfM554ZSFa3dm3nxQ==}
-
-  '@svgdotjs/svg.resize.js@2.0.5':
-    resolution: {integrity: sha512-4heRW4B1QrJeENfi7326lUPYBCevj78FJs8kfeDxn5st0IYPIRXoTtOSYvTzFWgaWWXd3YCDE6ao4fmv91RthA==}
-    engines: {node: '>= 14.18'}
-    peerDependencies:
-      '@svgdotjs/svg.js': ^3.2.4
-      '@svgdotjs/svg.select.js': ^4.0.1
-
-  '@svgdotjs/svg.select.js@4.0.3':
-    resolution: {integrity: sha512-qkMgso1sd2hXKd1FZ1weO7ANq12sNmQJeGDjs46QwDVsxSRcHmvWKL2NDF7Yimpwf3sl5esOLkPqtV2bQ3v/Jg==}
-    engines: {node: '>= 14.18'}
-    peerDependencies:
-      '@svgdotjs/svg.js': ^3.2.4
-
   '@szmarczak/http-timer@5.0.1':
     resolution: {integrity: sha512-+PmQX0PiAYPMeVYe237LJAYvOMYW1j2rH5YROyS3b4CTVJum34HfRvKvAzozHAQG0TnHNdUfY9nCeUyRAs//cw==}
     engines: {node: '>=14.16'}
@@ -1985,8 +1966,8 @@ packages:
     resolution: {integrity: sha512-4Dj6M28JB+oAH8kFkTLUo+a2jwOFkuqb3yucU0CANcRRUbxS0cP0nZYCGjcc3BNXwRIsUVmDGgzawme7zvJHvg==}
     engines: {node: '>=12'}
 
-  apexcharts@5.3.6:
-    resolution: {integrity: sha512-sVEPw+J0Gp0IHQabKu8cfdsxlfME0e36Wid7RIaPclGM2OUt+O7O4+6mfAmTUYhy5bDk8cNHzEhPfVtLCIXEJA==}
+  apexcharts@5.6.0:
+    resolution: {integrity: sha512-BZua59yedRsaDfnxkzNrkyLCvluq2c3ZDBIz4joxSKtgr0xDQXQ5dzceMhf/TpTbAjaF+2NYIpLP3BEEIG2s/w==}
 
   argparse@1.0.10:
     resolution: {integrity: sha512-o5Roy6tNG4SL/FOkCAN6RzjiakZS25RLYFrcMttJqbdd8BWrnA+fGz57iN5Pb06pvBGvl5gQ0B48dJlslXvoTg==}
@@ -3038,8 +3019,8 @@ packages:
     resolution: {integrity: sha512-jumlc0BIUrS3qJGgIkWZsyfAM7NCWiBcCDhnd+3NNM5KbBmLTgHVfWBcg6W+rLUsIpzpERPsvwUP7CckAQSOoA==}
     engines: {node: '>=12'}
 
-  lucide@0.563.0:
-    resolution: {integrity: sha512-2zBzDJ5n2Plj3d0ksj6h9TWPOSiKu9gtxJxnBAye11X/8gfWied6IYJn6ADYBp1NPoJmgpyOYP3wMrVx69+2AA==}
+  lucide@0.564.0:
+    resolution: {integrity: sha512-FasyXKHWon773WIl3HeCQpd5xS6E0aLjqxiQStlHNKktni+HDncc1sqY+6vRUbCfmDsIaKQz43EEQLAUDLZO0g==}
 
   mailparser@3.9.3:
     resolution: {integrity: sha512-AnB0a3zROum6fLaa52L+/K2SoRJVyFDk78Ea6q1D0ofcZLxWEWDtsS1+OrVqKbV7r5dulKL/AwYQccFGAPpuYQ==}
@@ -3602,8 +3583,8 @@ packages:
   property-information@7.1.0:
     resolution: {integrity: sha512-TwEZ+X+yCJmYfL7TPUOcvBZ4QfoT5YenQiJuX//0th53DE6w0xxLEtfK3iyryQFddXuvkIk51EEgrJQ0WJkOmQ==}
 
-  prosemirror-changeset@2.3.1:
-    resolution: {integrity: sha512-j0kORIBm8ayJNl3zQvD1TTPHJX3g042et6y/KQhZhnPrruO8exkTgG8X+NRpj7kIyMMEx74Xb3DyMIBtO0IKkQ==}
+  prosemirror-changeset@2.4.0:
+    resolution: {integrity: sha512-LvqH2v7Q2SF6yxatuPP2e8vSUKS/L+xAU7dPDC4RMyHMhZoGDfBC74mYuyYF4gLqOEG758wajtyhNnsTkuhvng==}
 
   prosemirror-collab@1.3.1:
     resolution: {integrity: sha512-4SnynYR9TTYaQVXd/ieUvsVV4PDMBzrq2xPUWutHivDuOshZXqQ5rGbZM84HEaXKbLdItse7weMGOUdDVcLKEQ==}
@@ -3629,8 +3610,8 @@ packages:
   prosemirror-markdown@1.13.4:
     resolution: {integrity: sha512-D98dm4cQ3Hs6EmjK500TdAOew4Z03EV71ajEFiWra3Upr7diytJsjF4mPV2dW+eK5uNectiRj0xFxYI9NLXDbw==}
 
-  prosemirror-menu@1.2.5:
-    resolution: {integrity: sha512-qwXzynnpBIeg1D7BAtjOusR+81xCp53j7iWu/IargiRZqRjGIlQuu1f3jFi+ehrHhWMLoyOQTSRx/IWZJqOYtQ==}
+  prosemirror-menu@1.3.0:
+    resolution: {integrity: sha512-TImyPXCHPcDsSka2/lwJ6WjTASr4re/qWq1yoTTuLOqfXucwF6VcRa2LWCkM/EyTD1UO3CUwiH8qURJoWJRxwg==}
 
   prosemirror-model@1.25.4:
     resolution: {integrity: sha512-PIM7E43PBxKce8OQeezAs9j4TP+5yDpZVbuurd1h5phUxEKIu+G2a+EUZzIC5nS1mJktDJWzbqS23n1tsAf5QA==}
@@ -4266,11 +4247,13 @@ packages:
 
   xterm-addon-fit@0.8.0:
     resolution: {integrity: sha512-yj3Np7XlvxxhYF/EJ7p3KHaMt6OdwQ+HDu573Vx1lRXsVxOcnVJs51RgjZOouIZOczTsskaS+CpXspK81/DLqw==}
+    deprecated: This package is now deprecated. Move to @xterm/addon-fit instead.
     peerDependencies:
       xterm: ^5.0.0
 
   xterm@5.3.0:
     resolution: {integrity: sha512-8QqjlekLUFTrU6x7xck1MsPzPA571K5zNqWm0M0oroYEWVOptZ0+ubQSkQ3uxIEhcIHRujJy6emDWX4A7qyFzg==}
+    deprecated: This package is now deprecated. Move to @xterm/xterm instead.
 
   y18n@5.0.8:
     resolution: {integrity: sha512-0pfFzegeDWJHJIAmTLRP2DwHjdF5s7jo9tuztdQxAhINCdvS+3nGINqPd00AphqJR/0LhANUS6/+7SCb98YOfA==}
@@ -4382,7 +4365,7 @@ snapshots:
       '@api.global/typedrequest-interfaces': 3.0.19
       '@api.global/typedsocket': 4.1.0(@push.rocks/smartserve@2.0.1)
       '@cloudflare/workers-types': 4.20260210.0
-      '@design.estate/dees-catalog': 3.42.0(@tiptap/pm@2.27.2)
+      '@design.estate/dees-catalog': 3.43.0(@tiptap/pm@2.27.2)
       '@design.estate/dees-comms': 1.0.30
       '@push.rocks/lik': 6.2.2
       '@push.rocks/smartdelay': 3.0.5
@@ -4980,7 +4963,7 @@ snapshots:
     dependencies:
       '@api.global/typedrequest-interfaces': 3.0.19
 
-  '@design.estate/dees-catalog@3.42.0(@tiptap/pm@2.27.2)':
+  '@design.estate/dees-catalog@3.43.0(@tiptap/pm@2.27.2)':
     dependencies:
       '@design.estate/dees-domtools': 2.3.8
       '@design.estate/dees-element': 2.1.6
@@ -5000,10 +4983,10 @@ snapshots:
       '@tiptap/extension-underline': 2.27.2(@tiptap/core@2.27.2(@tiptap/pm@2.27.2))
       '@tiptap/starter-kit': 2.27.2
       '@tsclass/tsclass': 9.3.0
-      apexcharts: 5.3.6
+      apexcharts: 5.6.0
       highlight.js: 11.11.1
       ibantools: 4.5.1
-      lucide: 0.563.0
+      lucide: 0.564.0
       monaco-editor: 0.55.1
       pdfjs-dist: 4.10.38
       xterm: 5.3.0
@@ -5489,52 +5472,52 @@ snapshots:
     dependencies:
       sparse-bitfield: 3.0.3
 
-  '@napi-rs/canvas-android-arm64@0.1.91':
+  '@napi-rs/canvas-android-arm64@0.1.93':
     optional: true
 
-  '@napi-rs/canvas-darwin-arm64@0.1.91':
+  '@napi-rs/canvas-darwin-arm64@0.1.93':
     optional: true
 
-  '@napi-rs/canvas-darwin-x64@0.1.91':
+  '@napi-rs/canvas-darwin-x64@0.1.93':
     optional: true
 
-  '@napi-rs/canvas-linux-arm-gnueabihf@0.1.91':
+  '@napi-rs/canvas-linux-arm-gnueabihf@0.1.93':
     optional: true
 
-  '@napi-rs/canvas-linux-arm64-gnu@0.1.91':
+  '@napi-rs/canvas-linux-arm64-gnu@0.1.93':
     optional: true
 
-  '@napi-rs/canvas-linux-arm64-musl@0.1.91':
+  '@napi-rs/canvas-linux-arm64-musl@0.1.93':
     optional: true
 
-  '@napi-rs/canvas-linux-riscv64-gnu@0.1.91':
+  '@napi-rs/canvas-linux-riscv64-gnu@0.1.93':
     optional: true
 
-  '@napi-rs/canvas-linux-x64-gnu@0.1.91':
+  '@napi-rs/canvas-linux-x64-gnu@0.1.93':
     optional: true
 
-  '@napi-rs/canvas-linux-x64-musl@0.1.91':
+  '@napi-rs/canvas-linux-x64-musl@0.1.93':
     optional: true
 
-  '@napi-rs/canvas-win32-arm64-msvc@0.1.91':
+  '@napi-rs/canvas-win32-arm64-msvc@0.1.93':
     optional: true
 
-  '@napi-rs/canvas-win32-x64-msvc@0.1.91':
+  '@napi-rs/canvas-win32-x64-msvc@0.1.93':
     optional: true
 
-  '@napi-rs/canvas@0.1.91':
+  '@napi-rs/canvas@0.1.93':
     optionalDependencies:
-      '@napi-rs/canvas-android-arm64': 0.1.91
-      '@napi-rs/canvas-darwin-arm64': 0.1.91
-      '@napi-rs/canvas-darwin-x64': 0.1.91
-      '@napi-rs/canvas-linux-arm-gnueabihf': 0.1.91
-      '@napi-rs/canvas-linux-arm64-gnu': 0.1.91
-      '@napi-rs/canvas-linux-arm64-musl': 0.1.91
-      '@napi-rs/canvas-linux-riscv64-gnu': 0.1.91
-      '@napi-rs/canvas-linux-x64-gnu': 0.1.91
-      '@napi-rs/canvas-linux-x64-musl': 0.1.91
-      '@napi-rs/canvas-win32-arm64-msvc': 0.1.91
-      '@napi-rs/canvas-win32-x64-msvc': 0.1.91
+      '@napi-rs/canvas-android-arm64': 0.1.93
+      '@napi-rs/canvas-darwin-arm64': 0.1.93
+      '@napi-rs/canvas-darwin-x64': 0.1.93
+      '@napi-rs/canvas-linux-arm-gnueabihf': 0.1.93
+      '@napi-rs/canvas-linux-arm64-gnu': 0.1.93
+      '@napi-rs/canvas-linux-arm64-musl': 0.1.93
+      '@napi-rs/canvas-linux-riscv64-gnu': 0.1.93
+      '@napi-rs/canvas-linux-x64-gnu': 0.1.93
+      '@napi-rs/canvas-linux-x64-musl': 0.1.93
+      '@napi-rs/canvas-win32-arm64-msvc': 0.1.93
+      '@napi-rs/canvas-win32-x64-msvc': 0.1.93
     optional: true
 
   '@napi-rs/wasm-runtime@1.0.7':
@@ -6369,7 +6352,7 @@ snapshots:
 
   '@push.rocks/smartpromise@4.2.3': {}
 
-  '@push.rocks/smartproxy@25.5.0':
+  '@push.rocks/smartproxy@25.7.3':
     dependencies:
       '@push.rocks/smartcrypto': 2.0.4
       '@push.rocks/smartlog': 3.1.11
@@ -6847,6 +6830,11 @@ snapshots:
       '@push.rocks/smartlog-interfaces': 3.0.2
       '@tsclass/tsclass': 9.3.0
 
+  '@serve.zone/remoteingress@3.3.0':
+    dependencies:
+      '@push.rocks/qenv': 6.1.3
+      '@push.rocks/smartrust': 1.2.1
+
   '@sindresorhus/is@5.6.0': {}
 
   '@smithy/abort-controller@4.2.8':
@@ -7189,25 +7177,6 @@ snapshots:
 
   '@socket.io/component-emitter@3.1.2': {}
 
-  '@svgdotjs/svg.draggable.js@3.0.6(@svgdotjs/svg.js@3.2.5)':
-    dependencies:
-      '@svgdotjs/svg.js': 3.2.5
-
-  '@svgdotjs/svg.filter.js@3.0.9':
-    dependencies:
-      '@svgdotjs/svg.js': 3.2.5
-
-  '@svgdotjs/svg.js@3.2.5': {}
-
-  '@svgdotjs/svg.resize.js@2.0.5(@svgdotjs/svg.js@3.2.5)(@svgdotjs/svg.select.js@4.0.3(@svgdotjs/svg.js@3.2.5))':
-    dependencies:
-      '@svgdotjs/svg.js': 3.2.5
-      '@svgdotjs/svg.select.js': 4.0.3(@svgdotjs/svg.js@3.2.5)
-
-  '@svgdotjs/svg.select.js@4.0.3(@svgdotjs/svg.js@3.2.5)':
-    dependencies:
-      '@svgdotjs/svg.js': 3.2.5
-
   '@szmarczak/http-timer@5.0.1':
     dependencies:
       defer-to-connect: 2.0.1
@@ -7323,7 +7292,7 @@ snapshots:
 
   '@tiptap/pm@2.27.2':
     dependencies:
-      prosemirror-changeset: 2.3.1
+      prosemirror-changeset: 2.4.0
       prosemirror-collab: 1.3.1
       prosemirror-commands: 1.7.1
       prosemirror-dropcursor: 1.8.2
@@ -7332,7 +7301,7 @@ snapshots:
       prosemirror-inputrules: 1.5.1
       prosemirror-keymap: 1.2.3
       prosemirror-markdown: 1.13.4
-      prosemirror-menu: 1.2.5
+      prosemirror-menu: 1.3.0
       prosemirror-model: 1.25.4
       prosemirror-schema-basic: 1.2.4
       prosemirror-schema-list: 1.5.1
@@ -7636,13 +7605,8 @@ snapshots:
 
   ansi-styles@6.2.3: {}
 
-  apexcharts@5.3.6:
+  apexcharts@5.6.0:
     dependencies:
-      '@svgdotjs/svg.draggable.js': 3.0.6(@svgdotjs/svg.js@3.2.5)
-      '@svgdotjs/svg.filter.js': 3.0.9
-      '@svgdotjs/svg.js': 3.2.5
-      '@svgdotjs/svg.resize.js': 2.0.5(@svgdotjs/svg.js@3.2.5)(@svgdotjs/svg.select.js@4.0.3(@svgdotjs/svg.js@3.2.5))
-      '@svgdotjs/svg.select.js': 4.0.3(@svgdotjs/svg.js@3.2.5)
       '@yr/monotone-cubic-spline': 1.0.3
 
   argparse@1.0.10:
@@ -8798,7 +8762,7 @@ snapshots:
 
   lru-cache@7.18.3: {}
 
-  lucide@0.563.0: {}
+  lucide@0.564.0: {}
 
   mailparser@3.9.3:
     dependencies:
@@ -9463,7 +9427,7 @@ snapshots:
 
   pdfjs-dist@4.10.38:
     optionalDependencies:
-      '@napi-rs/canvas': 0.1.91
+      '@napi-rs/canvas': 0.1.93
 
   peberminta@0.9.0: {}
 
@@ -9502,7 +9466,7 @@ snapshots:
 
   property-information@7.1.0: {}
 
-  prosemirror-changeset@2.3.1:
+  prosemirror-changeset@2.4.0:
     dependencies:
       prosemirror-transform: 1.11.0
 
@@ -9552,7 +9516,7 @@ snapshots:
       markdown-it: 14.1.1
       prosemirror-model: 1.25.4
 
-  prosemirror-menu@1.2.5:
+  prosemirror-menu@1.3.0:
     dependencies:
       crelt: 1.0.6
       prosemirror-commands: 1.7.1

readme.md

@@ -4,7 +4,7 @@
 
 **dcrouter: The all-in-one gateway for your datacenter.** 🚀
 
-A comprehensive traffic routing solution that provides unified gateway capabilities for HTTP/HTTPS, TCP/SNI, email (SMTP), DNS, and RADIUS protocols. Designed for enterprises requiring robust traffic management, automatic TLS certificate provisioning, and enterprise-grade email infrastructure — all from a single process.
+A comprehensive traffic routing solution that provides unified gateway capabilities for HTTP/HTTPS, TCP/SNI, email (SMTP), DNS, RADIUS, and remote edge ingress — all from a single process. Designed for enterprises requiring robust traffic management, automatic TLS certificate provisioning, distributed edge networking, and enterprise-grade email infrastructure.
 
 ## Issue Reporting and Security
 
@@ -21,6 +21,7 @@ For reporting bugs, issues, or security vulnerabilities, please visit [community
 - [Email System](#email-system)
 - [DNS Server](#dns-server)
 - [RADIUS Server](#radius-server)
+- [Remote Ingress](#remote-ingress)
 - [Certificate Management](#certificate-management)
 - [Storage & Caching](#storage--caching)
 - [Security Features](#security-features)
@@ -60,6 +61,14 @@ For reporting bugs, issues, or security vulnerabilities, please visit [community
 - **RADIUS accounting** for session tracking, traffic metering, and billing
 - **Real-time management** via OpsServer API
 
+### 🌍 Remote Ingress (powered by [remoteingress](https://code.foss.global/serve.zone/remoteingress))
+- **Distributed edge networking** — accept traffic at remote edge nodes and tunnel it to the hub
+- **Edge registration CRUD** with secret-based authentication
+- **Auto-derived ports** — edges automatically pick up ports from routes tagged with `remoteIngress.enabled`
+- **Connection tokens** — generate a single opaque base64url token containing hubHost, hubPort, edgeId, and secret for easy edge provisioning
+- **Real-time status monitoring** — connected/disconnected state, public IP, active tunnels, heartbeat tracking
+- **OpsServer dashboard** with enable/disable, edit, secret regeneration, token copy, and delete actions
+
 ### ⚡ High Performance
 - **Rust-powered proxy engine** via SmartProxy for maximum throughput
 - **Rust-powered MTA engine** via smartmta (TypeScript + Rust hybrid) for reliable email delivery
@@ -76,8 +85,9 @@ For reporting bugs, issues, or security vulnerabilities, please visit [community
 ### 🖥️ OpsServer Dashboard
 - **Web-based management interface** with real-time monitoring
 - **JWT authentication** with session persistence
-- **Live views** for connections, email queues, DNS queries, RADIUS sessions, certificates, and security events
+- **Live views** for connections, email queues, DNS queries, RADIUS sessions, certificates, remote ingress edges, and security events
 - **Domain-centric certificate overview** with backoff status and one-click reprovisioning
+- **Remote ingress management** with connection token generation and one-click copy
 - **Read-only configuration display** — DcRouter is configured through code
 
 ## Installation
@@ -219,6 +229,13 @@ const router = new DcRouter({
     accounting: { enabled: true, retentionDays: 30 }
   },
 
+  // Remote Ingress — edge nodes tunnel traffic to this hub
+  remoteIngressConfig: {
+    enabled: true,
+    tunnelPort: 8443,
+    hubDomain: 'hub.example.com',
+  },
+
   // Persistent storage
   storage: { fsPath: '/var/lib/dcrouter/data' },
 
@@ -246,6 +263,7 @@ graph TB
         TCP[TCP Clients]
         DNS[DNS Queries]
         RAD[RADIUS Clients]
+        EDGE[Edge Nodes]
     end
 
     subgraph "DcRouter Core"
@@ -254,6 +272,7 @@ graph TB
         ES[smartmta Email Server<br/><i>TypeScript + Rust</i>]
         DS[SmartDNS Server<br/><i>Rust-powered</i>]
         RS[SmartRadius Server]
+        RI[RemoteIngress Hub<br/><i>Rust data plane</i>]
         CM[Certificate Manager<br/><i>smartacme v9</i>]
         OS[OpsServer Dashboard]
         MM[Metrics Manager]
@@ -273,11 +292,13 @@ graph TB
     SMTP --> ES
     DNS --> DS
     RAD --> RS
+    EDGE --> RI
 
     DC --> SP
     DC --> ES
     DC --> DS
     DC --> RS
+    DC --> RI
     DC --> CM
     DC --> OS
     DC --> MM
@@ -288,6 +309,7 @@ graph TB
     SP --> API
     ES --> MAIL
     ES --> DB
+    RI --> SP
 
     CM -.-> SP
     CM -.-> ES
@@ -303,6 +325,7 @@ graph TB
 | **DNS Server** | `@push.rocks/smartdns` | Authoritative DNS with dynamic records and DKIM TXT auto-generation (Rust engine) |
 | **SmartAcme** | `@push.rocks/smartacme` | ACME certificate management with per-domain dedup, concurrency control, and rate limiting |
 | **RADIUS Server** | `@push.rocks/smartradius` | Network authentication with MAB, VLAN assignment, and accounting |
+| **RemoteIngress** | `@serve.zone/remoteingress` | Distributed edge tunneling with Rust data plane and TS management |
 | **OpsServer** | `@api.global/typedserver` | Web dashboard + TypedRequest API for monitoring and management |
 | **MetricsManager** | `@push.rocks/smartmetrics` | Real-time metrics collection (CPU, memory, email, DNS, security) |
 | **StorageManager** | built-in | Pluggable key-value storage (filesystem, custom, or in-memory) |
@@ -312,19 +335,20 @@ graph TB
 
 DcRouter acts purely as an **orchestrator** — it doesn't implement protocols itself. Instead, it wires together best-in-class packages for each protocol:
 
-1. **On `start()`**: DcRouter initializes OpsServer (port 3000), then spins up SmartProxy, smartmta, SmartDNS, and SmartRadius based on which configs are provided.
-2. **During operation**: Each service handles its own protocol independently. SmartProxy uses a Rust-powered engine for maximum throughput. smartmta uses a hybrid TypeScript + Rust architecture for reliable email delivery. SmartAcme v9 handles all certificate operations with built-in concurrency control and rate limiting.
+1. **On `start()`**: DcRouter initializes OpsServer (port 3000), then spins up SmartProxy, smartmta, SmartDNS, SmartRadius, and RemoteIngress based on which configs are provided.
+2. **During operation**: Each service handles its own protocol independently. SmartProxy uses a Rust-powered engine for maximum throughput. smartmta uses a hybrid TypeScript + Rust architecture for reliable email delivery. RemoteIngress runs a Rust data plane for edge tunnel networking. SmartAcme v9 handles all certificate operations with built-in concurrency control and rate limiting.
 3. **On `stop()`**: All services are gracefully shut down in parallel, including cleanup of HTTP agents and DNS clients.
 
 ### Rust-Powered Architecture
 
-DcRouter itself is a pure TypeScript orchestrator, but three of its core sub-components ship with **compiled Rust binaries** for performance-critical paths. At runtime each package detects the platform, unpacks the correct binary, and communicates with TypeScript over IPC/FFI — so you get the ergonomics of TypeScript with the throughput of native code.
+DcRouter itself is a pure TypeScript orchestrator, but several of its core sub-components ship with **compiled Rust binaries** for performance-critical paths. At runtime each package detects the platform, unpacks the correct binary, and communicates with TypeScript over IPC/FFI — so you get the ergonomics of TypeScript with the throughput of native code.
 
 | Component | Rust Binary | What It Handles |
 |-----------|-------------|-----------------|
 | **SmartProxy** | `smartproxy-bin` | All TCP/TLS/HTTP proxy networking, NFTables integration, connection metrics |
 | **smartmta** | `mailer-bin` | SMTP server + client, DKIM/SPF/DMARC, content scanning, IP reputation |
 | **SmartDNS** | `smartdns-bin` | DNS server (UDP + DNS-over-HTTPS), DNSSEC, DNS client resolution |
+| **RemoteIngress** | `remoteingress-bin` | Edge tunnel data plane, multiplexed streams, heartbeat management |
 | **SmartRadius** | — | Pure TypeScript (no Rust component) |
 
 ## Configuration Reference
@@ -333,6 +357,10 @@ DcRouter itself is a pure TypeScript orchestrator, but three of its core sub-com
 
 ```typescript
 interface IDcRouterOptions {
+  // ── Base ───────────────────────────────────────────────────────
+  /** Base directory for all dcrouter data. Defaults to ~/.serve.zone/dcrouter */
+  baseDir?: string;
+
   // ── Traffic Routing ────────────────────────────────────────────
   /** SmartProxy config for HTTP/HTTPS and TCP/SNI routing */
   smartProxyConfig?: ISmartProxyOptions;
@@ -376,6 +404,18 @@ interface IDcRouterOptions {
     accounting?: { enabled: boolean; retentionDays?: number };
   };
 
+  // ── Remote Ingress ─────────────────────────────────────────────
+  /** Remote Ingress hub for edge tunnel connections */
+  remoteIngressConfig?: {
+    enabled?: boolean;                   // default: false
+    tunnelPort?: number;                 // default: 8443
+    hubDomain?: string;                  // External hostname for connection tokens
+    tls?: {
+      certPath?: string;
+      keyPath?: string;
+    };
+  };
+
   // ── TLS & Certificates ────────────────────────────────────────
   tls?: {
     contactEmail: string;
@@ -701,6 +741,107 @@ RADIUS is fully manageable at runtime via the OpsServer API:
 - Session monitoring and forced disconnects
 - Accounting summaries and statistics
 
+## Remote Ingress
+
+DcRouter can act as a **hub** for distributed edge nodes using [`@serve.zone/remoteingress`](https://code.foss.global/serve.zone/remoteingress). Edge nodes accept incoming traffic at remote locations and tunnel it back to the hub over a single multiplexed connection. This is ideal for scenarios where you need to accept traffic at multiple geographic locations but process it centrally.
+
+### Enabling Remote Ingress
+
+```typescript
+const router = new DcRouter({
+  remoteIngressConfig: {
+    enabled: true,
+    tunnelPort: 8443,
+    hubDomain: 'hub.example.com',  // Embedded in connection tokens
+  },
+  // Routes tagged with remoteIngress are auto-derived to edge listen ports
+  smartProxyConfig: {
+    routes: [
+      {
+        name: 'web-via-edge',
+        match: { domains: ['app.example.com'], ports: [443] },
+        action: {
+          type: 'forward',
+          targets: [{ host: '192.168.1.10', port: 8080 }],
+          tls: { mode: 'terminate', certificate: 'auto' }
+        },
+        remoteIngress: { enabled: true }  // Edges will listen on port 443
+      }
+    ]
+  }
+});
+
+await router.start();
+```
+
+### Edge Registration
+
+Edges are registered via the OpsServer API (or dashboard UI). Each edge gets a unique ID and secret:
+
+```typescript
+// Via TypedRequest API
+const createReq = new TypedRequest<IReq_CreateRemoteIngress>(
+  'https://hub:3000/typedrequest', 'createRemoteIngress'
+);
+const { edge } = await createReq.fire({
+  identity,
+  name: 'edge-nyc-01',
+  autoDerivePorts: true,
+  tags: ['us-east'],
+});
+// edge.secret is returned only on creation — save it!
+```
+
+### Connection Tokens 🔑
+
+Instead of configuring edges with four separate values (hubHost, hubPort, edgeId, secret), DcRouter can generate a single **connection token** — an opaque base64url string that encodes everything:
+
+```typescript
+// Via TypedRequest API
+const tokenReq = new TypedRequest<IReq_GetRemoteIngressConnectionToken>(
+  'https://hub:3000/typedrequest', 'getRemoteIngressConnectionToken'
+);
+const { token } = await tokenReq.fire({ identity, edgeId: 'edge-uuid' });
+// token = "eyJoIjoiaHViLmV4YW1wbGUuY29tIiwicCI6ODQ0MywiZSI6I..."
+
+// On the edge side, just pass the token:
+const edge = new RemoteIngressEdge({ token });
+await edge.start();
+```
+
+The token is generated using `remoteingress.encodeConnectionToken()` and contains `{ hubHost, hubPort, edgeId, secret }`. The `hubHost` comes from `remoteIngressConfig.hubDomain` (or can be overridden per-request).
+
+In the OpsServer dashboard, click **"Copy Token"** on any edge row to copy the connection token to your clipboard.
+
+### Auto-Derived Ports
+
+When routes have `remoteIngress: { enabled: true }`, edges with `autoDerivePorts: true` (default) automatically pick up those routes' ports. You can also use `edgeFilter` to restrict which edges get which ports:
+
+```typescript
+{
+  name: 'web-route',
+  match: { ports: [443] },
+  action: { /* ... */ },
+  remoteIngress: {
+    enabled: true,
+    edgeFilter: ['us-east', 'edge-uuid-123']  // Only edges with matching id or tags
+  }
+}
+```
+
+### Dashboard Actions
+
+The OpsServer Remote Ingress view provides:
+
+| Action | Description |
+|--------|-------------|
+| **Create Edge Node** | Register a new edge with name, ports, tags |
+| **Enable / Disable** | Toggle an edge on or off |
+| **Edit** | Modify name, manual ports, auto-derive setting, tags |
+| **Regenerate Secret** | Issue a new secret (invalidates the old one) |
+| **Copy Token** | Generate and copy a base64url connection token to clipboard |
+| **Delete** | Remove the edge registration |
+
 ## Certificate Management
 
 DcRouter uses [`@push.rocks/smartacme`](https://code.foss.global/push.rocks/smartacme) v9 for ACME certificate provisioning. smartacme v9 brings significant improvements over previous versions:
@@ -767,6 +908,7 @@ The OpsServer includes a **Certificates** view showing:
 - Expiry dates and issuer information
 - Backoff status for failed domains
 - One-click reprovisioning per domain
+- Certificate import and export
 
 ## Storage & Caching
 
@@ -788,7 +930,7 @@ storage: {
 // Simply omit the storage config
 ```
 
-Used for: TLS certificates, DKIM keys, email routes, bounce/suppression lists, IP reputation data, domain configs, cert backoff state.
+Used for: TLS certificates, DKIM keys, email routes, bounce/suppression lists, IP reputation data, domain configs, cert backoff state, remote ingress edge registrations.
 
 ### Cache Database
 
@@ -874,7 +1016,8 @@ The OpsServer provides a web-based management interface served on port 3000. It'
 | 📊 **Overview** | Real-time server stats, CPU/memory, connection counts, email throughput |
 | 🌐 **Network** | Active connections, top IPs, throughput rates, SmartProxy metrics |
 | 📧 **Email** | Queue monitoring (queued/sent/failed), bounce records, security incidents |
-| 🔐 **Certificates** | Domain-centric certificate overview, status, backoff info, reprovisioning |
+| 🔐 **Certificates** | Domain-centric certificate overview, status, backoff info, reprovisioning, import/export |
+| 🌍 **RemoteIngress** | Edge node management, connection status, token generation, enable/disable |
 | 📜 **Logs** | Real-time log viewer with level filtering and search |
 | ⚙️ **Configuration** | Read-only view of current system configuration |
 | 🛡️ **Security** | IP reputation, rate limit status, blocked connections |
@@ -906,6 +1049,18 @@ All management is done via TypedRequest over HTTP POST to `/typedrequest`:
 'getCertificateOverview'               // Domain-centric certificate status
 'reprovisionCertificate'               // Reprovision by route name (legacy)
 'reprovisionCertificateDomain'         // Reprovision by domain (preferred)
+'importCertificate'                    // Import a certificate
+'exportCertificate'                    // Export a certificate
+'deleteCertificate'                    // Delete a certificate
+
+// Remote Ingress
+'getRemoteIngresses'                   // List all edge registrations
+'createRemoteIngress'                  // Register a new edge
+'updateRemoteIngress'                  // Update edge settings
+'deleteRemoteIngress'                  // Remove an edge
+'regenerateRemoteIngressSecret'        // Issue a new secret
+'getRemoteIngressStatus'               // Runtime status of all edges
+'getRemoteIngressConnectionToken'      // Generate a connection token for an edge
 
 // Configuration (read-only)
 'getConfiguration'                     // Current system config
@@ -957,6 +1112,8 @@ const router = new DcRouter(options: IDcRouterOptions);
 | `emailServer` | `UnifiedEmailServer` | Email server instance (from smartmta) |
 | `dnsServer` | `DnsServer` | DNS server instance |
 | `radiusServer` | `RadiusServer` | RADIUS server instance |
+| `remoteIngressManager` | `RemoteIngressManager` | Edge registration CRUD manager |
+| `tunnelManager` | `TunnelManager` | Tunnel lifecycle and status manager |
 | `storageManager` | `StorageManager` | Storage backend |
 | `opsServer` | `OpsServer` | OpsServer/dashboard instance |
 | `metricsManager` | `MetricsManager` | Metrics collector |
@@ -1000,7 +1157,7 @@ import { data, requests } from '@serve.zone/dcrouter/interfaces';
 DcRouter includes a comprehensive test suite covering all system components:
 
 ```bash
-# Run all tests (10 files, 73 tests)
+# Run all tests
 pnpm test
 
 # Run a specific test file

ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@serve.zone/dcrouter',
-  version: '6.3.0',
+  version: '6.13.2',
   description: 'A multifaceted routing service handling mail and SMS delivery functions.'
 }

ts/classes.cert-provision-scheduler.ts

@@ -106,6 +106,13 @@ export class CertProvisionScheduler {
     }
   }
 
+  /**
+   * Clear all in-memory backoff cache entries
+   */
+  public clear(): void {
+    this.backoffCache.clear();
+  }
+
   /**
    * Get backoff info for UI display
    */

ts/classes.dcrouter.ts

@@ -21,6 +21,7 @@ import { CacheDb, CacheCleaner, type ICacheDbOptions } from './cache/index.js';
 import { OpsServer } from './opsserver/index.js';
 import { MetricsManager } from './monitoring/index.js';
 import { RadiusServer, type IRadiusServerConfig } from './radius/index.js';
+import { RemoteIngressManager, TunnelManager } from './remoteingress/index.js';
 
 export interface IDcRouterOptions {
   /** Base directory for all dcrouter data. Defaults to ~/.serve.zone/dcrouter */
@@ -155,6 +156,24 @@ export interface IDcRouterOptions {
    * Enables MAC Authentication Bypass (MAB) and VLAN assignment
    */
   radiusConfig?: IRadiusServerConfig;
+
+  /**
+   * Remote Ingress configuration for edge tunnel nodes
+   * Enables edge nodes to accept incoming connections and tunnel them to this DcRouter
+   */
+  remoteIngressConfig?: {
+    /** Enable remote ingress hub (default: false) */
+    enabled?: boolean;
+    /** Port for tunnel connections from edge nodes (default: 8443) */
+    tunnelPort?: number;
+    /** External hostname of this hub, embedded in connection tokens */
+    hubDomain?: string;
+    /** TLS configuration for the tunnel server */
+    tls?: {
+      certPath?: string;
+      keyPath?: string;
+    };
+  };
 }
 
 /**
@@ -189,6 +208,10 @@ export class DcRouter {
   public cacheDb?: CacheDb;
   public cacheCleaner?: CacheCleaner;
 
+  // Remote Ingress
+  public remoteIngressManager?: RemoteIngressManager;
+  public tunnelManager?: TunnelManager;
+
   // Certificate status tracking from SmartProxy events (keyed by domain)
   public certificateStatusMap = new Map<string, {
     status: 'valid' | 'failed';
@@ -266,6 +289,11 @@ export class DcRouter {
         await this.setupRadiusServer();
       }
 
+      // Set up Remote Ingress hub if configured
+      if (this.options.remoteIngressConfig?.enabled) {
+        await this.setupRemoteIngress();
+      }
+
       this.logStartupSummary();
     } catch (error) {
       console.error('❌ Error starting DcRouter:', error);
@@ -352,6 +380,16 @@ export class DcRouter {
       console.log(`   └─ Accounting: ${this.options.radiusConfig.accounting?.enabled ? 'Enabled' : 'Disabled'}`);
     }
 
+    // Remote Ingress summary
+    if (this.tunnelManager && this.options.remoteIngressConfig?.enabled) {
+      console.log('\n🌐 Remote Ingress:');
+      console.log(`   ├─ Tunnel Port: ${this.options.remoteIngressConfig.tunnelPort || 8443}`);
+      const edgeCount = this.remoteIngressManager?.getAllEdges().length || 0;
+      const connectedCount = this.tunnelManager.getConnectedCount();
+      console.log(`   ├─ Registered Edges: ${edgeCount}`);
+      console.log(`   └─ Connected Edges: ${connectedCount}`);
+    }
+
     // Storage summary
     if (this.storageManager && this.options.storage) {
       console.log('\n💾 Storage:');
@@ -496,6 +534,12 @@ export class DcRouter {
 
       // If we have DNS challenge handlers, create SmartAcme and wire to certProvisionFunction
       if (challengeHandlers.length > 0) {
+        // Stop old SmartAcme if it exists (e.g., during updateSmartProxyConfig)
+        if (this.smartAcme) {
+          await this.smartAcme.stop().catch(err =>
+            console.error('[DcRouter] Error stopping old SmartAcme:', err)
+          );
+        }
         this.smartAcme = new plugins.smartacme.SmartAcme({
           accountEmail: acmeConfig?.accountEmail || this.options.tls?.contactEmail || 'admin@example.com',
           certManager: new StorageBackedCertManager(this.storageManager),
@@ -548,6 +592,13 @@ export class DcRouter {
         };
       }
       
+      // When remoteIngress is enabled, the hub binary forwards tunneled connections
+      // to SmartProxy with PROXY protocol v1 headers to preserve client IPs.
+      if (this.options.remoteIngressConfig?.enabled) {
+        smartProxyConfig.acceptProxyProtocol = true;
+        smartProxyConfig.proxyIPs = ['127.0.0.1'];
+      }
+
       // Create SmartProxy instance
       console.log('[DcRouter] Creating SmartProxy instance with config:', JSON.stringify({
         routeCount: smartProxyConfig.routes?.length,
@@ -886,6 +937,11 @@ export class DcRouter {
         // Stop RADIUS server if running
         this.radiusServer ?
           this.radiusServer.stop().catch(err => console.error('Error stopping RADIUS server:', err)) :
+          Promise.resolve(),
+
+        // Stop Remote Ingress tunnel manager if running
+        this.tunnelManager ?
+          this.tunnelManager.stop().catch(err => console.error('Error stopping TunnelManager:', err)) :
           Promise.resolve()
       ]);
 
@@ -894,6 +950,25 @@ export class DcRouter {
         await this.cacheDb.stop().catch(err => console.error('Error stopping CacheDb:', err));
       }
 
+      // Clear backoff cache in cert scheduler
+      if (this.certProvisionScheduler) {
+        this.certProvisionScheduler.clear();
+      }
+
+      // Allow GC of stopped services by nulling references
+      this.smartProxy = undefined;
+      this.emailServer = undefined;
+      this.dnsServer = undefined;
+      this.metricsManager = undefined;
+      this.cacheCleaner = undefined;
+      this.cacheDb = undefined;
+      this.tunnelManager = undefined;
+      this.radiusServer = undefined;
+      this.smartAcme = undefined;
+      this.certProvisionScheduler = undefined;
+      this.remoteIngressManager = undefined;
+      this.certificateStatusMap.clear();
+
       console.log('All DcRouter services stopped');
     } catch (error) {
       console.error('Error during DcRouter shutdown:', error);
@@ -914,10 +989,15 @@ export class DcRouter {
     
     // Update configuration
     this.options.smartProxyConfig = config;
-    
+
+    // Update routes on RemoteIngressManager so derived ports stay in sync
+    if (this.remoteIngressManager && config.routes) {
+      this.remoteIngressManager.setRoutes(config.routes as any[]);
+    }
+
     // Start new SmartProxy with updated configuration (will include email routes if configured)
     await this.setupSmartProxy();
-    
+
     console.log('SmartProxy configuration updated');
   }
   
@@ -1532,6 +1612,35 @@ export class DcRouter {
     }
   }
   
+  /**
+   * Set up Remote Ingress hub for edge tunnel connections
+   */
+  private async setupRemoteIngress(): Promise<void> {
+    if (!this.options.remoteIngressConfig?.enabled) {
+      return;
+    }
+
+    logger.log('info', 'Setting up Remote Ingress hub...');
+
+    // Initialize the edge registration manager
+    this.remoteIngressManager = new RemoteIngressManager(this.storageManager);
+    await this.remoteIngressManager.initialize();
+
+    // Pass current routes so the manager can derive edge ports from remoteIngress-tagged routes
+    const currentRoutes = this.options.smartProxyConfig?.routes || [];
+    this.remoteIngressManager.setRoutes(currentRoutes as any[]);
+
+    // Create and start the tunnel manager
+    this.tunnelManager = new TunnelManager(this.remoteIngressManager, {
+      tunnelPort: this.options.remoteIngressConfig.tunnelPort ?? 8443,
+      targetHost: '127.0.0.1',
+    });
+    await this.tunnelManager.start();
+
+    const edgeCount = this.remoteIngressManager.getAllEdges().length;
+    logger.log('info', `Remote Ingress hub started on port ${this.options.remoteIngressConfig.tunnelPort || 8443} with ${edgeCount} registered edge(s)`);
+  }
+
   /**
    * Set up RADIUS server for network authentication
    */

ts/index.ts

@@ -10,4 +10,7 @@ export * from './classes.dcrouter.js';
 // RADIUS module
 export * from './radius/index.js';
 
+// Remote Ingress module
+export * from './remoteingress/index.js';
+
 export const runCli = async () => {};

ts/monitoring/classes.metricsmanager.ts

@@ -279,6 +279,14 @@ export class MetricsManager {
     if (recipient) {
       const count = this.emailMetrics.recipients.get(recipient) || 0;
       this.emailMetrics.recipients.set(recipient, count + 1);
+
+      // Cap recipients map to prevent unbounded growth within a day
+      if (this.emailMetrics.recipients.size > this.MAX_TOP_DOMAINS) {
+        const sorted = Array.from(this.emailMetrics.recipients.entries())
+          .sort((a, b) => b[1] - a[1])
+          .slice(0, Math.floor(this.MAX_TOP_DOMAINS * 0.8));
+        this.emailMetrics.recipients = new Map(sorted);
+      }
     }
     
     if (deliveryTimeMs) {

ts/opsserver/classes.opsserver.ts

@@ -19,6 +19,7 @@ export class OpsServer {
   private radiusHandler: handlers.RadiusHandler;
   private emailOpsHandler: handlers.EmailOpsHandler;
   private certificateHandler: handlers.CertificateHandler;
+  private remoteIngressHandler: handlers.RemoteIngressHandler;
 
   constructor(dcRouterRefArg: DcRouter) {
     this.dcRouterRef = dcRouterRefArg;
@@ -59,6 +60,7 @@ export class OpsServer {
     this.radiusHandler = new handlers.RadiusHandler(this);
     this.emailOpsHandler = new handlers.EmailOpsHandler(this);
     this.certificateHandler = new handlers.CertificateHandler(this);
+    this.remoteIngressHandler = new handlers.RemoteIngressHandler(this);
 
     console.log('✅ OpsServer TypedRequest handlers initialized');
   }

ts/opsserver/handlers/certificate.handler.ts

@@ -42,6 +42,36 @@ export class CertificateHandler {
         }
       )
     );
+
+    // Delete certificate
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_DeleteCertificate>(
+        'deleteCertificate',
+        async (dataArg) => {
+          return this.deleteCertificate(dataArg.domain);
+        }
+      )
+    );
+
+    // Export certificate
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_ExportCertificate>(
+        'exportCertificate',
+        async (dataArg) => {
+          return this.exportCertificate(dataArg.domain);
+        }
+      )
+    );
+
+    // Import certificate
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_ImportCertificate>(
+        'importCertificate',
+        async (dataArg) => {
+          return this.importCertificate(dataArg.cert);
+        }
+      )
+    );
   }
 
   /**
@@ -324,4 +354,154 @@ export class CertificateHandler {
 
     return { success: false, message: `No routes found for domain '${domain}'` };
   }
+
+  /**
+   * Delete certificate data for a domain from storage
+   */
+  private async deleteCertificate(domain: string): Promise<{ success: boolean; message?: string }> {
+    const dcRouter = this.opsServerRef.dcRouterRef;
+    const cleanDomain = domain.replace(/^\*\.?/, '');
+
+    // Delete from all known storage paths
+    const paths = [
+      `/proxy-certs/${domain}`,
+      `/proxy-certs/${cleanDomain}`,
+      `/certs/${cleanDomain}`,
+    ];
+
+    for (const path of paths) {
+      try {
+        await dcRouter.storageManager.delete(path);
+      } catch {
+        // Path may not exist — ignore
+      }
+    }
+
+    // Clear from in-memory status map
+    dcRouter.certificateStatusMap.delete(domain);
+
+    // Clear backoff info
+    if (dcRouter.certProvisionScheduler) {
+      await dcRouter.certProvisionScheduler.clearBackoff(domain);
+    }
+
+    return { success: true, message: `Certificate data deleted for '${domain}'` };
+  }
+
+  /**
+   * Export certificate data for a domain as ICert-shaped JSON
+   */
+  private async exportCertificate(domain: string): Promise<{
+    success: boolean;
+    cert?: {
+      id: string;
+      domainName: string;
+      created: number;
+      validUntil: number;
+      privateKey: string;
+      publicKey: string;
+      csr: string;
+    };
+    message?: string;
+  }> {
+    const dcRouter = this.opsServerRef.dcRouterRef;
+    const cleanDomain = domain.replace(/^\*\.?/, '');
+
+    // Try SmartAcme /certs/ path first (has full ICert fields)
+    let certData = await dcRouter.storageManager.getJSON(`/certs/${cleanDomain}`);
+    if (certData && certData.publicKey && certData.privateKey) {
+      return {
+        success: true,
+        cert: {
+          id: certData.id || plugins.crypto.randomUUID(),
+          domainName: certData.domainName || domain,
+          created: certData.created || Date.now(),
+          validUntil: certData.validUntil || 0,
+          privateKey: certData.privateKey,
+          publicKey: certData.publicKey,
+          csr: certData.csr || '',
+        },
+      };
+    }
+
+    // Fallback: try /proxy-certs/ with original domain
+    certData = await dcRouter.storageManager.getJSON(`/proxy-certs/${domain}`);
+    if (!certData || !certData.publicKey) {
+      // Try with clean domain
+      certData = await dcRouter.storageManager.getJSON(`/proxy-certs/${cleanDomain}`);
+    }
+
+    if (certData && certData.publicKey && certData.privateKey) {
+      return {
+        success: true,
+        cert: {
+          id: plugins.crypto.randomUUID(),
+          domainName: domain,
+          created: certData.validFrom || Date.now(),
+          validUntil: certData.validUntil || 0,
+          privateKey: certData.privateKey,
+          publicKey: certData.publicKey,
+          csr: '',
+        },
+      };
+    }
+
+    return { success: false, message: `No certificate data found for '${domain}'` };
+  }
+
+  /**
+   * Import a certificate from ICert-shaped JSON
+   */
+  private async importCertificate(cert: {
+    id: string;
+    domainName: string;
+    created: number;
+    validUntil: number;
+    privateKey: string;
+    publicKey: string;
+    csr: string;
+  }): Promise<{ success: boolean; message?: string }> {
+    // Validate PEM content
+    if (!cert.publicKey || !cert.publicKey.includes('-----BEGIN CERTIFICATE-----')) {
+      return { success: false, message: 'Invalid publicKey: must contain a PEM-encoded certificate' };
+    }
+    if (!cert.privateKey || !cert.privateKey.includes('-----BEGIN')) {
+      return { success: false, message: 'Invalid privateKey: must contain a PEM-encoded key' };
+    }
+
+    const dcRouter = this.opsServerRef.dcRouterRef;
+    const cleanDomain = cert.domainName.replace(/^\*\.?/, '');
+
+    // Save to /certs/ (SmartAcme-compatible path)
+    await dcRouter.storageManager.setJSON(`/certs/${cleanDomain}`, {
+      id: cert.id,
+      domainName: cert.domainName,
+      created: cert.created,
+      validUntil: cert.validUntil,
+      privateKey: cert.privateKey,
+      publicKey: cert.publicKey,
+      csr: cert.csr || '',
+    });
+
+    // Also save to /proxy-certs/ (proxy-cert format)
+    await dcRouter.storageManager.setJSON(`/proxy-certs/${cert.domainName}`, {
+      domain: cert.domainName,
+      publicKey: cert.publicKey,
+      privateKey: cert.privateKey,
+      ca: undefined,
+      validUntil: cert.validUntil,
+      validFrom: cert.created,
+    });
+
+    // Update in-memory status map
+    dcRouter.certificateStatusMap.set(cert.domainName, {
+      status: 'valid',
+      source: 'static',
+      expiryDate: cert.validUntil ? new Date(cert.validUntil).toISOString() : undefined,
+      issuedAt: cert.created ? new Date(cert.created).toISOString() : undefined,
+      routeNames: [],
+    });
+
+    return { success: true, message: `Certificate imported for '${cert.domainName}'` };
+  }
 }

ts/opsserver/handlers/index.ts

@@ -5,4 +5,5 @@ export * from './security.handler.js';
 export * from './stats.handler.js';
 export * from './radius.handler.js';
 export * from './email-ops.handler.js';
-export * from './certificate.handler.js';
+export * from './certificate.handler.js';
+export * from './remoteingress.handler.js';

ts/opsserver/handlers/logs.handler.ts

@@ -148,17 +148,17 @@ export class LogsHandler {
       }
       
       // For follow mode, simulate real-time log streaming
-      intervalId = setInterval(() => {
+      intervalId = setInterval(async () => {
         const categories: Array<'smtp' | 'dns' | 'security' | 'system' | 'email'> = ['smtp', 'dns', 'security', 'system', 'email'];
         const levels: Array<'debug' | 'info' | 'warn' | 'error'> = ['info', 'warn', 'error', 'debug'];
-        
+
         const mockCategory = categories[Math.floor(Math.random() * categories.length)];
         const mockLevel = levels[Math.floor(Math.random() * levels.length)];
-        
+
         // Filter by requested criteria
         if (levelFilter && !levelFilter.includes(mockLevel)) return;
         if (categoryFilter && !categoryFilter.includes(mockCategory)) return;
-        
+
         const logEntry = {
           timestamp: Date.now(),
           level: mockLevel,
@@ -168,10 +168,16 @@ export class LogsHandler {
             requestId: plugins.uuid.v4(),
           },
         };
-        
+
         const logData = JSON.stringify(logEntry);
         const encoder = new TextEncoder();
-        virtualStream.sendData(encoder.encode(logData));
+        try {
+          await virtualStream.sendData(encoder.encode(logData));
+        } catch {
+          // Stream closed or errored — clean up to prevent interval leak
+          clearInterval(intervalId!);
+          intervalId = null;
+        }
       }, 2000); // Send a log every 2 seconds
       
       // TODO: Hook into actual logger events

ts/opsserver/handlers/remoteingress.handler.ts

@@ -0,0 +1,222 @@
+import * as plugins from '../../plugins.js';
+import type { OpsServer } from '../classes.opsserver.js';
+import * as interfaces from '../../../ts_interfaces/index.js';
+
+export class RemoteIngressHandler {
+  public typedrouter = new plugins.typedrequest.TypedRouter();
+
+  constructor(private opsServerRef: OpsServer) {
+    this.opsServerRef.typedrouter.addTypedRouter(this.typedrouter);
+    this.registerHandlers();
+  }
+
+  private registerHandlers(): void {
+    // Get all remote ingress edges
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetRemoteIngresses>(
+        'getRemoteIngresses',
+        async (dataArg, toolsArg) => {
+          const manager = this.opsServerRef.dcRouterRef.remoteIngressManager;
+          if (!manager) {
+            return { edges: [] };
+          }
+          // Return edges without secrets, enriched with effective listen ports and breakdown
+          const edges = manager.getAllEdges().map((e) => {
+            const breakdown = manager.getPortBreakdown(e);
+            return {
+              ...e,
+              secret: '********', // Never expose secrets via API
+              effectiveListenPorts: manager.getEffectiveListenPorts(e),
+              manualPorts: breakdown.manual,
+              derivedPorts: breakdown.derived,
+            };
+          });
+          return { edges };
+        },
+      ),
+    );
+
+    // Create a new remote ingress edge
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_CreateRemoteIngress>(
+        'createRemoteIngress',
+        async (dataArg, toolsArg) => {
+          const manager = this.opsServerRef.dcRouterRef.remoteIngressManager;
+          const tunnelManager = this.opsServerRef.dcRouterRef.tunnelManager;
+
+          if (!manager) {
+            return {
+              success: false,
+              edge: null as any,
+            };
+          }
+
+          const edge = await manager.createEdge(
+            dataArg.name,
+            dataArg.listenPorts || [],
+            dataArg.tags,
+            dataArg.autoDerivePorts ?? true,
+          );
+
+          // Sync allowed edges with the hub
+          if (tunnelManager) {
+            await tunnelManager.syncAllowedEdges();
+          }
+
+          return { success: true, edge };
+        },
+      ),
+    );
+
+    // Delete a remote ingress edge
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_DeleteRemoteIngress>(
+        'deleteRemoteIngress',
+        async (dataArg, toolsArg) => {
+          const manager = this.opsServerRef.dcRouterRef.remoteIngressManager;
+          const tunnelManager = this.opsServerRef.dcRouterRef.tunnelManager;
+
+          if (!manager) {
+            return { success: false, message: 'RemoteIngress not configured' };
+          }
+
+          const deleted = await manager.deleteEdge(dataArg.id);
+          if (deleted && tunnelManager) {
+            await tunnelManager.syncAllowedEdges();
+          }
+
+          return {
+            success: deleted,
+            message: deleted ? undefined : 'Edge not found',
+          };
+        },
+      ),
+    );
+
+    // Update a remote ingress edge
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_UpdateRemoteIngress>(
+        'updateRemoteIngress',
+        async (dataArg, toolsArg) => {
+          const manager = this.opsServerRef.dcRouterRef.remoteIngressManager;
+          const tunnelManager = this.opsServerRef.dcRouterRef.tunnelManager;
+
+          if (!manager) {
+            return { success: false, edge: null as any };
+          }
+
+          const edge = await manager.updateEdge(dataArg.id, {
+            name: dataArg.name,
+            listenPorts: dataArg.listenPorts,
+            autoDerivePorts: dataArg.autoDerivePorts,
+            enabled: dataArg.enabled,
+            tags: dataArg.tags,
+          });
+
+          if (!edge) {
+            return { success: false, edge: null as any };
+          }
+
+          // Sync allowed edges — ports, tags, or enabled may have changed
+          if (tunnelManager) {
+            await tunnelManager.syncAllowedEdges();
+          }
+
+          const breakdown = manager.getPortBreakdown(edge);
+          return {
+            success: true,
+            edge: {
+              ...edge,
+              secret: '********',
+              effectiveListenPorts: manager.getEffectiveListenPorts(edge),
+              manualPorts: breakdown.manual,
+              derivedPorts: breakdown.derived,
+            },
+          };
+        },
+      ),
+    );
+
+    // Regenerate secret for an edge
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_RegenerateRemoteIngressSecret>(
+        'regenerateRemoteIngressSecret',
+        async (dataArg, toolsArg) => {
+          const manager = this.opsServerRef.dcRouterRef.remoteIngressManager;
+          const tunnelManager = this.opsServerRef.dcRouterRef.tunnelManager;
+
+          if (!manager) {
+            return { success: false, secret: '' };
+          }
+
+          const secret = await manager.regenerateSecret(dataArg.id);
+          if (!secret) {
+            return { success: false, secret: '' };
+          }
+
+          // Sync allowed edges since secret changed
+          if (tunnelManager) {
+            await tunnelManager.syncAllowedEdges();
+          }
+
+          return { success: true, secret };
+        },
+      ),
+    );
+
+    // Get runtime status of all edges
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetRemoteIngressStatus>(
+        'getRemoteIngressStatus',
+        async (dataArg, toolsArg) => {
+          const tunnelManager = this.opsServerRef.dcRouterRef.tunnelManager;
+          if (!tunnelManager) {
+            return { statuses: [] };
+          }
+          return { statuses: tunnelManager.getEdgeStatuses() };
+        },
+      ),
+    );
+
+    // Get a connection token for an edge
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetRemoteIngressConnectionToken>(
+        'getRemoteIngressConnectionToken',
+        async (dataArg, toolsArg) => {
+          const manager = this.opsServerRef.dcRouterRef.remoteIngressManager;
+          if (!manager) {
+            return { success: false, message: 'RemoteIngress not configured' };
+          }
+
+          const edge = manager.getEdge(dataArg.edgeId);
+          if (!edge) {
+            return { success: false, message: 'Edge not found' };
+          }
+          if (!edge.enabled) {
+            return { success: false, message: 'Edge is disabled' };
+          }
+
+          const hubHost = dataArg.hubHost
+            || this.opsServerRef.dcRouterRef.options.remoteIngressConfig?.hubDomain;
+          if (!hubHost) {
+            return {
+              success: false,
+              message: 'No hub hostname configured. Set hubDomain in remoteIngressConfig or provide hubHost.',
+            };
+          }
+
+          const hubPort = this.opsServerRef.dcRouterRef.options.remoteIngressConfig?.tunnelPort ?? 8443;
+
+          const token = plugins.remoteingress.encodeConnectionToken({
+            hubHost,
+            hubPort,
+            edgeId: edge.id,
+            secret: edge.secret,
+          });
+
+          return { success: true, token };
+        },
+      ),
+    );
+  }
+}

ts/plugins.ts

@@ -23,9 +23,11 @@ export {
 
 // @serve.zone scope
 import * as servezoneInterfaces from '@serve.zone/interfaces';
+import * as remoteingress from '@serve.zone/remoteingress';
 
 export {
-  servezoneInterfaces
+  servezoneInterfaces,
+  remoteingress,
 }
 
 // @api.global scope

ts/radius/classes.vlan.manager.ts

@@ -100,6 +100,14 @@ export class VlanManager {
     // Cache the result
     this.normalizedMacCache.set(mac, normalized);
 
+    // Prevent unbounded cache growth
+    if (this.normalizedMacCache.size > 10000) {
+      const iterator = this.normalizedMacCache.keys();
+      for (let i = 0; i < 1000; i++) {
+        this.normalizedMacCache.delete(iterator.next().value);
+      }
+    }
+
     return normalized;
   }
 

ts/readme.md

@@ -0,0 +1,146 @@
+# @serve.zone/dcrouter
+
+The core DcRouter package — a unified datacenter gateway orchestrator. 🚀
+
+This is the main entry point for DcRouter. It provides the `DcRouter` class that wires together SmartProxy, smartmta, SmartDNS, SmartRadius, RemoteIngress, and the OpsServer dashboard into a single cohesive service.
+
+## Issue Reporting and Security
+
+For reporting bugs, issues, or security vulnerabilities, please visit [community.foss.global/](https://community.foss.global/). This is the central community hub for all issue reporting. Developers who sign and comply with our contribution agreement and go through identification can also get a [code.foss.global/](https://code.foss.global/) account to submit Pull Requests directly.
+
+## Installation
+
+```bash
+pnpm add @serve.zone/dcrouter
+```
+
+## Usage
+
+```typescript
+import { DcRouter } from '@serve.zone/dcrouter';
+
+const router = new DcRouter({
+  smartProxyConfig: {
+    routes: [
+      {
+        name: 'web-app',
+        match: { domains: ['example.com'], ports: [443] },
+        action: {
+          type: 'forward',
+          targets: [{ host: '192.168.1.10', port: 8080 }],
+          tls: { mode: 'terminate', certificate: 'auto' }
+        }
+      }
+    ],
+    acme: { email: 'admin@example.com', enabled: true, useProduction: true }
+  }
+});
+
+await router.start();
+// OpsServer dashboard at http://localhost:3000
+
+// Graceful shutdown
+await router.stop();
+```
+
+## Module Structure
+
+```
+ts/
+├── index.ts                        # Main exports (DcRouter, re-exported smartmta types)
+├── classes.dcrouter.ts             # DcRouter orchestrator class + IDcRouterOptions
+├── classes.cert-provision-scheduler.ts  # Per-domain cert backoff scheduler
+├── classes.storage-cert-manager.ts # SmartAcme cert manager backed by StorageManager
+├── logger.ts                       # Structured logging utility
+├── paths.ts                        # Centralized data directory paths
+├── plugins.ts                      # All dependency imports
+├── cache/                          # Cache database (smartdata + LocalTsmDb)
+│   ├── classes.cachedb.ts          # CacheDb singleton
+│   ├── classes.cachecleaner.ts     # TTL-based cleanup
+│   └── documents/                  # Cached document models
+├── config/                         # Configuration utilities
+├── errors/                         # Error classes and retry logic
+├── monitoring/                     # MetricsManager (SmartMetrics integration)
+├── opsserver/                      # OpsServer dashboard + API handlers
+│   ├── classes.opsserver.ts        # HTTP server + TypedRouter setup
+│   └── handlers/                   # TypedRequest handlers by domain
+│       ├── admin.handler.ts        # Auth (login/logout/verify)
+│       ├── stats.handler.ts        # Statistics + health
+│       ├── config.handler.ts       # Configuration (read-only)
+│       ├── logs.handler.ts         # Log retrieval
+│       ├── email.handler.ts        # Email operations
+│       ├── certificate.handler.ts  # Certificate management
+│       ├── radius.handler.ts       # RADIUS management
+│       └── remoteingress.handler.ts # Remote ingress edge + token management
+├── radius/                         # RADIUS server integration
+├── remoteingress/                  # Remote ingress hub integration
+│   ├── classes.remoteingress-manager.ts  # Edge CRUD + port derivation
+│   └── classes.tunnel-manager.ts   # Rust hub lifecycle + status tracking
+├── security/                       # Security utilities
+├── sms/                            # SMS integration
+└── storage/                        # StorageManager (filesystem/custom/memory)
+```
+
+## Exports
+
+```typescript
+// Main class
+export { DcRouter, IDcRouterOptions } from './classes.dcrouter.js';
+
+// Re-exported from smartmta
+export { UnifiedEmailServer } from '@push.rocks/smartmta';
+export type { IUnifiedEmailServerOptions, IEmailRoute, IEmailDomainConfig } from '@push.rocks/smartmta';
+
+// RADIUS
+export { RadiusServer, IRadiusServerConfig } from './radius/index.js';
+
+// Remote Ingress
+export { RemoteIngressManager, TunnelManager } from './remoteingress/index.js';
+```
+
+## Key Classes
+
+### `DcRouter`
+
+The central orchestrator. Accepts `IDcRouterOptions` and manages the lifecycle of all sub-services:
+
+| Config Section | Service Started | Package |
+|----------------|----------------|---------|
+| `smartProxyConfig` | SmartProxy (HTTP/HTTPS/TCP/SNI) | `@push.rocks/smartproxy` |
+| `emailConfig` | UnifiedEmailServer (SMTP) | `@push.rocks/smartmta` |
+| `dnsNsDomains` + `dnsScopes` | DnsServer (UDP + DoH) | `@push.rocks/smartdns` |
+| `radiusConfig` | RadiusServer (auth + accounting) | `@push.rocks/smartradius` |
+| `remoteIngressConfig` | RemoteIngressManager + TunnelManager | `@serve.zone/remoteingress` |
+| `tls` + `dnsChallenge` | SmartAcme (ACME cert provisioning) | `@push.rocks/smartacme` |
+| `cacheConfig` | CacheDb (embedded MongoDB) | `@push.rocks/smartdata` |
+| *(always)* | OpsServer (dashboard + API) | `@api.global/typedserver` |
+| *(always)* | MetricsManager | `@push.rocks/smartmetrics` |
+
+### `RemoteIngressManager`
+
+Manages CRUD for remote ingress edge registrations. Persists edges via StorageManager. Provides port derivation from routes tagged with `remoteIngress.enabled`.
+
+### `TunnelManager`
+
+Manages the Rust-based RemoteIngressHub lifecycle. Syncs allowed edges, tracks connection status, and exposes edge statuses (connected, publicIp, activeTunnels, lastHeartbeat).
+
+## License and Legal Information
+
+This repository contains open-source code licensed under the MIT License. A copy of the license can be found in the [LICENSE](../LICENSE) file.
+
+**Please note:** The MIT License does not grant permission to use the trade names, trademarks, service marks, or product names of the project, except as required for reasonable and customary use in describing the origin of the work and reproducing the content of the NOTICE file.
+
+### Trademarks
+
+This project is owned and maintained by Task Venture Capital GmbH. The names and logos associated with Task Venture Capital GmbH and any related products or services are trademarks of Task Venture Capital GmbH or third parties, and are not included within the scope of the MIT license granted herein.
+
+Use of these trademarks must comply with Task Venture Capital GmbH's Trademark Guidelines or the guidelines of the respective third-party owners, and any usage must be approved in writing. Third-party trademarks used herein are the property of their respective owners and used only in a descriptive manner, e.g. for an implementation of an API or similar.
+
+### Company Information
+
+Task Venture Capital GmbH
+Registered at District Court Bremen HRB 35230 HB, Germany
+
+For any legal inquiries or further information, please contact us via email at hello@task.vc.
+
+By using this repository, you acknowledge that you have read this section, agree to comply with its terms, and understand that the licensing of the code does not imply endorsement by Task Venture Capital GmbH of any derivative works.

ts/remoteingress/classes.remoteingress-manager.ts

@@ -0,0 +1,258 @@
+import * as plugins from '../plugins.js';
+import type { StorageManager } from '../storage/classes.storagemanager.js';
+import type { IRemoteIngress, IDcRouterRouteConfig } from '../../ts_interfaces/data/remoteingress.js';
+
+const STORAGE_PREFIX = '/remote-ingress/';
+
+/**
+ * Flatten a port range (number | number[] | Array<{from, to}>) to a sorted unique number array.
+ */
+function extractPorts(portRange: number | number[] | Array<{ from: number; to: number }>): number[] {
+  const ports = new Set<number>();
+  if (typeof portRange === 'number') {
+    ports.add(portRange);
+  } else if (Array.isArray(portRange)) {
+    for (const entry of portRange) {
+      if (typeof entry === 'number') {
+        ports.add(entry);
+      } else if (typeof entry === 'object' && 'from' in entry && 'to' in entry) {
+        for (let p = entry.from; p <= entry.to; p++) {
+          ports.add(p);
+        }
+      }
+    }
+  }
+  return [...ports].sort((a, b) => a - b);
+}
+
+/**
+ * Manages CRUD for remote ingress edge registrations.
+ * Persists edge configs via StorageManager and provides
+ * the allowed edges list for the Rust hub.
+ */
+export class RemoteIngressManager {
+  private storageManager: StorageManager;
+  private edges: Map<string, IRemoteIngress> = new Map();
+  private routes: IDcRouterRouteConfig[] = [];
+
+  constructor(storageManager: StorageManager) {
+    this.storageManager = storageManager;
+  }
+
+  /**
+   * Load all edge registrations from storage into memory.
+   */
+  public async initialize(): Promise<void> {
+    const keys = await this.storageManager.list(STORAGE_PREFIX);
+    for (const key of keys) {
+      const edge = await this.storageManager.getJSON<IRemoteIngress>(key);
+      if (edge) {
+        // Migration: old edges without autoDerivePorts default to true
+        if ((edge as any).autoDerivePorts === undefined) {
+          edge.autoDerivePorts = true;
+          await this.storageManager.setJSON(key, edge);
+        }
+        this.edges.set(edge.id, edge);
+      }
+    }
+  }
+
+  /**
+   * Store the current route configs for port derivation.
+   */
+  public setRoutes(routes: IDcRouterRouteConfig[]): void {
+    this.routes = routes;
+  }
+
+  /**
+   * Derive listen ports for an edge from routes tagged with remoteIngress.enabled.
+   * When a route specifies edgeFilter, only edges whose id or tags match get that route's ports.
+   * When edgeFilter is absent, the route applies to all edges.
+   */
+  public derivePortsForEdge(edgeId: string, edgeTags?: string[]): number[] {
+    const ports = new Set<number>();
+
+    for (const route of this.routes) {
+      if (!route.remoteIngress?.enabled) continue;
+
+      // Apply edge filter if present
+      const filter = route.remoteIngress.edgeFilter;
+      if (filter && filter.length > 0) {
+        const idMatch = filter.includes(edgeId);
+        const tagMatch = edgeTags?.some((tag) => filter.includes(tag)) ?? false;
+        if (!idMatch && !tagMatch) continue;
+      }
+
+      // Extract ports from the route match
+      if (route.match?.ports) {
+        for (const p of extractPorts(route.match.ports)) {
+          ports.add(p);
+        }
+      }
+    }
+
+    return [...ports].sort((a, b) => a - b);
+  }
+
+  /**
+   * Get the effective listen ports for an edge.
+   * Manual ports are always included. Auto-derived ports are added (union) when autoDerivePorts is true.
+   */
+  public getEffectiveListenPorts(edge: IRemoteIngress): number[] {
+    const manualPorts = edge.listenPorts || [];
+    const shouldDerive = edge.autoDerivePorts !== false;
+    if (!shouldDerive) return [...manualPorts].sort((a, b) => a - b);
+    const derivedPorts = this.derivePortsForEdge(edge.id, edge.tags);
+    return [...new Set([...manualPorts, ...derivedPorts])].sort((a, b) => a - b);
+  }
+
+  /**
+   * Get manual and derived port breakdown for an edge (used in API responses).
+   * Derived ports exclude any ports already present in the manual list.
+   */
+  public getPortBreakdown(edge: IRemoteIngress): { manual: number[]; derived: number[] } {
+    const manual = edge.listenPorts || [];
+    const shouldDerive = edge.autoDerivePorts !== false;
+    if (!shouldDerive) return { manual, derived: [] };
+    const manualSet = new Set(manual);
+    const allDerived = this.derivePortsForEdge(edge.id, edge.tags);
+    const derived = allDerived.filter((p) => !manualSet.has(p));
+    return { manual, derived };
+  }
+
+  /**
+   * Create a new edge registration.
+   */
+  public async createEdge(
+    name: string,
+    listenPorts: number[] = [],
+    tags?: string[],
+    autoDerivePorts: boolean = true,
+  ): Promise<IRemoteIngress> {
+    const id = plugins.uuid.v4();
+    const secret = plugins.crypto.randomBytes(32).toString('hex');
+    const now = Date.now();
+
+    const edge: IRemoteIngress = {
+      id,
+      name,
+      secret,
+      listenPorts,
+      enabled: true,
+      autoDerivePorts,
+      tags: tags || [],
+      createdAt: now,
+      updatedAt: now,
+    };
+
+    await this.storageManager.setJSON(`${STORAGE_PREFIX}${id}`, edge);
+    this.edges.set(id, edge);
+    return edge;
+  }
+
+  /**
+   * Get an edge by ID.
+   */
+  public getEdge(id: string): IRemoteIngress | undefined {
+    return this.edges.get(id);
+  }
+
+  /**
+   * Get all edge registrations.
+   */
+  public getAllEdges(): IRemoteIngress[] {
+    return Array.from(this.edges.values());
+  }
+
+  /**
+   * Update an edge registration.
+   */
+  public async updateEdge(
+    id: string,
+    updates: {
+      name?: string;
+      listenPorts?: number[];
+      autoDerivePorts?: boolean;
+      enabled?: boolean;
+      tags?: string[];
+    },
+  ): Promise<IRemoteIngress | null> {
+    const edge = this.edges.get(id);
+    if (!edge) {
+      return null;
+    }
+
+    if (updates.name !== undefined) edge.name = updates.name;
+    if (updates.listenPorts !== undefined) edge.listenPorts = updates.listenPorts;
+    if (updates.autoDerivePorts !== undefined) edge.autoDerivePorts = updates.autoDerivePorts;
+    if (updates.enabled !== undefined) edge.enabled = updates.enabled;
+    if (updates.tags !== undefined) edge.tags = updates.tags;
+    edge.updatedAt = Date.now();
+
+    await this.storageManager.setJSON(`${STORAGE_PREFIX}${id}`, edge);
+    this.edges.set(id, edge);
+    return edge;
+  }
+
+  /**
+   * Delete an edge registration.
+   */
+  public async deleteEdge(id: string): Promise<boolean> {
+    if (!this.edges.has(id)) {
+      return false;
+    }
+    await this.storageManager.delete(`${STORAGE_PREFIX}${id}`);
+    this.edges.delete(id);
+    return true;
+  }
+
+  /**
+   * Regenerate the secret for an edge.
+   */
+  public async regenerateSecret(id: string): Promise<string | null> {
+    const edge = this.edges.get(id);
+    if (!edge) {
+      return null;
+    }
+
+    edge.secret = plugins.crypto.randomBytes(32).toString('hex');
+    edge.updatedAt = Date.now();
+
+    await this.storageManager.setJSON(`${STORAGE_PREFIX}${id}`, edge);
+    this.edges.set(id, edge);
+    return edge.secret;
+  }
+
+  /**
+   * Verify an edge's secret using constant-time comparison.
+   */
+  public verifySecret(id: string, secret: string): boolean {
+    const edge = this.edges.get(id);
+    if (!edge) {
+      return false;
+    }
+    const expected = Buffer.from(edge.secret);
+    const provided = Buffer.from(secret);
+    if (expected.length !== provided.length) {
+      return false;
+    }
+    return plugins.crypto.timingSafeEqual(expected, provided);
+  }
+
+  /**
+   * Get the list of allowed edges (enabled only) for the Rust hub.
+   */
+  public getAllowedEdges(): Array<{ id: string; secret: string; listenPorts: number[] }> {
+    const result: Array<{ id: string; secret: string; listenPorts: number[] }> = [];
+    for (const edge of this.edges.values()) {
+      if (edge.enabled) {
+        result.push({
+          id: edge.id,
+          secret: edge.secret,
+          listenPorts: this.getEffectiveListenPorts(edge),
+        });
+      }
+    }
+    return result;
+  }
+}

ts/remoteingress/classes.tunnel-manager.ts

@@ -0,0 +1,126 @@
+import * as plugins from '../plugins.js';
+import type { IRemoteIngressStatus } from '../../ts_interfaces/data/remoteingress.js';
+import type { RemoteIngressManager } from './classes.remoteingress-manager.js';
+
+export interface ITunnelManagerConfig {
+  tunnelPort?: number;
+  targetHost?: string;
+}
+
+/**
+ * Manages the RemoteIngressHub instance and tracks connected edge statuses.
+ */
+export class TunnelManager {
+  private hub: InstanceType<typeof plugins.remoteingress.RemoteIngressHub>;
+  private manager: RemoteIngressManager;
+  private config: ITunnelManagerConfig;
+  private edgeStatuses: Map<string, IRemoteIngressStatus> = new Map();
+
+  constructor(manager: RemoteIngressManager, config: ITunnelManagerConfig = {}) {
+    this.manager = manager;
+    this.config = config;
+    this.hub = new plugins.remoteingress.RemoteIngressHub();
+
+    // Listen for edge connect/disconnect events
+    this.hub.on('edgeConnected', (data: { edgeId: string }) => {
+      const existing = this.edgeStatuses.get(data.edgeId);
+      this.edgeStatuses.set(data.edgeId, {
+        edgeId: data.edgeId,
+        connected: true,
+        publicIp: existing?.publicIp ?? null,
+        activeTunnels: 0,
+        lastHeartbeat: Date.now(),
+        connectedAt: Date.now(),
+      });
+    });
+
+    this.hub.on('edgeDisconnected', (data: { edgeId: string }) => {
+      const existing = this.edgeStatuses.get(data.edgeId);
+      if (existing) {
+        existing.connected = false;
+        existing.activeTunnels = 0;
+      }
+    });
+
+    this.hub.on('streamOpened', (data: { edgeId: string; streamId: number }) => {
+      const existing = this.edgeStatuses.get(data.edgeId);
+      if (existing) {
+        existing.activeTunnels++;
+        existing.lastHeartbeat = Date.now();
+      }
+    });
+
+    this.hub.on('streamClosed', (data: { edgeId: string; streamId: number }) => {
+      const existing = this.edgeStatuses.get(data.edgeId);
+      if (existing && existing.activeTunnels > 0) {
+        existing.activeTunnels--;
+      }
+    });
+  }
+
+  /**
+   * Start the tunnel hub and load allowed edges.
+   */
+  public async start(): Promise<void> {
+    await this.hub.start({
+      tunnelPort: this.config.tunnelPort ?? 8443,
+      targetHost: this.config.targetHost ?? '127.0.0.1',
+    });
+
+    // Send allowed edges to the hub
+    await this.syncAllowedEdges();
+  }
+
+  /**
+   * Stop the tunnel hub.
+   */
+  public async stop(): Promise<void> {
+    await this.hub.stop();
+    this.edgeStatuses.clear();
+  }
+
+  /**
+   * Sync allowed edges from the manager to the hub.
+   * Call this after creating/deleting/updating edges.
+   */
+  public async syncAllowedEdges(): Promise<void> {
+    const edges = this.manager.getAllowedEdges();
+    await this.hub.updateAllowedEdges(edges);
+  }
+
+  /**
+   * Get runtime statuses for all known edges.
+   */
+  public getEdgeStatuses(): IRemoteIngressStatus[] {
+    return Array.from(this.edgeStatuses.values());
+  }
+
+  /**
+   * Get status for a specific edge.
+   */
+  public getEdgeStatus(edgeId: string): IRemoteIngressStatus | undefined {
+    return this.edgeStatuses.get(edgeId);
+  }
+
+  /**
+   * Get the count of connected edges.
+   */
+  public getConnectedCount(): number {
+    let count = 0;
+    for (const status of this.edgeStatuses.values()) {
+      if (status.connected) count++;
+    }
+    return count;
+  }
+
+  /**
+   * Get the total number of active tunnels across all edges.
+   */
+  public getTotalActiveTunnels(): number {
+    let total = 0;
+    for (const status of this.edgeStatuses.values()) {
+      total += status.activeTunnels;
+    }
+    return total;
+  }
+}

ts/remoteingress/index.ts

@@ -0,0 +1,2 @@
+export * from './classes.remoteingress-manager.js';
+export * from './classes.tunnel-manager.js';

ts_interfaces/data/index.ts

@@ -1,2 +1,3 @@
 export * from './auth.js';
-export * from './stats.js';
+export * from './stats.js';
+export * from './remoteingress.js';

ts_interfaces/data/remoteingress.ts

@@ -0,0 +1,57 @@
+import type { IRouteConfig } from '@push.rocks/smartproxy';
+
+/**
+ * A stored remote ingress edge registration.
+ */
+export interface IRemoteIngress {
+  id: string;
+  name: string;
+  secret: string;
+  listenPorts: number[];
+  enabled: boolean;
+  /** Whether to auto-derive ports from remoteIngress-tagged routes. Defaults to true. */
+  autoDerivePorts: boolean;
+  tags?: string[];
+  createdAt: number;
+  updatedAt: number;
+  /** Effective ports (union of manual + derived) — only present in API responses. */
+  effectiveListenPorts?: number[];
+  /** Ports explicitly set by the user — only present in API responses. */
+  manualPorts?: number[];
+  /** Ports auto-derived from route configs — only present in API responses. */
+  derivedPorts?: number[];
+}
+
+/**
+ * Runtime status of a remote ingress edge.
+ */
+export interface IRemoteIngressStatus {
+  edgeId: string;
+  connected: boolean;
+  publicIp: string | null;
+  activeTunnels: number;
+  lastHeartbeat: number | null;
+  connectedAt: number | null;
+}
+
+/**
+ * Route-level remote ingress configuration.
+ * When attached to a route, signals that traffic for this route
+ * should be accepted from remote edge nodes.
+ */
+export interface IRouteRemoteIngress {
+  /** Whether this route receives traffic from edge nodes */
+  enabled: boolean;
+  /** Optional filter: only edges whose id or tags match get this route's ports.
+   *  When absent, the route applies to all edges. */
+  edgeFilter?: string[];
+}
+
+/**
+ * Extended route config used within dcrouter.
+ * Adds the optional `remoteIngress` property to SmartProxy's IRouteConfig.
+ * SmartProxy ignores unknown properties at runtime.
+ */
+export type IDcRouterRouteConfig = IRouteConfig & {
+  remoteIngress?: IRouteRemoteIngress;
+};

ts_interfaces/readme.md

@@ -82,6 +82,14 @@ interface IIdentity {
 | `INetworkMetrics` | Bandwidth, connection counts, top endpoints |
 | `ILogEntry` | Timestamp, level, category, message, metadata |
 
+#### Remote Ingress Interfaces
+| Interface | Description |
+|-----------|-------------|
+| `IRemoteIngress` | Edge registration: id, name, secret, listenPorts, enabled, autoDerivePorts, tags |
+| `IRemoteIngressStatus` | Runtime status: connected, publicIp, activeTunnels, lastHeartbeat |
+| `IRouteRemoteIngress` | Route-level config: enabled flag and optional edgeFilter |
+| `IDcRouterRouteConfig` | Extended SmartProxy route config with optional `remoteIngress` property |
+
 ### Request Interfaces (`requests`)
 
 TypedRequest interfaces for the OpsServer API, organized by domain:
@@ -134,6 +142,9 @@ TypedRequest interfaces for the OpsServer API, organized by domain:
 | `IReq_GetCertificateOverview` | `getCertificateOverview` | Domain-centric certificate status |
 | `IReq_ReprovisionCertificate` | `reprovisionCertificate` | Reprovision by route name (legacy) |
 | `IReq_ReprovisionCertificateDomain` | `reprovisionCertificateDomain` | Reprovision by domain (preferred) |
+| `IReq_ImportCertificate` | `importCertificate` | Import a certificate |
+| `IReq_ExportCertificate` | `exportCertificate` | Export a certificate |
+| `IReq_DeleteCertificate` | `deleteCertificate` | Delete a certificate |
 
 #### Certificate Types
 ```typescript
@@ -159,6 +170,17 @@ interface ICertificateInfo {
 }
 ```
 
+#### 🌍 Remote Ingress
+| Interface | Method | Description |
+|-----------|--------|-------------|
+| `IReq_CreateRemoteIngress` | `createRemoteIngress` | Register a new edge node |
+| `IReq_DeleteRemoteIngress` | `deleteRemoteIngress` | Remove an edge registration |
+| `IReq_UpdateRemoteIngress` | `updateRemoteIngress` | Update edge settings |
+| `IReq_RegenerateRemoteIngressSecret` | `regenerateRemoteIngressSecret` | Issue a new secret |
+| `IReq_GetRemoteIngresses` | `getRemoteIngresses` | List all edge registrations |
+| `IReq_GetRemoteIngressStatus` | `getRemoteIngressStatus` | Runtime status of all edges |
+| `IReq_GetRemoteIngressConnectionToken` | `getRemoteIngressConnectionToken` | Generate a connection token |
+
 #### 📡 RADIUS
 | Interface | Method | Description |
 |-----------|--------|-------------|
@@ -183,7 +205,7 @@ import { data, requests } from '@serve.zone/dcrouter-interfaces';
 // 1. Login
 const loginClient = new typedrequest.TypedRequest<requests.IReq_AdminLoginWithUsernameAndPassword>(
   'https://your-dcrouter:3000/typedrequest',
-  'adminLogin'
+  'adminLoginWithUsernameAndPassword'
 );
 
 const loginResponse = await loginClient.fire({
@@ -199,10 +221,8 @@ const metricsClient = new typedrequest.TypedRequest<requests.IReq_GetCombinedMet
 );
 
 const metrics = await metricsClient.fire({ identity });
-console.log('Server:', metrics.serverStats);
-console.log('Email:', metrics.emailStats);
-console.log('DNS:', metrics.dnsStats);
-console.log('Security:', metrics.securityMetrics);
+console.log('Server:', metrics.metrics.server);
+console.log('Email:', metrics.metrics.email);
 
 // 3. Check certificate status
 const certClient = new typedrequest.TypedRequest<requests.IReq_GetCertificateOverview>(
@@ -213,14 +233,23 @@ const certClient = new typedrequest.TypedRequest<requests.IReq_GetCertificateOve
 const certs = await certClient.fire({ identity });
 console.log(`Certificates: ${certs.summary.valid} valid, ${certs.summary.failed} failed`);
 
-// 4. Check email queues
-const queueClient = new typedrequest.TypedRequest<requests.IReq_GetQueuedEmails>(
+// 4. List remote ingress edges
+const edgesClient = new typedrequest.TypedRequest<requests.IReq_GetRemoteIngresses>(
   'https://your-dcrouter:3000/typedrequest',
-  'getQueuedEmails'
+  'getRemoteIngresses'
 );
 
-const queued = await queueClient.fire({ identity });
-console.log('Queued emails:', queued.emails.length);
+const edges = await edgesClient.fire({ identity });
+console.log('Registered edges:', edges.edges.length);
+
+// 5. Generate a connection token for an edge
+const tokenClient = new typedrequest.TypedRequest<requests.IReq_GetRemoteIngressConnectionToken>(
+  'https://your-dcrouter:3000/typedrequest',
+  'getRemoteIngressConnectionToken'
+);
+
+const tokenResponse = await tokenClient.fire({ identity, edgeId: edges.edges[0].id });
+console.log('Connection token:', tokenResponse.token);
 ```
 
 ## License and Legal Information

ts_interfaces/requests/certificate.ts

@@ -74,3 +74,68 @@ export interface IReq_ReprovisionCertificateDomain extends plugins.typedrequestI
     message?: string;
   };
 }
+
+// Delete a certificate by domain
+export interface IReq_DeleteCertificate extends plugins.typedrequestInterfaces.implementsTR<
+  plugins.typedrequestInterfaces.ITypedRequest,
+  IReq_DeleteCertificate
+> {
+  method: 'deleteCertificate';
+  request: {
+    identity?: authInterfaces.IIdentity;
+    domain: string;
+  };
+  response: {
+    success: boolean;
+    message?: string;
+  };
+}
+
+// Export a certificate as ICert JSON
+export interface IReq_ExportCertificate extends plugins.typedrequestInterfaces.implementsTR<
+  plugins.typedrequestInterfaces.ITypedRequest,
+  IReq_ExportCertificate
+> {
+  method: 'exportCertificate';
+  request: {
+    identity?: authInterfaces.IIdentity;
+    domain: string;
+  };
+  response: {
+    success: boolean;
+    cert?: {
+      id: string;
+      domainName: string;
+      created: number;
+      validUntil: number;
+      privateKey: string;
+      publicKey: string;
+      csr: string;
+    };
+    message?: string;
+  };
+}
+
+// Import a certificate from ICert JSON
+export interface IReq_ImportCertificate extends plugins.typedrequestInterfaces.implementsTR<
+  plugins.typedrequestInterfaces.ITypedRequest,
+  IReq_ImportCertificate
+> {
+  method: 'importCertificate';
+  request: {
+    identity?: authInterfaces.IIdentity;
+    cert: {
+      id: string;
+      domainName: string;
+      created: number;
+      validUntil: number;
+      privateKey: string;
+      publicKey: string;
+      csr: string;
+    };
+  };
+  response: {
+    success: boolean;
+    message?: string;
+  };
+}

ts_interfaces/requests/index.ts

@@ -5,4 +5,5 @@ export * from './stats.js';
 export * from './combined.stats.js';
 export * from './radius.js';
 export * from './email-ops.js';
-export * from './certificate.js';
+export * from './certificate.js';
+export * from './remoteingress.js';

ts_interfaces/requests/remoteingress.ts

@@ -0,0 +1,140 @@
+import * as plugins from '../plugins.js';
+import * as authInterfaces from '../data/auth.js';
+import type { IRemoteIngress, IRemoteIngressStatus } from '../data/remoteingress.js';
+
+// ============================================================================
+// Remote Ingress Edge Management
+// ============================================================================
+
+/**
+ * Create a new remote ingress edge registration.
+ */
+export interface IReq_CreateRemoteIngress extends plugins.typedrequestInterfaces.implementsTR<
+  plugins.typedrequestInterfaces.ITypedRequest,
+  IReq_CreateRemoteIngress
+> {
+  method: 'createRemoteIngress';
+  request: {
+    identity?: authInterfaces.IIdentity;
+    name: string;
+    listenPorts?: number[];
+    autoDerivePorts?: boolean;
+    tags?: string[];
+  };
+  response: {
+    success: boolean;
+    edge: IRemoteIngress;
+  };
+}
+
+/**
+ * Delete a remote ingress edge registration.
+ */
+export interface IReq_DeleteRemoteIngress extends plugins.typedrequestInterfaces.implementsTR<
+  plugins.typedrequestInterfaces.ITypedRequest,
+  IReq_DeleteRemoteIngress
+> {
+  method: 'deleteRemoteIngress';
+  request: {
+    identity?: authInterfaces.IIdentity;
+    id: string;
+  };
+  response: {
+    success: boolean;
+    message?: string;
+  };
+}
+
+/**
+ * Update a remote ingress edge registration.
+ */
+export interface IReq_UpdateRemoteIngress extends plugins.typedrequestInterfaces.implementsTR<
+  plugins.typedrequestInterfaces.ITypedRequest,
+  IReq_UpdateRemoteIngress
+> {
+  method: 'updateRemoteIngress';
+  request: {
+    identity?: authInterfaces.IIdentity;
+    id: string;
+    name?: string;
+    listenPorts?: number[];
+    autoDerivePorts?: boolean;
+    enabled?: boolean;
+    tags?: string[];
+  };
+  response: {
+    success: boolean;
+    edge: IRemoteIngress;
+  };
+}
+
+/**
+ * Regenerate the secret for a remote ingress edge.
+ */
+export interface IReq_RegenerateRemoteIngressSecret extends plugins.typedrequestInterfaces.implementsTR<
+  plugins.typedrequestInterfaces.ITypedRequest,
+  IReq_RegenerateRemoteIngressSecret
+> {
+  method: 'regenerateRemoteIngressSecret';
+  request: {
+    identity?: authInterfaces.IIdentity;
+    id: string;
+  };
+  response: {
+    success: boolean;
+    secret: string;
+  };
+}
+
+/**
+ * Get all remote ingress edge registrations.
+ */
+export interface IReq_GetRemoteIngresses extends plugins.typedrequestInterfaces.implementsTR<
+  plugins.typedrequestInterfaces.ITypedRequest,
+  IReq_GetRemoteIngresses
+> {
+  method: 'getRemoteIngresses';
+  request: {
+    identity?: authInterfaces.IIdentity;
+  };
+  response: {
+    edges: IRemoteIngress[];
+  };
+}
+
+/**
+ * Get runtime status of all remote ingress edges.
+ */
+export interface IReq_GetRemoteIngressStatus extends plugins.typedrequestInterfaces.implementsTR<
+  plugins.typedrequestInterfaces.ITypedRequest,
+  IReq_GetRemoteIngressStatus
+> {
+  method: 'getRemoteIngressStatus';
+  request: {
+    identity?: authInterfaces.IIdentity;
+  };
+  response: {
+    statuses: IRemoteIngressStatus[];
+  };
+}
+
+/**
+ * Get a connection token for a remote ingress edge.
+ * The token is a single opaque base64url string that encodes hubHost, hubPort, edgeId, and secret.
+ */
+export interface IReq_GetRemoteIngressConnectionToken extends plugins.typedrequestInterfaces.implementsTR<
+  plugins.typedrequestInterfaces.ITypedRequest,
+  IReq_GetRemoteIngressConnectionToken
+> {
+  method: 'getRemoteIngressConnectionToken';
+  request: {
+    identity?: authInterfaces.IIdentity;
+    edgeId: string;
+    hubHost?: string;
+  };
+  response: {
+    success: boolean;
+    token?: string;
+    message?: string;
+  };
+}

ts_web/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@serve.zone/dcrouter',
-  version: '6.3.0',
+  version: '6.13.2',
   description: 'A multifaceted routing service handling mail and SMS delivery functions.'
 }

ts_web/appstate.ts

@@ -116,7 +116,7 @@ export const configStatePart = await appState.getStatePart<IConfigState>(
 // Determine initial view from URL path
 const getInitialView = (): string => {
   const path = typeof window !== 'undefined' ? window.location.pathname : '/';
-  const validViews = ['overview', 'network', 'emails', 'logs', 'configuration', 'security', 'certificates'];
+  const validViews = ['overview', 'network', 'emails', 'logs', 'configuration', 'security', 'certificates', 'remoteingress'];
   const segments = path.split('/').filter(Boolean);
   const view = segments[0];
   return validViews.includes(view) ? view : 'overview';
@@ -192,6 +192,34 @@ export const certificateStatePart = await appState.getStatePart<ICertificateStat
   'soft'
 );
 
+// ============================================================================
+// Remote Ingress State
+// ============================================================================
+
+export interface IRemoteIngressState {
+  edges: interfaces.data.IRemoteIngress[];
+  statuses: interfaces.data.IRemoteIngressStatus[];
+  selectedEdgeId: string | null;
+  newEdgeId: string | null;
+  isLoading: boolean;
+  error: string | null;
+  lastUpdated: number;
+}
+
+export const remoteIngressStatePart = await appState.getStatePart<IRemoteIngressState>(
+  'remoteIngress',
+  {
+    edges: [],
+    statuses: [],
+    selectedEdgeId: null,
+    newEdgeId: null,
+    isLoading: false,
+    error: null,
+    lastUpdated: 0,
+  },
+  'soft'
+);
+
 // Actions for state management
 interface IActionContext {
   identity: interfaces.data.IIdentity | null;
@@ -378,6 +406,13 @@ export const setActiveViewAction = uiStatePart.createAction<string>(async (state
     }, 100);
   }
 
+  // If switching to remoteingress view, ensure we fetch edge data
+  if (viewName === 'remoteingress' && currentState.activeView !== 'remoteingress') {
+    setTimeout(() => {
+      remoteIngressStatePart.dispatchAction(fetchRemoteIngressAction, null);
+    }, 100);
+  }
+
   return {
     ...currentState,
     activeView: viewName,
@@ -745,6 +780,301 @@ export const reprovisionCertificateAction = certificateStatePart.createAction<st
   }
 );
 
+export const deleteCertificateAction = certificateStatePart.createAction<string>(
+  async (statePartArg, domain) => {
+    const context = getActionContext();
+    const currentState = statePartArg.getState();
+
+    try {
+      const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
+        interfaces.requests.IReq_DeleteCertificate
+      >('/typedrequest', 'deleteCertificate');
+
+      await request.fire({
+        identity: context.identity,
+        domain,
+      });
+
+      // Re-fetch overview after deletion
+      await certificateStatePart.dispatchAction(fetchCertificateOverviewAction, null);
+      return statePartArg.getState();
+    } catch (error) {
+      return {
+        ...currentState,
+        error: error instanceof Error ? error.message : 'Failed to delete certificate',
+      };
+    }
+  }
+);
+
+export const importCertificateAction = certificateStatePart.createAction<{
+  id: string;
+  domainName: string;
+  created: number;
+  validUntil: number;
+  privateKey: string;
+  publicKey: string;
+  csr: string;
+}>(
+  async (statePartArg, cert) => {
+    const context = getActionContext();
+    const currentState = statePartArg.getState();
+
+    try {
+      const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
+        interfaces.requests.IReq_ImportCertificate
+      >('/typedrequest', 'importCertificate');
+
+      await request.fire({
+        identity: context.identity,
+        cert,
+      });
+
+      // Re-fetch overview after import
+      await certificateStatePart.dispatchAction(fetchCertificateOverviewAction, null);
+      return statePartArg.getState();
+    } catch (error) {
+      return {
+        ...currentState,
+        error: error instanceof Error ? error.message : 'Failed to import certificate',
+      };
+    }
+  }
+);
+
+export async function fetchCertificateExport(domain: string) {
+  const context = getActionContext();
+  const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
+    interfaces.requests.IReq_ExportCertificate
+  >('/typedrequest', 'exportCertificate');
+
+  return request.fire({
+    identity: context.identity,
+    domain,
+  });
+}
+
+// ============================================================================
+// Remote Ingress Standalone Functions
+// ============================================================================
+
+export async function fetchConnectionToken(edgeId: string) {
+  const context = getActionContext();
+  const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
+    interfaces.requests.IReq_GetRemoteIngressConnectionToken
+  >('/typedrequest', 'getRemoteIngressConnectionToken');
+  return request.fire({ identity: context.identity, edgeId });
+}
+
+// ============================================================================
+// Remote Ingress Actions
+// ============================================================================
+
+export const fetchRemoteIngressAction = remoteIngressStatePart.createAction(async (statePartArg) => {
+  const context = getActionContext();
+  const currentState = statePartArg.getState();
+
+  try {
+    const edgesRequest = new plugins.domtools.plugins.typedrequest.TypedRequest<
+      interfaces.requests.IReq_GetRemoteIngresses
+    >('/typedrequest', 'getRemoteIngresses');
+
+    const statusRequest = new plugins.domtools.plugins.typedrequest.TypedRequest<
+      interfaces.requests.IReq_GetRemoteIngressStatus
+    >('/typedrequest', 'getRemoteIngressStatus');
+
+    const [edgesResponse, statusResponse] = await Promise.all([
+      edgesRequest.fire({ identity: context.identity }),
+      statusRequest.fire({ identity: context.identity }),
+    ]);
+
+    return {
+      ...currentState,
+      edges: edgesResponse.edges,
+      statuses: statusResponse.statuses,
+      isLoading: false,
+      error: null,
+      lastUpdated: Date.now(),
+    };
+  } catch (error) {
+    return {
+      ...currentState,
+      isLoading: false,
+      error: error instanceof Error ? error.message : 'Failed to fetch remote ingress data',
+    };
+  }
+});
+
+export const createRemoteIngressAction = remoteIngressStatePart.createAction<{
+  name: string;
+  listenPorts?: number[];
+  autoDerivePorts?: boolean;
+  tags?: string[];
+}>(async (statePartArg, dataArg) => {
+  const context = getActionContext();
+  const currentState = statePartArg.getState();
+
+  try {
+    const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
+      interfaces.requests.IReq_CreateRemoteIngress
+    >('/typedrequest', 'createRemoteIngress');
+
+    const response = await request.fire({
+      identity: context.identity,
+      name: dataArg.name,
+      listenPorts: dataArg.listenPorts,
+      autoDerivePorts: dataArg.autoDerivePorts,
+      tags: dataArg.tags,
+    });
+
+    if (response.success) {
+      // Refresh the list
+      await remoteIngressStatePart.dispatchAction(fetchRemoteIngressAction, null);
+
+      return {
+        ...statePartArg.getState(),
+        newEdgeId: response.edge.id,
+      };
+    }
+
+    return currentState;
+  } catch (error) {
+    return {
+      ...currentState,
+      error: error instanceof Error ? error.message : 'Failed to create edge',
+    };
+  }
+});
+
+export const deleteRemoteIngressAction = remoteIngressStatePart.createAction<string>(
+  async (statePartArg, edgeId) => {
+    const context = getActionContext();
+    const currentState = statePartArg.getState();
+
+    try {
+      const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
+        interfaces.requests.IReq_DeleteRemoteIngress
+      >('/typedrequest', 'deleteRemoteIngress');
+
+      await request.fire({
+        identity: context.identity,
+        id: edgeId,
+      });
+
+      await remoteIngressStatePart.dispatchAction(fetchRemoteIngressAction, null);
+      return statePartArg.getState();
+    } catch (error) {
+      return {
+        ...currentState,
+        error: error instanceof Error ? error.message : 'Failed to delete edge',
+      };
+    }
+  }
+);
+
+export const updateRemoteIngressAction = remoteIngressStatePart.createAction<{
+  id: string;
+  name?: string;
+  listenPorts?: number[];
+  autoDerivePorts?: boolean;
+  tags?: string[];
+}>(async (statePartArg, dataArg) => {
+  const context = getActionContext();
+  const currentState = statePartArg.getState();
+
+  try {
+    const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
+      interfaces.requests.IReq_UpdateRemoteIngress
+    >('/typedrequest', 'updateRemoteIngress');
+
+    await request.fire({
+      identity: context.identity,
+      id: dataArg.id,
+      name: dataArg.name,
+      listenPorts: dataArg.listenPorts,
+      autoDerivePorts: dataArg.autoDerivePorts,
+      tags: dataArg.tags,
+    });
+
+    await remoteIngressStatePart.dispatchAction(fetchRemoteIngressAction, null);
+    return statePartArg.getState();
+  } catch (error) {
+    return {
+      ...currentState,
+      error: error instanceof Error ? error.message : 'Failed to update edge',
+    };
+  }
+});
+
+export const regenerateRemoteIngressSecretAction = remoteIngressStatePart.createAction<string>(
+  async (statePartArg, edgeId) => {
+    const context = getActionContext();
+    const currentState = statePartArg.getState();
+
+    try {
+      const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
+        interfaces.requests.IReq_RegenerateRemoteIngressSecret
+      >('/typedrequest', 'regenerateRemoteIngressSecret');
+
+      const response = await request.fire({
+        identity: context.identity,
+        id: edgeId,
+      });
+
+      if (response.success) {
+        return {
+          ...currentState,
+          newEdgeId: edgeId,
+        };
+      }
+
+      return currentState;
+    } catch (error) {
+      return {
+        ...currentState,
+        error: error instanceof Error ? error.message : 'Failed to regenerate secret',
+      };
+    }
+  }
+);
+
+export const clearNewEdgeIdAction = remoteIngressStatePart.createAction(
+  async (statePartArg) => {
+    return {
+      ...statePartArg.getState(),
+      newEdgeId: null,
+    };
+  }
+);
+
+export const toggleRemoteIngressAction = remoteIngressStatePart.createAction<{
+  id: string;
+  enabled: boolean;
+}>(async (statePartArg, dataArg) => {
+  const context = getActionContext();
+  const currentState = statePartArg.getState();
+
+  try {
+    const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
+      interfaces.requests.IReq_UpdateRemoteIngress
+    >('/typedrequest', 'updateRemoteIngress');
+
+    await request.fire({
+      identity: context.identity,
+      id: dataArg.id,
+      enabled: dataArg.enabled,
+    });
+
+    await remoteIngressStatePart.dispatchAction(fetchRemoteIngressAction, null);
+    return statePartArg.getState();
+  } catch (error) {
+    return {
+      ...currentState,
+      error: error instanceof Error ? error.message : 'Failed to toggle edge',
+    };
+  }
+});
+
 // Combined refresh action for efficient polling
 async function dispatchCombinedRefreshAction() {
   const context = getActionContext();

ts_web/elements/index.ts

@@ -6,4 +6,5 @@ export * from './ops-view-logs.js';
 export * from './ops-view-config.js';
 export * from './ops-view-security.js';
 export * from './ops-view-certificates.js';
+export * from './ops-view-remoteingress.js';
 export * from './shared/index.js';

ts_web/elements/ops-dashboard.ts

@@ -20,6 +20,7 @@ import { OpsViewLogs } from './ops-view-logs.js';
 import { OpsViewConfig } from './ops-view-config.js';
 import { OpsViewSecurity } from './ops-view-security.js';
 import { OpsViewCertificates } from './ops-view-certificates.js';
+import { OpsViewRemoteIngress } from './ops-view-remoteingress.js';
 
 @customElement('ops-dashboard')
 export class OpsDashboard extends DeesElement {
@@ -66,6 +67,10 @@ export class OpsDashboard extends DeesElement {
       name: 'Certificates',
       element: OpsViewCertificates,
     },
+    {
+      name: 'RemoteIngress',
+      element: OpsViewRemoteIngress,
+    },
   ];
 
   /**

ts_web/elements/ops-view-certificates.ts

@@ -175,7 +175,7 @@ export class OpsViewCertificates extends DeesElement {
         title: 'Total Certificates',
         value: summary.total,
         type: 'number',
-        icon: 'shieldHalved',
+        icon: 'lucide:ShieldHalf',
         color: '#3b82f6',
       },
       {
@@ -183,7 +183,7 @@ export class OpsViewCertificates extends DeesElement {
         title: 'Valid',
         value: summary.valid,
         type: 'number',
-        icon: 'check',
+        icon: 'lucide:Check',
         color: '#22c55e',
       },
       {
@@ -191,7 +191,7 @@ export class OpsViewCertificates extends DeesElement {
         title: 'Expiring Soon',
         value: summary.expiring,
         type: 'number',
-        icon: 'clock',
+        icon: 'lucide:Clock',
         color: '#f59e0b',
       },
       {
@@ -199,7 +199,7 @@ export class OpsViewCertificates extends DeesElement {
         title: 'Failed / Expired',
         value: summary.failed + summary.expired,
         type: 'number',
-        icon: 'triangleExclamation',
+        icon: 'lucide:TriangleAlert',
         color: '#ef4444',
       },
     ];
@@ -211,7 +211,7 @@ export class OpsViewCertificates extends DeesElement {
         .gridActions=${[
           {
             name: 'Refresh',
-            iconName: 'arrowsRotate',
+            iconName: 'lucide:RefreshCw',
             action: async () => {
               await appstate.certificateStatePart.dispatchAction(
                 appstate.fetchCertificateOverviewAction,
@@ -241,9 +241,64 @@ export class OpsViewCertificates extends DeesElement {
               : '',
         })}
         .dataActions=${[
+          {
+            name: 'Import Certificate',
+            iconName: 'lucide:upload',
+            type: ['header'],
+            actionFunc: async () => {
+              const { DeesModal } = await import('@design.estate/dees-catalog');
+              await DeesModal.createAndShow({
+                heading: 'Import Certificate',
+                content: html`
+                  <dees-form>
+                    <dees-input-fileupload
+                      key="certJsonFile"
+                      label="Certificate JSON (.tsclass.cert.json)"
+                      accept=".json"
+                      .multiple=${false}
+                      required
+                    ></dees-input-fileupload>
+                  </dees-form>
+                `,
+                menuOptions: [
+                  {
+                    name: 'Import',
+                    iconName: 'lucide:upload',
+                    action: async (modal) => {
+                      const { DeesToast } = await import('@design.estate/dees-catalog');
+                      try {
+                        const form = modal.shadowRoot.querySelector('dees-form') as any;
+                        const formData = await form.collectFormData();
+                        const files = formData.certJsonFile;
+                        if (!files || files.length === 0) {
+                          DeesToast.show({ message: 'Please select a JSON file.', type: 'warning', duration: 3000 });
+                          return;
+                        }
+                        const file = files[0];
+                        const text = await file.text();
+                        const cert = JSON.parse(text);
+                        if (!cert.domainName || !cert.publicKey || !cert.privateKey) {
+                          DeesToast.show({ message: 'Invalid cert JSON: missing domainName, publicKey, or privateKey.', type: 'error', duration: 4000 });
+                          return;
+                        }
+                        await appstate.certificateStatePart.dispatchAction(
+                          appstate.importCertificateAction,
+                          cert,
+                        );
+                        DeesToast.show({ message: `Certificate imported for ${cert.domainName}`, type: 'success', duration: 3000 });
+                        modal.destroy();
+                      } catch (err) {
+                        DeesToast.show({ message: `Import failed: ${err.message}`, type: 'error', duration: 4000 });
+                      }
+                    },
+                  },
+                ],
+              });
+            },
+          },
           {
             name: 'Reprovision',
-            iconName: 'arrowsRotate',
+            iconName: 'lucide:RefreshCw',
             type: ['inRow'],
             actionFunc: async (actionData: { item: interfaces.requests.ICertificateInfo }) => {
               const cert = actionData.item;
@@ -268,9 +323,66 @@ export class OpsViewCertificates extends DeesElement {
               });
             },
           },
+          {
+            name: 'Export',
+            iconName: 'lucide:download',
+            type: ['inRow', 'contextmenu'],
+            actionFunc: async (actionData: { item: interfaces.requests.ICertificateInfo }) => {
+              const { DeesToast } = await import('@design.estate/dees-catalog');
+              const cert = actionData.item;
+              try {
+                const response = await appstate.fetchCertificateExport(cert.domain);
+                if (response.success && response.cert) {
+                  const safeDomain = cert.domain.replace(/\*/g, '_wildcard');
+                  this.downloadJsonFile(`${safeDomain}.tsclass.cert.json`, response.cert);
+                  DeesToast.show({ message: `Certificate exported for ${cert.domain}`, type: 'success', duration: 3000 });
+                } else {
+                  DeesToast.show({ message: response.message || 'Export failed', type: 'error', duration: 4000 });
+                }
+              } catch (err) {
+                DeesToast.show({ message: `Export failed: ${err.message}`, type: 'error', duration: 4000 });
+              }
+            },
+          },
+          {
+            name: 'Delete',
+            iconName: 'lucide:trash-2',
+            type: ['inRow', 'contextmenu'],
+            actionFunc: async (actionData: { item: interfaces.requests.ICertificateInfo }) => {
+              const cert = actionData.item;
+              const { DeesModal, DeesToast } = await import('@design.estate/dees-catalog');
+              await DeesModal.createAndShow({
+                heading: `Delete Certificate: ${cert.domain}`,
+                content: html`
+                  <div style="padding: 20px; font-size: 14px;">
+                    <p>Are you sure you want to delete the certificate data for <strong>${cert.domain}</strong>?</p>
+                    <p style="color: #f59e0b; margin-top: 12px;">Note: The certificate may remain in proxy memory until the next restart or reprovisioning.</p>
+                  </div>
+                `,
+                menuOptions: [
+                  {
+                    name: 'Delete',
+                    iconName: 'lucide:trash-2',
+                    action: async (modal) => {
+                      try {
+                        await appstate.certificateStatePart.dispatchAction(
+                          appstate.deleteCertificateAction,
+                          cert.domain,
+                        );
+                        DeesToast.show({ message: `Certificate deleted for ${cert.domain}`, type: 'success', duration: 3000 });
+                        modal.destroy();
+                      } catch (err) {
+                        DeesToast.show({ message: `Delete failed: ${err.message}`, type: 'error', duration: 4000 });
+                      }
+                    },
+                  },
+                ],
+              });
+            },
+          },
           {
             name: 'View Details',
-            iconName: 'magnifyingGlass',
+            iconName: 'fa:magnifyingGlass',
             type: ['doubleClick', 'contextmenu'],
             actionFunc: async (actionData: { item: interfaces.requests.ICertificateInfo }) => {
               const cert = actionData.item;
@@ -289,7 +401,7 @@ export class OpsViewCertificates extends DeesElement {
                 menuOptions: [
                   {
                     name: 'Copy Domain',
-                    iconName: 'copy',
+                    iconName: 'lucide:Copy',
                     action: async () => {
                       await navigator.clipboard.writeText(cert.domain);
                     },
@@ -309,6 +421,19 @@ export class OpsViewCertificates extends DeesElement {
     `;
   }
 
+  private downloadJsonFile(filename: string, data: any): void {
+    const json = JSON.stringify(data, null, 2);
+    const blob = new Blob([json], { type: 'application/json' });
+    const url = URL.createObjectURL(blob);
+    const a = document.createElement('a');
+    a.href = url;
+    a.download = filename;
+    document.body.appendChild(a);
+    a.click();
+    document.body.removeChild(a);
+    URL.revokeObjectURL(url);
+  }
+
   private renderRoutePills(routeNames: string[]): TemplateResult {
     const maxShow = 3;
     const visible = routeNames.slice(0, maxShow);

ts_web/elements/ops-view-network.ts

@@ -287,7 +287,7 @@ export class OpsViewNetwork extends DeesElement {
           .dataActions=${[
             {
               name: 'View Details',
-              iconName: 'magnifyingGlass',
+              iconName: 'fa:magnifyingGlass',
               type: ['inRow', 'doubleClick', 'contextmenu'],
               actionFunc: async (actionData) => {
                 await this.showRequestDetails(actionData.item);
@@ -336,7 +336,7 @@ export class OpsViewNetwork extends DeesElement {
       menuOptions: [
         {
           name: 'Copy Request ID',
-          iconName: 'copy',
+          iconName: 'lucide:Copy',
           action: async () => {
             await navigator.clipboard.writeText(request.id);
           }
@@ -429,13 +429,13 @@ export class OpsViewNetwork extends DeesElement {
         title: 'Active Connections',
         value: activeConnections,
         type: 'number',
-        icon: 'plug',
+        icon: 'lucide:Plug',
         color: activeConnections > 100 ? '#f59e0b' : '#22c55e',
         description: `Total: ${this.networkState.requestsTotal || this.statsState.serverStats?.totalConnections || 0}`,
         actions: [
           {
             name: 'View Details',
-            iconName: 'magnifyingGlass',
+            iconName: 'fa:magnifyingGlass',
             action: async () => {
             },
           },
@@ -446,7 +446,7 @@ export class OpsViewNetwork extends DeesElement {
         title: 'Requests/sec',
         value: reqPerSec,
         type: 'trend',
-        icon: 'chartLine',
+        icon: 'lucide:ChartLine',
         color: '#3b82f6',
         trendData: trendData,
         description: `Total: ${this.formatNumber(this.networkState.requestsTotal || 0)} requests`,
@@ -457,7 +457,7 @@ export class OpsViewNetwork extends DeesElement {
         value: this.formatBitsPerSecond(throughput.in),
         unit: '',
         type: 'number',
-        icon: 'download',
+        icon: 'lucide:Download',
         color: '#22c55e',
         description: `Total: ${this.formatBytes(this.networkState.totalBytes?.in || 0)}`,
       },
@@ -467,7 +467,7 @@ export class OpsViewNetwork extends DeesElement {
         value: this.formatBitsPerSecond(throughput.out),
         unit: '',
         type: 'number',
-        icon: 'upload',
+        icon: 'lucide:Upload',
         color: '#8b5cf6',
         description: `Total: ${this.formatBytes(this.networkState.totalBytes?.out || 0)}`,
       },
@@ -480,7 +480,7 @@ export class OpsViewNetwork extends DeesElement {
         .gridActions=${[
           {
             name: 'Export Data',
-            iconName: 'fileExport',
+            iconName: 'lucide:FileOutput',
             action: async () => {
               console.log('Export feature coming soon');
             },

ts_web/elements/ops-view-overview.ts

@@ -163,7 +163,7 @@ export class OpsViewOverview extends DeesElement {
         title: 'Server Status',
         value: this.statsState.serverStats.uptime ? 'Online' : 'Offline',
         type: 'text',
-        icon: 'server',
+        icon: 'lucide:Server',
         color: this.statsState.serverStats.uptime ? '#22c55e' : '#ef4444',
         description: `Uptime: ${this.formatUptime(this.statsState.serverStats.uptime)}`,
       },
@@ -172,7 +172,7 @@ export class OpsViewOverview extends DeesElement {
         title: 'Active Connections',
         value: this.statsState.serverStats.activeConnections,
         type: 'number',
-        icon: 'networkWired',
+        icon: 'lucide:Network',
         color: '#3b82f6',
         description: `Total: ${this.statsState.serverStats.totalConnections}`,
       },
@@ -181,7 +181,7 @@ export class OpsViewOverview extends DeesElement {
         title: 'Throughput In',
         value: this.formatBitsPerSecond(this.statsState.serverStats.throughput?.bytesInPerSecond || 0),
         type: 'text',
-        icon: 'download',
+        icon: 'lucide:Download',
         color: '#22c55e',
         description: `Total: ${this.formatBytes(this.statsState.serverStats.throughput?.bytesIn || 0)}`,
       },
@@ -190,7 +190,7 @@ export class OpsViewOverview extends DeesElement {
         title: 'Throughput Out',
         value: this.formatBitsPerSecond(this.statsState.serverStats.throughput?.bytesOutPerSecond || 0),
         type: 'text',
-        icon: 'upload',
+        icon: 'lucide:Upload',
         color: '#8b5cf6',
         description: `Total: ${this.formatBytes(this.statsState.serverStats.throughput?.bytesOut || 0)}`,
       },
@@ -199,7 +199,7 @@ export class OpsViewOverview extends DeesElement {
         title: 'CPU Usage',
         value: cpuUsage,
         type: 'gauge',
-        icon: 'microchip',
+        icon: 'lucide:Cpu',
         gaugeOptions: {
           min: 0,
           max: 100,
@@ -215,7 +215,7 @@ export class OpsViewOverview extends DeesElement {
         title: 'Memory Usage',
         value: memoryUsage,
         type: 'percentage',
-        icon: 'memory',
+        icon: 'lucide:MemoryStick',
         color: memoryUsage > 80 ? '#ef4444' : memoryUsage > 60 ? '#f59e0b' : '#22c55e',
         description: this.statsState.serverStats.memoryUsage.actualUsageBytes !== undefined && this.statsState.serverStats.memoryUsage.maxMemoryMB !== undefined
           ? `${this.formatBytes(this.statsState.serverStats.memoryUsage.actualUsageBytes)} / ${this.formatBytes(this.statsState.serverStats.memoryUsage.maxMemoryMB * 1024 * 1024)}`
@@ -229,7 +229,7 @@ export class OpsViewOverview extends DeesElement {
         .gridActions=${[
           {
             name: 'Refresh',
-            iconName: 'arrowsRotate',
+            iconName: 'lucide:RefreshCw',
             action: async () => {
               await appstate.statsStatePart.dispatchAction(appstate.fetchAllStatsAction, null);
             },
@@ -251,7 +251,7 @@ export class OpsViewOverview extends DeesElement {
         title: 'Emails Sent',
         value: this.statsState.emailStats.sent,
         type: 'number',
-        icon: 'paperPlane',
+        icon: 'lucide:Send',
         color: '#22c55e',
         description: `Delivery rate: ${(deliveryRate * 100).toFixed(1)}%`,
       },
@@ -260,7 +260,7 @@ export class OpsViewOverview extends DeesElement {
         title: 'Emails Received',
         value: this.statsState.emailStats.received,
         type: 'number',
-        icon: 'envelope',
+        icon: 'lucide:Mail',
         color: '#3b82f6',
       },
       {
@@ -268,7 +268,7 @@ export class OpsViewOverview extends DeesElement {
         title: 'Queued',
         value: this.statsState.emailStats.queued,
         type: 'number',
-        icon: 'clock',
+        icon: 'lucide:Clock',
         color: '#f59e0b',
         description: 'Pending delivery',
       },
@@ -277,7 +277,7 @@ export class OpsViewOverview extends DeesElement {
         title: 'Failed',
         value: this.statsState.emailStats.failed,
         type: 'number',
-        icon: 'triangleExclamation',
+        icon: 'lucide:TriangleAlert',
         color: '#ef4444',
         description: `Bounce rate: ${(bounceRate * 100).toFixed(1)}%`,
       },
@@ -300,7 +300,7 @@ export class OpsViewOverview extends DeesElement {
         title: 'DNS Queries',
         value: this.statsState.dnsStats.totalQueries,
         type: 'number',
-        icon: 'globe',
+        icon: 'lucide:Globe',
         color: '#3b82f6',
         description: 'Total queries handled',
       },
@@ -309,7 +309,7 @@ export class OpsViewOverview extends DeesElement {
         title: 'Cache Hit Rate',
         value: cacheHitRate,
         type: 'percentage',
-        icon: 'database',
+        icon: 'lucide:Database',
         color: cacheHitRate > 80 ? '#22c55e' : cacheHitRate > 60 ? '#f59e0b' : '#ef4444',
         description: `${this.statsState.dnsStats.cacheHits} hits / ${this.statsState.dnsStats.cacheMisses} misses`,
       },
@@ -318,7 +318,7 @@ export class OpsViewOverview extends DeesElement {
         title: 'Active Domains',
         value: this.statsState.dnsStats.activeDomains,
         type: 'number',
-        icon: 'sitemap',
+        icon: 'lucide:Network',
         color: '#8b5cf6',
       },
       {
@@ -327,7 +327,7 @@ export class OpsViewOverview extends DeesElement {
         value: this.statsState.dnsStats.averageResponseTime.toFixed(1),
         unit: 'ms',
         type: 'number',
-        icon: 'clockRotateLeft',
+        icon: 'lucide:History',
         color: this.statsState.dnsStats.averageResponseTime < 50 ? '#22c55e' : '#f59e0b',
       },
     ];

ts_web/elements/ops-view-remoteingress.ts

@@ -0,0 +1,467 @@
+import {
+  DeesElement,
+  html,
+  customElement,
+  type TemplateResult,
+  css,
+  state,
+  cssManager,
+} from '@design.estate/dees-element';
+import * as appstate from '../appstate.js';
+import * as interfaces from '../../dist_ts_interfaces/index.js';
+import { viewHostCss } from './shared/css.js';
+import { type IStatsTile } from '@design.estate/dees-catalog';
+
+declare global {
+  interface HTMLElementTagNameMap {
+    'ops-view-remoteingress': OpsViewRemoteIngress;
+  }
+}
+
+@customElement('ops-view-remoteingress')
+export class OpsViewRemoteIngress extends DeesElement {
+  @state()
+  accessor riState: appstate.IRemoteIngressState = appstate.remoteIngressStatePart.getState();
+
+  constructor() {
+    super();
+    const sub = appstate.remoteIngressStatePart.state.subscribe((newState) => {
+      this.riState = newState;
+    });
+    this.rxSubscriptions.push(sub);
+  }
+
+  async connectedCallback() {
+    await super.connectedCallback();
+    await appstate.remoteIngressStatePart.dispatchAction(appstate.fetchRemoteIngressAction, null);
+  }
+
+  public static styles = [
+    cssManager.defaultStyles,
+    viewHostCss,
+    css`
+      .remoteIngressContainer {
+        display: flex;
+        flex-direction: column;
+        gap: 24px;
+      }
+
+      .statusBadge {
+        display: inline-flex;
+        align-items: center;
+        padding: 3px 10px;
+        border-radius: 12px;
+        font-size: 12px;
+        font-weight: 600;
+        letter-spacing: 0.02em;
+        text-transform: uppercase;
+      }
+
+      .statusBadge.connected {
+        background: ${cssManager.bdTheme('#dcfce7', '#14532d')};
+        color: ${cssManager.bdTheme('#166534', '#4ade80')};
+      }
+
+      .statusBadge.disconnected {
+        background: ${cssManager.bdTheme('#fef2f2', '#450a0a')};
+        color: ${cssManager.bdTheme('#991b1b', '#f87171')};
+      }
+
+      .statusBadge.disabled {
+        background: ${cssManager.bdTheme('#f3f4f6', '#374151')};
+        color: ${cssManager.bdTheme('#6b7280', '#9ca3af')};
+      }
+
+      .secretDialog {
+        padding: 16px;
+        background: ${cssManager.bdTheme('#fffbeb', '#1c1917')};
+        border: 1px solid ${cssManager.bdTheme('#fbbf24', '#92400e')};
+        border-radius: 8px;
+        margin-bottom: 16px;
+      }
+
+      .secretDialog code {
+        display: block;
+        padding: 8px 12px;
+        background: ${cssManager.bdTheme('#1f2937', '#111827')};
+        color: #10b981;
+        border-radius: 4px;
+        font-family: monospace;
+        font-size: 13px;
+        word-break: break-all;
+        margin: 8px 0;
+        user-select: all;
+      }
+
+      .secretDialog .warning {
+        font-size: 12px;
+        color: ${cssManager.bdTheme('#92400e', '#fbbf24')};
+        margin-top: 8px;
+      }
+
+      .portsDisplay {
+        display: flex;
+        gap: 4px;
+        flex-wrap: wrap;
+      }
+
+      .portBadge {
+        display: inline-flex;
+        padding: 2px 8px;
+        border-radius: 4px;
+        font-size: 12px;
+        font-weight: 500;
+        background: ${cssManager.bdTheme('#eff6ff', '#172554')};
+        color: ${cssManager.bdTheme('#1e40af', '#60a5fa')};
+      }
+
+      .portBadge.manual {
+        background: ${cssManager.bdTheme('#eff6ff', '#172554')};
+        color: ${cssManager.bdTheme('#1e40af', '#60a5fa')};
+      }
+
+      .portBadge.derived {
+        background: ${cssManager.bdTheme('#ecfdf5', '#022c22')};
+        color: ${cssManager.bdTheme('#047857', '#34d399')};
+        border: 1px dashed ${cssManager.bdTheme('#6ee7b7', '#065f46')};
+      }
+    `,
+  ];
+
+  render(): TemplateResult {
+    const totalEdges = this.riState.edges.length;
+    const connectedEdges = this.riState.statuses.filter(s => s.connected).length;
+    const disconnectedEdges = totalEdges - connectedEdges;
+    const activeTunnels = this.riState.statuses.reduce((sum, s) => sum + s.activeTunnels, 0);
+
+    const statsTiles: IStatsTile[] = [
+      {
+        id: 'totalEdges',
+        title: 'Total Edges',
+        type: 'number',
+        value: totalEdges,
+        icon: 'lucide:server',
+        description: 'Registered edge nodes',
+        color: '#3b82f6',
+      },
+      {
+        id: 'connectedEdges',
+        title: 'Connected',
+        type: 'number',
+        value: connectedEdges,
+        icon: 'lucide:link',
+        description: 'Currently connected edges',
+        color: '#10b981',
+      },
+      {
+        id: 'disconnectedEdges',
+        title: 'Disconnected',
+        type: 'number',
+        value: disconnectedEdges,
+        icon: 'lucide:unlink',
+        description: 'Offline edge nodes',
+        color: disconnectedEdges > 0 ? '#ef4444' : '#6b7280',
+      },
+      {
+        id: 'activeTunnels',
+        title: 'Active Tunnels',
+        type: 'number',
+        value: activeTunnels,
+        icon: 'lucide:cable',
+        description: 'Active client connections',
+        color: '#8b5cf6',
+      },
+    ];
+
+    return html`
+      <ops-sectionheading>Remote Ingress</ops-sectionheading>
+
+      ${this.riState.newEdgeId ? html`
+        <div class="secretDialog">
+          <strong>Edge created successfully!</strong>
+          <div class="warning">Copy the connection token now. Use it with edge.start({ token: '...' }).</div>
+          <dees-button
+            @click=${async () => {
+              const { DeesToast } = await import('@design.estate/dees-catalog');
+              try {
+                const response = await appstate.fetchConnectionToken(this.riState.newEdgeId);
+                if (response.success && response.token) {
+                  if (navigator.clipboard && typeof navigator.clipboard.writeText === 'function') {
+                    await navigator.clipboard.writeText(response.token);
+                  } else {
+                    const textarea = document.createElement('textarea');
+                    textarea.value = response.token;
+                    textarea.style.position = 'fixed';
+                    textarea.style.opacity = '0';
+                    document.body.appendChild(textarea);
+                    textarea.select();
+                    document.execCommand('copy');
+                    document.body.removeChild(textarea);
+                  }
+                  DeesToast.show({ message: 'Connection token copied!', type: 'success', duration: 3000 });
+                } else {
+                  DeesToast.show({ message: response.message || 'Failed to get token', type: 'error', duration: 4000 });
+                }
+              } catch (err) {
+                DeesToast.show({ message: `Failed: ${err.message}`, type: 'error', duration: 4000 });
+              }
+            }}
+          >Copy Connection Token</dees-button>
+          <dees-button
+            @click=${() => appstate.remoteIngressStatePart.dispatchAction(appstate.clearNewEdgeIdAction, null)}
+          >Dismiss</dees-button>
+        </div>
+      ` : ''}
+
+      <div class="remoteIngressContainer">
+        <dees-statsgrid .tiles=${statsTiles}></dees-statsgrid>
+
+        <dees-table
+          .heading1=${'Edge Nodes'}
+          .heading2=${'Manage remote ingress edge registrations'}
+          .data=${this.riState.edges}
+          .displayFunction=${(edge: interfaces.data.IRemoteIngress) => ({
+            name: edge.name,
+            status: this.getEdgeStatusHtml(edge),
+            publicIp: this.getEdgePublicIp(edge.id),
+            ports: this.getPortsHtml(edge),
+            tunnels: this.getEdgeTunnelCount(edge.id),
+            lastHeartbeat: this.getLastHeartbeat(edge.id),
+          })}
+          .dataActions=${[
+            {
+              name: 'Create Edge Node',
+              iconName: 'lucide:plus',
+              type: ['header'],
+              actionFunc: async () => {
+                const { DeesModal } = await import('@design.estate/dees-catalog');
+                const modal = await DeesModal.createAndShow({
+                  heading: 'Create Edge Node',
+                  content: html`
+                    <dees-form>
+                      <dees-input-text .key=${'name'} .label=${'Name'} .required=${true}></dees-input-text>
+                      <dees-input-text .key=${'listenPorts'} .label=${'Additional Manual Ports (comma-separated, optional)'}></dees-input-text>
+                      <dees-input-checkbox .key=${'autoDerivePorts'} .label=${'Auto-derive ports from routes'} .value=${true}></dees-input-checkbox>
+                      <dees-input-text .key=${'tags'} .label=${'Tags (comma-separated, optional)'}></dees-input-text>
+                    </dees-form>
+                  `,
+                  menuOptions: [
+                    {
+                      name: 'Cancel',
+                      iconName: 'lucide:x',
+                      action: async (modalArg: any) => await modalArg.destroy(),
+                    },
+                    {
+                      name: 'Create',
+                      iconName: 'lucide:plus',
+                      action: async (modalArg: any) => {
+                        const form = modalArg.shadowRoot?.querySelector('.content')?.querySelector('dees-form');
+                        if (!form) return;
+                        const formData = await form.collectFormData();
+                        const name = formData.name;
+                        if (!name) return;
+                        const portsStr = formData.listenPorts?.trim();
+                        const listenPorts = portsStr
+                          ? portsStr.split(',').map((p: string) => parseInt(p.trim(), 10)).filter((p: number) => !isNaN(p))
+                          : undefined;
+                        const autoDerivePorts = formData.autoDerivePorts !== false;
+                        const tags = formData.tags
+                          ? formData.tags.split(',').map((t: string) => t.trim()).filter(Boolean)
+                          : undefined;
+                        await appstate.remoteIngressStatePart.dispatchAction(
+                          appstate.createRemoteIngressAction,
+                          { name, listenPorts, autoDerivePorts, tags },
+                        );
+                        await modalArg.destroy();
+                      },
+                    },
+                  ],
+                });
+              },
+            },
+            {
+              name: 'Enable',
+              iconName: 'lucide:play',
+              type: ['inRow', 'contextmenu'] as any,
+              actionRelevancyCheckFunc: (actionData: any) => !actionData.item.enabled,
+              actionFunc: async (actionData: any) => {
+                const edge = actionData.item as interfaces.data.IRemoteIngress;
+                await appstate.remoteIngressStatePart.dispatchAction(
+                  appstate.toggleRemoteIngressAction,
+                  { id: edge.id, enabled: true },
+                );
+              },
+            },
+            {
+              name: 'Disable',
+              iconName: 'lucide:pause',
+              type: ['inRow', 'contextmenu'] as any,
+              actionRelevancyCheckFunc: (actionData: any) => actionData.item.enabled,
+              actionFunc: async (actionData: any) => {
+                const edge = actionData.item as interfaces.data.IRemoteIngress;
+                await appstate.remoteIngressStatePart.dispatchAction(
+                  appstate.toggleRemoteIngressAction,
+                  { id: edge.id, enabled: false },
+                );
+              },
+            },
+            {
+              name: 'Edit',
+              iconName: 'lucide:pencil',
+              type: ['inRow', 'contextmenu'] as any,
+              actionFunc: async (actionData: any) => {
+                const edge = actionData.item as interfaces.data.IRemoteIngress;
+                const { DeesModal } = await import('@design.estate/dees-catalog');
+                await DeesModal.createAndShow({
+                  heading: `Edit Edge: ${edge.name}`,
+                  content: html`
+                    <dees-form>
+                      <dees-input-text .key=${'name'} .label=${'Name'} .value=${edge.name}></dees-input-text>
+                      <dees-input-text .key=${'listenPorts'} .label=${'Manual Ports (comma-separated)'} .value=${(edge.listenPorts || []).join(', ')}></dees-input-text>
+                      <dees-input-checkbox .key=${'autoDerivePorts'} .label=${'Auto-derive ports from routes'} .value=${edge.autoDerivePorts !== false}></dees-input-checkbox>
+                      <dees-input-text .key=${'tags'} .label=${'Tags (comma-separated)'} .value=${(edge.tags || []).join(', ')}></dees-input-text>
+                    </dees-form>
+                  `,
+                  menuOptions: [
+                    {
+                      name: 'Cancel',
+                      iconName: 'lucide:x',
+                      action: async (modalArg: any) => await modalArg.destroy(),
+                    },
+                    {
+                      name: 'Save',
+                      iconName: 'lucide:check',
+                      action: async (modalArg: any) => {
+                        const form = modalArg.shadowRoot?.querySelector('.content')?.querySelector('dees-form');
+                        if (!form) return;
+                        const formData = await form.collectFormData();
+                        const portsStr = formData.listenPorts?.trim();
+                        const listenPorts = portsStr
+                          ? portsStr.split(',').map((p: string) => parseInt(p.trim(), 10)).filter((p: number) => !isNaN(p))
+                          : [];
+                        const autoDerivePorts = formData.autoDerivePorts !== false;
+                        const tags = formData.tags
+                          ? formData.tags.split(',').map((t: string) => t.trim()).filter(Boolean)
+                          : [];
+                        await appstate.remoteIngressStatePart.dispatchAction(
+                          appstate.updateRemoteIngressAction,
+                          {
+                            id: edge.id,
+                            name: formData.name || edge.name,
+                            listenPorts,
+                            autoDerivePorts,
+                            tags,
+                          },
+                        );
+                        await modalArg.destroy();
+                      },
+                    },
+                  ],
+                });
+              },
+            },
+            {
+              name: 'Regenerate Secret',
+              iconName: 'lucide:key',
+              type: ['inRow', 'contextmenu'] as any,
+              actionFunc: async (actionData: any) => {
+                const edge = actionData.item as interfaces.data.IRemoteIngress;
+                await appstate.remoteIngressStatePart.dispatchAction(
+                  appstate.regenerateRemoteIngressSecretAction,
+                  edge.id,
+                );
+              },
+            },
+            {
+              name: 'Copy Token',
+              iconName: 'lucide:ClipboardCopy',
+              type: ['inRow', 'contextmenu'] as any,
+              actionFunc: async (actionData: any) => {
+                const edge = actionData.item as interfaces.data.IRemoteIngress;
+                const { DeesToast } = await import('@design.estate/dees-catalog');
+                try {
+                  const response = await appstate.fetchConnectionToken(edge.id);
+                  if (response.success && response.token) {
+                    // Use clipboard API with fallback for non-HTTPS contexts
+                    if (navigator.clipboard && typeof navigator.clipboard.writeText === 'function') {
+                      await navigator.clipboard.writeText(response.token);
+                    } else {
+                      const textarea = document.createElement('textarea');
+                      textarea.value = response.token;
+                      textarea.style.position = 'fixed';
+                      textarea.style.opacity = '0';
+                      document.body.appendChild(textarea);
+                      textarea.select();
+                      document.execCommand('copy');
+                      document.body.removeChild(textarea);
+                    }
+                    DeesToast.show({ message: `Connection token copied for ${edge.name}`, type: 'success', duration: 3000 });
+                  } else {
+                    DeesToast.show({ message: response.message || 'Failed to get token', type: 'error', duration: 4000 });
+                  }
+                } catch (err) {
+                  DeesToast.show({ message: `Failed: ${err.message}`, type: 'error', duration: 4000 });
+                }
+              },
+            },
+            {
+              name: 'Delete',
+              iconName: 'lucide:trash2',
+              type: ['inRow', 'contextmenu'] as any,
+              actionFunc: async (actionData: any) => {
+                const edge = actionData.item as interfaces.data.IRemoteIngress;
+                await appstate.remoteIngressStatePart.dispatchAction(
+                  appstate.deleteRemoteIngressAction,
+                  edge.id,
+                );
+              },
+            },
+          ]}
+        ></dees-table>
+      </div>
+    `;
+  }
+
+  private getEdgeStatus(edgeId: string): interfaces.data.IRemoteIngressStatus | undefined {
+    return this.riState.statuses.find(s => s.edgeId === edgeId);
+  }
+
+  private getEdgeStatusHtml(edge: interfaces.data.IRemoteIngress): TemplateResult {
+    if (!edge.enabled) {
+      return html`<span class="statusBadge disabled">Disabled</span>`;
+    }
+    const status = this.getEdgeStatus(edge.id);
+    if (status?.connected) {
+      return html`<span class="statusBadge connected">Connected</span>`;
+    }
+    return html`<span class="statusBadge disconnected">Disconnected</span>`;
+  }
+
+  private getEdgePublicIp(edgeId: string): string {
+    const status = this.getEdgeStatus(edgeId);
+    return status?.publicIp || '-';
+  }
+
+  private getPortsHtml(edge: interfaces.data.IRemoteIngress): TemplateResult {
+    const manualPorts = edge.manualPorts || [];
+    const derivedPorts = edge.derivedPorts || [];
+    if (manualPorts.length === 0 && derivedPorts.length === 0) {
+      return html`<span style="color: var(--text-muted, #6b7280); font-size: 12px;">none</span>`;
+    }
+    return html`<div class="portsDisplay">${manualPorts.map(p => html`<span class="portBadge manual">${p}</span>`)}${derivedPorts.map(p => html`<span class="portBadge derived">${p}</span>`)}${derivedPorts.length > 0 ? html`<span style="font-size: 11px; color: var(--text-muted, #6b7280); align-self: center;">(auto)</span>` : ''}</div>`;
+  }
+
+  private getEdgeTunnelCount(edgeId: string): number {
+    const status = this.getEdgeStatus(edgeId);
+    return status?.activeTunnels || 0;
+  }
+
+  private getLastHeartbeat(edgeId: string): string {
+    const status = this.getEdgeStatus(edgeId);
+    if (!status?.lastHeartbeat) return '-';
+    const ago = Date.now() - status.lastHeartbeat;
+    if (ago < 60000) return `${Math.floor(ago / 1000)}s ago`;
+    if (ago < 3600000) return `${Math.floor(ago / 60000)}m ago`;
+    return `${Math.floor(ago / 3600000)}h ago`;
+  }
+}

ts_web/elements/ops-view-security.ts

@@ -256,7 +256,7 @@ export class OpsViewSecurity extends DeesElement {
         title: 'Threat Level',
         value: threatScore,
         type: 'gauge',
-        icon: 'shield',
+        icon: 'lucide:Shield',
         gaugeOptions: {
           min: 0,
           max: 100,
@@ -273,7 +273,7 @@ export class OpsViewSecurity extends DeesElement {
         title: 'Blocked Threats',
         value: metrics.blockedIPs.length + metrics.spamDetected,
         type: 'number',
-        icon: 'userShield',
+        icon: 'lucide:ShieldCheck',
         color: '#ef4444',
         description: 'Total threats blocked today',
       },
@@ -282,7 +282,7 @@ export class OpsViewSecurity extends DeesElement {
         title: 'Active Sessions',
         value: 0,
         type: 'number',
-        icon: 'users',
+        icon: 'lucide:Users',
         color: '#22c55e',
         description: 'Current authenticated sessions',
       },
@@ -291,7 +291,7 @@ export class OpsViewSecurity extends DeesElement {
         title: 'Auth Failures',
         value: metrics.authenticationFailures,
         type: 'number',
-        icon: 'lockOpen',
+        icon: 'lucide:LockOpen',
         color: metrics.authenticationFailures > 10 ? '#ef4444' : '#f59e0b',
         description: 'Failed login attempts today',
       },
@@ -355,7 +355,7 @@ export class OpsViewSecurity extends DeesElement {
         title: 'Authentication Failures',
         value: metrics.authenticationFailures,
         type: 'number',
-        icon: 'lockOpen',
+        icon: 'lucide:LockOpen',
         color: metrics.authenticationFailures > 10 ? '#ef4444' : '#f59e0b',
         description: 'Failed authentication attempts today',
       },
@@ -364,7 +364,7 @@ export class OpsViewSecurity extends DeesElement {
         title: 'Successful Logins',
         value: 0,
         type: 'number',
-        icon: 'lock',
+        icon: 'lucide:Lock',
         color: '#22c55e',
         description: 'Successful logins today',
       },
@@ -399,7 +399,7 @@ export class OpsViewSecurity extends DeesElement {
         title: 'Malware Detection',
         value: metrics.malwareDetected,
         type: 'number',
-        icon: 'virusSlash',
+        icon: 'lucide:BugOff',
         color: metrics.malwareDetected > 0 ? '#ef4444' : '#22c55e',
         description: 'Malware detected',
       },
@@ -408,7 +408,7 @@ export class OpsViewSecurity extends DeesElement {
         title: 'Phishing Detection',
         value: metrics.phishingDetected,
         type: 'number',
-        icon: 'fishFins',
+        icon: 'lucide:Fish',
         color: metrics.phishingDetected > 0 ? '#ef4444' : '#22c55e',
         description: 'Phishing attempts detected',
       },
@@ -417,7 +417,7 @@ export class OpsViewSecurity extends DeesElement {
         title: 'Suspicious Activities',
         value: metrics.suspiciousActivities,
         type: 'number',
-        icon: 'triangleExclamation',
+        icon: 'lucide:TriangleAlert',
         color: metrics.suspiciousActivities > 5 ? '#ef4444' : '#f59e0b',
         description: 'Suspicious activities detected',
       },
@@ -426,7 +426,7 @@ export class OpsViewSecurity extends DeesElement {
         title: 'Spam Detection',
         value: metrics.spamDetected,
         type: 'number',
-        icon: 'ban',
+        icon: 'lucide:Ban',
         color: '#f59e0b',
         description: 'Spam emails blocked',
       },

ts_web/readme.md

@@ -40,6 +40,15 @@ For reporting bugs, issues, or security vulnerabilities, please visit [community
 - Expiry date monitoring and alerts
 - Per-domain backoff status for failed provisions
 - One-click reprovisioning per domain
+- Certificate import, export, and deletion
+
+### 🌍 Remote Ingress Management
+- Edge node registration with name, ports, and tags
+- Real-time connection status (connected/disconnected/disabled)
+- Public IP and active tunnel count per edge
+- Auto-derived port display with manual/derived breakdown
+- **Connection token generation** — one-click "Copy Token" for easy edge provisioning
+- Enable/disable, edit, secret regeneration, and delete actions
 
 ### 📜 Log Viewer
 - Real-time log streaming
@@ -85,6 +94,7 @@ ts_web/
     ├── ops-view-network.ts   # Network monitoring
     ├── ops-view-emails.ts    # Email queue management
     ├── ops-view-certificates.ts  # Certificate overview & reprovisioning
+    ├── ops-view-remoteingress.ts # Remote ingress edge management
     ├── ops-view-logs.ts      # Log viewer
     ├── ops-view-config.ts    # Configuration display
     ├── ops-view-security.ts  # Security dashboard
@@ -106,6 +116,8 @@ The app uses `@push.rocks/smartstate` with multiple state parts:
 | `logStatePart` | Soft | Recent logs, streaming status, filters |
 | `networkStatePart` | Soft | Connections, IPs, throughput rates |
 | `emailOpsStatePart` | Soft | Email queues, bounces, suppression list |
+| `certificateStatePart` | Soft | Certificate list, summary, loading state |
+| `remoteIngressStatePart` | Soft | Edge list, statuses, new edge secret |
 
 ### Actions
 
@@ -128,6 +140,23 @@ fetchSecurityIncidentsAction()     // Security events
 fetchBounceRecordsAction()         // Bounce records
 resendEmailAction(emailId)         // Re-queue failed email
 removeFromSuppressionAction(email) // Remove from suppression list
+
+// Certificates
+fetchCertificateOverviewAction()   // All certificates with summary
+reprovisionCertificateAction(domain) // Reprovision a certificate
+deleteCertificateAction(domain)    // Delete a certificate
+importCertificateAction(cert)      // Import a certificate
+fetchCertificateExport(domain)     // Export (standalone function)
+
+// Remote Ingress
+fetchRemoteIngressAction()         // Edges + statuses
+createRemoteIngressAction(data)    // Create new edge
+updateRemoteIngressAction(data)    // Update edge settings
+deleteRemoteIngressAction(id)      // Remove edge
+regenerateRemoteIngressSecretAction(id) // New secret
+toggleRemoteIngressAction(id, enabled)  // Enable/disable
+clearNewEdgeSecretAction()         // Dismiss secret banner
+fetchConnectionToken(edgeId)       // Get connection token (standalone function)
 ```
 
 ### Client-Side Routing
@@ -141,6 +170,7 @@ removeFromSuppressionAction(email) // Remove from suppression list
   /emails/failed    → Failed emails
   /emails/security  → Security incidents
 /certificates    → Certificate management
+/remoteingress   → Remote ingress edge management
 /logs            → Log viewer
 /configuration   → System configuration
 /security        → Security dashboard

ts_web/router.ts

@@ -3,7 +3,7 @@ import * as appstate from './appstate.js';
 
 const SmartRouter = plugins.domtools.plugins.smartrouter.SmartRouter;
 
-export const validViews = ['overview', 'network', 'emails', 'logs', 'configuration', 'security', 'certificates'] as const;
+export const validViews = ['overview', 'network', 'emails', 'logs', 'configuration', 'security', 'certificates', 'remoteingress'] as const;
 export const validEmailFolders = ['queued', 'sent', 'failed', 'security'] as const;
 
 export type TValidView = typeof validViews[number];