v10.1.9

.playwright-mcp/console-2026-02-23T12-47-06-007Z.log

@@ -0,0 +1,31 @@
+[      75ms] TypeError: Cannot read properties of null (reading 'appendChild')
+    at TypedserverStatusPill.show (http://localhost:3000/typedserver/devtools:17607:21)
+    at TypedserverStatusPill.updateStatus (http://localhost:3000/typedserver/devtools:17567:10)
+    at ReloadChecker.checkReload (http://localhost:3000/typedserver/devtools:18137:23)
+    at async ReloadChecker.start (http://localhost:3000/typedserver/devtools:18224:9)
+[     763ms] [ERROR] Error while trying to use the following icon from the Manifest: http://localhost:3000/assetbroker/manifest/icon-144x144.png (Download error or resource isn't a valid image) @ http://localhost:3000/overview:0
+[   22315ms] [ERROR] Error rendering Lucide icon: Error: Could not create element for MagnifyingGlass
+    at N.updated (http://localhost:3000/bundle.js:1204:736)
+    at N._$AE (http://localhost:3000/bundle.js:1:9837)
+    at N.performUpdate (http://localhost:3000/bundle.js:1:9701)
+    at N.scheduleUpdate (http://localhost:3000/bundle.js:1:9170)
+    at N._$EP (http://localhost:3000/bundle.js:1:9078) @ http://localhost:3000/bundle.js:1203
+[   22315ms] [WARNING] Lucide icon 'MagnifyingGlass' not found in lucideIcons object @ http://localhost:3000/bundle.js:1174
+[   22316ms] [ERROR] Error rendering Lucide icon: Error: Could not create element for MagnifyingGlass
+    at N.updated (http://localhost:3000/bundle.js:1204:736)
+    at N._$AE (http://localhost:3000/bundle.js:1:9837)
+    at N.performUpdate (http://localhost:3000/bundle.js:1:9701)
+    at N.scheduleUpdate (http://localhost:3000/bundle.js:1:9170)
+    at N._$EP (http://localhost:3000/bundle.js:1:9078) @ http://localhost:3000/bundle.js:1203
+[   22316ms] [WARNING] Lucide icon 'MagnifyingGlass' not found in lucideIcons object @ http://localhost:3000/bundle.js:1174
+[   22321ms] [ERROR] method: >>listApiTokens<< got an ERROR: "admin access required" with data undefined @ http://localhost:3000/bundle.js:13
+[   22322ms] [ERROR] Error rendering Lucide icon: Error: Could not create element for MagnifyingGlass
+    at N.updated (http://localhost:3000/bundle.js:1204:736)
+    at N._$AE (http://localhost:3000/bundle.js:1:9837)
+    at N.performUpdate (http://localhost:3000/bundle.js:1:9701)
+    at N.scheduleUpdate (http://localhost:3000/bundle.js:1:9170)
+    at N._$EP (http://localhost:3000/bundle.js:1:9078) @ http://localhost:3000/bundle.js:1203
+[   22322ms] [WARNING] Lucide icon 'MagnifyingGlass' not found in lucideIcons object @ http://localhost:3000/bundle.js:1174
+[   22322ms] [ERROR] method: >>listApiTokens<< got an ERROR: "admin access required" with data undefined @ http://localhost:3000/bundle.js:13
+[   65371ms] [ERROR] method: >>createApiToken<< got an ERROR: "admin access required" with data undefined @ http://localhost:3000/bundle.js:13
+[   65371ms] [ERROR] Failed to create token: zs @ http://localhost:3000/bundle.js:38142

.playwright-mcp/console-2026-02-23T12-48-31-563Z.log

@@ -0,0 +1,25 @@
+[     642ms] [ERROR] Error while trying to use the following icon from the Manifest: http://localhost:3000/assetbroker/manifest/icon-144x144.png (Download error or resource isn't a valid image) @ http://localhost:3000/overview:0
+[  114916ms] [ERROR] Error while trying to use the following icon from the Manifest: http://localhost:3000/assetbroker/manifest/icon-144x144.png (Download error or resource isn't a valid image) @ http://localhost:3000/overview:0
+[  179731ms] [ERROR] Error rendering Lucide icon: Error: Could not create element for MagnifyingGlass
+    at N.updated (http://localhost:3000/bundle.js:1204:736)
+    at N._$AE (http://localhost:3000/bundle.js:1:9837)
+    at N.performUpdate (http://localhost:3000/bundle.js:1:9701)
+    at N.scheduleUpdate (http://localhost:3000/bundle.js:1:9170)
+    at N._$EP (http://localhost:3000/bundle.js:1:9078) @ http://localhost:3000/bundle.js:1203
+[  179731ms] [WARNING] Lucide icon 'MagnifyingGlass' not found in lucideIcons object @ http://localhost:3000/bundle.js:1174
+[  179731ms] [ERROR] Error rendering Lucide icon: Error: Could not create element for MagnifyingGlass
+    at N.updated (http://localhost:3000/bundle.js:1204:736)
+    at N._$AE (http://localhost:3000/bundle.js:1:9837)
+    at N.performUpdate (http://localhost:3000/bundle.js:1:9701)
+    at N.scheduleUpdate (http://localhost:3000/bundle.js:1:9170)
+    at N._$EP (http://localhost:3000/bundle.js:1:9078) @ http://localhost:3000/bundle.js:1203
+[  179732ms] [WARNING] Lucide icon 'MagnifyingGlass' not found in lucideIcons object @ http://localhost:3000/bundle.js:1174
+[  179737ms] [ERROR] method: >>listApiTokens<< got an ERROR: "admin access required" with data undefined @ http://localhost:3000/bundle.js:13
+[  179738ms] [ERROR] Error rendering Lucide icon: Error: Could not create element for MagnifyingGlass
+    at N.updated (http://localhost:3000/bundle.js:1204:736)
+    at N._$AE (http://localhost:3000/bundle.js:1:9837)
+    at N.performUpdate (http://localhost:3000/bundle.js:1:9701)
+    at N.scheduleUpdate (http://localhost:3000/bundle.js:1:9170)
+    at N._$EP (http://localhost:3000/bundle.js:1:9078) @ http://localhost:3000/bundle.js:1203
+[  179738ms] [WARNING] Lucide icon 'MagnifyingGlass' not found in lucideIcons object @ http://localhost:3000/bundle.js:1174
+[  179738ms] [ERROR] method: >>listApiTokens<< got an ERROR: "admin access required" with data undefined @ http://localhost:3000/bundle.js:13

.playwright-mcp/console-2026-02-23T12-53-33-702Z.log

@@ -0,0 +1 @@
+[     603ms] [ERROR] Error while trying to use the following icon from the Manifest: http://localhost:3000/assetbroker/manifest/icon-144x144.png (Download error or resource isn't a valid image) @ http://localhost:3000/overview:0

.playwright-mcp/console-2026-02-23T12-55-40-311Z.log

@@ -0,0 +1,24 @@
+[     308ms] [ERROR] Error rendering Lucide icon: Error: Could not create element for MagnifyingGlass
+    at N.updated (http://localhost:3000/bundle.js:1204:736)
+    at N._$AE (http://localhost:3000/bundle.js:1:9837)
+    at N.performUpdate (http://localhost:3000/bundle.js:1:9701)
+    at N.scheduleUpdate (http://localhost:3000/bundle.js:1:9170)
+    at N._$EP (http://localhost:3000/bundle.js:1:9078) @ http://localhost:3000/bundle.js:1203
+[     309ms] [WARNING] Lucide icon 'MagnifyingGlass' not found in lucideIcons object @ http://localhost:3000/bundle.js:1174
+[     309ms] [ERROR] Error rendering Lucide icon: Error: Could not create element for MagnifyingGlass
+    at N.updated (http://localhost:3000/bundle.js:1204:736)
+    at N._$AE (http://localhost:3000/bundle.js:1:9837)
+    at N.performUpdate (http://localhost:3000/bundle.js:1:9701)
+    at N.scheduleUpdate (http://localhost:3000/bundle.js:1:9170)
+    at N._$EP (http://localhost:3000/bundle.js:1:9078) @ http://localhost:3000/bundle.js:1203
+[     310ms] [WARNING] Lucide icon 'MagnifyingGlass' not found in lucideIcons object @ http://localhost:3000/bundle.js:1174
+[     349ms] [ERROR] method: >>listApiTokens<< got an ERROR: "admin access required" with data undefined @ http://localhost:3000/bundle.js:13
+[     350ms] [ERROR] Error rendering Lucide icon: Error: Could not create element for MagnifyingGlass
+    at N.updated (http://localhost:3000/bundle.js:1204:736)
+    at N._$AE (http://localhost:3000/bundle.js:1:9837)
+    at N.performUpdate (http://localhost:3000/bundle.js:1:9701)
+    at N.scheduleUpdate (http://localhost:3000/bundle.js:1:9170)
+    at N._$EP (http://localhost:3000/bundle.js:1:9078) @ http://localhost:3000/bundle.js:1203
+[     350ms] [WARNING] Lucide icon 'MagnifyingGlass' not found in lucideIcons object @ http://localhost:3000/bundle.js:1174
+[     351ms] [ERROR] method: >>listApiTokens<< got an ERROR: "admin access required" with data undefined @ http://localhost:3000/bundle.js:13
+[     500ms] [ERROR] Error while trying to use the following icon from the Manifest: http://localhost:3000/assetbroker/manifest/icon-144x144.png (Download error or resource isn't a valid image) @ http://localhost:3000/apitokens:0

.playwright-mcp/console-2026-02-23T12-57-47-953Z.log

@@ -0,0 +1,30 @@
+[     427ms] [ERROR] Error while trying to use the following icon from the Manifest: http://localhost:3000/assetbroker/manifest/icon-144x144.png (Download error or resource isn't a valid image) @ http://localhost:3000/overview:0
+[   44124ms] [WARNING] FontAwesome icon not found: circle-check @ http://localhost:3000/bundle.js:1203
+[   59106ms] [ERROR] Error rendering Lucide icon: Error: Could not create element for MagnifyingGlass
+    at N.updated (http://localhost:3000/bundle.js:1204:736)
+    at N._$AE (http://localhost:3000/bundle.js:1:9837)
+    at N.performUpdate (http://localhost:3000/bundle.js:1:9701)
+    at N.scheduleUpdate (http://localhost:3000/bundle.js:1:9170)
+    at N._$EP (http://localhost:3000/bundle.js:1:9078) @ http://localhost:3000/bundle.js:1203
+[   59106ms] [WARNING] Lucide icon 'MagnifyingGlass' not found in lucideIcons object @ http://localhost:3000/bundle.js:1174
+[   59107ms] [ERROR] Error rendering Lucide icon: Error: Could not create element for MagnifyingGlass
+    at N.updated (http://localhost:3000/bundle.js:1204:736)
+    at N._$AE (http://localhost:3000/bundle.js:1:9837)
+    at N.performUpdate (http://localhost:3000/bundle.js:1:9701)
+    at N.scheduleUpdate (http://localhost:3000/bundle.js:1:9170)
+    at N._$EP (http://localhost:3000/bundle.js:1:9078) @ http://localhost:3000/bundle.js:1203
+[   59107ms] [WARNING] Lucide icon 'MagnifyingGlass' not found in lucideIcons object @ http://localhost:3000/bundle.js:1174
+[   59116ms] [ERROR] Error rendering Lucide icon: Error: Could not create element for MagnifyingGlass
+    at N.updated (http://localhost:3000/bundle.js:1204:736)
+    at N._$AE (http://localhost:3000/bundle.js:1:9837)
+    at N.performUpdate (http://localhost:3000/bundle.js:1:9701)
+    at N.scheduleUpdate (http://localhost:3000/bundle.js:1:9170)
+    at N._$EP (http://localhost:3000/bundle.js:1:9078) @ http://localhost:3000/bundle.js:1203
+[   59116ms] [WARNING] Lucide icon 'MagnifyingGlass' not found in lucideIcons object @ http://localhost:3000/bundle.js:1174
+[   89192ms] [ERROR] Error rendering Lucide icon: Error: Could not create element for MagnifyingGlass
+    at N.updated (http://localhost:3000/bundle.js:1204:736)
+    at N._$AE (http://localhost:3000/bundle.js:1:9837)
+    at N.performUpdate (http://localhost:3000/bundle.js:1:9701)
+    at N.scheduleUpdate (http://localhost:3000/bundle.js:1:9170)
+    at N._$EP (http://localhost:3000/bundle.js:1:9078) @ http://localhost:3000/bundle.js:1203
+[   89192ms] [WARNING] Lucide icon 'MagnifyingGlass' not found in lucideIcons object @ http://localhost:3000/bundle.js:1174

.playwright-mcp/console-2026-03-02T19-29-32-708Z.log

@@ -0,0 +1,6 @@
+[      95ms] TypeError: Cannot read properties of null (reading 'appendChild')
+    at TypedserverStatusPill.show (http://localhost:3000/typedserver/devtools:17607:21)
+    at TypedserverStatusPill.updateStatus (http://localhost:3000/typedserver/devtools:17567:10)
+    at ReloadChecker.checkReload (http://localhost:3000/typedserver/devtools:18137:23)
+    at async ReloadChecker.start (http://localhost:3000/typedserver/devtools:18224:9)
+[     992ms] [ERROR] Error while trying to use the following icon from the Manifest: http://localhost:3000/assetbroker/manifest/icon-144x144.png (Download error or resource isn't a valid image) @ http://localhost:3000/overview:0

.playwright-mcp/console-2026-03-02T19-30-09-759Z.log

@@ -0,0 +1,5 @@
+[     329ms] [ERROR] method: >>getMergedRoutes<< got an ERROR: "unauthorized" with data undefined @ http://localhost:3000/bundle.js:13
+[     727ms] [ERROR] Error while trying to use the following icon from the Manifest: http://localhost:3000/assetbroker/manifest/icon-144x144.png (Download error or resource isn't a valid image) @ http://localhost:3000/routes:0
+[  260513ms] [ERROR] method: >>adminLoginWithUsernameAndPassword<< got an ERROR: "login failed" with data undefined @ http://localhost:3000/bundle.js:13
+[  260514ms] [ERROR] Login failed: Ns @ http://localhost:3000/bundle.js:38066
+[  260518ms] [WARNING] FontAwesome icon not found: circle-xmark @ http://localhost:3000/bundle.js:1203

.playwright-mcp/console-2026-03-02T19-34-55-496Z.log

@@ -0,0 +1,3 @@
+[     397ms] [ERROR] method: >>getMergedRoutes<< got an ERROR: "unauthorized" with data undefined @ http://localhost:3000/bundle.js:13
+[     657ms] [ERROR] Error while trying to use the following icon from the Manifest: http://localhost:3000/assetbroker/manifest/icon-144x144.png (Download error or resource isn't a valid image) @ http://localhost:3000/routes:0
+[   24180ms] [WARNING] FontAwesome icon not found: circle-check @ http://localhost:3000/bundle.js:1203

changelog.md

@@ -1,5 +1,195 @@
 # Changelog
 
+## 2026-03-03 - 10.1.9 - fix(deps)
+bump @push.rocks/smartproxy to ^25.9.1
+
+- Updated package.json dependency @push.rocks/smartproxy from ^25.9.0 to ^25.9.1
+- No other code changes; current package version is 10.1.8, recommend a patch release
+
+## 2026-03-03 - 10.1.8 - fix(deps)
+bump dependencies: @push.rocks/smartmetrics to ^3.0.2, @push.rocks/smartproxy to ^25.9.0, @serve.zone/remoteingress to ^4.4.0
+
+- @push.rocks/smartmetrics: 3.0.1 -> 3.0.2 (patch)
+- @push.rocks/smartproxy: 25.8.5 -> 25.9.0 (minor)
+- @serve.zone/remoteingress: 4.3.0 -> 4.4.0 (minor)
+
+## 2026-03-03 - 10.1.7 - fix(ops-view-apitokens)
+use correct lucide icon name for roll/rotate actions in API tokens view
+
+- Updated iconName from 'lucide:rotate-cw' to 'lucide:rotateCw' in ts_web/elements/ops-view-apitokens.ts (two occurrences) to match lucide icon naming and ensure icons render correctly
+- Non-functional UI fix; no API or behavior changes
+
+## 2026-03-02 - 10.1.6 - fix(ts_web)
+use actionContext for dispatches in web state actions and bump @push.rocks/smartstate to ^2.2.0
+
+- Action handlers in ts_web/appstate.ts now accept an actionContext parameter and call await actionContext.dispatch(...) instead of using statePartArg.dispatchAction(...).
+- Handlers return the awaited dispatch result (ensuring callers receive refreshed state) instead of returning the previous statePartArg.getState().
+- Dependency bumped in package.json: @push.rocks/smartstate from ^2.1.1 to ^2.2.0.
+- Playwright artifacts (logs and page screenshots) were added under .playwright-mcp.
+
+## 2026-03-02 - 10.1.5 - fix(monitoring)
+use a per-second ring buffer for DNS query metrics, improve DNS logging rate limiting and security event aggregation, and bump smartmta dependency
+
+- Replace unbounded query timestamp array with a fixed-size per-second Int32Array ring buffer (300s) to calculate queries-per-second with O(1) updates and bounded memory
+- Add incrementQueryRing and getQueryRingSum helpers to correctly zero stale slots and sum recent seconds
+- Change metrics cache interval from 200ms to 1000ms to better match dashboard polling and reduce update frequency
+- Refactor DNS adaptive logging to use per-second counters (dnsLogWindowSecond / dnsLogWindowCount) instead of timestamp arrays to avoid per-query array filtering and improve rate limiting accuracy; reset counters on flush
+- Security logger: avoid mutating source when sorting/filtering, and implement single-pass aggregation with optional time-window filtering for byLevel/byType/top lists
+- Bump dependency @push.rocks/smartmta from ^5.3.0 to ^5.3.1
+
+## 2026-03-02 - 10.1.4 - fix(no-changes)
+no changes detected; no version bump required
+
+- package version is 10.1.3
+- git diff contains no changes
+
+## 2026-03-02 - 10.1.3 - fix(deps)
+bump @api.global/typedrequest to ^3.2.7
+
+- Updated @api.global/typedrequest from ^3.2.6 to ^3.2.7 in package.json
+- Dependency patch bump only — no source code changes detected
+- Current package version 10.1.2 -> recommended next version 10.1.3 (patch)
+
+## 2026-03-01 - 10.1.2 - fix(core)
+improve shutdown cleanup, socket/stream robustness, and memory/cache handling
+
+- Reset security singletons and CacheDb on shutdown to allow GC (SecurityLogger, ContentScanner, IPReputationChecker, CacheDb).
+- Add DNS socket 'error' handler and only destroy socket when not already destroyed to avoid uncaught exceptions.
+- Move pruning of dnsMetrics.queryTimestamps to a periodic interval to avoid O(n) work on every query.
+- Debounce IPReputationChecker cache saves (save timer + reset on instance reset) to reduce IO and prevent duplicate saves.
+- Fix virtualStream send timeout handling by keeping/clearing a timeout handle to avoid leaks and hung promises.
+- Add memory store eviction in StorageManager to cap entries (MAX_MEMORY_ENTRIES) and evict oldest entries when exceeded.
+- Add terminal-ready timeout in ops-view-logs to avoid blocking UI initialization if xterm CDN fails to initialize.
+- Bump dev dependency @types/node and push.rocks/smartstate versions.
+
+## 2026-02-27 - 10.1.1 - fix(ops-view-apitokens)
+replace lucide:refresh-cw with lucide:rotate-cw for Roll action icon
+
+- Updated ts_web/elements/ops-view-apitokens.ts: changed iconName in two locations to 'lucide:rotate-cw' for the Roll/Roll Token actions.
+- UI-only change — no functional or API behavior modified.
+- Current package version is 10.1.0; recommended patch bump to 10.1.1. 
+
+## 2026-02-27 - 10.1.0 - feat(api-tokens)
+add ability to roll (regenerate) API token secrets and UI to display the newly generated token once
+
+- Server: added ApiTokenManager.rollToken(id) to regenerate a token secret, update its hash, persist it and log the action.
+- Server: added opsserver handler 'rollApiToken' which requires admin identity and returns the new raw token value (shown once) or error messages.
+- API: added typed request interface IReq_RollApiToken for the rollApiToken RPC.
+- Web: added appstate.rollApiToken wrapper to call the new typed request.
+- UI: ops-view-apitokens updated with a 'Roll' action and a modal flow to confirm rolling, call the API, refresh token list, and present the new token value to copy (token value is shown only once).
+- Security: operation is admin-only and the raw token is returned only once after rolling.
+
+## 2026-02-27 - 10.0.0 - BREAKING CHANGE(remote-ingress)
+replace tlsConfigured boolean with tlsMode ('custom' | 'acme' | 'self-signed') and compute TLS mode server-side
+
+- Server: compute remoteIngress.tlsMode = 'custom' when custom certPath/keyPath provided; else attempt to detect ACME by checking stored certs for hubDomain; default to 'self-signed' as fallback.
+- API: replaced remoteIngress.tlsConfigured:boolean with tlsMode:'custom'|'acme'|'self-signed' — this is a breaking change for consumers of the config API.
+- UI: ops view updated to display TLS Mode as a badge instead of a boolean "TLS Configured" field.
+- Action required: update clients and integrations to read remoteIngress.tlsMode instead of tlsConfigured.
+
+## 2026-02-26 - 9.3.0 - feat(remoteingress)
+add TLS certificate resolution and passthrough for RemoteIngress tunnel
+
+- Resolve TLS certs for the RemoteIngress tunnel with priority: explicit certPath/keyPath files → stored ACME cert for hubDomain → fallback to self-signed
+- Expose tls option on ITunnelManagerConfig and forward certPem/keyPem into hub.start so the hub can use the provided TLS materials
+- Add logging for cert selection and file read failures
+- Bump dependency @serve.zone/remoteingress from ^4.2.0 to ^4.3.0
+
+## 2026-02-26 - 9.2.0 - feat(remoteingress)
+expose connected edge IPs and detected public IP; resolve proxy IPs from SmartProxy and improve ops UI
+
+- Add detectedPublicIp to DC Router and populate it when a configured or auto-discovered public IP is chosen
+- Use dcRouter.detectedPublicIp as a fallback for system.publicIp in the config handler
+- Resolve proxy IPs from SmartProxy runtime settings when opts.proxyIps is not provided
+- TunnelManager: capture peerAddr on edgeConnected and from Rust heartbeats, store per-edge publicIp, and add getConnectedEdgeIps()
+- Expose connectedEdgeIps in the config API and return it in remoteIngress config
+- Ops UI: show Connected Edge IPs, annotate 127.0.0.1 proxy IP as 'Remote Ingress' when applicable, and refresh remote ingress data during combined refresh when viewing remoteingress
+- Bump dependency @serve.zone/remoteingress to ^4.2.0
+
+## 2026-02-26 - 9.1.10 - fix(deps)
+bump @push.rocks/smartproxy to ^25.8.5
+
+- package.json: @push.rocks/smartproxy version updated from ^25.8.4 to ^25.8.5
+- No other files changed
+
+## 2026-02-26 - 9.1.9 - fix(deps(smartmta))
+bump @push.rocks/smartmta to ^5.3.0
+
+- Updated @push.rocks/smartmta from ^5.2.6 to ^5.3.0 in package.json
+- Patch release recommended (no source code changes)
+
+## 2026-02-26 - 9.1.8 - fix(deps)
+bump @serve.zone/remoteingress to ^4.1.0
+
+- Updated dependency @serve.zone/remoteingress from ^4.0.1 to ^4.1.0 in package.json
+- Non-breaking dependency update; recommend patch version bump
+
+## 2026-02-26 - 9.1.7 - fix(dcrouter)
+bump @push.rocks/smartproxy to ^25.8.4 and remove custom smartProxy timeout/connection lifetime settings from dcrouter
+
+- Bumped dependency @push.rocks/smartproxy from ^25.8.3 to ^25.8.4 in package.json
+- Removed explicit smartProxy options: socketTimeout, inactivityTimeout, keepAliveInactivityMultiplier, extendedKeepAliveLifetime, and maxConnectionLifetime from ts/classes.dcrouter.ts
+
+## 2026-02-26 - 9.1.6 - fix(cleanup)
+prevent event listener and log stream leaks, tighten smartProxy connection timeouts, and improve graceful shutdown behavior
+
+- Tightened smartProxy connection timeouts and lifetimes (5m socketTimeout, 10m inactivityTimeout, keep-alive multiplier, 1h extendedKeepAliveLifetime, 4h maxConnectionLifetime).
+- Remove event listeners before stopping services to avoid leaks (smartProxy, emailServer, dnsServer, remote ingress hub).
+- OpsServer.stop now invokes logsHandler.cleanup to tear down active log streams and avoid duplicate push destinations.
+- LogsHandler rewritten to use a module-level singleton push destination, track active stream stop callbacks, add cleanup(), guard against hung VirtualStream.sendData with a 10s timeout, and ensure intervals are cleared on stop.
+- updateSmartProxyConfig removes listeners on the old instance before stopping it.
+- Dependency bumps: @api.global/typedsocket ^4.1.2, @push.rocks/smartdata ^7.1.0, @push.rocks/smartmta ^5.2.6, @push.rocks/smartproxy ^25.8.3.
+
+## 2026-02-26 - 9.1.5 - fix(remoteingress)
+Reconcile tunnel manager edge statuses with authoritative Rust hub periodically; update active tunnel counts and heartbeats, add missed edges, remove stale entries, and clear reconcile interval on stop
+
+- Add reconcile() to sync TS-side edgeStatuses with hub.getStatus and overwrite activeTunnels with the authoritative activeStreams.
+- Start a periodic reconcile (setInterval every 15s) and store the interval handle on the tunnel manager.
+- Clear the reconcile interval in stop() to avoid background timers; remove edgeStatuses entries that are no longer connected in Rust.
+- Bump dependency @serve.zone/remoteingress from ^4.0.0 to ^4.0.1.
+
+## 2026-02-25 - 9.1.4 - fix(deps)
+bump @push.rocks/smartproxy to ^25.8.1
+
+- Updated package.json dependency @push.rocks/smartproxy from ^25.8.0 to ^25.8.1
+
+## 2026-02-24 - 9.1.3 - fix(deps)
+bump @api.global/typedserver to ^8.4.0 and @push.rocks/smartproxy to ^25.8.0
+
+- Updated @api.global/typedserver from ^8.3.1 to ^8.4.0
+- Updated @push.rocks/smartproxy from ^25.7.9 to ^25.8.0
+
+## 2026-02-24 - 9.1.2 - fix(deps)
+bump dependency versions for build and runtime packages
+
+- @git.zone/tsbundle: ^2.8.3 -> ^2.9.0
+- @git.zone/tswatch: ^3.1.0 -> ^3.2.0
+- @api.global/typedserver: ^8.3.0 -> ^8.3.1
+- @design.estate/dees-catalog: ^3.43.2 -> ^3.43.3
+
+## 2026-02-23 - 9.1.1 - fix(dcrouter)
+no changes detected — no files modified, no release necessary
+
+- Git diff contained no changes
+- No files added, modified, or deleted
+
+## 2026-02-23 - 9.1.0 - feat(ops-dashboard)
+add lucide icons to Ops dashboard view tabs
+
+- Added iconName property to 10 view tabs in ts_web/elements/ops-dashboard.ts to enable icons in the UI
+- Icon mappings: Overview -> lucide:layoutDashboard, Configuration -> lucide:settings, Network -> lucide:network, Emails -> lucide:mail, Logs -> lucide:scrollText, Routes -> lucide:route, ApiTokens -> lucide:key, Security -> lucide:shield, Certificates -> lucide:badgeCheck, RemoteIngress -> lucide:globe
+- Improves visual clarity of dashboard navigation
+
+## 2026-02-23 - 9.0.0 - BREAKING CHANGE(opsserver)
+Return structured configuration (IConfigData) from opsserver and update UI to render detailed config sections
+
+- Introduce IConfigData interface with typed sections: system, smartProxy, email, dns, tls, cache, radius, remoteIngress.
+- Replace ConfigHandler.getConfiguration implementation to assemble and return IConfigData (changes API response shape for getConfiguration).
+- Refactor frontend: update appstate types and ops-view-config to render the new config sections, use @serve.zone/catalog IConfigField/IConfigSectionAction, add uptime formatting and remote ingress UI.
+- Fix ops-view-apitokens form handling to correctly read dees-input-tags values.
+- Update tests to expect new configuration fields.
+- Bump dependency @serve.zone/catalog to ^2.5.0.
+
 ## 2026-02-23 - 8.1.0 - feat(route-management)
 add programmatic route management API with API tokens and admin UI
 

package.json

@@ -1,7 +1,7 @@
 {
   "name": "@serve.zone/dcrouter",
   "private": false,
-  "version": "8.1.0",
+  "version": "10.1.9",
   "description": "A multifaceted routing service handling mail and SMS delivery functions.",
   "type": "module",
   "exports": {
@@ -20,44 +20,44 @@
   },
   "devDependencies": {
     "@git.zone/tsbuild": "^4.1.2",
-    "@git.zone/tsbundle": "^2.8.3",
+    "@git.zone/tsbundle": "^2.9.0",
     "@git.zone/tsrun": "^2.0.1",
     "@git.zone/tstest": "^3.1.8",
-    "@git.zone/tswatch": "^3.1.0",
-    "@types/node": "^25.3.0"
+    "@git.zone/tswatch": "^3.2.0",
+    "@types/node": "^25.3.3"
   },
   "dependencies": {
-    "@api.global/typedrequest": "^3.2.6",
+    "@api.global/typedrequest": "^3.2.7",
     "@api.global/typedrequest-interfaces": "^3.0.19",
-    "@api.global/typedserver": "^8.3.0",
-    "@api.global/typedsocket": "^4.1.0",
+    "@api.global/typedserver": "^8.4.0",
+    "@api.global/typedsocket": "^4.1.2",
     "@apiclient.xyz/cloudflare": "^7.1.0",
-    "@design.estate/dees-catalog": "^3.43.2",
+    "@design.estate/dees-catalog": "^3.43.3",
     "@design.estate/dees-element": "^2.1.6",
     "@push.rocks/projectinfo": "^5.0.2",
     "@push.rocks/qenv": "^6.1.3",
     "@push.rocks/smartacme": "^9.1.3",
-    "@push.rocks/smartdata": "^7.0.15",
+    "@push.rocks/smartdata": "^7.1.0",
     "@push.rocks/smartdns": "^7.9.0",
     "@push.rocks/smartfile": "^13.1.2",
     "@push.rocks/smartguard": "^3.1.0",
     "@push.rocks/smartjwt": "^2.2.1",
     "@push.rocks/smartlog": "^3.2.1",
-    "@push.rocks/smartmetrics": "^3.0.1",
+    "@push.rocks/smartmetrics": "^3.0.2",
     "@push.rocks/smartmongo": "^5.1.0",
-    "@push.rocks/smartmta": "^5.2.2",
+    "@push.rocks/smartmta": "^5.3.1",
     "@push.rocks/smartnetwork": "^4.4.0",
     "@push.rocks/smartpath": "^6.0.0",
     "@push.rocks/smartpromise": "^4.2.3",
-    "@push.rocks/smartproxy": "^25.7.9",
+    "@push.rocks/smartproxy": "^25.9.1",
     "@push.rocks/smartradius": "^1.1.1",
     "@push.rocks/smartrequest": "^5.0.1",
     "@push.rocks/smartrx": "^3.0.10",
-    "@push.rocks/smartstate": "^2.0.30",
+    "@push.rocks/smartstate": "^2.2.0",
     "@push.rocks/smartunique": "^3.0.9",
-    "@serve.zone/catalog": "^2.3.0",
+    "@serve.zone/catalog": "^2.5.0",
     "@serve.zone/interfaces": "^5.3.0",
-    "@serve.zone/remoteingress": "^4.0.0",
+    "@serve.zone/remoteingress": "^4.4.0",
     "@tsclass/tsclass": "^9.3.0",
     "lru-cache": "^11.2.6",
     "uuid": "^13.0.0"

test/test.opsserver-api.ts

@@ -55,10 +55,14 @@ tap.test('should respond to configuration request', async () => {
   const response = await configRequest.fire({});
   
   expect(response).toHaveProperty('config');
+  expect(response.config).toHaveProperty('system');
+  expect(response.config).toHaveProperty('smartProxy');
   expect(response.config).toHaveProperty('email');
   expect(response.config).toHaveProperty('dns');
-  expect(response.config).toHaveProperty('proxy');
-  expect(response.config).toHaveProperty('security');
+  expect(response.config).toHaveProperty('tls');
+  expect(response.config).toHaveProperty('cache');
+  expect(response.config).toHaveProperty('radius');
+  expect(response.config).toHaveProperty('remoteIngress');
 });
 
 tap.test('should handle log retrieval request', async () => {

test/test.protected-endpoint.ts

@@ -106,10 +106,14 @@ tap.test('should allow read-only config access', async () => {
   const response = await configRequest.fire({});
 
   expect(response).toHaveProperty('config');
+  expect(response.config).toHaveProperty('system');
+  expect(response.config).toHaveProperty('smartProxy');
   expect(response.config).toHaveProperty('email');
   expect(response.config).toHaveProperty('dns');
-  expect(response.config).toHaveProperty('proxy');
-  expect(response.config).toHaveProperty('security');
+  expect(response.config).toHaveProperty('tls');
+  expect(response.config).toHaveProperty('cache');
+  expect(response.config).toHaveProperty('radius');
+  expect(response.config).toHaveProperty('remoteIngress');
   console.log('Configuration read successfully');
 });
 

ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@serve.zone/dcrouter',
-  version: '8.1.0',
+  version: '10.1.9',
   description: 'A multifaceted routing service handling mail and SMS delivery functions.'
 }

ts/classes.dcrouter.ts

@@ -23,6 +23,7 @@ import { MetricsManager } from './monitoring/index.js';
 import { RadiusServer, type IRadiusServerConfig } from './radius/index.js';
 import { RemoteIngressManager, TunnelManager } from './remoteingress/index.js';
 import { RouteConfigManager, ApiTokenManager } from './config/index.js';
+import { SecurityLogger, ContentScanner, IPReputationChecker } from './security/index.js';
 
 export interface IDcRouterOptions {
   /** Base directory for all dcrouter data. Defaults to ~/.serve.zone/dcrouter */
@@ -217,8 +218,12 @@ export class DcRouter {
   public routeConfigManager?: RouteConfigManager;
   public apiTokenManager?: ApiTokenManager;
 
+  // Auto-discovered public IP (populated by generateAuthoritativeRecords)
+  public detectedPublicIp: string | null = null;
+
   // DNS query logging rate limiter state
-  private dnsLogWindow: number[] = [];
+  private dnsLogWindowSecond: number = 0; // epoch second of current window
+  private dnsLogWindowCount: number = 0;  // queries logged this second
   private dnsBatchCount: number = 0;
   private dnsBatchTimer: ReturnType<typeof setTimeout> | null = null;
 
@@ -897,12 +902,27 @@ export class DcRouter {
       }
       this.dnsBatchTimer = null;
       this.dnsBatchCount = 0;
-      this.dnsLogWindow = [];
+      this.dnsLogWindowSecond = 0;
+      this.dnsLogWindowCount = 0;
     }
 
     await this.opsServer.stop();
 
     try {
+      // Remove event listeners before stopping services to prevent leaks
+      if (this.smartProxy) {
+        this.smartProxy.removeAllListeners();
+      }
+      if (this.emailServer) {
+        if ((this.emailServer as any).deliverySystem) {
+          (this.emailServer as any).deliverySystem.removeAllListeners();
+        }
+        this.emailServer.removeAllListeners();
+      }
+      if (this.dnsServer) {
+        this.dnsServer.removeAllListeners();
+      }
+
       // Stop all services in parallel for faster shutdown
       await Promise.all([
         // Stop cache cleaner if running
@@ -939,6 +959,7 @@ export class DcRouter {
       // Stop cache database after other services (they may need it during shutdown)
       if (this.cacheDb) {
         await this.cacheDb.stop().catch(err => logger.log('error', 'Error stopping CacheDb', { error: String(err) }));
+        CacheDb.resetInstance();
       }
 
       // Clear backoff cache in cert scheduler
@@ -962,6 +983,11 @@ export class DcRouter {
       this.apiTokenManager = undefined;
       this.certificateStatusMap.clear();
 
+      // Reset security singletons to allow GC
+      SecurityLogger.resetInstance();
+      ContentScanner.resetInstance();
+      IPReputationChecker.resetInstance();
+
       logger.log('info', 'All DcRouter services stopped');
     } catch (error) {
       logger.log('error', 'Error during DcRouter shutdown', { error: String(error) });
@@ -976,10 +1002,11 @@ export class DcRouter {
   public async updateSmartProxyConfig(config: plugins.smartproxy.ISmartProxyOptions): Promise<void> {
     // Stop existing SmartProxy if running
     if (this.smartProxy) {
+      this.smartProxy.removeAllListeners();
       await this.smartProxy.stop();
       this.smartProxy = undefined;
     }
-    
+
     // Update configuration
     this.options.smartProxyConfig = config;
 
@@ -1103,6 +1130,11 @@ export class DcRouter {
     try {
       // Stop the unified email server which contains all components
       if (this.emailServer) {
+        // Remove listeners before stopping to prevent leaks on config update cycles
+        if ((this.emailServer as any).deliverySystem) {
+          (this.emailServer as any).deliverySystem.removeAllListeners();
+        }
+        this.emailServer.removeAllListeners();
         await this.emailServer.stop();
         logger.log('info', 'Unified email server stopped');
         this.emailServer = undefined;
@@ -1282,11 +1314,14 @@ export class DcRouter {
         }
 
         // Adaptive logging: individual logs up to 2/sec, then batch
-        const now = Date.now();
-        this.dnsLogWindow = this.dnsLogWindow.filter(t => now - t < 1000);
+        const nowSec = Math.floor(Date.now() / 1000);
+        if (nowSec !== this.dnsLogWindowSecond) {
+          this.dnsLogWindowSecond = nowSec;
+          this.dnsLogWindowCount = 0;
+        }
 
-        if (this.dnsLogWindow.length < 2) {
-          this.dnsLogWindow.push(now);
+        if (this.dnsLogWindowCount < 2) {
+          this.dnsLogWindowCount++;
           const summary = event.questions.map(q => `${q.type} ${q.name}`).join(', ');
           logger.log('info', `DNS query: ${summary} (${event.responseTimeMs}ms, ${event.answered ? 'answered' : 'unanswered'})`, { zone: 'dns' });
         } else {
@@ -1340,15 +1375,25 @@ export class DcRouter {
         return;
       }
       
+      // Prevent uncaught exception from socket 'error' events
+      socket.on('error', (err) => {
+        logger.log('error', `DNS socket error: ${err.message}`);
+        if (!socket.destroyed) {
+          socket.destroy();
+        }
+      });
+
       logger.log('debug', 'DNS socket handler: passing socket to DnsServer');
-      
+
       try {
         // Use the built-in socket handler from smartdns
         // This handles HTTP/2, DoH protocol, etc.
         await (this.dnsServer as any).handleHttpsSocket(socket);
       } catch (error) {
         logger.log('error', `DNS socket handler error: ${error.message}`);
-        socket.destroy();
+        if (!socket.destroyed) {
+          socket.destroy();
+        }
       }
     };
   }
@@ -1554,6 +1599,7 @@ export class DcRouter {
     } else if (this.options.publicIp) {
       // Use explicitly configured public IP
       publicIp = this.options.publicIp;
+      this.detectedPublicIp = publicIp;
       logger.log('info', `Using configured public IP for nameserver A records: ${publicIp}`);
     } else {
       // Auto-discover public IP using smartnetwork
@@ -1564,6 +1610,7 @@ export class DcRouter {
         
         if (publicIps.v4) {
           publicIp = publicIps.v4;
+          this.detectedPublicIp = publicIp;
           logger.log('info', `Auto-discovered public IPv4: ${publicIp}`);
         } else {
           logger.log('warn', 'Could not auto-discover public IPv4 address');
@@ -1689,10 +1736,42 @@ export class DcRouter {
     const currentRoutes = this.options.smartProxyConfig?.routes || [];
     this.remoteIngressManager.setRoutes(currentRoutes as any[]);
 
+    // Resolve TLS certs for tunnel: explicit paths > ACME for hubDomain > self-signed (Rust default)
+    const riCfg = this.options.remoteIngressConfig;
+    let tlsConfig: { certPem: string; keyPem: string } | undefined;
+
+    // Priority 1: Explicit cert/key file paths
+    if (riCfg.tls?.certPath && riCfg.tls?.keyPath) {
+      try {
+        const certPem = plugins.fs.readFileSync(riCfg.tls.certPath, 'utf8');
+        const keyPem = plugins.fs.readFileSync(riCfg.tls.keyPath, 'utf8');
+        tlsConfig = { certPem, keyPem };
+        logger.log('info', 'Using explicit TLS cert/key for RemoteIngress tunnel');
+      } catch (err) {
+        logger.log('warn', `Failed to read RemoteIngress TLS cert/key files: ${err.message}`);
+      }
+    }
+
+    // Priority 2: Existing cert from SmartProxy cert store for hubDomain
+    if (!tlsConfig && riCfg.hubDomain) {
+      try {
+        const stored = await this.storageManager.getJSON(`/proxy-certs/${riCfg.hubDomain}`);
+        if (stored?.publicKey && stored?.privateKey) {
+          tlsConfig = { certPem: stored.publicKey, keyPem: stored.privateKey };
+          logger.log('info', `Using stored ACME cert for RemoteIngress tunnel TLS: ${riCfg.hubDomain}`);
+        }
+      } catch { /* no stored cert, fall through */ }
+    }
+
+    if (!tlsConfig) {
+      logger.log('info', 'No TLS cert configured for RemoteIngress tunnel — using auto-generated self-signed');
+    }
+
     // Create and start the tunnel manager
     this.tunnelManager = new TunnelManager(this.remoteIngressManager, {
-      tunnelPort: this.options.remoteIngressConfig.tunnelPort ?? 8443,
+      tunnelPort: riCfg.tunnelPort ?? 8443,
       targetHost: '127.0.0.1',
+      tls: tlsConfig,
     });
     await this.tunnelManager.start();
 

ts/config/classes.api-token-manager.ts

@@ -122,6 +122,24 @@ export class ApiTokenManager {
     return true;
   }
 
+  /**
+   * Roll (regenerate) a token's secret while keeping its identity.
+   * Returns the new raw token value (shown once).
+   */
+  public async rollToken(id: string): Promise<{ id: string; rawToken: string } | null> {
+    const stored = this.tokens.get(id);
+    if (!stored) return null;
+
+    const randomBytes = plugins.crypto.randomBytes(32);
+    const rawPayload = `${id}:${randomBytes.toString('base64url')}`;
+    const rawToken = `${TOKEN_PREFIX_STR}${rawPayload}`;
+
+    stored.tokenHash = plugins.crypto.createHash('sha256').update(rawToken).digest('hex');
+    await this.persistToken(stored);
+    logger.log('info', `API token '${stored.name}' rolled (id: ${id})`);
+    return { id, rawToken };
+  }
+
   /**
    * Enable or disable a token.
    */

ts/monitoring/classes.metricsmanager.ts

@@ -35,7 +35,9 @@ export class MetricsManager {
     queryTypes: {} as Record<string, number>,
     topDomains: new Map<string, number>(),
     lastResetDate: new Date().toDateString(),
-    queryTimestamps: [] as number[], // Track query timestamps for rate calculation
+    // Per-second query count ring buffer (300 entries = 5 minutes)
+    queryRing: new Int32Array(300),
+    queryRingLastSecond: 0, // last epoch second that was written
     responseTimes: [] as number[], // Track response times in ms
     recentQueries: [] as Array<{ timestamp: number; domain: string; type: string; answered: boolean; responseTimeMs: number }>,
   };
@@ -95,12 +97,13 @@ export class MetricsManager {
         this.dnsMetrics.cacheMisses = 0;
         this.dnsMetrics.queryTypes = {};
         this.dnsMetrics.topDomains.clear();
-        this.dnsMetrics.queryTimestamps = [];
+        this.dnsMetrics.queryRing.fill(0);
+        this.dnsMetrics.queryRingLastSecond = 0;
         this.dnsMetrics.responseTimes = [];
         this.dnsMetrics.recentQueries = [];
         this.dnsMetrics.lastResetDate = currentDate;
       }
-      
+
       if (currentDate !== this.securityMetrics.lastResetDate) {
         this.securityMetrics.blockedIPs = 0;
         this.securityMetrics.authFailures = 0;
@@ -141,16 +144,16 @@ export class MetricsManager {
       const smartMetricsData = await this.smartMetrics.getMetrics();
       const proxyMetrics = this.dcRouter.smartProxy ? this.dcRouter.smartProxy.getMetrics() : null;
       const proxyStats = this.dcRouter.smartProxy ? await this.dcRouter.smartProxy.getStatistics() : null;
+      const { heapUsed, heapTotal, external, rss } = process.memoryUsage();
 
       return {
         uptime: process.uptime(),
         startTime: Date.now() - (process.uptime() * 1000),
         memoryUsage: {
-          heapUsed: process.memoryUsage().heapUsed,
-          heapTotal: process.memoryUsage().heapTotal,
-          external: process.memoryUsage().external,
-          rss: process.memoryUsage().rss,
-          // Add SmartMetrics memory data
+          heapUsed,
+          heapTotal,
+          external,
+          rss,
           maxMemoryMB: this.smartMetrics.maxMemoryMB,
           actualUsageBytes: smartMetricsData.memoryUsageBytes,
           actualUsagePercentage: smartMetricsData.memoryPercentage,
@@ -219,11 +222,8 @@ export class MetricsManager {
         .slice(0, 10)
         .map(([domain, count]) => ({ domain, count }));
       
-      // Calculate queries per second from recent timestamps
-      const now = Date.now();
-      const oneMinuteAgo = now - 60000;
-      const recentQueries = this.dnsMetrics.queryTimestamps.filter(ts => ts >= oneMinuteAgo);
-      const queriesPerSecond = recentQueries.length / 60;
+      // Calculate queries per second from ring buffer (sum last 60 seconds)
+      const queriesPerSecond = this.getQueryRingSum(60) / 60;
       
       // Calculate average response time
       const avgResponseTime = this.dnsMetrics.responseTimes.length > 0
@@ -427,12 +427,8 @@ export class MetricsManager {
       this.dnsMetrics.cacheMisses++;
     }
     
-    // Track query timestamp
-    this.dnsMetrics.queryTimestamps.push(Date.now());
-    
-    // Keep only timestamps from last 5 minutes
-    const fiveMinutesAgo = Date.now() - 300000;
-    this.dnsMetrics.queryTimestamps = this.dnsMetrics.queryTimestamps.filter(ts => ts >= fiveMinutesAgo);
+    // Increment per-second query counter in ring buffer
+    this.incrementQueryRing();
     
     // Track response time if provided
     if (responseTimeMs) {
@@ -604,7 +600,7 @@ export class MetricsManager {
         requestsPerSecond,
         requestsTotal,
       };
-    }, 200); // Use 200ms cache for more frequent updates
+    }, 1000); // 1s cache — matches typical dashboard poll interval
   }
 
   // --- Time-series helpers ---
@@ -633,6 +629,63 @@ export class MetricsManager {
     bucket.queries++;
   }
 
+  /**
+   * Increment the per-second query counter in the ring buffer.
+   * Zeros any stale slots between the last write and the current second.
+   */
+  private incrementQueryRing(): void {
+    const currentSecond = Math.floor(Date.now() / 1000);
+    const ring = this.dnsMetrics.queryRing;
+    const last = this.dnsMetrics.queryRingLastSecond;
+
+    if (last === 0) {
+      // First call — zero and anchor
+      ring.fill(0);
+      this.dnsMetrics.queryRingLastSecond = currentSecond;
+      ring[currentSecond % ring.length] = 1;
+      return;
+    }
+
+    const gap = currentSecond - last;
+    if (gap >= ring.length) {
+      // Entire ring is stale — clear all
+      ring.fill(0);
+    } else if (gap > 0) {
+      // Zero slots from (last+1) to currentSecond (inclusive)
+      for (let s = last + 1; s <= currentSecond; s++) {
+        ring[s % ring.length] = 0;
+      }
+    }
+
+    this.dnsMetrics.queryRingLastSecond = currentSecond;
+    ring[currentSecond % ring.length]++;
+  }
+
+  /**
+   * Sum query counts from the ring buffer for the last N seconds.
+   */
+  private getQueryRingSum(seconds: number): number {
+    const currentSecond = Math.floor(Date.now() / 1000);
+    const ring = this.dnsMetrics.queryRing;
+    const last = this.dnsMetrics.queryRingLastSecond;
+
+    if (last === 0) return 0;
+
+    // First, zero stale slots so reads are accurate even without writes
+    const gap = currentSecond - last;
+    if (gap >= ring.length) return 0; // all data is stale
+
+    let sum = 0;
+    const limit = Math.min(seconds, ring.length);
+    for (let i = 0; i < limit; i++) {
+      const sec = currentSecond - i;
+      if (sec < last - (ring.length - 1)) break; // slot is from older cycle
+      if (sec > last) continue; // no writes yet for this second
+      sum += ring[sec % ring.length];
+    }
+    return sum;
+  }
+
   private pruneOldBuckets(): void {
     const cutoff = Date.now() - 86400000; // 24h
     for (const key of this.emailMinuteBuckets.keys()) {

ts/opsserver/classes.opsserver.ts

@@ -70,6 +70,10 @@ export class OpsServer {
   }
 
   public async stop() {
+    // Clean up log handler streams and push destination before stopping the server
+    if (this.logsHandler) {
+      this.logsHandler.cleanup();
+    }
     if (this.server) {
       await this.server.stop();
     }

ts/opsserver/handlers/api-token.handler.ts

@@ -77,6 +77,25 @@ export class ApiTokenHandler {
       ),
     );
 
+    // Roll API token
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_RollApiToken>(
+        'rollApiToken',
+        async (dataArg) => {
+          await this.requireAdmin(dataArg.identity);
+          const manager = this.opsServerRef.dcRouterRef.apiTokenManager;
+          if (!manager) {
+            return { success: false, message: 'Token management not initialized' };
+          }
+          const result = await manager.rollToken(dataArg.id);
+          if (!result) {
+            return { success: false, message: 'Token not found' };
+          }
+          return { success: true, tokenValue: result.rawToken };
+        },
+      ),
+    );
+
     // Toggle API token
     this.typedrouter.addTypedHandler(
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_ToggleApiToken>(

ts/opsserver/handlers/config.handler.ts

@@ -1,4 +1,5 @@
 import * as plugins from '../../plugins.js';
+import * as paths from '../../paths.js';
 import type { OpsServer } from '../classes.opsserver.js';
 import * as interfaces from '../../../ts_interfaces/index.js';
 
@@ -17,7 +18,7 @@ export class ConfigHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetConfiguration>(
         'getConfiguration',
         async (dataArg, toolsArg) => {
-          const config = await this.getConfiguration(dataArg.section);
+          const config = await this.getConfiguration();
           return {
             config,
             section: dataArg.section,
@@ -26,83 +27,189 @@ export class ConfigHandler {
       )
     );
   }
-  
-  private async getConfiguration(section?: string): Promise<{
-    email: {
-      enabled: boolean;
-      ports: number[];
-      maxMessageSize: number;
-      rateLimits: {
-        perMinute: number;
-        perHour: number;
-        perDay: number;
-      };
-      domains?: string[];
-    };
-    dns: {
-      enabled: boolean;
-      port: number;
-      nameservers: string[];
-      caching: boolean;
-      ttl: number;
-    };
-    proxy: {
-      enabled: boolean;
-      httpPort: number;
-      httpsPort: number;
-      maxConnections: number;
-    };
-    security: {
-      blockList: string[];
-      rateLimit: boolean;
-      spamDetection: boolean;
-      tlsRequired: boolean;
-    };
-  }> {
+
+  private async getConfiguration(): Promise<interfaces.requests.IConfigData> {
     const dcRouter = this.opsServerRef.dcRouterRef;
-    
-    // Get email domains if email server is configured
+    const opts = dcRouter.options;
+    const resolvedPaths = dcRouter.resolvedPaths;
+
+    // --- System ---
+    const storageBackend: 'filesystem' | 'custom' | 'memory' = opts.storage?.readFunction
+      ? 'custom'
+      : opts.storage?.fsPath
+        ? 'filesystem'
+        : 'memory';
+
+    // Resolve proxy IPs: fall back to SmartProxy's runtime proxyIPs if not in opts
+    let proxyIps = opts.proxyIps || [];
+    if (proxyIps.length === 0 && dcRouter.smartProxy) {
+      const spSettings = (dcRouter.smartProxy as any).settings;
+      if (spSettings?.proxyIPs?.length > 0) {
+        proxyIps = spSettings.proxyIPs;
+      }
+    }
+
+    const system: interfaces.requests.IConfigData['system'] = {
+      baseDir: resolvedPaths.dcrouterHomeDir,
+      dataDir: resolvedPaths.dataDir,
+      publicIp: opts.publicIp || dcRouter.detectedPublicIp || null,
+      proxyIps,
+      uptime: Math.floor(process.uptime()),
+      storageBackend,
+      storagePath: opts.storage?.fsPath || null,
+    };
+
+    // --- SmartProxy ---
+    let acmeInfo: interfaces.requests.IConfigData['smartProxy']['acme'] = null;
+    if (opts.smartProxyConfig?.acme) {
+      const acme = opts.smartProxyConfig.acme;
+      acmeInfo = {
+        enabled: acme.enabled !== false,
+        accountEmail: acme.accountEmail || '',
+        useProduction: acme.useProduction !== false,
+        autoRenew: acme.autoRenew !== false,
+        renewThresholdDays: acme.renewThresholdDays || 30,
+      };
+    }
+
+    let routeCount = 0;
+    if (dcRouter.routeConfigManager) {
+      try {
+        const merged = await dcRouter.routeConfigManager.getMergedRoutes();
+        routeCount = merged.routes.length;
+      } catch {
+        routeCount = opts.smartProxyConfig?.routes?.length || 0;
+      }
+    } else if (opts.smartProxyConfig?.routes) {
+      routeCount = opts.smartProxyConfig.routes.length;
+    }
+
+    const smartProxy: interfaces.requests.IConfigData['smartProxy'] = {
+      enabled: !!dcRouter.smartProxy,
+      routeCount,
+      acme: acmeInfo,
+    };
+
+    // --- Email ---
     let emailDomains: string[] = [];
-    if (dcRouter.emailServer && dcRouter.emailServer.domainRegistry) {
-      emailDomains = dcRouter.emailServer.domainRegistry.getAllDomains();
-    } else if (dcRouter.options.emailConfig?.domains) {
-      // Fallback: get domains from email config options
-      emailDomains = dcRouter.options.emailConfig.domains.map(d => 
+    if (dcRouter.emailServer && (dcRouter.emailServer as any).domainRegistry) {
+      emailDomains = (dcRouter.emailServer as any).domainRegistry.getAllDomains();
+    } else if (opts.emailConfig?.domains) {
+      emailDomains = opts.emailConfig.domains.map((d: any) =>
         typeof d === 'string' ? d : d.domain
       );
     }
-    
+
+    let portMapping: Record<string, number> | null = null;
+    if (opts.emailPortConfig?.portMapping) {
+      portMapping = {};
+      for (const [ext, int] of Object.entries(opts.emailPortConfig.portMapping)) {
+        portMapping[String(ext)] = int as number;
+      }
+    }
+
+    const email: interfaces.requests.IConfigData['email'] = {
+      enabled: !!dcRouter.emailServer,
+      ports: opts.emailConfig?.ports || [],
+      portMapping,
+      hostname: opts.emailConfig?.hostname || null,
+      domains: emailDomains,
+      emailRouteCount: opts.emailConfig?.routes?.length || 0,
+      receivedEmailsPath: opts.emailPortConfig?.receivedEmailsPath || null,
+    };
+
+    // --- DNS ---
+    const dnsRecords = (opts.dnsRecords || []).map(r => ({
+      name: r.name,
+      type: r.type,
+      value: r.value,
+      ttl: r.ttl,
+    }));
+
+    const dns: interfaces.requests.IConfigData['dns'] = {
+      enabled: !!dcRouter.dnsServer,
+      port: 53,
+      nsDomains: opts.dnsNsDomains || [],
+      scopes: opts.dnsScopes || [],
+      recordCount: dnsRecords.length,
+      records: dnsRecords,
+      dnsChallenge: !!opts.dnsChallenge?.cloudflareApiKey,
+    };
+
+    // --- TLS ---
+    let tlsSource: 'acme' | 'static' | 'none' = 'none';
+    if (opts.tls?.certPath && opts.tls?.keyPath) {
+      tlsSource = 'static';
+    } else if (opts.smartProxyConfig?.acme?.enabled !== false && opts.smartProxyConfig?.acme) {
+      tlsSource = 'acme';
+    }
+
+    const tls: interfaces.requests.IConfigData['tls'] = {
+      contactEmail: opts.tls?.contactEmail || opts.smartProxyConfig?.acme?.accountEmail || null,
+      domain: opts.tls?.domain || null,
+      source: tlsSource,
+      certPath: opts.tls?.certPath || null,
+      keyPath: opts.tls?.keyPath || null,
+    };
+
+    // --- Cache ---
+    const cacheConfig = opts.cacheConfig;
+    const cache: interfaces.requests.IConfigData['cache'] = {
+      enabled: cacheConfig?.enabled !== false,
+      storagePath: cacheConfig?.storagePath || resolvedPaths.defaultTsmDbPath,
+      dbName: cacheConfig?.dbName || 'dcrouter',
+      defaultTTLDays: cacheConfig?.defaultTTLDays || 30,
+      cleanupIntervalHours: cacheConfig?.cleanupIntervalHours || 1,
+      ttlConfig: cacheConfig?.ttlConfig ? { ...cacheConfig.ttlConfig } as Record<string, number> : {},
+    };
+
+    // --- RADIUS ---
+    const radiusCfg = opts.radiusConfig;
+    const radius: interfaces.requests.IConfigData['radius'] = {
+      enabled: !!dcRouter.radiusServer,
+      authPort: radiusCfg?.authPort || null,
+      acctPort: radiusCfg?.acctPort || null,
+      bindAddress: radiusCfg?.bindAddress || null,
+      clientCount: radiusCfg?.clients?.length || 0,
+      vlanDefaultVlan: radiusCfg?.vlanAssignment?.defaultVlan ?? null,
+      vlanAllowUnknownMacs: radiusCfg?.vlanAssignment?.allowUnknownMacs ?? null,
+      vlanMappingCount: radiusCfg?.vlanAssignment?.mappings?.length || 0,
+    };
+
+    // --- Remote Ingress ---
+    const riCfg = opts.remoteIngressConfig;
+    const connectedEdgeIps = dcRouter.tunnelManager?.getConnectedEdgeIps() || [];
+
+    // Determine TLS mode: custom certs > ACME from cert store > self-signed fallback
+    let tlsMode: 'custom' | 'acme' | 'self-signed' = 'self-signed';
+    if (riCfg?.tls?.certPath && riCfg?.tls?.keyPath) {
+      tlsMode = 'custom';
+    } else if (riCfg?.hubDomain) {
+      try {
+        const stored = await dcRouter.storageManager.getJSON(`/proxy-certs/${riCfg.hubDomain}`);
+        if (stored?.publicKey && stored?.privateKey) {
+          tlsMode = 'acme';
+        }
+      } catch { /* no stored cert */ }
+    }
+
+    const remoteIngress: interfaces.requests.IConfigData['remoteIngress'] = {
+      enabled: !!dcRouter.remoteIngressManager,
+      tunnelPort: riCfg?.tunnelPort || null,
+      hubDomain: riCfg?.hubDomain || null,
+      tlsMode,
+      connectedEdgeIps,
+    };
+
     return {
-      email: {
-        enabled: !!dcRouter.emailServer,
-        ports: dcRouter.emailServer ? [25, 465, 587, 2525] : [],
-        maxMessageSize: 10 * 1024 * 1024, // 10MB default
-        rateLimits: {
-          perMinute: 10,
-          perHour: 100,
-          perDay: 1000,
-        },
-        domains: emailDomains,
-      },
-      dns: {
-        enabled: !!dcRouter.dnsServer,
-        port: 53,
-        nameservers: dcRouter.options.dnsNsDomains || [],
-        caching: true,
-        ttl: 300,
-      },
-      proxy: {
-        enabled: !!dcRouter.smartProxy,
-        httpPort: 80,
-        httpsPort: 443,
-        maxConnections: 1000,
-      },
-      security: {
-        blockList: [],
-        rateLimit: true,
-        spamDetection: true,
-        tlsRequired: false,
-      },
+      system,
+      smartProxy,
+      email,
+      dns,
+      tls,
+      cache,
+      radius,
+      remoteIngress,
     };
   }
-}
+}

ts/opsserver/handlers/logs.handler.ts

@@ -3,8 +3,15 @@ import type { OpsServer } from '../classes.opsserver.js';
 import * as interfaces from '../../../ts_interfaces/index.js';
 import { logBuffer, baseLogger } from '../../logger.js';
 
+// Module-level singleton: the log push destination is added once and reuses
+// the current OpsServer reference so it survives OpsServer restarts without
+// accumulating duplicate destinations.
+let logPushDestinationInstalled = false;
+let currentOpsServerRef: OpsServer | null = null;
+
 export class LogsHandler {
   public typedrouter = new plugins.typedrequest.TypedRouter();
+  private activeStreamStops: Set<() => void> = new Set();
 
   constructor(private opsServerRef: OpsServer) {
     // Add this handler's router to the parent
@@ -12,7 +19,21 @@ export class LogsHandler {
     this.registerHandlers();
     this.setupLogPushDestination();
   }
-  
+
+  /**
+   * Clean up all active log streams and deactivate the push destination.
+   * Called when OpsServer stops.
+   */
+  public cleanup(): void {
+    // Stop all active follow-mode log streams
+    for (const stop of this.activeStreamStops) {
+      stop();
+    }
+    this.activeStreamStops.clear();
+    // Deactivate the push destination (it stays registered but becomes a no-op)
+    currentOpsServerRef = null;
+  }
+
   private registerHandlers(): void {
     // Get Recent Logs Handler
     this.typedrouter.addTypedHandler(
@@ -27,16 +48,16 @@ export class LogsHandler {
             dataArg.search,
             dataArg.timeRange
           );
-          
+
           return {
             logs,
-            total: logs.length, // TODO: Implement proper total count
-            hasMore: false, // TODO: Implement proper pagination
+            total: logs.length,
+            hasMore: false,
           };
         }
       )
     );
-    
+
     // Get Log Stream Handler
     this.typedrouter.addTypedHandler(
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetLogStream>(
@@ -44,7 +65,7 @@ export class LogsHandler {
         async (dataArg, toolsArg) => {
           // Create a virtual stream for log streaming
           const virtualStream = new plugins.typedrequest.VirtualStream<Uint8Array>();
-          
+
           // Set up log streaming
           const streamLogs = this.setupLogStream(
             virtualStream,
@@ -52,20 +73,21 @@ export class LogsHandler {
             dataArg.filters?.category,
             dataArg.follow
           );
-          
+
           // Start streaming
           streamLogs.start();
-          
-          // VirtualStream handles cleanup automatically
-          
+
+          // Track the stop function so we can clean up on shutdown
+          this.activeStreamStops.add(streamLogs.stop);
+
           return {
-            logStream: virtualStream as any, // Cast to IVirtualStream interface
+            logStream: virtualStream as any,
           };
         }
       )
     );
   }
-  
+
   private static mapLogLevel(smartlogLevel: string): 'debug' | 'info' | 'warn' | 'error' {
     switch (smartlogLevel) {
       case 'silly':
@@ -165,18 +187,30 @@ export class LogsHandler {
 
     return mapped;
   }
-  
+
   /**
    * Add a log destination to the base logger that pushes entries
    * to all connected ops_dashboard TypedSocket clients.
+   *
+   * Uses a module-level singleton so the destination is added only once,
+   * even across OpsServer restart cycles. The destination reads
+   * `currentOpsServerRef` dynamically so it always uses the active server.
    */
   private setupLogPushDestination(): void {
-    const opsServerRef = this.opsServerRef;
+    // Update the module-level reference so the existing destination uses the new server
+    currentOpsServerRef = this.opsServerRef;
+
+    if (logPushDestinationInstalled) {
+      return; // destination already registered — just updated the ref
+    }
+    logPushDestinationInstalled = true;
 
     baseLogger.addLogDestination({
       async handleLog(logPackage: any) {
-        // Access the TypedSocket server instance from OpsServer
-        const typedsocket = opsServerRef.server?.typedserver?.typedsocket;
+        const opsServer = currentOpsServerRef;
+        if (!opsServer) return;
+
+        const typedsocket = opsServer.server?.typedserver?.typedsocket;
         if (!typedsocket) return;
 
         let connections: any[];
@@ -220,8 +254,18 @@ export class LogsHandler {
     stop: () => void;
   } {
     let intervalId: NodeJS.Timeout | null = null;
+    let stopped = false;
     let logIndex = 0;
-    
+
+    const stop = () => {
+      stopped = true;
+      if (intervalId) {
+        clearInterval(intervalId);
+        intervalId = null;
+      }
+      this.activeStreamStops.delete(stop);
+    };
+
     const start = () => {
       if (!follow) {
         // Send existing logs and close
@@ -236,13 +280,19 @@ export class LogsHandler {
             const encoder = new TextEncoder();
             virtualStream.sendData(encoder.encode(logData));
           });
-          // VirtualStream doesn't have end() method - it closes automatically
         });
         return;
       }
-      
+
       // For follow mode, simulate real-time log streaming
       intervalId = setInterval(async () => {
+        if (stopped) {
+          // Guard: clear interval if stop() was called between ticks
+          clearInterval(intervalId!);
+          intervalId = null;
+          return;
+        }
+
         const categories: Array<'smtp' | 'dns' | 'security' | 'system' | 'email'> = ['smtp', 'dns', 'security', 'system', 'email'];
         const levels: Array<'debug' | 'info' | 'warn' | 'error'> = ['info', 'warn', 'error', 'debug'];
 
@@ -266,30 +316,25 @@ export class LogsHandler {
         const logData = JSON.stringify(logEntry);
         const encoder = new TextEncoder();
         try {
-          await virtualStream.sendData(encoder.encode(logData));
+          // Use a timeout to detect hung streams (sendData can hang if the
+          // VirtualStream's keepAlive loop has ended)
+          let timeoutHandle: ReturnType<typeof setTimeout>;
+          await Promise.race([
+            virtualStream.sendData(encoder.encode(logData)).then((result) => {
+              clearTimeout(timeoutHandle);
+              return result;
+            }),
+            new Promise<never>((_, reject) => {
+              timeoutHandle = setTimeout(() => reject(new Error('stream send timeout')), 10_000);
+            }),
+          ]);
         } catch {
-          // Stream closed or errored — clean up to prevent interval leak
-          clearInterval(intervalId!);
-          intervalId = null;
+          // Stream closed, errored, or timed out — clean up
+          stop();
         }
-      }, 2000); // Send a log every 2 seconds
-      
-      // TODO: Hook into actual logger events
-      // logger.on('log', (logEntry) => {
-      //   if (matchesCriteria(logEntry, level, service)) {
-      //     virtualStream.sendData(formatLogEntry(logEntry));
-      //   }
-      // });
+      }, 2000);
     };
-    
-    const stop = () => {
-      if (intervalId) {
-        clearInterval(intervalId);
-        intervalId = null;
-      }
-      // TODO: Unhook from logger events
-    };
-    
+
     return { start, stop };
   }
-}
+}

ts/remoteingress/classes.tunnel-manager.ts

@@ -5,6 +5,10 @@ import type { RemoteIngressManager } from './classes.remoteingress-manager.js';
 export interface ITunnelManagerConfig {
   tunnelPort?: number;
   targetHost?: string;
+  tls?: {
+    certPem?: string;
+    keyPem?: string;
+  };
 }
 
 /**
@@ -15,6 +19,7 @@ export class TunnelManager {
   private manager: RemoteIngressManager;
   private config: ITunnelManagerConfig;
   private edgeStatuses: Map<string, IRemoteIngressStatus> = new Map();
+  private reconcileInterval: ReturnType<typeof setInterval> | null = null;
 
   constructor(manager: RemoteIngressManager, config: ITunnelManagerConfig = {}) {
     this.manager = manager;
@@ -22,12 +27,11 @@ export class TunnelManager {
     this.hub = new plugins.remoteingress.RemoteIngressHub();
 
     // Listen for edge connect/disconnect events
-    this.hub.on('edgeConnected', (data: { edgeId: string }) => {
-      const existing = this.edgeStatuses.get(data.edgeId);
+    this.hub.on('edgeConnected', (data: { edgeId: string; peerAddr: string }) => {
       this.edgeStatuses.set(data.edgeId, {
         edgeId: data.edgeId,
         connected: true,
-        publicIp: existing?.publicIp ?? null,
+        publicIp: data.peerAddr || null,
         activeTunnels: 0,
         lastHeartbeat: Date.now(),
         connectedAt: Date.now(),
@@ -61,20 +65,73 @@ export class TunnelManager {
     await this.hub.start({
       tunnelPort: this.config.tunnelPort ?? 8443,
       targetHost: this.config.targetHost ?? '127.0.0.1',
+      tls: this.config.tls,
     });
 
     // Send allowed edges to the hub
     await this.syncAllowedEdges();
+
+    // Periodically reconcile with authoritative Rust hub status
+    this.reconcileInterval = setInterval(() => {
+      this.reconcile().catch(() => {});
+    }, 15_000);
   }
 
   /**
    * Stop the tunnel hub.
    */
   public async stop(): Promise<void> {
+    if (this.reconcileInterval) {
+      clearInterval(this.reconcileInterval);
+      this.reconcileInterval = null;
+    }
+    // Remove event listeners before stopping to prevent leaks
+    this.hub.removeAllListeners();
     await this.hub.stop();
     this.edgeStatuses.clear();
   }
 
+  /**
+   * Reconcile TS-side edge statuses with the authoritative Rust hub status.
+   * Overwrites event-derived activeTunnels with the real activeStreams count.
+   */
+  private async reconcile(): Promise<void> {
+    const hubStatus = await this.hub.getStatus();
+    if (!hubStatus || !hubStatus.connectedEdges) return;
+
+    const rustEdgeIds = new Set<string>();
+
+    for (const rustEdge of hubStatus.connectedEdges) {
+      rustEdgeIds.add(rustEdge.edgeId);
+      const existing = this.edgeStatuses.get(rustEdge.edgeId);
+      if (existing) {
+        existing.activeTunnels = rustEdge.activeStreams;
+        existing.lastHeartbeat = Date.now();
+        // Update peer address if available from Rust hub
+        if (rustEdge.peerAddr) {
+          existing.publicIp = rustEdge.peerAddr;
+        }
+      } else {
+        // Missed edgeConnected event — add entry
+        this.edgeStatuses.set(rustEdge.edgeId, {
+          edgeId: rustEdge.edgeId,
+          connected: true,
+          publicIp: rustEdge.peerAddr || null,
+          activeTunnels: rustEdge.activeStreams,
+          lastHeartbeat: Date.now(),
+          connectedAt: rustEdge.connectedAt * 1000,
+        });
+      }
+    }
+
+    // Remove entries for edges no longer connected in Rust (missed edgeDisconnected)
+    for (const edgeId of this.edgeStatuses.keys()) {
+      if (!rustEdgeIds.has(edgeId)) {
+        this.edgeStatuses.delete(edgeId);
+      }
+    }
+  }
+
   /**
    * Sync allowed edges from the manager to the hub.
    * Call this after creating/deleting/updating edges.
@@ -109,6 +166,19 @@ export class TunnelManager {
     return count;
   }
 
+  /**
+   * Get the public IPs of all connected edges.
+   */
+  public getConnectedEdgeIps(): string[] {
+    const ips: string[] = [];
+    for (const status of this.edgeStatuses.values()) {
+      if (status.connected && status.publicIp) {
+        ips.push(status.publicIp);
+      }
+    }
+    return ips;
+  }
+
   /**
    * Get the total number of active tunnels across all edges.
    */

ts/security/classes.contentscanner.ts

@@ -182,7 +182,14 @@ export class ContentScanner {
     }
     return ContentScanner.instance;
   }
-  
+
+  /**
+   * Reset the singleton instance (for shutdown/testing)
+   */
+  public static resetInstance(): void {
+    ContentScanner.instance = undefined;
+  }
+
   /**
    * Scan an email for malicious content
    * @param email The email to scan

ts/security/classes.ipreputationchecker.ts

@@ -65,6 +65,8 @@ export class IPReputationChecker {
   private reputationCache: LRUCache<string, IReputationResult>;
   private options: Required<IIPReputationOptions>;
   private storageManager?: any; // StorageManager instance
+  private saveCacheTimer: ReturnType<typeof setTimeout> | null = null;
+  private static readonly SAVE_CACHE_DEBOUNCE_MS = 30_000;
   
   // Default DNSBL servers
   private static readonly DEFAULT_DNSBL_SERVERS = [
@@ -143,7 +145,20 @@ export class IPReputationChecker {
     }
     return IPReputationChecker.instance;
   }
-  
+
+  /**
+   * Reset the singleton instance (for shutdown/testing)
+   */
+  public static resetInstance(): void {
+    if (IPReputationChecker.instance) {
+      if (IPReputationChecker.instance.saveCacheTimer) {
+        clearTimeout(IPReputationChecker.instance.saveCacheTimer);
+        IPReputationChecker.instance.saveCacheTimer = null;
+      }
+    }
+    IPReputationChecker.instance = undefined;
+  }
+
   /**
    * Check an IP address's reputation
    * @param ip IP address to check
@@ -213,12 +228,9 @@ export class IPReputationChecker {
       // Update cache with result
       this.reputationCache.set(ip, result);
       
-      // Save cache if enabled
+      // Schedule debounced cache save if enabled
       if (this.options.enableLocalCache) {
-        // Fire and forget the save operation
-        this.saveCache().catch(error => {
-          logger.log('error', `Failed to save IP reputation cache: ${error.message}`);
-        });
+        this.debouncedSaveCache();
       }
       
       // Log the reputation check
@@ -447,6 +459,21 @@ export class IPReputationChecker {
     });
   }
   
+  /**
+   * Schedule a debounced cache save (at most once per SAVE_CACHE_DEBOUNCE_MS)
+   */
+  private debouncedSaveCache(): void {
+    if (this.saveCacheTimer) {
+      return; // already scheduled
+    }
+    this.saveCacheTimer = setTimeout(() => {
+      this.saveCacheTimer = null;
+      this.saveCache().catch(error => {
+        logger.log('error', `Failed to save IP reputation cache: ${error.message}`);
+      });
+    }, IPReputationChecker.SAVE_CACHE_DEBOUNCE_MS);
+  }
+
   /**
    * Save cache to disk or storage manager
    */

ts/security/classes.securitylogger.ts

@@ -83,7 +83,14 @@ export class SecurityLogger {
     }
     return SecurityLogger.instance;
   }
-  
+
+  /**
+   * Reset the singleton instance (for shutdown/testing)
+   */
+  public static resetInstance(): void {
+    SecurityLogger.instance = undefined;
+  }
+
   /**
    * Log a security event
    * @param event The security event to log
@@ -155,8 +162,9 @@ export class SecurityLogger {
       }
     }
     
-    // Return most recent events up to limit
+    // Return most recent events up to limit (slice first to avoid mutating source)
     return filteredEvents
+      .slice()
       .sort((a, b) => b.timestamp - a.timestamp)
       .slice(0, limit);
   }
@@ -242,58 +250,46 @@ export class SecurityLogger {
     topIPs: Array<{ ip: string; count: number }>;
     topDomains: Array<{ domain: string; count: number }>;
   } {
-    // Filter by time window if provided
-    let events = this.securityEvents;
-    if (timeWindow) {
-      const cutoff = Date.now() - timeWindow;
-      events = events.filter(e => e.timestamp >= cutoff);
+    const cutoff = timeWindow ? Date.now() - timeWindow : 0;
+
+    // Initialize counters
+    const byLevel = {} as Record<SecurityLogLevel, number>;
+    for (const level of Object.values(SecurityLogLevel)) {
+      byLevel[level] = 0;
+    }
+    const byType = {} as Record<SecurityEventType, number>;
+    for (const type of Object.values(SecurityEventType)) {
+      byType[type] = 0;
     }
-    
-    // Count by level
-    const byLevel = Object.values(SecurityLogLevel).reduce((acc, level) => {
-      acc[level] = events.filter(e => e.level === level).length;
-      return acc;
-    }, {} as Record<SecurityLogLevel, number>);
-    
-    // Count by type
-    const byType = Object.values(SecurityEventType).reduce((acc, type) => {
-      acc[type] = events.filter(e => e.type === type).length;
-      return acc;
-    }, {} as Record<SecurityEventType, number>);
-    
-    // Count by IP
     const ipCounts = new Map<string, number>();
-    events.forEach(e => {
+    const domainCounts = new Map<string, number>();
+
+    // Single pass over all events
+    let total = 0;
+    for (const e of this.securityEvents) {
+      if (cutoff && e.timestamp < cutoff) continue;
+      total++;
+      byLevel[e.level]++;
+      byType[e.type]++;
       if (e.ipAddress) {
         ipCounts.set(e.ipAddress, (ipCounts.get(e.ipAddress) || 0) + 1);
       }
-    });
-    
-    // Count by domain
-    const domainCounts = new Map<string, number>();
-    events.forEach(e => {
       if (e.domain) {
         domainCounts.set(e.domain, (domainCounts.get(e.domain) || 0) + 1);
       }
-    });
-    
+    }
+
     // Sort and limit top entries
     const topIPs = Array.from(ipCounts.entries())
       .map(([ip, count]) => ({ ip, count }))
       .sort((a, b) => b.count - a.count)
       .slice(0, 10);
-    
+
     const topDomains = Array.from(domainCounts.entries())
       .map(([domain, count]) => ({ domain, count }))
       .sort((a, b) => b.count - a.count)
       .slice(0, 10);
-    
-    return {
-      total: events.length,
-      byLevel,
-      byType,
-      topIPs,
-      topDomains
-    };
+
+    return { total, byLevel, byType, topIPs, topDomains };
   }
 }

ts/storage/classes.storagemanager.ts

@@ -30,6 +30,7 @@ export type StorageBackend = 'filesystem' | 'custom' | 'memory';
  * Provides unified key-value storage with multiple backend support
  */
 export class StorageManager {
+  private static readonly MAX_MEMORY_ENTRIES = 10_000;
   private backend: StorageBackend;
   private memoryStore: Map<string, string> = new Map();
   private config: IStorageConfig;
@@ -227,6 +228,11 @@ export class StorageManager {
         
         case 'memory': {
           this.memoryStore.set(key, value);
+          // Evict oldest entries if memory store exceeds limit
+          while (this.memoryStore.size > StorageManager.MAX_MEMORY_ENTRIES) {
+            const firstKey = this.memoryStore.keys().next().value;
+            this.memoryStore.delete(firstKey);
+          }
           break;
         }
         

ts_interfaces/requests/api-tokens.ts

@@ -63,6 +63,26 @@ export interface IReq_RevokeApiToken extends plugins.typedrequestInterfaces.impl
   };
 }
 
+/**
+ * Roll (regenerate) an API token's secret. Returns the new raw token value once.
+ * Admin JWT only.
+ */
+export interface IReq_RollApiToken extends plugins.typedrequestInterfaces.implementsTR<
+  plugins.typedrequestInterfaces.ITypedRequest,
+  IReq_RollApiToken
+> {
+  method: 'rollApiToken';
+  request: {
+    identity?: authInterfaces.IIdentity;
+    id: string;
+  };
+  response: {
+    success: boolean;
+    tokenValue?: string;
+    message?: string;
+  };
+}
+
 /**
  * Enable or disable an API token.
  */

ts_interfaces/requests/config.ts

@@ -1,6 +1,79 @@
 import * as plugins from '../plugins.js';
 import * as authInterfaces from '../data/auth.js';
 
+export interface IConfigData {
+  system: {
+    baseDir: string;
+    dataDir: string;
+    publicIp: string | null;
+    proxyIps: string[];
+    uptime: number;
+    storageBackend: 'filesystem' | 'custom' | 'memory';
+    storagePath: string | null;
+  };
+  smartProxy: {
+    enabled: boolean;
+    routeCount: number;
+    acme: {
+      enabled: boolean;
+      accountEmail: string;
+      useProduction: boolean;
+      autoRenew: boolean;
+      renewThresholdDays: number;
+    } | null;
+  };
+  email: {
+    enabled: boolean;
+    ports: number[];
+    portMapping: Record<string, number> | null;
+    hostname: string | null;
+    domains: string[];
+    emailRouteCount: number;
+    receivedEmailsPath: string | null;
+  };
+  dns: {
+    enabled: boolean;
+    port: number;
+    nsDomains: string[];
+    scopes: string[];
+    recordCount: number;
+    records: Array<{ name: string; type: string; value: string; ttl?: number }>;
+    dnsChallenge: boolean;
+  };
+  tls: {
+    contactEmail: string | null;
+    domain: string | null;
+    source: 'acme' | 'static' | 'none';
+    certPath: string | null;
+    keyPath: string | null;
+  };
+  cache: {
+    enabled: boolean;
+    storagePath: string | null;
+    dbName: string | null;
+    defaultTTLDays: number;
+    cleanupIntervalHours: number;
+    ttlConfig: Record<string, number>;
+  };
+  radius: {
+    enabled: boolean;
+    authPort: number | null;
+    acctPort: number | null;
+    bindAddress: string | null;
+    clientCount: number;
+    vlanDefaultVlan: number | null;
+    vlanAllowUnknownMacs: boolean | null;
+    vlanMappingCount: number;
+  };
+  remoteIngress: {
+    enabled: boolean;
+    tunnelPort: number | null;
+    hubDomain: string | null;
+    tlsMode: 'custom' | 'acme' | 'self-signed';
+    connectedEdgeIps: string[];
+  };
+}
+
 // Get Configuration (read-only)
 export interface IReq_GetConfiguration extends plugins.typedrequestInterfaces.implementsTR<
   plugins.typedrequestInterfaces.ITypedRequest,
@@ -12,7 +85,7 @@ export interface IReq_GetConfiguration extends plugins.typedrequestInterfaces.im
     section?: string;
   };
   response: {
-    config: any;
+    config: IConfigData;
     section?: string;
   };
-}
+}

ts_web/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@serve.zone/dcrouter',
-  version: '8.1.0',
+  version: '10.1.9',
   description: 'A multifaceted routing service handling mail and SMS delivery functions.'
 }

ts_web/appstate.ts

@@ -21,7 +21,7 @@ export interface IStatsState {
 }
 
 export interface IConfigState {
-  config: any | null;
+  config: interfaces.requests.IConfigData | null;
   isLoading: boolean;
   error: string | null;
 }
@@ -581,7 +581,7 @@ export const fetchCertificateOverviewAction = certificateStatePart.createAction(
 });
 
 export const reprovisionCertificateAction = certificateStatePart.createAction<string>(
-  async (statePartArg, domain) => {
+  async (statePartArg, domain, actionContext) => {
     const context = getActionContext();
     const currentState = statePartArg.getState();
 
@@ -596,8 +596,7 @@ export const reprovisionCertificateAction = certificateStatePart.createAction<st
       });
 
       // Re-fetch overview after reprovisioning
-      await certificateStatePart.dispatchAction(fetchCertificateOverviewAction, null);
-      return statePartArg.getState();
+      return await actionContext.dispatch(fetchCertificateOverviewAction, null);
     } catch (error) {
       return {
         ...currentState,
@@ -608,7 +607,7 @@ export const reprovisionCertificateAction = certificateStatePart.createAction<st
 );
 
 export const deleteCertificateAction = certificateStatePart.createAction<string>(
-  async (statePartArg, domain) => {
+  async (statePartArg, domain, actionContext) => {
     const context = getActionContext();
     const currentState = statePartArg.getState();
 
@@ -623,8 +622,7 @@ export const deleteCertificateAction = certificateStatePart.createAction<string>
       });
 
       // Re-fetch overview after deletion
-      await certificateStatePart.dispatchAction(fetchCertificateOverviewAction, null);
-      return statePartArg.getState();
+      return await actionContext.dispatch(fetchCertificateOverviewAction, null);
     } catch (error) {
       return {
         ...currentState,
@@ -643,7 +641,7 @@ export const importCertificateAction = certificateStatePart.createAction<{
   publicKey: string;
   csr: string;
 }>(
-  async (statePartArg, cert) => {
+  async (statePartArg, cert, actionContext) => {
     const context = getActionContext();
     const currentState = statePartArg.getState();
 
@@ -658,8 +656,7 @@ export const importCertificateAction = certificateStatePart.createAction<{
       });
 
       // Re-fetch overview after import
-      await certificateStatePart.dispatchAction(fetchCertificateOverviewAction, null);
-      return statePartArg.getState();
+      return await actionContext.dispatch(fetchCertificateOverviewAction, null);
     } catch (error) {
       return {
         ...currentState,
@@ -737,7 +734,7 @@ export const createRemoteIngressAction = remoteIngressStatePart.createAction<{
   listenPorts?: number[];
   autoDerivePorts?: boolean;
   tags?: string[];
-}>(async (statePartArg, dataArg) => {
+}>(async (statePartArg, dataArg, actionContext) => {
   const context = getActionContext();
   const currentState = statePartArg.getState();
 
@@ -756,7 +753,7 @@ export const createRemoteIngressAction = remoteIngressStatePart.createAction<{
 
     if (response.success) {
       // Refresh the list
-      await remoteIngressStatePart.dispatchAction(fetchRemoteIngressAction, null);
+      await actionContext.dispatch(fetchRemoteIngressAction, null);
 
       return {
         ...statePartArg.getState(),
@@ -774,7 +771,7 @@ export const createRemoteIngressAction = remoteIngressStatePart.createAction<{
 });
 
 export const deleteRemoteIngressAction = remoteIngressStatePart.createAction<string>(
-  async (statePartArg, edgeId) => {
+  async (statePartArg, edgeId, actionContext) => {
     const context = getActionContext();
     const currentState = statePartArg.getState();
 
@@ -788,8 +785,7 @@ export const deleteRemoteIngressAction = remoteIngressStatePart.createAction<str
         id: edgeId,
       });
 
-      await remoteIngressStatePart.dispatchAction(fetchRemoteIngressAction, null);
-      return statePartArg.getState();
+      return await actionContext.dispatch(fetchRemoteIngressAction, null);
     } catch (error) {
       return {
         ...currentState,
@@ -805,7 +801,7 @@ export const updateRemoteIngressAction = remoteIngressStatePart.createAction<{
   listenPorts?: number[];
   autoDerivePorts?: boolean;
   tags?: string[];
-}>(async (statePartArg, dataArg) => {
+}>(async (statePartArg, dataArg, actionContext) => {
   const context = getActionContext();
   const currentState = statePartArg.getState();
 
@@ -823,8 +819,7 @@ export const updateRemoteIngressAction = remoteIngressStatePart.createAction<{
       tags: dataArg.tags,
     });
 
-    await remoteIngressStatePart.dispatchAction(fetchRemoteIngressAction, null);
-    return statePartArg.getState();
+    return await actionContext.dispatch(fetchRemoteIngressAction, null);
   } catch (error) {
     return {
       ...currentState,
@@ -877,7 +872,7 @@ export const clearNewEdgeIdAction = remoteIngressStatePart.createAction(
 export const toggleRemoteIngressAction = remoteIngressStatePart.createAction<{
   id: string;
   enabled: boolean;
-}>(async (statePartArg, dataArg) => {
+}>(async (statePartArg, dataArg, actionContext) => {
   const context = getActionContext();
   const currentState = statePartArg.getState();
 
@@ -892,8 +887,7 @@ export const toggleRemoteIngressAction = remoteIngressStatePart.createAction<{
       enabled: dataArg.enabled,
     });
 
-    await remoteIngressStatePart.dispatchAction(fetchRemoteIngressAction, null);
-    return statePartArg.getState();
+    return await actionContext.dispatch(fetchRemoteIngressAction, null);
   } catch (error) {
     return {
       ...currentState,
@@ -939,7 +933,7 @@ export const fetchMergedRoutesAction = routeManagementStatePart.createAction(asy
 export const createRouteAction = routeManagementStatePart.createAction<{
   route: any;
   enabled?: boolean;
-}>(async (statePartArg, dataArg) => {
+}>(async (statePartArg, dataArg, actionContext) => {
   const context = getActionContext();
   const currentState = statePartArg.getState();
 
@@ -954,8 +948,7 @@ export const createRouteAction = routeManagementStatePart.createAction<{
       enabled: dataArg.enabled,
     });
 
-    await routeManagementStatePart.dispatchAction(fetchMergedRoutesAction, null);
-    return statePartArg.getState();
+    return await actionContext.dispatch(fetchMergedRoutesAction, null);
   } catch (error) {
     return {
       ...currentState,
@@ -965,7 +958,7 @@ export const createRouteAction = routeManagementStatePart.createAction<{
 });
 
 export const deleteRouteAction = routeManagementStatePart.createAction<string>(
-  async (statePartArg, routeId) => {
+  async (statePartArg, routeId, actionContext) => {
     const context = getActionContext();
     const currentState = statePartArg.getState();
 
@@ -979,8 +972,7 @@ export const deleteRouteAction = routeManagementStatePart.createAction<string>(
         id: routeId,
       });
 
-      await routeManagementStatePart.dispatchAction(fetchMergedRoutesAction, null);
-      return statePartArg.getState();
+      return await actionContext.dispatch(fetchMergedRoutesAction, null);
     } catch (error) {
       return {
         ...currentState,
@@ -993,7 +985,7 @@ export const deleteRouteAction = routeManagementStatePart.createAction<string>(
 export const toggleRouteAction = routeManagementStatePart.createAction<{
   id: string;
   enabled: boolean;
-}>(async (statePartArg, dataArg) => {
+}>(async (statePartArg, dataArg, actionContext) => {
   const context = getActionContext();
   const currentState = statePartArg.getState();
 
@@ -1008,8 +1000,7 @@ export const toggleRouteAction = routeManagementStatePart.createAction<{
       enabled: dataArg.enabled,
     });
 
-    await routeManagementStatePart.dispatchAction(fetchMergedRoutesAction, null);
-    return statePartArg.getState();
+    return await actionContext.dispatch(fetchMergedRoutesAction, null);
   } catch (error) {
     return {
       ...currentState,
@@ -1021,7 +1012,7 @@ export const toggleRouteAction = routeManagementStatePart.createAction<{
 export const setRouteOverrideAction = routeManagementStatePart.createAction<{
   routeName: string;
   enabled: boolean;
-}>(async (statePartArg, dataArg) => {
+}>(async (statePartArg, dataArg, actionContext) => {
   const context = getActionContext();
   const currentState = statePartArg.getState();
 
@@ -1036,8 +1027,7 @@ export const setRouteOverrideAction = routeManagementStatePart.createAction<{
       enabled: dataArg.enabled,
     });
 
-    await routeManagementStatePart.dispatchAction(fetchMergedRoutesAction, null);
-    return statePartArg.getState();
+    return await actionContext.dispatch(fetchMergedRoutesAction, null);
   } catch (error) {
     return {
       ...currentState,
@@ -1047,7 +1037,7 @@ export const setRouteOverrideAction = routeManagementStatePart.createAction<{
 });
 
 export const removeRouteOverrideAction = routeManagementStatePart.createAction<string>(
-  async (statePartArg, routeName) => {
+  async (statePartArg, routeName, actionContext) => {
     const context = getActionContext();
     const currentState = statePartArg.getState();
 
@@ -1061,8 +1051,7 @@ export const removeRouteOverrideAction = routeManagementStatePart.createAction<s
         routeName,
       });
 
-      await routeManagementStatePart.dispatchAction(fetchMergedRoutesAction, null);
-      return statePartArg.getState();
+      return await actionContext.dispatch(fetchMergedRoutesAction, null);
     } catch (error) {
       return {
         ...currentState,
@@ -1115,8 +1104,20 @@ export async function createApiToken(name: string, scopes: interfaces.data.TApiT
   });
 }
 
+export async function rollApiToken(id: string) {
+  const context = getActionContext();
+  const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
+    interfaces.requests.IReq_RollApiToken
+  >('/typedrequest', 'rollApiToken');
+
+  return request.fire({
+    identity: context.identity,
+    id,
+  });
+}
+
 export const revokeApiTokenAction = routeManagementStatePart.createAction<string>(
-  async (statePartArg, tokenId) => {
+  async (statePartArg, tokenId, actionContext) => {
     const context = getActionContext();
     const currentState = statePartArg.getState();
 
@@ -1130,8 +1131,7 @@ export const revokeApiTokenAction = routeManagementStatePart.createAction<string
         id: tokenId,
       });
 
-      await routeManagementStatePart.dispatchAction(fetchApiTokensAction, null);
-      return statePartArg.getState();
+      return await actionContext.dispatch(fetchApiTokensAction, null);
     } catch (error) {
       return {
         ...currentState,
@@ -1144,7 +1144,7 @@ export const revokeApiTokenAction = routeManagementStatePart.createAction<string
 export const toggleApiTokenAction = routeManagementStatePart.createAction<{
   id: string;
   enabled: boolean;
-}>(async (statePartArg, dataArg) => {
+}>(async (statePartArg, dataArg, actionContext) => {
   const context = getActionContext();
   const currentState = statePartArg.getState();
 
@@ -1159,8 +1159,7 @@ export const toggleApiTokenAction = routeManagementStatePart.createAction<{
       enabled: dataArg.enabled,
     });
 
-    await routeManagementStatePart.dispatchAction(fetchApiTokensAction, null);
-    return statePartArg.getState();
+    return await actionContext.dispatch(fetchApiTokensAction, null);
   } catch (error) {
     return {
       ...currentState,
@@ -1321,6 +1320,15 @@ async function dispatchCombinedRefreshAction() {
         console.error('Certificate refresh failed:', error);
       }
     }
+
+    // Refresh remote ingress data if on remoteingress view
+    if (currentView === 'remoteingress') {
+      try {
+        await remoteIngressStatePart.dispatchAction(fetchRemoteIngressAction, null);
+      } catch (error) {
+        console.error('Remote ingress refresh failed:', error);
+      }
+    }
   } catch (error) {
     console.error('Combined refresh failed:', error);
   }

ts_web/elements/ops-dashboard.ts

@@ -43,42 +43,52 @@ export class OpsDashboard extends DeesElement {
   private viewTabs = [
     {
       name: 'Overview',
+      iconName: 'lucide:layoutDashboard',
       element: OpsViewOverview,
     },
+    {
+      name: 'Configuration',
+      iconName: 'lucide:settings',
+      element: OpsViewConfig,
+    },
     {
       name: 'Network',
+      iconName: 'lucide:network',
       element: OpsViewNetwork,
     },
     {
       name: 'Emails',
+      iconName: 'lucide:mail',
       element: OpsViewEmails,
     },
     {
       name: 'Logs',
+      iconName: 'lucide:scrollText',
       element: OpsViewLogs,
     },
     {
       name: 'Routes',
+      iconName: 'lucide:route',
       element: OpsViewRoutes,
     },
     {
       name: 'ApiTokens',
+      iconName: 'lucide:key',
       element: OpsViewApiTokens,
     },
-    {
-      name: 'Configuration',
-      element: OpsViewConfig,
-    },
     {
       name: 'Security',
+      iconName: 'lucide:shield',
       element: OpsViewSecurity,
     },
     {
       name: 'Certificates',
+      iconName: 'lucide:badgeCheck',
       element: OpsViewCertificates,
     },
     {
       name: 'RemoteIngress',
+      iconName: 'lucide:globe',
       element: OpsViewRemoteIngress,
     },
   ];

ts_web/elements/ops-view-apitokens.ts

@@ -152,6 +152,15 @@ export class OpsViewApiTokens extends DeesElement {
                 );
               },
             },
+            {
+              name: 'Roll',
+              iconName: 'lucide:rotateCw',
+              type: ['inRow', 'contextmenu'] as any,
+              actionFunc: async (actionData: any) => {
+                const token = actionData.item as interfaces.data.IApiTokenInfo;
+                await this.showRollTokenDialog(token);
+              },
+            },
             {
               name: 'Revoke',
               iconName: 'lucide:trash2',
@@ -225,13 +234,17 @@ export class OpsViewApiTokens extends DeesElement {
           name: 'Create',
           iconName: 'lucide:key',
           action: async (modalArg: any) => {
-            const form = modalArg.shadowRoot?.querySelector('.content')?.querySelector('dees-form');
+            const contentEl = modalArg.shadowRoot?.querySelector('.content');
+            const form = contentEl?.querySelector('dees-form');
             if (!form) return;
             const formData = await form.collectFormData();
             if (!formData.name) return;
 
-            // dees-input-tags returns string[] directly
-            const scopes = (formData.scopes || [])
+            // dees-input-tags is not in dees-form's FORM_INPUT_TYPES, so collectFormData() won't
+            // include it. Query the tags input directly and call getValue().
+            const tagsInput = form.querySelector('dees-input-tags') as any;
+            const rawScopes: string[] = tagsInput?.getValue?.() || tagsInput?.value || formData.scopes || [];
+            const scopes = rawScopes
               .filter((s: string) => allScopes.includes(s as any)) as TApiTokenScope[];
 
             const expiresInDays = formData.expiresInDays
@@ -275,6 +288,60 @@ export class OpsViewApiTokens extends DeesElement {
     });
   }
 
+  private async showRollTokenDialog(token: interfaces.data.IApiTokenInfo) {
+    const { DeesModal } = await import('@design.estate/dees-catalog');
+
+    await DeesModal.createAndShow({
+      heading: 'Roll Token Secret',
+      content: html`
+        <div style="color: #ccc; padding: 8px 0;">
+          <p>This will regenerate the secret for <strong>${token.name}</strong>. The old token value will stop working immediately.</p>
+        </div>
+      `,
+      menuOptions: [
+        {
+          name: 'Cancel',
+          iconName: 'lucide:x',
+          action: async (modalArg: any) => await modalArg.destroy(),
+        },
+        {
+          name: 'Roll Token',
+          iconName: 'lucide:rotateCw',
+          action: async (modalArg: any) => {
+            await modalArg.destroy();
+            try {
+              const response = await appstate.rollApiToken(token.id);
+              if (response.success && response.tokenValue) {
+                await appstate.routeManagementStatePart.dispatchAction(appstate.fetchApiTokensAction, null);
+
+                await DeesModal.createAndShow({
+                  heading: 'Token Rolled',
+                  content: html`
+                    <div style="color: #ccc; padding: 8px 0;">
+                      <p>Copy this token now. It will not be shown again.</p>
+                      <div style="background: #111; padding: 12px; border-radius: 6px; margin-top: 8px;">
+                        <code style="color: #0f8; word-break: break-all; font-size: 13px;">${response.tokenValue}</code>
+                      </div>
+                    </div>
+                  `,
+                  menuOptions: [
+                    {
+                      name: 'Done',
+                      iconName: 'lucide:check',
+                      action: async (m: any) => await m.destroy(),
+                    },
+                  ],
+                });
+              }
+            } catch (error) {
+              console.error('Failed to roll token:', error);
+            }
+          },
+        },
+      ],
+    });
+  }
+
   async firstUpdated() {
     await appstate.routeManagementStatePart.dispatchAction(appstate.fetchApiTokensAction, null);
   }

ts_web/elements/ops-view-config.ts

@@ -1,6 +1,7 @@
 import * as plugins from '../plugins.js';
 import * as shared from './shared/index.js';
 import * as appstate from '../appstate.js';
+import { appRouter } from '../router.js';
 
 import {
   DeesElement,
@@ -12,6 +13,8 @@ import {
   type TemplateResult,
 } from '@design.estate/dees-element';
 
+import type { IConfigField, IConfigSectionAction } from '@serve.zone/catalog';
+
 @customElement('ops-view-config')
 export class OpsViewConfig extends DeesElement {
   @state()
@@ -35,165 +38,19 @@ export class OpsViewConfig extends DeesElement {
     cssManager.defaultStyles,
     shared.viewHostCss,
     css`
-      .configSection {
-        background: ${cssManager.bdTheme('#fff', '#222')};
-        border: 1px solid ${cssManager.bdTheme('#e9ecef', '#333')};
-        border-radius: 8px;
-        margin-bottom: 24px;
-        overflow: hidden;
-      }
-
-      .sectionHeader {
-        background: ${cssManager.bdTheme('#f8f9fa', '#1a1a1a')};
-        padding: 16px 24px;
-        border-bottom: 1px solid ${cssManager.bdTheme('#e9ecef', '#333')};
-        display: flex;
-        justify-content: space-between;
-        align-items: center;
-      }
-
-      .sectionTitle {
-        font-size: 18px;
-        font-weight: 600;
-        color: ${cssManager.bdTheme('#333', '#ccc')};
-        display: flex;
-        align-items: center;
-        gap: 12px;
-      }
-
-      .sectionTitle dees-icon {
-        font-size: 20px;
-        color: ${cssManager.bdTheme('#666', '#888')};
-      }
-
-      .sectionContent {
-        padding: 24px;
-      }
-
-      .configField {
-        margin-bottom: 20px;
-      }
-
-      .configField:last-child {
-        margin-bottom: 0;
-      }
-
-      .fieldLabel {
-        font-size: 13px;
-        font-weight: 600;
-        color: ${cssManager.bdTheme('#666', '#999')};
-        margin-bottom: 8px;
-        display: block;
-        text-transform: uppercase;
-        letter-spacing: 0.5px;
-      }
-
-      .fieldValue {
-        font-family: 'Consolas', 'Monaco', monospace;
-        font-size: 14px;
-        color: ${cssManager.bdTheme('#333', '#ccc')};
-        background: ${cssManager.bdTheme('#f8f9fa', '#1a1a1a')};
-        padding: 10px 14px;
-        border-radius: 6px;
-        border: 1px solid ${cssManager.bdTheme('#e9ecef', '#333')};
-      }
-
-      .fieldValue.empty {
-        color: ${cssManager.bdTheme('#999', '#666')};
-        font-style: italic;
-      }
-
-      .nestedFields {
-        margin-left: 16px;
-        padding-left: 16px;
-        border-left: 2px solid ${cssManager.bdTheme('#e9ecef', '#333')};
-      }
-
-      /* Status badge styles */
-      .statusBadge {
-        display: inline-flex;
-        align-items: center;
-        gap: 6px;
-        padding: 4px 12px;
-        border-radius: 20px;
-        font-size: 13px;
-        font-weight: 600;
-      }
-
-      .statusBadge.enabled {
-        background: ${cssManager.bdTheme('#d4edda', '#1a3d1a')};
-        color: ${cssManager.bdTheme('#155724', '#66cc66')};
-      }
-
-      .statusBadge.disabled {
-        background: ${cssManager.bdTheme('#f8d7da', '#3d1a1a')};
-        color: ${cssManager.bdTheme('#721c24', '#cc6666')};
-      }
-
-      .statusBadge dees-icon {
-        font-size: 14px;
-      }
-
-      /* Array/list display */
-      .arrayItems {
-        display: flex;
-        flex-wrap: wrap;
-        gap: 8px;
-      }
-
-      .arrayItem {
-        display: inline-flex;
-        align-items: center;
-        background: ${cssManager.bdTheme('#e7f3ff', '#1a2a3d')};
-        color: ${cssManager.bdTheme('#0066cc', '#66aaff')};
-        padding: 4px 12px;
-        border-radius: 16px;
-        font-size: 13px;
-        font-family: 'Consolas', 'Monaco', monospace;
-      }
-
-      .arrayCount {
-        font-size: 12px;
-        color: ${cssManager.bdTheme('#999', '#666')};
-        margin-bottom: 8px;
-      }
-
-      /* Numeric value formatting */
-      .numericValue {
-        font-weight: 600;
-        color: ${cssManager.bdTheme('#0066cc', '#66aaff')};
-      }
-
-      .errorMessage {
-        background: ${cssManager.bdTheme('#fee', '#4a1f1f')};
-        border: 1px solid ${cssManager.bdTheme('#fcc', '#6a2f2f')};
-        border-radius: 4px;
-        padding: 16px;
-        color: ${cssManager.bdTheme('#c00', '#ff6666')};
-        margin: 16px 0;
-      }
-
       .loadingMessage {
         text-align: center;
         padding: 40px;
-        color: ${cssManager.bdTheme('#666', '#999')};
+        color: ${cssManager.bdTheme('#71717a', '#a1a1aa')};
       }
 
-      .infoNote {
-        background: ${cssManager.bdTheme('#e7f3ff', '#1a2a3d')};
-        border: 1px solid ${cssManager.bdTheme('#b3d7ff', '#2a4a6d')};
+      .errorMessage {
+        background: ${cssManager.bdTheme('#fee2e2', 'rgba(239,68,68,0.1)')};
+        border: 1px solid ${cssManager.bdTheme('#fecaca', 'rgba(239,68,68,0.3)')};
         border-radius: 8px;
         padding: 16px;
-        margin-bottom: 24px;
-        color: ${cssManager.bdTheme('#004085', '#88ccff')};
-        display: flex;
-        align-items: center;
-        gap: 12px;
-      }
-
-      .infoNote dees-icon {
-        font-size: 20px;
-        flex-shrink: 0;
+        color: ${cssManager.bdTheme('#dc2626', '#ef4444')};
+        margin: 16px 0;
       }
     `,
   ];
@@ -202,185 +59,276 @@ export class OpsViewConfig extends DeesElement {
     return html`
       <ops-sectionheading>Configuration</ops-sectionheading>
 
-      ${this.configState.isLoading ? html`
-        <div class="loadingMessage">
-          <dees-spinner></dees-spinner>
-          <p>Loading configuration...</p>
-        </div>
-      ` : this.configState.error ? html`
-        <div class="errorMessage">
-          Error loading configuration: ${this.configState.error}
-        </div>
-      ` : this.configState.config ? html`
-        <div class="infoNote">
-          <dees-icon icon="lucide:info"></dees-icon>
-          <span>This view displays the current running configuration. DcRouter is configured through code or remote management.</span>
-        </div>
-
-        ${this.renderConfigSection('email', 'Email', 'lucide:mail', this.configState.config?.email)}
-        ${this.renderConfigSection('dns', 'DNS', 'lucide:globe', this.configState.config?.dns)}
-        ${this.renderConfigSection('proxy', 'Proxy', 'lucide:network', this.configState.config?.proxy)}
-        ${this.renderConfigSection('security', 'Security', 'lucide:shield', this.configState.config?.security)}
-      ` : html`
-        <div class="errorMessage">No configuration loaded</div>
-      `}
-    `;
-  }
-
-  private renderConfigSection(key: string, title: string, icon: string, config: any) {
-    const isEnabled = config?.enabled ?? false;
-
-    return html`
-      <div class="configSection">
-        <div class="sectionHeader">
-          <h3 class="sectionTitle">
-            <dees-icon icon="${icon}"></dees-icon>
-            ${title}
-          </h3>
-          ${this.renderStatusBadge(isEnabled)}
-        </div>
-        <div class="sectionContent">
-          ${config ? this.renderConfigFields(config) : html`
-            <div class="fieldValue empty">Not configured</div>
-          `}
-        </div>
-      </div>
-    `;
-  }
-
-  private renderStatusBadge(enabled: boolean): TemplateResult {
-    return enabled
-      ? html`<span class="statusBadge enabled"><dees-icon icon="lucide:check"></dees-icon>Enabled</span>`
-      : html`<span class="statusBadge disabled"><dees-icon icon="lucide:x"></dees-icon>Disabled</span>`;
-  }
-
-  private renderConfigFields(config: any, prefix = ''): TemplateResult | TemplateResult[] {
-    if (!config || typeof config !== 'object') {
-      return html`<div class="fieldValue">${this.formatValue(config)}</div>`;
-    }
-
-    return Object.entries(config).map(([key, value]) => {
-      const fieldName = prefix ? `${prefix}.${key}` : key;
-      const displayName = this.formatFieldName(key);
-
-      // Handle boolean values with badges
-      if (typeof value === 'boolean') {
-        return html`
-          <div class="configField">
-            <label class="fieldLabel">${displayName}</label>
-            ${this.renderStatusBadge(value)}
-          </div>
-        `;
-      }
-
-      // Handle arrays
-      if (Array.isArray(value)) {
-        return html`
-          <div class="configField">
-            <label class="fieldLabel">${displayName}</label>
-            ${this.renderArrayValue(value, key)}
-          </div>
-        `;
-      }
-
-      // Handle nested objects
-      if (typeof value === 'object' && value !== null) {
-        return html`
-          <div class="configField">
-            <label class="fieldLabel">${displayName}</label>
-            <div class="nestedFields">
-              ${this.renderConfigFields(value, fieldName)}
+      ${this.configState.isLoading
+        ? html`
+            <div class="loadingMessage">
+              <dees-spinner></dees-spinner>
+              <p>Loading configuration...</p>
             </div>
-          </div>
-        `;
-      }
-
-      // Handle primitive values
-      return html`
-        <div class="configField">
-          <label class="fieldLabel">${displayName}</label>
-          <div class="fieldValue">${this.formatValue(value, key)}</div>
-        </div>
-      `;
-    });
-  }
-
-  private renderArrayValue(arr: any[], fieldKey: string): TemplateResult {
-    if (arr.length === 0) {
-      return html`<div class="fieldValue empty">None configured</div>`;
-    }
-
-    // Determine if we should show as pills/tags
-    const showAsPills = arr.every(item => typeof item === 'string' || typeof item === 'number');
-
-    if (showAsPills) {
-      const itemLabel = this.getArrayItemLabel(fieldKey, arr.length);
-      return html`
-        <div class="arrayCount">${arr.length} ${itemLabel}</div>
-        <div class="arrayItems">
-          ${arr.map(item => html`<span class="arrayItem">${item}</span>`)}
-        </div>
-      `;
-    }
-
-    // For complex arrays, show as JSON
-    return html`
-      <div class="fieldValue">
-        ${arr.length} items configured
-      </div>
+          `
+        : this.configState.error
+          ? html`
+              <div class="errorMessage">
+                Error loading configuration: ${this.configState.error}
+              </div>
+            `
+          : this.configState.config
+            ? this.renderConfig()
+            : html`<div class="errorMessage">No configuration loaded</div>`}
     `;
   }
 
-  private getArrayItemLabel(fieldKey: string, count: number): string {
-    const labels: Record<string, [string, string]> = {
-      ports: ['port', 'ports'],
-      domains: ['domain', 'domains'],
-      nameservers: ['nameserver', 'nameservers'],
-      blockList: ['IP', 'IPs'],
-    };
+  private renderConfig(): TemplateResult {
+    const cfg = this.configState.config!;
 
-    const label = labels[fieldKey] || ['item', 'items'];
-    return count === 1 ? label[0] : label[1];
+    return html`
+      <sz-config-overview
+        infoText="This view displays the current running configuration. DcRouter is configured through code or remote management."
+        @navigate=${(e: CustomEvent) => {
+          if (e.detail?.view) {
+            appRouter.navigateToView(e.detail.view);
+          }
+        }}
+      >
+        ${this.renderSystemSection(cfg.system)}
+        ${this.renderSmartProxySection(cfg.smartProxy)}
+        ${this.renderEmailSection(cfg.email)}
+        ${this.renderDnsSection(cfg.dns)}
+        ${this.renderTlsSection(cfg.tls)}
+        ${this.renderCacheSection(cfg.cache)}
+        ${this.renderRadiusSection(cfg.radius)}
+        ${this.renderRemoteIngressSection(cfg.remoteIngress)}
+      </sz-config-overview>
+    `;
   }
 
-  private formatFieldName(key: string): string {
-    // Convert camelCase to readable format
-    return key
-      .replace(/([A-Z])/g, ' $1')
-      .replace(/^./, str => str.toUpperCase())
-      .trim();
-  }
-
-  private formatValue(value: any, fieldKey?: string): string | TemplateResult {
-    if (value === null || value === undefined) {
-      return html`<span class="empty">Not set</span>`;
+  private renderSystemSection(sys: appstate.IConfigState['config']['system']): TemplateResult {
+    // Annotate proxy IPs with source hint when Remote Ingress is active
+    const ri = this.configState.config?.remoteIngress;
+    let proxyIpValues: string[] | null = sys.proxyIps.length > 0 ? [...sys.proxyIps] : null;
+    if (proxyIpValues && ri?.enabled && proxyIpValues.includes('127.0.0.1')) {
+      proxyIpValues = proxyIpValues.map(ip =>
+        ip === '127.0.0.1' ? '127.0.0.1 (Remote Ingress)' : ip
+      );
     }
 
-    if (typeof value === 'number') {
-      // Format bytes
-      if (fieldKey?.toLowerCase().includes('size') || fieldKey?.toLowerCase().includes('bytes')) {
-        return html`<span class="numericValue">${this.formatBytes(value)}</span>`;
-      }
-      // Format time values
-      if (fieldKey?.toLowerCase().includes('ttl') || fieldKey?.toLowerCase().includes('timeout')) {
-        return html`<span class="numericValue">${value} seconds</span>`;
-      }
-      // Format port numbers
-      if (fieldKey?.toLowerCase().includes('port')) {
-        return html`<span class="numericValue">${value}</span>`;
-      }
-      // Format counts with separators
-      return html`<span class="numericValue">${value.toLocaleString()}</span>`;
-    }
+    const fields: IConfigField[] = [
+      { key: 'Base Directory', value: sys.baseDir },
+      { key: 'Data Directory', value: sys.dataDir },
+      { key: 'Public IP', value: sys.publicIp },
+      { key: 'Proxy IPs', value: proxyIpValues, type: 'pills' },
+      { key: 'Uptime', value: this.formatUptime(sys.uptime) },
+      { key: 'Storage Backend', value: sys.storageBackend, type: 'badge' },
+      { key: 'Storage Path', value: sys.storagePath },
+    ];
 
-    return String(value);
+    return html`
+      <sz-config-section
+        title="System"
+        subtitle="Base paths and infrastructure"
+        icon="lucide:server"
+        status="enabled"
+        .fields=${fields}
+      ></sz-config-section>
+    `;
   }
 
-  private formatBytes(bytes: number): string {
-    if (bytes === 0) return '0 B';
-    const k = 1024;
-    const sizes = ['B', 'KB', 'MB', 'GB', 'TB'];
-    const i = Math.floor(Math.log(bytes) / Math.log(k));
-    return parseFloat((bytes / Math.pow(k, i)).toFixed(2)) + ' ' + sizes[i];
+  private renderSmartProxySection(proxy: appstate.IConfigState['config']['smartProxy']): TemplateResult {
+    const fields: IConfigField[] = [
+      { key: 'Route Count', value: proxy.routeCount },
+    ];
+
+    if (proxy.acme) {
+      fields.push(
+        { key: 'ACME Enabled', value: proxy.acme.enabled, type: 'boolean' },
+        { key: 'Account Email', value: proxy.acme.accountEmail || null },
+        { key: 'Use Production', value: proxy.acme.useProduction, type: 'boolean' },
+        { key: 'Auto Renew', value: proxy.acme.autoRenew, type: 'boolean' },
+        { key: 'Renew Threshold', value: `${proxy.acme.renewThresholdDays} days` },
+      );
+    }
+
+    const actions: IConfigSectionAction[] = [
+      { label: 'View Routes', icon: 'lucide:arrow-right', event: 'navigate', detail: { view: 'routes' } },
+    ];
+
+    return html`
+      <sz-config-section
+        title="SmartProxy"
+        subtitle="HTTP/HTTPS and TCP/SNI reverse proxy"
+        icon="lucide:network"
+        .status=${proxy.enabled ? 'enabled' : 'disabled'}
+        .fields=${fields}
+        .actions=${actions}
+      ></sz-config-section>
+    `;
+  }
+
+  private renderEmailSection(email: appstate.IConfigState['config']['email']): TemplateResult {
+    const fields: IConfigField[] = [
+      { key: 'Ports', value: email.ports.length > 0 ? email.ports.map(String) : null, type: 'pills' },
+      { key: 'Hostname', value: email.hostname },
+      { key: 'Domains', value: email.domains.length > 0 ? email.domains : null, type: 'pills' },
+      { key: 'Email Routes', value: email.emailRouteCount },
+      { key: 'Received Emails Path', value: email.receivedEmailsPath },
+    ];
+
+    if (email.portMapping) {
+      const mappingStr = Object.entries(email.portMapping)
+        .map(([ext, int]) => `${ext} → ${int}`)
+        .join(', ');
+      fields.splice(1, 0, { key: 'Port Mapping', value: mappingStr, type: 'code' });
+    }
+
+    const actions: IConfigSectionAction[] = [
+      { label: 'View Emails', icon: 'lucide:arrow-right', event: 'navigate', detail: { view: 'emails' } },
+    ];
+
+    return html`
+      <sz-config-section
+        title="Email Server"
+        subtitle="SMTP email handling with smartmta"
+        icon="lucide:mail"
+        .status=${email.enabled ? 'enabled' : 'disabled'}
+        .fields=${fields}
+        .actions=${actions}
+      ></sz-config-section>
+    `;
+  }
+
+  private renderDnsSection(dns: appstate.IConfigState['config']['dns']): TemplateResult {
+    const fields: IConfigField[] = [
+      { key: 'Port', value: dns.port },
+      { key: 'NS Domains', value: dns.nsDomains.length > 0 ? dns.nsDomains : null, type: 'pills' },
+      { key: 'Scopes', value: dns.scopes.length > 0 ? dns.scopes : null, type: 'pills' },
+      { key: 'Record Count', value: dns.recordCount },
+      { key: 'DNS Challenge', value: dns.dnsChallenge, type: 'boolean' },
+    ];
+
+    return html`
+      <sz-config-section
+        title="DNS Server"
+        subtitle="Authoritative DNS with smartdns"
+        icon="lucide:globe"
+        .status=${dns.enabled ? 'enabled' : 'disabled'}
+        .fields=${fields}
+      ></sz-config-section>
+    `;
+  }
+
+  private renderTlsSection(tls: appstate.IConfigState['config']['tls']): TemplateResult {
+    const fields: IConfigField[] = [
+      { key: 'Contact Email', value: tls.contactEmail },
+      { key: 'Domain', value: tls.domain },
+      { key: 'Source', value: tls.source, type: 'badge' },
+      { key: 'Certificate Path', value: tls.certPath },
+      { key: 'Key Path', value: tls.keyPath },
+    ];
+
+    const status = tls.source === 'none' ? 'not-configured' : 'enabled';
+    const actions: IConfigSectionAction[] = [
+      { label: 'View Certificates', icon: 'lucide:arrow-right', event: 'navigate', detail: { view: 'certificates' } },
+    ];
+
+    return html`
+      <sz-config-section
+        title="TLS / Certificates"
+        subtitle="Certificate management and ACME"
+        icon="lucide:shield-check"
+        .status=${status as any}
+        .fields=${fields}
+        .actions=${actions}
+      ></sz-config-section>
+    `;
+  }
+
+  private renderCacheSection(cache: appstate.IConfigState['config']['cache']): TemplateResult {
+    const fields: IConfigField[] = [
+      { key: 'Storage Path', value: cache.storagePath },
+      { key: 'DB Name', value: cache.dbName },
+      { key: 'Default TTL', value: `${cache.defaultTTLDays} days` },
+      { key: 'Cleanup Interval', value: `${cache.cleanupIntervalHours} hours` },
+    ];
+
+    if (cache.ttlConfig && Object.keys(cache.ttlConfig).length > 0) {
+      for (const [key, val] of Object.entries(cache.ttlConfig)) {
+        fields.push({ key: `TTL: ${key}`, value: `${val} days` });
+      }
+    }
+
+    return html`
+      <sz-config-section
+        title="Cache Database"
+        subtitle="Persistent caching with smartdata"
+        icon="lucide:database"
+        .status=${cache.enabled ? 'enabled' : 'disabled'}
+        .fields=${fields}
+      ></sz-config-section>
+    `;
+  }
+
+  private renderRadiusSection(radius: appstate.IConfigState['config']['radius']): TemplateResult {
+    const fields: IConfigField[] = [
+      { key: 'Auth Port', value: radius.authPort },
+      { key: 'Accounting Port', value: radius.acctPort },
+      { key: 'Bind Address', value: radius.bindAddress },
+      { key: 'Client Count', value: radius.clientCount },
+    ];
+
+    if (radius.vlanDefaultVlan !== null) {
+      fields.push(
+        { key: 'Default VLAN', value: radius.vlanDefaultVlan },
+        { key: 'Allow Unknown MACs', value: radius.vlanAllowUnknownMacs, type: 'boolean' },
+        { key: 'VLAN Mappings', value: radius.vlanMappingCount },
+      );
+    }
+
+    const status = radius.enabled ? 'enabled' : 'not-configured';
+
+    return html`
+      <sz-config-section
+        title="RADIUS Server"
+        subtitle="Network authentication and VLAN assignment"
+        icon="lucide:wifi"
+        .status=${status as any}
+        .fields=${fields}
+      ></sz-config-section>
+    `;
+  }
+
+  private renderRemoteIngressSection(ri: appstate.IConfigState['config']['remoteIngress']): TemplateResult {
+    const fields: IConfigField[] = [
+      { key: 'Tunnel Port', value: ri.tunnelPort },
+      { key: 'Hub Domain', value: ri.hubDomain },
+      { key: 'TLS Mode', value: ri.tlsMode, type: 'badge' },
+      { key: 'Connected Edge IPs', value: ri.connectedEdgeIps?.length > 0 ? ri.connectedEdgeIps : null, type: 'pills' },
+    ];
+
+    const actions: IConfigSectionAction[] = [
+      { label: 'View Remote Ingress', icon: 'lucide:arrow-right', event: 'navigate', detail: { view: 'remoteingress' } },
+    ];
+
+    return html`
+      <sz-config-section
+        title="Remote Ingress"
+        subtitle="Edge tunnel nodes"
+        icon="lucide:cloud"
+        .status=${ri.enabled ? 'enabled' : 'disabled'}
+        .fields=${fields}
+        .actions=${actions}
+      ></sz-config-section>
+    `;
+  }
+
+  private formatUptime(seconds: number): string {
+    const days = Math.floor(seconds / 86400);
+    const hours = Math.floor((seconds % 86400) / 3600);
+    const mins = Math.floor((seconds % 3600) / 60);
+
+    const parts: string[] = [];
+    if (days > 0) parts.push(`${days}d`);
+    if (hours > 0) parts.push(`${hours}h`);
+    parts.push(`${mins}m`);
+    return parts.join(' ');
   }
 }

ts_web/elements/ops-view-logs.ts

@@ -76,8 +76,15 @@ export class OpsViewLogs extends DeesElement {
     // Wait for xterm terminal to finish initializing (CDN load)
     if (!chartLog.terminalReady) {
       await new Promise<void>((resolve) => {
+        let attempts = 0;
+        const maxAttempts = 200; // 200 * 50ms = 10 seconds
         const check = () => {
           if (chartLog.terminalReady) { resolve(); return; }
+          if (++attempts >= maxAttempts) {
+            console.warn('ops-view-logs: terminal ready timeout after 10s');
+            resolve(); // resolve gracefully to avoid blocking
+            return;
+          }
           setTimeout(check, 50);
         };
         check();