@serve.zone/dcrouter
a traffic router intended to be gating your datacenter.
readme.md for @serve.zone/dcrouter
dcrouter: The all-in-one gateway for your datacenter. π
A comprehensive traffic routing solution that provides unified gateway capabilities for HTTP/HTTPS, TCP/SNI, email (SMTP), DNS, RADIUS, VPN, and remote edge ingress β all from a single process. Designed for enterprises requiring robust traffic management, automatic TLS certificate provisioning, VPN-based access control, distributed edge networking, and enterprise-grade email infrastructure.
Issue Reporting and Security
For reporting bugs, issues, or security vulnerabilities, please visit community.foss.global/. This is the central community hub for all issue reporting. Developers who sign and comply with our contribution agreement and go through identification can also get a code.foss.global/ account to submit Pull Requests directly.
Table of Contents
Features
Installation
Quick Start
Architecture
Configuration Reference
HTTP/HTTPS & TCP/SNI Routing
HTTP/3 (QUIC) Support
Email System
DNS Server
RADIUS Server
Remote Ingress
VPN Access Control
Certificate Management
Storage & Caching
Security Features
OpsServer Dashboard
API Client
API Reference
Sub-Modules
Testing
Docker / OCI Container Deployment
License and Legal Information
Features
π Universal Traffic Router
HTTP/HTTPS routing with domain matching, path-based forwarding, and automatic TLS
HTTP/3 (QUIC) enabled by default β qualifying HTTPS routes automatically get QUIC/H3 support with zero configuration
TCP/SNI proxy for any protocol with TLS termination or passthrough
DNS server (Rust-powered via SmartDNS) with authoritative zones, dynamic record management, and DNS-over-HTTPS
Multi-protocol support on the same infrastructure via SmartProxy
π§ Complete Email Infrastructure (powered by smartmta)
Multi-domain SMTP server on standard ports (25, 587, 465)
Pattern-based email routing with four action types: forward, process, deliver, reject
DKIM signing & verification, SPF, DMARC authentication stack
Enterprise deliverability with IP warmup schedules and sender reputation tracking
Bounce handling with automatic suppression lists
Hierarchical rate limiting β global, per-domain, per-sender
π Enterprise Security
Automatic TLS certificates via ACME (smartacme v9) with Cloudflare DNS-01 challenges
Smart certificate scheduling β per-domain deduplication, controlled parallelism, and account rate limiting handled automatically
Per-domain exponential backoff β failed provisioning attempts are tracked and backed off to avoid hammering ACME servers
IP reputation checking with caching and configurable thresholds
Content scanning for spam, viruses, and malicious attachments
Security event logging with structured audit trails
π‘ RADIUS Server
MAC Authentication Bypass (MAB) for network device authentication
VLAN assignment based on exact MAC, OUI prefix, or wildcard patterns
RADIUS accounting for session tracking, traffic metering, and billing
Real-time management via OpsServer API
π Remote Ingress (powered by remoteingress)
Distributed edge networking β accept traffic at remote edge nodes and tunnel it to the hub
Edge registration CRUD with secret-based authentication
Auto-derived ports β edges automatically pick up ports from routes tagged with
remoteIngress.enabled
Connection tokens β generate a single opaque base64url token containing hubHost, hubPort, edgeId, and secret for easy edge provisioning
Real-time status monitoring β connected/disconnected state, public IP, active tunnels, heartbeat tracking
OpsServer dashboard with enable/disable, edit, secret regeneration, token copy, and delete actions
π VPN Access Control (powered by smartvpn)
WireGuard + native transports β standard WireGuard clients (iOS, Android, macOS, Windows, Linux) plus custom WebSocket/QUIC tunnels
Route-level VPN gating β mark any route with
vpn: { enabled: true } to restrict access to VPN clients only, or
vpn: { enabled: true, mandatory: false } to add VPN clients alongside existing access rules
Tag-based access control β assign
serverDefinedClientTags to clients and restrict routes with
allowedServerDefinedClientTags
Constructor-defined clients β pre-define VPN clients with tags in config for declarative, code-driven setup
Rootless operation β uses userspace NAT (smoltcp) with no root required
Destination policy β configurable
forceTarget,
block, or
allow with allowList/blockList for granular traffic control
Client management β create, enable, disable, rotate keys, export WireGuard/SmartVPN configs via OpsServer API and dashboard
IP-based enforcement β VPN clients get IPs from a configurable subnet; SmartProxy enforces
ipAllowList per route
PROXY protocol v2 β the NAT engine sends PP v2 on outbound connections to preserve VPN client identity
β‘ High Performance
Rust-powered proxy engine via SmartProxy for maximum throughput
Rust-powered MTA engine via smartmta (TypeScript + Rust hybrid) for reliable email delivery
Rust-powered DNS engine via SmartDNS for high-performance UDP and DNS-over-HTTPS
Connection pooling for outbound SMTP and backend services
Socket-handler mode β direct socket passing eliminates internal port hops
Real-time metrics via SmartMetrics (CPU, memory, connections, throughput)
πΎ Persistent Storage & Caching
Multiple storage backends: filesystem, custom functions, or in-memory
Embedded cache database via smartdata + smartdb (MongoDB-compatible)
Automatic TTL-based cleanup for cached emails and IP reputation data
π₯οΈ OpsServer Dashboard
Web-based management interface with real-time monitoring
JWT authentication with session persistence
Live views for connections, email queues, DNS queries, RADIUS sessions, certificates, remote ingress edges, VPN clients, and security events
Domain-centric certificate overview with backoff status and one-click reprovisioning
Remote ingress management with connection token generation and one-click copy
Read-only configuration display β DcRouter is configured through code
Smart tab visibility handling β auto-pauses all polling, WebSocket connections, and chart updates when the browser tab is hidden, preventing resource waste and tab freezing
π§ Programmatic API Client
Object-oriented API β resource classes (
Route,
Certificate,
ApiToken,
RemoteIngress,
Email) with instance methods
Builder pattern β fluent
.setName().setMatch().save() chains for creating routes, tokens, and edges
Auto-injected auth β JWT identity and API tokens included automatically in every request
Dual auth modes β login with credentials (JWT) or pass an API token for programmatic access
Full coverage β wraps every OpsServer endpoint with typed request/response pairs
Installation
pnpm add @serve.zone/dcrouter
# or
npm install @serve.zone/dcrouter
Prerequisites
Node.js 20+ with ES module support
Valid domain with DNS control (for ACME certificate automation)
Cloudflare API token (for DNS-01 challenges) β optional
Quick Start
Basic HTTP/HTTPS Router
import { DcRouter } from '@serve.zone/dcrouter';
const router = new DcRouter({
smartProxyConfig: {
routes: [
{
name: 'web-app',
match: { domains: ['example.com', 'www.example.com'], ports: [443] },
action: {
type: 'forward',
targets: [{ host: '192.168.1.10', port: 8080 }],
tls: { mode: 'terminate', certificate: 'auto' }
}
}
],
acme: {
email: 'admin@example.com',
enabled: true,
useProduction: true
}
}
});
await router.start();
Basic Email Server
import { DcRouter } from '@serve.zone/dcrouter';
const router = new DcRouter({
emailConfig: {
ports: [25, 587, 465],
hostname: 'mail.example.com',
domains: [
{
domain: 'example.com',
dnsMode: 'external-dns'
}
],
routes: [
{
name: 'process-all',
match: { recipients: '*@example.com' },
action: {
type: 'process',
process: { scan: true, dkim: true, queue: 'normal' }
}
}
]
}
});
await router.start();
Full Stack with Dashboard
import { DcRouter } from '@serve.zone/dcrouter';
const router = new DcRouter({
// HTTP/HTTPS routing
smartProxyConfig: {
routes: [
{
name: 'website',
match: { domains: ['example.com'], ports: [443] },
action: {
type: 'forward',
targets: [{ host: '192.168.1.10', port: 80 }],
tls: { mode: 'terminate', certificate: 'auto' }
}
}
],
acme: { email: 'ssl@example.com', enabled: true, useProduction: true }
},
// Email system (powered by smartmta)
emailConfig: {
ports: [25, 587, 465],
hostname: 'mail.example.com',
domains: [{ domain: 'example.com', dnsMode: 'external-dns' }],
routes: [
{
name: 'inbound-mail',
match: { recipients: '*@example.com' },
action: { type: 'process', process: { scan: true, dkim: true, queue: 'normal' } }
}
]
},
// Authoritative DNS
dnsNsDomains: ['ns1.example.com', 'ns2.example.com'],
dnsScopes: ['example.com'],
publicIp: '203.0.113.1',
dnsRecords: [
{ name: 'example.com', type: 'A', value: '203.0.113.1' },
{ name: 'www.example.com', type: 'CNAME', value: 'example.com' }
],
// RADIUS authentication
radiusConfig: {
authPort: 1812,
acctPort: 1813,
clients: [
{ name: 'switch-1', ipRange: '192.168.1.0/24', secret: 'radius-secret', enabled: true }
],
vlanAssignment: {
defaultVlan: 100,
allowUnknownMacs: true,
mappings: [
{ mac: 'aa:bb:cc:dd:ee:ff', vlan: 10, enabled: true },
{ mac: 'aa:bb:cc', vlan: 20, enabled: true } // OUI prefix
]
},
accounting: { enabled: true, retentionDays: 30 }
},
// Remote Ingress β edge nodes tunnel traffic to this hub
remoteIngressConfig: {
enabled: true,
tunnelPort: 8443,
hubDomain: 'hub.example.com',
},
// VPN β restrict sensitive routes to VPN clients
vpnConfig: {
enabled: true,
serverEndpoint: 'vpn.example.com',
clients: [
{ clientId: 'dev-laptop', serverDefinedClientTags: ['engineering'] },
],
},
// Persistent storage
storage: { fsPath: '/var/lib/dcrouter/data' },
// Cache database
cacheConfig: { enabled: true, storagePath: '~/.serve.zone/dcrouter/tsmdb' },
// TLS & ACME
tls: { contactEmail: 'admin@example.com' },
dnsChallenge: { cloudflareApiKey: process.env.CLOUDFLARE_API_KEY }
});
await router.start();
// OpsServer dashboard available at http://localhost:3000
Architecture
System Overview
graph TB
subgraph "External Traffic"
HTTP[HTTP/HTTPS Clients]
SMTP[SMTP Clients]
TCP[TCP Clients]
DNS[DNS Queries]
RAD[RADIUS Clients]
EDGE[Edge Nodes]
VPN[VPN Clients]
end
subgraph "DcRouter Core"
DC[DcRouter Orchestrator]
SP[SmartProxy Engine
Rust-powered]
ES[smartmta Email Server
TypeScript + Rust]
DS[SmartDNS Server
Rust-powered]
RS[SmartRadius Server]
RI[RemoteIngress Hub
Rust data plane]
VS[SmartVPN Server
Rust data plane]
CM[Certificate Manager
smartacme v9]
OS[OpsServer Dashboard]
MM[Metrics Manager]
SM[Storage Manager]
CD[Cache Database]
end
subgraph "Backend Services"
WEB[Web Services]
MAIL[Mail Servers]
DB[Databases]
API[Internal APIs]
end
HTTP --> SP
TCP --> SP
SMTP --> ES
DNS --> DS
RAD --> RS
EDGE --> RI
VPN --> VS
DC --> SP
DC --> ES
DC --> DS
DC --> RS
DC --> RI
DC --> VS
DC --> CM
DC --> OS
DC --> MM
DC --> SM
DC --> CD
SP --> WEB
SP --> API
ES --> MAIL
ES --> DB
RI --> SP
CM -.-> SP
CM -.-> ES
Core Components
Component
Package
Description
DcRouter
@serve.zone/dcrouter
Central orchestrator β starts, stops, and coordinates all services
SmartProxy
@push.rocks/smartproxy
High-performance HTTP/HTTPS and TCP/SNI proxy with route-based config (Rust engine)
UnifiedEmailServer
@push.rocks/smartmta
Full SMTP server with pattern-based routing, DKIM, queue management (TypeScript + Rust)
DNS Server
@push.rocks/smartdns
Authoritative DNS with dynamic records and DKIM TXT auto-generation (Rust engine)
SmartAcme
@push.rocks/smartacme
ACME certificate management with per-domain dedup, concurrency control, and rate limiting
RADIUS Server
@push.rocks/smartradius
Network authentication with MAB, VLAN assignment, and accounting
RemoteIngress
@serve.zone/remoteingress
Distributed edge tunneling with Rust data plane and TS management
OpsServer
@api.global/typedserver
Web dashboard + TypedRequest API for monitoring and management
MetricsManager
@push.rocks/smartmetrics
Real-time metrics collection (CPU, memory, email, DNS, security)
StorageManager
built-in
Pluggable key-value storage (filesystem, custom, or in-memory)
CacheDb
@push.rocks/smartdb
Embedded MongoDB-compatible database (LocalSmartDb) for persistent caching
How It Works
DcRouter acts purely as an orchestrator β it doesn't implement protocols itself. Instead, it wires together best-in-class packages for each protocol:
On
start(): DcRouter initializes OpsServer (default port 3000, configurable via
opsServerPort), then spins up SmartProxy, smartmta, SmartDNS, SmartRadius, RemoteIngress, and SmartVPN based on which configs are provided. Services start in dependency order via
ServiceManager.
During operation: Each service handles its own protocol independently. SmartProxy uses a Rust-powered engine for maximum throughput. smartmta uses a hybrid TypeScript + Rust architecture for reliable email delivery. RemoteIngress runs a Rust data plane for edge tunnel networking. SmartVPN runs a Rust data plane for WireGuard and custom transports. SmartAcme v9 handles all certificate operations with built-in concurrency control and rate limiting.
On
stop(): All services are gracefully shut down in parallel, including cleanup of HTTP agents and DNS clients.
Rust-Powered Architecture
DcRouter itself is a pure TypeScript orchestrator, but several of its core sub-components ship with compiled Rust binaries for performance-critical paths. At runtime each package detects the platform, unpacks the correct binary, and communicates with TypeScript over IPC/FFI β so you get the ergonomics of TypeScript with the throughput of native code.
Component
Rust Binary
What It Handles
SmartProxy
smartproxy-bin
All TCP/TLS/HTTP proxy networking, NFTables integration, connection metrics
smartmta
mailer-bin
SMTP server + client, DKIM/SPF/DMARC, content scanning, IP reputation
SmartDNS
smartdns-bin
DNS server (UDP + DNS-over-HTTPS), DNSSEC, DNS client resolution
RemoteIngress
remoteingress-bin
Edge tunnel data plane, multiplexed streams, heartbeat management
SmartVPN
smartvpn_daemon
WireGuard (boringtun), Noise IK handshake, QUIC/WS transports, userspace NAT (smoltcp)
SmartRadius
β
Pure TypeScript (no Rust component)
Configuration Reference
IDcRouterOptions
interface IDcRouterOptions {
// ββ Base βββββββββββββββββββββββββββββββββββββββββββββββββββββββ
/** Base directory for all dcrouter data. Defaults to ~/.serve.zone/dcrouter */
baseDir?: string;
// ββ Traffic Routing ββββββββββββββββββββββββββββββββββββββββββββ
/** SmartProxy config for HTTP/HTTPS and TCP/SNI routing */
smartProxyConfig?: ISmartProxyOptions;
// ββ Email ββββββββββββββββββββββββββββββββββββββββββββββββββββββ
/** Unified email server configuration (smartmta) */
emailConfig?: IUnifiedEmailServerOptions;
/** Custom email port mapping overrides */
emailPortConfig?: {
portMapping?: Record;
portSettings?: Record;
receivedEmailsPath?: string;
};
// ββ DNS ββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
/** Nameserver domains β get A records automatically */
dnsNsDomains?: string[];
/** Domains this server is authoritative for */
dnsScopes?: string[];
/** Public IP for NS A records */
publicIp?: string;
/** Ingress proxy IPs (hides real server IP) */
proxyIps?: string[];
/** Custom DNS records */
dnsRecords?: Array<{
name: string;
type: 'A' | 'AAAA' | 'CNAME' | 'MX' | 'TXT' | 'NS' | 'SOA';
value: string;
ttl?: number;
useIngressProxy?: boolean;
}>;
// ββ RADIUS βββββββββββββββββββββββββββββββββββββββββββββββββββββ
/** RADIUS server for network authentication */
radiusConfig?: {
authPort?: number; // default: 1812
acctPort?: number; // default: 1813
clients: IRadiusClient[];
vlanAssignment?: IVlanManagerConfig;
accounting?: { enabled: boolean; retentionDays?: number };
};
// ββ Remote Ingress βββββββββββββββββββββββββββββββββββββββββββββ
/** Remote Ingress hub for edge tunnel connections */
remoteIngressConfig?: {
enabled?: boolean; // default: false
tunnelPort?: number; // default: 8443
hubDomain?: string; // External hostname for connection tokens
tls?: {
certPath?: string;
keyPath?: string;
};
};
// ββ VPN βββββββββββββββββββββββββββββββββββββββββββββββββββββββ
/** VPN server for route-level access control */
vpnConfig?: {
enabled?: boolean; // default: false
subnet?: string; // default: '10.8.0.0/24'
wgListenPort?: number; // default: 51820
dns?: string[]; // DNS servers pushed to VPN clients
serverEndpoint?: string; // Hostname in generated client configs
clients?: Array<{ // Pre-defined VPN clients
clientId: string;
serverDefinedClientTags?: string[];
description?: string;
}>;
destinationPolicy?: { // Traffic routing policy
default: 'forceTarget' | 'block' | 'allow';
target?: string; // IP for forceTarget (default: '127.0.0.1')
allowList?: string[]; // Pass through directly
blockList?: string[]; // Always block (overrides allowList)
};
};
// ββ HTTP/3 (QUIC) ββββββββββββββββββββββββββββββββββββββββββββ
/** HTTP/3 config β enabled by default on qualifying HTTPS routes */
http3?: {
enabled?: boolean; // default: true
quicSettings?: {
maxIdleTimeout?: number; // default: 30000ms
maxConcurrentBidiStreams?: number; // default: 100
maxConcurrentUniStreams?: number; // default: 100
initialCongestionWindow?: number;
};
altSvc?: {
port?: number; // default: listening port
maxAge?: number; // default: 86400s
};
udpSettings?: {
sessionTimeout?: number; // default: 60000ms
maxSessionsPerIP?: number; // default: 1000
maxDatagramSize?: number; // default: 65535
};
};
// ββ OpsServer ββββββββββββββββββββββββββββββββββββββββββββββββ
/** Port for the OpsServer web dashboard (default: 3000) */
opsServerPort?: number;
// ββ TLS & Certificates ββββββββββββββββββββββββββββββββββββββββ
tls?: {
contactEmail: string;
domain?: string;
certPath?: string;
keyPath?: string;
};
dnsChallenge?: { cloudflareApiKey?: string };
// ββ Storage & Caching βββββββββββββββββββββββββββββββββββββββββ
storage?: {
fsPath?: string;
readFunction?: (key: string) => Promise;
writeFunction?: (key: string, value: string) => Promise;
};
cacheConfig?: {
enabled?: boolean; // default: true
storagePath?: string; // default: '~/.serve.zone/dcrouter/tsmdb'
dbName?: string; // default: 'dcrouter'
cleanupIntervalHours?: number; // default: 1
ttlConfig?: {
emails?: number; // default: 30 days
ipReputation?: number; // default: 1 day
bounces?: number; // default: 30 days
dkimKeys?: number; // default: 90 days
suppression?: number; // default: 30 days
};
};
}
HTTP/HTTPS & TCP/SNI Routing
DcRouter uses SmartProxy for all HTTP/HTTPS and TCP/SNI routing. Routes are pattern-matched by domain, port, or both.
HTTPS with Auto-TLS
{
name: 'api-gateway',
match: { domains: ['api.example.com'], ports: [443] },
action: {
type: 'forward',
targets: [{ host: '192.168.1.20', port: 8080 }],
tls: { mode: 'terminate', certificate: 'auto' }
}
}
TLS Passthrough (SNI Routing)
{
name: 'secure-backend',
match: { domains: ['secure.example.com'], ports: [8443] },
action: {
type: 'forward',
targets: [{ host: '192.168.1.40', port: 8443 }],
tls: { mode: 'passthrough' }
}
}
TCP Port Range Forwarding
{
name: 'database-cluster',
match: { ports: [{ from: 5432, to: 5439 }] },
action: {
type: 'forward',
targets: [{ host: '192.168.1.30', port: 'preserve' }],
security: { ipAllowList: ['192.168.1.0/24'] }
}
}
HTTP Redirect
{
name: 'http-to-https',
match: { ports: [80] },
action: { type: 'redirect', redirect: { to: 'https://{domain}{path}' } }
}
HTTP/3 (QUIC) Support
DcRouter ships with HTTP/3 enabled by default π. All qualifying HTTPS routes on port 443 are automatically augmented with QUIC/H3 configuration β no extra setup needed. Under the hood, SmartProxy's native HTTP/3 support (via
IRouteQuic) handles QUIC transport, Alt-Svc advertisement, and HTTP/3 negotiation.
How It Works
When DcRouter assembles routes in
setupSmartProxy(), it automatically augments qualifying routes with:
match.transport: 'all' β listen on both TCP (HTTP/1.1 + HTTP/2) and UDP (QUIC/HTTP/3) on the same port
action.udp.quic β QUIC configuration with
enableHttp3: true and
altSvcMaxAge: 86400
Browsers that support HTTP/3 will discover it via the
Alt-Svc header on initial TCP responses, then upgrade to QUIC for subsequent requests.
What Gets Augmented
A route qualifies for HTTP/3 augmentation when all of these are true:
Port includes 443 (single number, array, or range)
Action type is
forward (not
socket-handler)
TLS is enabled (passthrough, terminate, or terminate-and-reencrypt)
Route is not an email route (ports 25/587/465)
Route doesn't already have
transport: 'all' or existing
udp.quic config
Zero-Config (Default Behavior)
// HTTP/3 is ON by default β this route automatically gets QUIC/H3:
const router = new DcRouter({
smartProxyConfig: {
routes: [{
name: 'web-app',
match: { domains: ['example.com'], ports: [443] },
action: {
type: 'forward',
targets: [{ host: '192.168.1.10', port: 8080 }],
tls: { mode: 'terminate', certificate: 'auto' }
}
}]
}
});
Per-Route Opt-Out
Disable HTTP/3 on a specific route using
action.options.http3:
{
name: 'legacy-app',
match: { domains: ['legacy.example.com'], ports: [443] },
action: {
type: 'forward',
targets: [{ host: '192.168.1.50', port: 8080 }],
tls: { mode: 'terminate', certificate: 'auto' },
options: { http3: false } // β This route stays TCP-only
}
}
Global Opt-Out
Disable HTTP/3 across all routes:
const router = new DcRouter({
http3: { enabled: false },
smartProxyConfig: { routes: [/* ... */] }
});
Custom QUIC Settings
Fine-tune QUIC parameters globally:
const router = new DcRouter({
http3: {
quicSettings: {
maxIdleTimeout: 60000, // 60s idle timeout
maxConcurrentBidiStreams: 200, // More parallel streams
maxConcurrentUniStreams: 50,
},
altSvc: {
maxAge: 3600, // 1 hour Alt-Svc cache
},
udpSettings: {
sessionTimeout: 120000, // 2 min UDP session timeout
maxSessionsPerIP: 500,
}
},
smartProxyConfig: { routes: [/* ... */] }
});
Programmatic Routes
Routes added at runtime via the Route Management API also get HTTP/3 augmentation automatically β the
RouteConfigManager applies the same augmentation logic when merging programmatic routes.
Email System
The email system is powered by
@push.rocks/smartmta, a TypeScript + Rust hybrid MTA. DcRouter configures and orchestrates smartmta's UnifiedEmailServer, which handles SMTP sessions, route matching, delivery queuing, DKIM signing, and all email processing.
Email Domain Configuration
Domains define infrastructure β how DNS and DKIM are handled for each domain:
Forward Mode
Simple forwarding without local DNS management:
{
domain: 'forwarded.com',
dnsMode: 'forward',
dns: { forward: { skipDnsValidation: true, targetDomain: 'mail.target.com' } }
}
Internal DNS Mode
Uses DcRouter's built-in DNS server (requires
dnsNsDomains +
dnsScopes):
{
domain: 'mail.example.com',
dnsMode: 'internal-dns',
dns: { internal: { mxPriority: 10, ttl: 3600 } },
dkim: { selector: 'mail2024', keySize: 2048, rotateKeys: true, rotationInterval: 90 }
}
External DNS Mode
Uses existing DNS infrastructure with validation:
{
domain: 'mail.external.com',
dnsMode: 'external-dns',
dns: { external: { requiredRecords: ['MX', 'SPF', 'DKIM', 'DMARC'] } },
rateLimits: {
inbound: { messagesPerMinute: 100, connectionsPerIp: 10 },
outbound: { messagesPerMinute: 200 }
}
}
Email Route Actions
Routes define behavior β what happens when an email matches:
Forward π€
Routes emails to an external SMTP server:
{
name: 'forward-to-internal',
match: { recipients: '*@company.com' },
action: {
type: 'forward',
forward: {
host: 'internal-mail.company.com',
port: 25,
auth: { user: 'relay-user', pass: 'relay-pass' },
addHeaders: { 'X-Forwarded-By': 'dcrouter' }
}
}
}
Process βοΈ
Full MTA processing with content scanning and delivery queues:
{
name: 'process-notifications',
match: { recipients: '*@notifications.company.com' },
action: {
type: 'process',
process: { scan: true, dkim: true, queue: 'priority' }
}
}
Deliver π₯
Local mailbox delivery:
{
name: 'deliver-local',
match: { recipients: '*@local.company.com' },
action: { type: 'deliver' }
}
Reject π«
Reject with custom SMTP response code:
{
name: 'reject-spam-domain',
match: { senders: '*@spam-domain.com', sizeRange: { min: 1000000 } },
action: {
type: 'reject',
reject: { code: 550, message: 'Message rejected due to policy' }
}
}
Route Matching
Routes support powerful matching criteria:
// Recipient patterns
match: { recipients: '*@example.com' } // All addresses at domain
match: { recipients: 'admin@*' } // "admin" at any domain
match: { senders: ['*@trusted.com', '*@vip.com'] } // Multiple sender patterns
// IP-based matching (CIDR)
match: { clientIp: '192.168.0.0/16' }
match: { clientIp: ['10.0.0.0/8', '172.16.0.0/12'] }
// Authentication state
match: { authenticated: true }
// Header matching
match: { headers: { 'X-Priority': 'high', 'Subject': /urgent|emergency/i } }
// Size and content
match: { sizeRange: { min: 1000, max: 5000000 }, hasAttachments: true }
match: { subject: /invoice|receipt/i }
Email Security Stack
DKIM β Automatic key generation, signing, and rotation for all domains
SPF β Sender Policy Framework verification on inbound mail
DMARC β Domain-based Message Authentication verification
IP Reputation β Real-time IP reputation checking with caching
Content Scanning β Spam, virus, and attachment scanning
Rate Limiting β Hierarchical limits (global β domain β sender)
Bounce Management β Automatic bounce detection and suppression lists
Email Deliverability
IP Warmup Manager β Multi-stage warmup schedules for new IPs
Sender Reputation Monitor β Per-domain reputation tracking and scoring
Connection Pooling β Pooled outbound SMTP connections per destination
DNS Server
DcRouter includes an authoritative DNS server built on smartdns. It handles standard UDP DNS on port 53 and DNS-over-HTTPS via SmartProxy socket handler.
Enabling DNS
DNS is activated when both
dnsNsDomains and
dnsScopes are configured:
const router = new DcRouter({
dnsNsDomains: ['ns1.example.com', 'ns2.example.com'],
dnsScopes: ['example.com'],
publicIp: '203.0.113.1',
dnsRecords: [
{ name: 'example.com', type: 'A', value: '203.0.113.1' },
{ name: 'www.example.com', type: 'CNAME', value: 'example.com' },
{ name: 'example.com', type: 'MX', value: '10:mail.example.com' },
{ name: 'example.com', type: 'TXT', value: 'v=spf1 a mx ~all' }
]
});
Automatic DNS Records
DcRouter auto-generates:
NS records for all domains in
dnsScopes
SOA records for authoritative zones
A records for nameserver domains (
dnsNsDomains)
MX, SPF, DKIM, DMARC records for email domains with
internal-dns mode
ACME challenge records for certificate provisioning
Ingress Proxy Support
When
proxyIps is configured, A records with
useIngressProxy: true (default) will use the proxy IP instead of the real server IP β hiding your origin:
{
proxyIps: ['198.51.100.1', '198.51.100.2'],
dnsRecords: [
{ name: 'example.com', type: 'A', value: '203.0.113.1' }, // Will resolve to 198.51.100.1
{ name: 'ns1.example.com', type: 'A', value: '203.0.113.1', useIngressProxy: false } // Stays real IP
]
}
RADIUS Server
DcRouter includes a RADIUS server for network access control, built on smartradius.
Configuration
const router = new DcRouter({
radiusConfig: {
authPort: 1812,
acctPort: 1813,
clients: [
{
name: 'core-switch',
ipRange: '192.168.1.0/24',
secret: 'shared-secret',
enabled: true
}
],
vlanAssignment: {
defaultVlan: 100,
allowUnknownMacs: true,
mappings: [
{ mac: 'aa:bb:cc:dd:ee:ff', vlan: 10, enabled: true }, // Exact MAC
{ mac: 'aa:bb:cc', vlan: 20, enabled: true }, // OUI prefix
]
},
accounting: {
enabled: true,
retentionDays: 30
}
}
});
Components
Component
Purpose
RadiusServer
Main RADIUS server handling auth + accounting requests
VlanManager
MAC-to-VLAN mapping with exact, OUI, and wildcard patterns
AccountingManager
Session tracking, traffic metering, start/stop/interim updates
OpsServer API
RADIUS is fully manageable at runtime via the OpsServer API:
Client management (add/remove/list NAS devices)
VLAN mapping CRUD operations
Session monitoring and forced disconnects
Accounting summaries and statistics
Remote Ingress
DcRouter can act as a hub for distributed edge nodes using
@serve.zone/remoteingress. Edge nodes accept incoming traffic at remote locations and tunnel it back to the hub over a single multiplexed connection. This is ideal for scenarios where you need to accept traffic at multiple geographic locations but process it centrally.
Enabling Remote Ingress
const router = new DcRouter({
remoteIngressConfig: {
enabled: true,
tunnelPort: 8443,
hubDomain: 'hub.example.com', // Embedded in connection tokens
},
// Routes tagged with remoteIngress are auto-derived to edge listen ports
smartProxyConfig: {
routes: [
{
name: 'web-via-edge',
match: { domains: ['app.example.com'], ports: [443] },
action: {
type: 'forward',
targets: [{ host: '192.168.1.10', port: 8080 }],
tls: { mode: 'terminate', certificate: 'auto' }
},
remoteIngress: { enabled: true } // Edges will listen on port 443
}
]
}
});
await router.start();
Edge Registration
Edges are registered via the OpsServer API (or dashboard UI). Each edge gets a unique ID and secret:
// Via TypedRequest API
const createReq = new TypedRequest(
'https://hub:3000/typedrequest', 'createRemoteIngress'
);
const { edge } = await createReq.fire({
identity,
name: 'edge-nyc-01',
autoDerivePorts: true,
tags: ['us-east'],
});
// edge.secret is returned only on creation β save it!
Connection Tokens π
Instead of configuring edges with four separate values (hubHost, hubPort, edgeId, secret), DcRouter can generate a single connection token β an opaque base64url string that encodes everything:
// Via TypedRequest API
const tokenReq = new TypedRequest(
'https://hub:3000/typedrequest', 'getRemoteIngressConnectionToken'
);
const { token } = await tokenReq.fire({ identity, edgeId: 'edge-uuid' });
// token = "eyJoIjoiaHViLmV4YW1wbGUuY29tIiwicCI6ODQ0MywiZSI6I..."
// On the edge side, just pass the token:
const edge = new RemoteIngressEdge({ token });
await edge.start();
The token is generated using
remoteingress.encodeConnectionToken() and contains
{ hubHost, hubPort, edgeId, secret }. The
hubHost comes from
remoteIngressConfig.hubDomain (or can be overridden per-request).
In the OpsServer dashboard, click "Copy Token" on any edge row to copy the connection token to your clipboard.
Auto-Derived Ports
When routes have
remoteIngress: { enabled: true }, edges with
autoDerivePorts: true (default) automatically pick up those routes' ports. You can also use
edgeFilter to restrict which edges get which ports:
{
name: 'web-route',
match: { ports: [443] },
action: { /* ... */ },
remoteIngress: {
enabled: true,
edgeFilter: ['us-east', 'edge-uuid-123'] // Only edges with matching id or tags
}
}
Dashboard Actions
The OpsServer Remote Ingress view provides:
Action
Description
Create Edge Node
Register a new edge with name, ports, tags
Enable / Disable
Toggle an edge on or off
Edit
Modify name, manual ports, auto-derive setting, tags
Regenerate Secret
Issue a new secret (invalidates the old one)
Copy Token
Generate and copy a base64url connection token to clipboard
Delete
Remove the edge registration
VPN Access Control
DcRouter integrates
@push.rocks/smartvpn to provide VPN-based route access control. VPN clients connect via standard WireGuard or native WebSocket/QUIC transports, receive an IP from a configurable subnet, and can then access routes that are restricted to VPN-only traffic.
How It Works
SmartVPN daemon runs inside dcrouter with a Rust data plane (WireGuard via
boringtun, custom protocol via Noise IK)
Clients connect and get assigned an IP from the VPN subnet (e.g.
10.8.0.0/24)
Smart split tunnel β generated WireGuard configs auto-include the VPN subnet plus DNS-resolved IPs of VPN-gated domains. Domains from routes with
vpn.enabled are resolved at config generation time, so clients route only the necessary traffic through the tunnel
Routes with
vpn: { enabled: true } get
security.ipAllowList dynamically injected (re-computed on every client change). With
mandatory: true (default), the allowlist is replaced; with
mandatory: false, VPN IPs are appended to existing rules
When
allowedServerDefinedClientTags is set, only matching client IPs are injected (not the whole subnet)
SmartProxy enforces the allowlist β only authorized VPN clients can access protected routes
All VPN traffic is forced through SmartProxy via userspace NAT with PROXY protocol v2 β no root required
Destination Policy
By default, VPN client traffic is redirected to localhost (SmartProxy) via
forceTarget. You can customize this with a destination policy:
// Default: all traffic β SmartProxy
destinationPolicy: { default: 'forceTarget', target: '127.0.0.1' }
// Allow direct access to a backend subnet
destinationPolicy: {
default: 'forceTarget',
target: '127.0.0.1',
allowList: ['192.168.190.*'], // direct access to this subnet
blockList: ['192.168.190.1'], // except the gateway
}
// Block everything except specific IPs
destinationPolicy: {
default: 'block',
allowList: ['10.0.0.*', '192.168.1.*'],
}
Configuration
const router = new DcRouter({
vpnConfig: {
enabled: true,
subnet: '10.8.0.0/24', // VPN client IP pool (default)
wgListenPort: 51820, // WireGuard UDP port (default)
serverEndpoint: 'vpn.example.com', // Hostname in generated client configs
dns: ['1.1.1.1', '8.8.8.8'], // DNS servers pushed to clients
// Pre-define VPN clients with server-defined tags
clients: [
{ clientId: 'alice-laptop', serverDefinedClientTags: ['engineering'], description: 'Dev laptop' },
{ clientId: 'bob-phone', serverDefinedClientTags: ['engineering', 'mobile'] },
{ clientId: 'carol-desktop', serverDefinedClientTags: ['finance'] },
],
// Optional: customize destination policy (default: forceTarget β localhost)
// destinationPolicy: { default: 'forceTarget', target: '127.0.0.1', allowList: ['192.168.1.*'] },
},
smartProxyConfig: {
routes: [
// π VPN-only: any VPN client can access
{
name: 'internal-app',
match: { domains: ['internal.example.com'], ports: [443] },
action: {
type: 'forward',
targets: [{ host: '192.168.1.50', port: 8080 }],
tls: { mode: 'terminate', certificate: 'auto' },
},
vpn: { enabled: true },
},
// π VPN + tag-restricted: only 'engineering' tagged clients
{
name: 'eng-dashboard',
match: { domains: ['eng.example.com'], ports: [443] },
action: {
type: 'forward',
targets: [{ host: '192.168.1.51', port: 8080 }],
tls: { mode: 'terminate', certificate: 'auto' },
},
vpn: { enabled: true, allowedServerDefinedClientTags: ['engineering'] },
// β alice + bob can access, carol cannot
},
// π Public: no VPN
{
name: 'public-site',
match: { domains: ['example.com'], ports: [443] },
action: {
type: 'forward',
targets: [{ host: '192.168.1.10', port: 80 }],
tls: { mode: 'terminate', certificate: 'auto' },
},
},
],
},
});
Client Tags
SmartVPN distinguishes between two types of client tags:
Tag Type
Set By
Purpose
serverDefinedClientTags
Admin (via config or API)
Trusted β used for route access control
clientDefinedClientTags
Connecting client
Informational β displayed in dashboard, never used for security
Routes with
allowedServerDefinedClientTags only permit VPN clients whose admin-assigned tags match. Clients cannot influence their own server-defined tags.
Client Management via OpsServer
The OpsServer dashboard and API provide full VPN client lifecycle management:
Create client β generates WireGuard keypairs, assigns IP, returns a ready-to-use
.conf file
QR code β scan with the WireGuard mobile app (iOS/Android) for instant setup
Enable / Disable β toggle client access without deleting
Rotate keys β generate fresh keypairs (invalidates old ones)
Export config β download in WireGuard (
.conf), SmartVPN (
.json), or scan as QR code
Telemetry β per-client bytes sent/received, keepalives, rate limiting
Delete β remove a client and revoke access
Standard WireGuard clients on any platform (iOS, Android, macOS, Windows, Linux) can connect using the generated
.conf file or by scanning the QR code β no custom VPN software needed.
Certificate Management
DcRouter uses
@push.rocks/smartacme v9 for ACME certificate provisioning. smartacme v9 brings significant improvements over previous versions:
How It Works
When a
dnsChallenge is configured (e.g. with a Cloudflare API key), DcRouter creates a SmartAcme instance that handles DNS-01 challenges for automatic certificate provisioning. SmartProxy calls the
certProvisionFunction whenever a route needs a TLS certificate, and SmartAcme takes care of the rest.
const router = new DcRouter({
smartProxyConfig: {
routes: [
{
name: 'secure-app',
match: { domains: ['app.example.com'], ports: [443] },
action: {
type: 'forward',
targets: [{ host: '192.168.1.10', port: 8080 }],
tls: { mode: 'terminate', certificate: 'auto' } // β triggers ACME provisioning
}
}
],
acme: { email: 'admin@example.com', enabled: true, useProduction: true }
},
tls: { contactEmail: 'admin@example.com' },
dnsChallenge: { cloudflareApiKey: process.env.CLOUDFLARE_API_KEY }
});
smartacme v9 Features
Feature
Description
Per-domain deduplication
Concurrent requests for the same domain share a single ACME operation
Global concurrency cap
Default 5 parallel ACME operations to prevent overload
Account rate limiting
Sliding window (250 orders / 3 hours) to stay within ACME provider limits
Structured errors
AcmeError with
isRetryable,
isRateLimited,
retryAfter fields
Clean shutdown
stop() properly destroys HTTP agents and DNS clients
Per-Domain Backoff
DcRouter's
CertProvisionScheduler adds per-domain exponential backoff on top of smartacme's built-in protections. If a DNS-01 challenge fails for a domain:
The failure is recorded (persisted to storage)
The domain enters backoff:
min(failuresΒ² Γ 1 hour, 24 hours)
Subsequent requests for that domain are rejected until the backoff expires
On success, the backoff is cleared
This prevents hammering ACME servers for domains with persistent issues (e.g. missing DNS delegation).
Fallback to HTTP-01
If DNS-01 fails, the
certProvisionFunction returns
'http01' to tell SmartProxy to fall back to HTTP-01 challenge validation. This provides a safety net for domains where DNS-01 isn't viable.
Certificate Storage
Certificates are persisted via the
StorageBackedCertManager which uses DcRouter's
StorageManager. This means certs survive restarts and don't need to be re-provisioned unless they expire.
Dashboard
The OpsServer includes a Certificates view showing:
All domains with their certificate status (valid, expiring, expired, failed)
Certificate source (ACME, provision function, static)
Expiry dates and issuer information
Backoff status for failed domains
One-click reprovisioning per domain
Certificate import and export
Storage & Caching
StorageManager
Provides a unified key-value interface with three backends:
// Filesystem backend
storage: { fsPath: '/var/lib/dcrouter/data' }
// Custom backend (Redis, S3, etc.)
storage: {
readFunction: async (key) => await redis.get(key),
writeFunction: async (key, value) => await redis.set(key, value)
}
// In-memory (development only β data lost on restart)
// Simply omit the storage config
Used for: TLS certificates, DKIM keys, email routes, bounce/suppression lists, IP reputation data, domain configs, cert backoff state, remote ingress edge registrations.
Cache Database
An embedded MongoDB-compatible database (via smartdata + smartdb) for persistent caching with automatic TTL cleanup:
cacheConfig: {
enabled: true,
storagePath: '~/.serve.zone/dcrouter/tsmdb',
dbName: 'dcrouter',
cleanupIntervalHours: 1,
ttlConfig: {
emails: 30, // days
ipReputation: 1, // days
bounces: 30, // days
dkimKeys: 90, // days
suppression: 30 // days
}
}
Cached document types:
CachedEmail,
CachedIPReputation.
Security Features
IP Reputation Checking
Automatic IP reputation checks on inbound connections with configurable caching:
// IP reputation is checked automatically for inbound SMTP connections.
// Results are cached according to cacheConfig.ttlConfig.ipReputation.
Rate Limiting
Hierarchical rate limits with three levels of specificity:
// Global defaults (via emailConfig.defaults.rateLimits)
defaults: {
rateLimits: {
inbound: { messagesPerMinute: 50, connectionsPerIp: 5, recipientsPerMessage: 50 },
outbound: { messagesPerMinute: 100 }
}
}
// Per-domain overrides (in domain config)
{
domain: 'high-volume.com',
rateLimits: {
outbound: { messagesPerMinute: 500 } // Override for this domain
}
}
Precedence: Domain-specific > Pattern-specific > Global
Content Scanning
action: {
type: 'process',
options: {
contentScanning: true,
scanners: [
{ type: 'spam', threshold: 5.0, action: 'tag' },
{ type: 'virus', action: 'reject' },
{ type: 'attachment', blockedExtensions: ['.exe', '.bat', '.scr'], action: 'reject' }
]
}
}
OpsServer Dashboard
The OpsServer provides a web-based management interface served on port 3000 by default (configurable via
opsServerPort). It's built with modern web components using @design.estate/dees-catalog.
Dashboard Views
View
Description
π Overview
Real-time server stats, CPU/memory, connection counts, email throughput
π Network
Active connections, top IPs, throughput rates, SmartProxy metrics
π§ Email
Queue monitoring (queued/sent/failed), bounce records, security incidents
π£οΈ Routes
Merged route list (hardcoded + programmatic), create/edit/toggle/override routes
π API Tokens
Token management with scopes, create/revoke/roll/toggle
π Certificates
Domain-centric certificate overview, status, backoff info, reprovisioning, import/export
π RemoteIngress
Edge node management, connection status, token generation, enable/disable
π VPN
VPN client management, server status, create/toggle/export/rotate/delete clients
π‘ RADIUS
NAS client management, VLAN mappings, session monitoring, accounting
π Logs
Real-time log viewer with level filtering and search
βοΈ Configuration
Read-only view of current system configuration
π‘οΈ Security
IP reputation, rate limit status, blocked connections
API Endpoints
All management is done via TypedRequest over HTTP POST to
/typedrequest:
// Authentication
'adminLoginWithUsernameAndPassword' // Login with credentials β returns JWT identity
'verifyIdentity' // Verify JWT token validity
'adminLogout' // End admin session
// Statistics & Health
'getServerStatistics' // Uptime, CPU, memory, connections
'getHealthStatus' // System health check
'getCombinedMetrics' // All metrics in one call
// Email Operations
'getAllEmails' // List all emails (queued/sent/failed)
'getEmailDetail' // Full detail for a specific email
'resendEmail' // Re-queue a failed email
// Certificates
'getCertificateOverview' // Domain-centric certificate status
'reprovisionCertificate' // Reprovision by route name (legacy)
'reprovisionCertificateDomain' // Reprovision by domain (preferred)
'importCertificate' // Import a certificate
'exportCertificate' // Export a certificate
'deleteCertificate' // Delete a certificate
// Remote Ingress
'getRemoteIngresses' // List all edge registrations
'createRemoteIngress' // Register a new edge
'updateRemoteIngress' // Update edge settings
'deleteRemoteIngress' // Remove an edge
'regenerateRemoteIngressSecret' // Issue a new secret
'getRemoteIngressStatus' // Runtime status of all edges
'getRemoteIngressConnectionToken' // Generate a connection token for an edge
// Route Management (JWT or API token auth)
'getMergedRoutes' // List all routes (hardcoded + programmatic)
'createRoute' // Create a new programmatic route
'updateRoute' // Update a programmatic route
'deleteRoute' // Delete a programmatic route
'toggleRoute' // Enable/disable a programmatic route
'setRouteOverride' // Override a hardcoded route
'removeRouteOverride' // Remove a hardcoded route override
// API Token Management (admin JWT only)
'createApiToken' // Create API token β returns raw value once
'listApiTokens' // List all tokens (without secrets)
'revokeApiToken' // Delete an API token
'rollApiToken' // Regenerate token secret
'toggleApiToken' // Enable/disable a token
// Configuration (read-only)
'getConfiguration' // Current system config
// Logs
'getRecentLogs' // Retrieve system logs with filtering
'getLogStream' // Stream live logs
// VPN
'getVpnClients' // List all registered VPN clients
'getVpnStatus' // VPN server status (running, subnet, port, keys)
'createVpnClient' // Create client β returns WireGuard config (shown once)
'deleteVpnClient' // Remove a VPN client
'enableVpnClient' // Enable a disabled client
'disableVpnClient' // Disable a client
'rotateVpnClientKey' // Generate new keys (invalidates old ones)
'exportVpnClientConfig' // Export WireGuard (.conf) or SmartVPN (.json) config
'getVpnClientTelemetry' // Per-client bytes sent/received, keepalives
// RADIUS
'getRadiusSessions' // Active RADIUS sessions
'getRadiusClients' // List NAS clients
'getRadiusStatistics' // RADIUS stats
'setRadiusClient' // Add/update NAS client
'removeRadiusClient' // Remove NAS client
'getVlanMappings' // List VLAN mappings
'setVlanMapping' // Add/update VLAN mapping
'removeVlanMapping' // Remove VLAN mapping
'testVlanAssignment' // Test what VLAN a MAC gets
API Client
DcRouter ships with a typed, object-oriented API client for programmatic management of a running instance. Install it separately or import from the main package:
pnpm add @serve.zone/dcrouter-apiclient
# or import from the main package:
# import { DcRouterApiClient } from '@serve.zone/dcrouter/apiclient';
Quick Example
import { DcRouterApiClient } from '@serve.zone/dcrouter/apiclient';
const client = new DcRouterApiClient({ baseUrl: 'https://dcrouter.example.com' });
await client.login('admin', 'password');
// OO resource instances with methods
const { routes } = await client.routes.list();
await routes[0].toggle(false);
// Builder pattern for creation
const newRoute = await client.routes.build()
.setName('api-gateway')
.setMatch({ ports: 443, domains: ['api.example.com'] })
.setAction({ type: 'forward', targets: [{ host: 'backend', port: 8080 }] })
.setTls({ mode: 'terminate', certificate: 'auto' })
.save();
// Manage certificates
const { certificates, summary } = await client.certificates.list();
await certificates[0].reprovision();
// Create API tokens with builder
const token = await client.apiTokens.build()
.setName('ci-token')
.setScopes(['routes:read', 'routes:write'])
.setExpiresInDays(90)
.save();
console.log(token.tokenValue); // only available at creation
// Remote ingress edges
const edge = await client.remoteIngress.build()
.setName('edge-nyc-01')
.setListenPorts([80, 443])
.save();
const connToken = await edge.getConnectionToken();
// Read-only managers
const health = await client.stats.getHealth();
const config = await client.config.get();
const { logs } = await client.logs.getRecent({ level: 'error', limit: 50 });
Resource Managers
Manager
Operations
client.routes
list(),
create(),
build() β Route:
update(),
delete(),
toggle(),
setOverride(),
removeOverride()
client.certificates
list(),
import() β Certificate:
reprovision(),
delete(),
export()
client.apiTokens
list(),
create(),
build() β ApiToken:
revoke(),
roll(),
toggle()
client.remoteIngress
list(),
getStatuses(),
create(),
build() β RemoteIngress:
update(),
delete(),
regenerateSecret(),
getConnectionToken()
client.stats
getServer(),
getEmail(),
getDns(),
getSecurity(),
getConnections(),
getQueues(),
getHealth(),
getNetwork(),
getCombined()
client.config
get(section?)
client.logs
getRecent(),
getStream()
client.emails
list() β Email:
getDetail(),
resend()
client.radius
.clients,
.vlans,
.sessions sub-managers +
getStatistics(),
getAccountingSummary()
See the full API client documentation for detailed usage of every manager, builder, and resource class.
API Reference
DcRouter Class
import { DcRouter } from '@serve.zone/dcrouter';
const router = new DcRouter(options: IDcRouterOptions);
Methods
Method
Description
start(): Promise
Start all configured services
stop(): Promise
Gracefully stop all services
updateSmartProxyConfig(config): Promise
Hot-update SmartProxy routes
updateEmailConfig(config): Promise
Hot-update email configuration
updateEmailRoutes(routes): Promise
Update email routing rules at runtime
updateRadiusConfig(config): Promise
Hot-update RADIUS configuration
getStats(): any
Get real-time statistics from all services
Properties
Property
Type
Description
options
IDcRouterOptions
Current configuration
smartProxy
SmartProxy
SmartProxy instance
smartAcme
SmartAcme
SmartAcme v9 certificate manager instance
emailServer
UnifiedEmailServer
Email server instance (from smartmta)
dnsServer
DnsServer
DNS server instance
radiusServer
RadiusServer
RADIUS server instance
remoteIngressManager
RemoteIngressManager
Edge registration CRUD manager
tunnelManager
TunnelManager
Tunnel lifecycle and status manager
vpnManager
VpnManager
VPN server lifecycle and client CRUD manager
storageManager
StorageManager
Storage backend
opsServer
OpsServer
OpsServer/dashboard instance
metricsManager
MetricsManager
Metrics collector
cacheDb
CacheDb
Cache database instance
certProvisionScheduler
CertProvisionScheduler
Per-domain backoff scheduler for cert provisioning
certificateStatusMap
Map
Domain-keyed certificate status from SmartProxy events
Re-exported Types
DcRouter re-exports key types for convenience:
import {
DcRouter,
IDcRouterOptions,
UnifiedEmailServer,
type IUnifiedEmailServerOptions,
type IEmailRoute,
type IEmailDomainConfig,
type IHttp3Config,
} from '@serve.zone/dcrouter';
Sub-Modules
DcRouter is published as a monorepo with separately-installable interface and web packages:
Package
Description
Install
@serve.zone/dcrouter
Main package β the full router
pnpm add @serve.zone/dcrouter
@serve.zone/dcrouter-interfaces
TypedRequest interfaces for the OpsServer API
pnpm add @serve.zone/dcrouter-interfaces
@serve.zone/dcrouter-apiclient
OO API client with builder pattern
pnpm add @serve.zone/dcrouter-apiclient
@serve.zone/dcrouter-web
Web dashboard components
pnpm add @serve.zone/dcrouter-web
You can also import directly from the main package:
import { data, requests } from '@serve.zone/dcrouter/interfaces';
import { DcRouterApiClient } from '@serve.zone/dcrouter/apiclient';
Testing
DcRouter includes a comprehensive test suite covering all system components:
# Run all tests
pnpm test
# Run a specific test file
tstest test/test.jwt-auth.ts --verbose
# Run with extended timeout
tstest test/test.opsserver-api.ts --verbose --timeout 60
Test Coverage
Test File
Area
Tests
test.apiclient.ts
API client instantiation, builders, resource hydration, exports
18
test.contentscanner.ts
Content scanning (spam, phishing, malware, attachments)
13
test.dcrouter.email.ts
Email config, domain and route setup
4
test.dns-server-config.ts
DNS record parsing, grouping, extraction
5
test.dns-socket-handler.ts
DNS socket handler and route generation
6
test.errors.ts
Error classes, handler, retry utilities
5
test.http3-augmentation.ts
HTTP/3 route augmentation, qualification, opt-in/out, QUIC settings
20
test.ipreputationchecker.ts
IP reputation, DNSBL, caching, risk classification
10
test.jwt-auth.ts
JWT login, verification, logout, invalid credentials
8
test.opsserver-api.ts
Health, statistics, configuration, log APIs
8
test.protected-endpoint.ts
Admin auth, identity verification, public endpoints
8
test.storagemanager.ts
Memory, filesystem, custom backends, concurrency
8
Docker / OCI Container Deployment
DcRouter ships with a production-ready
Dockerfile and supports environment-variable-driven configuration for OCI container deployments. The container image includes tini as PID 1 (via the base image), proper health checks, and configurable resource limits. When
DCROUTER_MODE=OCI_CONTAINER is set, DcRouter automatically reads configuration from environment variables (and optionally from a JSON config file).
Running with Docker
docker run -d \
--ulimit nofile=65536:65536 \
-e DCROUTER_TLS_EMAIL=admin@example.com \
-e DCROUTER_PUBLIC_IP=203.0.113.1 \
-e DCROUTER_DNS_NS_DOMAINS=ns1.example.com,ns2.example.com \
-e DCROUTER_DNS_SCOPES=example.com \
-p 80:80 -p 443:443 -p 25:25 -p 587:587 -p 465:465 \
-p 53:53/udp -p 3000:3000 -p 8443:8443 \
code.foss.global/serve.zone/dcrouter:latest
β‘ Production tip: Always set
--ulimit nofile=65536:65536 for production deployments. DcRouter will log a warning at startup if the file descriptor limit is below 65536.
Environment Variables
Variable
Description
Default
Example
DCROUTER_MODE
Container mode (set automatically in image)
OCI_CONTAINER
β
DCROUTER_CONFIG_PATH
Path to JSON config file (env vars override)
β
/config/dcrouter.json
DCROUTER_BASE_DIR
Base data directory
~/.serve.zone/dcrouter
/data/dcrouter
DCROUTER_TLS_EMAIL
ACME contact email
β
admin@example.com
DCROUTER_TLS_DOMAIN
Primary TLS domain
β
example.com
DCROUTER_PUBLIC_IP
Public IP for DNS records
β
203.0.113.1
DCROUTER_PROXY_IPS
Comma-separated ingress proxy IPs
β
198.51.100.1,198.51.100.2
DCROUTER_DNS_NS_DOMAINS
Comma-separated nameserver domains
β
ns1.example.com,ns2.example.com
DCROUTER_DNS_SCOPES
Comma-separated authoritative domains
β
example.com,other.com
DCROUTER_EMAIL_HOSTNAME
SMTP server hostname
β
mail.example.com
DCROUTER_EMAIL_PORTS
Comma-separated email ports
β
25,587,465
DCROUTER_CACHE_ENABLED
Enable/disable cache database
true
false
DCROUTER_HEAP_SIZE
Node.js V8 heap size in MB
512
1024
DCROUTER_MAX_CONNECTIONS
Global max concurrent connections
50000
100000
DCROUTER_MAX_CONNECTIONS_PER_IP
Max connections per source IP
100
200
DCROUTER_CONNECTION_RATE_LIMIT
Max new connections/min per IP
600
1200
Exposed Ports
The container exposes all service ports:
Port(s)
Protocol
Service
80, 443
TCP
HTTP/HTTPS (SmartProxy)
25, 587, 465
TCP
SMTP, Submission, SMTPS
53
TCP/UDP
DNS
1812, 1813
UDP
RADIUS auth/acct
3000
TCP
OpsServer dashboard
8443
TCP
Remote ingress tunnels
51820
UDP
WireGuard VPN
29000β30000
TCP
Dynamic port range
Building the Image
pnpm run build:docker # Build the container image
pnpm run release:docker # Push to registry
The Docker build supports multi-platform (
linux/amd64,
linux/arm64) via tsdocker.
License and Legal Information
This repository contains open-source code licensed under the MIT License. A copy of the license can be found in the license file.
Please note: The MIT License does not grant permission to use the trade names, trademarks, service marks, or product names of the project, except as required for reasonable and customary use in describing the origin of the work and reproducing the content of the NOTICE file.
Trademarks
This project is owned and maintained by Task Venture Capital GmbH. The names and logos associated with Task Venture Capital GmbH and any related products or services are trademarks of Task Venture Capital GmbH or third parties, and are not included within the scope of the MIT license granted herein.
Use of these trademarks must comply with Task Venture Capital GmbH's Trademark Guidelines or the guidelines of the respective third-party owners, and any usage must be approved in writing. Third-party trademarks used herein are the property of their respective owners and used only in a descriptive manner, e.g. for an implementation of an API or similar.
Company Information
Task Venture Capital GmbH
Registered at District Court Bremen HRB 35230 HB, Germany
For any legal inquiries or further information, please contact us via email at hello@task.vc.
By using this repository, you acknowledge that you have read this section, agree to comply with its terms, and understand that the licensing of the code does not imply endorsement by Task Venture Capital GmbH of any derivative works.
changelog.md for @serve.zone/dcrouter
2026-03-31 - 11.23.5 - fix(config)
correct VPN mandatory flag default handling in route config manager
Changes the VPN mandatory check so it only applies when explicitly set to true, matching the updated default behavior of false.
Prevents routes from being treated as VPN-mandatory when the setting is omitted.
2026-03-31 - 11.23.4 - fix(deps)
bump @push.rocks/smartvpn to 1.17.1
Updates the @push.rocks/smartvpn dependency from 1.16.5 to 1.17.1.
2026-03-31 - 11.23.3 - fix(ts_web)
update appstate to import interfaces from source TypeScript module path
Replaces the appstate interfaces import from ../dist_ts_interfaces/index.js with ../ts_interfaces/index.js.
Aligns the web app state module with the source interface location instead of the built distribution path.
2026-03-31 - 11.23.2 - fix(repo)
no changes to commit
2026-03-31 - 11.23.1 - fix(repo)
no changes to commit
2026-03-31 - 11.23.0 - feat(vpn)
support optional non-mandatory VPN route access and align route config with enabled semantics
rename route VPN configuration from
required to
enabled across code, docs, and examples
add
vpn.mandatory to control whether VPN allowlists replace or extend existing
security.ipAllowList rules
improve VPN client status matching in the ops view by falling back to assigned IP when client IDs differ
2026-03-31 - 11.22.0 - feat(vpn)
add VPN client editing and connected client visibility in ops server
Adds API support to list currently connected VPN clients and update client metadata without rotating keys
Updates the web VPN view to show live connection status, client detail telemetry, and separate enable/disable actions
Refreshes documentation for smart split tunnel behavior, QR code setup/export, and storage architecture
Bumps @push.rocks/smartvpn from 1.16.4 to 1.16.5
2026-03-31 - 11.21.5 - fix(routing)
apply VPN route allowlists dynamically after VPN clients load
Moves VPN security injection for hardcoded and programmatic routes into RouteConfigManager.applyRoutes() so allowlists are generated from current VPN client state.
Re-applies routes after starting the VPN manager to ensure tag-based ipAllowLists are available once VPN clients are loaded.
Avoids caching constructor routes with stale VPN security baked in while preserving HTTP/3 route augmentation.
2026-03-31 - 11.21.4 - fix(deps)
bump @push.rocks/smartvpn to 1.16.4
Updates the @push.rocks/smartvpn dependency from 1.16.3 to 1.16.4 in package.json.
2026-03-31 - 11.21.3 - fix(deps)
bump @push.rocks/smartvpn to 1.16.3
Updates the @push.rocks/smartvpn dependency from 1.16.2 to 1.16.3.
2026-03-31 - 11.21.2 - fix(deps)
bump @push.rocks/smartvpn to 1.16.2
Updates the @push.rocks/smartvpn dependency from 1.16.1 to 1.16.2 in package.json.
2026-03-31 - 11.21.1 - fix(vpn)
resolve VPN-gated route domains into per-client AllowedIPs with cached DNS lookups
Derive WireGuard AllowedIPs from DNS A records of matched vpn.required route domains instead of only configured public proxy IPs.
Cache resolved domain IPs for 5 minutes and fall back to stale results on DNS lookup failures.
Make per-client AllowedIPs generation asynchronous throughout VPN config export and regeneration flows.
2026-03-31 - 11.21.0 - feat(vpn)
add tag-aware WireGuard AllowedIPs for VPN-gated routes
compute per-client WireGuard AllowedIPs from server-defined client tags and VPN-required proxy routes
include the server public IP in AllowedIPs when a client can access VPN-gated domains so routed traffic reaches the proxy
preserve and inject WireGuard private keys in generated and exported client configs for valid exports
2026-03-31 - 11.20.1 - fix(vpn-manager)
persist WireGuard private keys for valid client exports and QR codes
Store each client's WireGuard private key when creating and rotating keys.
Inject the stored private key into exported WireGuard configs so generated configs are complete and scannable.
2026-03-30 - 11.20.0 - feat(vpn-ui)
add QR code export for WireGuard client configurations
adds a QR code action for newly created WireGuard configs in the VPN operations view
adds a QR code export option for existing VPN clients alongside file downloads
introduces qrcode and @types/qrcode dependencies and exposes the plugin for web UI use
2026-03-30 - 11.19.1 - fix(vpn)
configure SmartVPN client exports with explicit server endpoint and split-tunnel allowed IPs
Pass the configured WireGuard server endpoint directly to SmartVPN instead of rewriting generated client configs in dcrouter.
Set client allowed IPs to the VPN subnet so generated WireGuard configs default to split-tunnel routing.
Update documentation to reflect SmartVPN startup, dashboard/API coverage, and the new split-tunnel behavior.
Bump @push.rocks/smartvpn from 1.14.0 to 1.16.1 to support the updated VPN configuration flow.
2026-03-30 - 11.19.0 - feat(vpn)
document tag-based VPN access control, declarative clients, and destination policy options
Adds documentation for restricting VPN-protected routes with allowedServerDefinedClientTags.
Documents pre-defined VPN clients in configuration via vpnConfig.clients.
Describes destinationPolicy behavior for forceTarget, allow, and block traffic handling.
Updates interface docs to reflect serverDefinedClientTags and revised VPN server status fields.
2026-03-30 - 11.18.0 - feat(vpn-ui)
add format selection for VPN client config exports
Show an export modal that lets operators choose between WireGuard (.conf) and SmartVPN (.json) client configs.
Update VPN client row actions to read the selected item from actionData for toggle, export, rotate keys, and delete handlers.
2026-03-30 - 11.17.0 - feat(vpn)
expand VPN operations view with client management and config export actions
adds predefined VPN clients to the dev server configuration for local testing
adds table actions to create clients, export WireGuard configs, rotate client keys, toggle access, and delete clients
updates the VPN view layout and stats grid binding to match the current component API
2026-03-30 - 11.16.0 - feat(vpn)
add destination-based VPN routing policy and standardize socket proxy forwarding
replace configurable VPN forwarding mode with socket-based forwarding and always enable proxy protocol support to SmartProxy from localhost
add destinationPolicy configuration for controlling default VPN traffic handling, including forceTarget, allow, and block rules
remove forwarding mode reporting from VPN status APIs, logs, and ops UI to reflect the simplified VPN runtime model
update @push.rocks/smartvpn to 1.14.0 to support the new VPN routing behavior
2026-03-30 - 11.15.0 - feat(vpn)
add tag-based VPN route access control and support configured initial VPN clients
allow VPN-protected routes to restrict access to clients with matching server-defined tags instead of always permitting the full VPN subnet
create configured VPN clients automatically on startup and re-apply routes when VPN clients change
rename VPN client tag fields to serverDefinedClientTags across APIs, interfaces, handlers, and UI with legacy tag migration on load
upgrade @push.rocks/smartvpn from 1.12.0 to 1.13.0
2026-03-30 - 11.14.0 - feat(docs)
document VPN access control and add OpsServer VPN navigation
Adds comprehensive README documentation for VPN access control, configuration, operating modes, and client management
Updates TypeScript interface documentation with VPN-related route, client, status, telemetry, and API request types
Extends web dashboard documentation and router view list to include VPN management
2026-03-30 - 11.13.0 - feat(vpn)
add VPN server management and route-based VPN access control
introduces a VPN manager backed by @push.rocks/smartvpn with persisted server keys and client registrations
adds ops API handlers and typed request interfaces for VPN client lifecycle, status, config export, and telemetry
adds ops dashboard VPN view and application state for managing VPN clients from the web UI
supports vpn.required on routes by injecting VPN subnet allowlists into static and programmatic SmartProxy routes
configures SmartProxy to accept proxy protocol in VPN socket forwarding mode to preserve client tunnel IPs
2026-03-27 - 11.12.4 - fix(acme)
use X509 certificate expiry when reporting ACME certificate validity
Parse the actual X509 validTo value from the PEM public certificate and fall back to SmartAcme's stored expiry if parsing fails
Update reported certificate expiry data and event communication timestamps to use the verified validity date
Bump @push.rocks/smartacme to ^9.3.1 and @push.rocks/smartproxy to ^27.1.0
2026-03-27 - 11.12.3 - fix(dcrouter)
re-trigger auto certificate provisioning after SmartAcme becomes ready
clear certificate provisioning scheduler state before retrying startup-affected routes
use route updates to re-run certificate provisioning for all current auto-cert routes
remove the unused single-route domain lookup helper
2026-03-27 - 11.12.2 - fix(dcrouter)
guard auto certificate reprovisioning against unnamed routes
Only re-triggers certificate provisioning for auto-cert routes when a route name is present.
Prevents reprovision attempts from running with an undefined route name and reduces warning noise.
2026-03-27 - 11.12.1 - fix(dcrouter)
retry auto certificate provisioning after SmartAcme becomes ready
detects certificates that failed during startup before the DNS-01 provider was available
clears provisioning backoff and failed status for affected domains before retrying
re-triggers auto certificate provisioning for SmartProxy routes once SmartAcme is ready
2026-03-27 - 11.12.0 - feat(web-ui)
pause dashboard polling, sockets, and chart updates when the tab is hidden
replace interval-based auto-refresh with scheduled actions using visibility-aware auto-pause
disconnect and reconnect the TypedSocket on tab visibility changes to avoid background log buildup
batch pushed log entries per animation frame and add an in-flight refresh guard to reduce unnecessary re-renders and overlapping requests
update state subscriptions to use select() and document the new tab visibility optimization behavior
bump smartdb, smartproxy, smartstate, remoteingress, dees-element, and tstest dependencies
2026-03-26 - 11.11.0 - feat(docker,cache,proxy)
improve container runtime defaults and add configurable connection limits
replace the embedded cache backend integration from smartmongo LocalTsmDb to smartdb LocalSmartDb
add OCI container settings for heap size, threadpool size, expanded exposed ports, image metadata, and a direct node startup command
introduce startup checks for file descriptor limits and warn when container nofile limits are too low for production
set gateway-oriented SmartProxy default limits and allow max connections, per-IP connections, and rate limits to be configured through OCI environment variables
2026-03-26 - 11.10.7 - fix(sms)
update sms service to use async ProjectInfo initialization
Replace direct ProjectInfo construction with the async create() factory in the SMS service startup flow
Bump related dependencies including @push.rocks/projectinfo, @push.rocks/smartdata, @push.rocks/smartmongo, @serve.zone/remoteingress, and @git.zone/tstest
2026-03-26 - 11.10.6 - fix(typescript)
tighten TypeScript null safety and error handling across backend and ops UI
add explicit unknown error typing and safe message access in logging and handler code
mark deferred-initialized class properties with definite assignment assertions to satisfy stricter TypeScript checks
harden ops web state access and action return types with non-null assertions and explicit Promise state typing
update storage reads to allow missing values and align license file references with the lowercase license filename
2026-03-26 - 11.10.5 - fix(build)
rename smart tooling config to .smartconfig.json and update package references
Moves the shared tool configuration from npmextra.json to .smartconfig.json.
Updates package.json published files and documentation to reference the new config file.
Refreshes several development and runtime dependency versions alongside the config migration.
2026-03-24 - 11.10.4 - fix(monitoring)
handle multiple protocol cache entries per backend in metrics output
Group detected protocol cache entries by backend host and port so multiple domain-specific records are preserved.
Emit one backend metrics row per cached domain and avoid dropping unmatched protocol cache entries by tracking seen entries with a composite host:port:domain key.
Use cached protocol values when available while keeping backend-only rows for metrics without protocol cache data.
2026-03-23 - 11.10.3 - fix(deps)
bump tstest, smartmetrics, and taskbuffer to latest patch releases
update @git.zone/tstest from ^3.5.0 to ^3.5.1
update @push.rocks/smartmetrics from ^3.0.2 to ^3.0.3
update @push.rocks/taskbuffer from ^8.0.0 to ^8.0.2
2026-03-23 - 11.10.2 - fix(deps)
bump @api.global/typedserver to ^8.4.6 and @push.rocks/smartproxy to ^26.2.1
Updates @api.global/typedserver from ^8.4.2 to ^8.4.6
Updates @push.rocks/smartproxy from ^26.2.0 to ^26.2.1
2026-03-23 - 11.10.1 - fix(deps)
bump @push.rocks/smartproxy to ^26.2.0
Updates the @push.rocks/smartproxy dependency from ^26.1.0 to ^26.2.0 in package.json.
2026-03-23 - 11.10.0 - feat(monitoring)
add backend protocol metrics to network stats and ops dashboard
Expose backend protocol, connection, error, and suppression metrics in stats responses.
Add typed backend info interfaces and app state support for backend metrics.
Render a new backend protocols table in the ops network view with detail modal and suppression badges.
Update smartproxy and lik dependencies to support backend protocol metrics collection.
2026-03-21 - 11.9.1 - fix(lifecycle)
clean up service subscriptions, proxy retries, and stale runtime state on shutdown
unsubscribe from ServiceManager event streams and use one-time signal handlers to avoid duplicate shutdown execution
reset existing SmartProxy instances before retry setup and prune expired certificate backoff cache entries
add periodic sweeping and shutdown cleanup for stale RADIUS accounting sessions
2026-03-20 - 11.9.0 - feat(dcrouter)
add service manager lifecycle orchestration and health-based ops status reporting
register dcrouter components with a taskbuffer ServiceManager using dependencies, retries, and critical/optional service roles
update ops stats health output to reflect aggregated service manager state and per-service error or retry details
add @push.rocks/taskbuffer to shared plugins and project dependencies for service lifecycle management
2026-03-20 - 11.8.11 - fix(deps)
bump @push.rocks/smartproxy to ^25.17.10
Updates the @push.rocks/smartproxy dependency from ^25.17.9 to ^25.17.10 in package.json
2026-03-20 - 11.8.10 - fix(deps)
bump @push.rocks/smartproxy to ^25.17.9
Updates @push.rocks/smartproxy from ^25.17.8 to ^25.17.9 in package.json
2026-03-20 - 11.8.9 - fix(deps)
bump @push.rocks/smartproxy to ^25.17.8
Updates the @push.rocks/smartproxy dependency from ^25.17.7 to ^25.17.8.
2026-03-20 - 11.8.8 - fix(deps)
bump @push.rocks/smartproxy to ^25.17.7
Updates the @push.rocks/smartproxy dependency from ^25.17.4 to ^25.17.7 in package.json.
2026-03-20 - 11.8.7 - fix(deps)
bump @push.rocks/smartproxy to ^25.17.4
updates @push.rocks/smartproxy from ^25.17.3 to ^25.17.4 in package.json
2026-03-20 - 11.8.6 - fix(deps)
bump @push.rocks/smartproxy to ^25.17.3
updates @push.rocks/smartproxy from ^25.17.1 to ^25.17.3 in package.json
2026-03-20 - 11.8.5 - fix(deps)
bump @push.rocks/smartproxy to ^25.17.1
Updates the @push.rocks/smartproxy dependency from ^25.17.0 to ^25.17.1.
2026-03-20 - 11.8.4 - fix(deps)
bump @serve.zone/remoteingress to ^4.14.0
Updates the @serve.zone/remoteingress dependency from ^4.13.2 to ^4.14.0 in package.json.
2026-03-20 - 11.8.3 - fix(deps)
bump @serve.zone/remoteingress to ^4.13.2
Updates the @serve.zone/remoteingress dependency from ^4.13.1 to ^4.13.2.
2026-03-19 - 11.8.2 - fix(deps)
bump smartproxy and remoteingress dependencies
updates @push.rocks/smartproxy from ^25.16.3 to ^25.17.0
updates @serve.zone/remoteingress from ^4.13.0 to ^4.13.1
2026-03-19 - 11.8.1 - fix(dcrouter)
use constructor routes for remote ingress setup and bump smartproxy dependency
Switch remote ingress initialization to use constructorRoutes instead of smartProxyConfig routes so derived edge ports are based on the active route set.
Update @push.rocks/smartproxy from ^25.16.2 to ^25.16.3.
2026-03-19 - 11.8.0 - feat(remoteingress)
add UDP listen port derivation and edge configuration support
derive UDP ports from remote ingress routes using transport 'udp' or 'all'
expose effective UDP listen ports in allowed edge payloads and remote ingress interfaces
update @push.rocks/smartproxy to ^25.16.2
2026-03-19 - 11.7.1 - fix(deps)
bump @push.rocks/smartproxy to ^25.16.0
updates the smartproxy dependency from ^25.15.0 to ^25.16.0
2026-03-19 - 11.7.0 - feat(readme)
document HTTP/3 QUIC support and configuration options
Add a dedicated README section explaining default HTTP/3 route augmentation, qualification rules, and opt-out behavior.
Document the new global
http3 configuration shape and re-exported
IHttp3Config type.
Update TypeScript module documentation to include the built-in HTTP/3 augmentation module and exports.
2026-03-19 - 11.6.0 - feat(http3)
add automatic HTTP/3 route augmentation for qualifying HTTPS routes
introduce configurable HTTP/3 augmentation utilities for eligible SmartProxy routes on port 443
apply HTTP/3 settings to both constructor-defined and stored programmatic routes, with global and per-route opt-out support
export the HTTP/3 config type and add test coverage for qualification, augmentation behavior, and defaults
bump @push.rocks/smartproxy to ^25.15.0 for HTTP/3-related support
2026-03-19 - 11.5.1 - fix(project)
no changes to commit
2026-03-19 - 11.5.0 - feat(opsserver)
add configurable OpsServer port and update related tests and documentation
introduces an optional
opsServerPort configuration that overrides the default OpsServer port 3000
updates OpsServer startup logic to use the configured port
adjusts integration tests to run against dedicated OpsServer ports to avoid conflicts
documents the new OpsServer port option in the README and TypeScript docs
includes dependency updates and a remote ingress port range type refinement
2026-03-19 - 11.4.0 - feat(docs)
document OCI container deployment and enable verbose docker build scripts
adds a new README section covering Docker/OCI container deployment, environment variables, and image build/push commands
updates docker build and release npm scripts to pass the --verbose flag for more detailed output
2026-03-18 - 11.3.0 - feat(docker)
add OCI container startup configuration and migrate Docker release pipeline to tsdocker
adds OCI container mode startup that reads DcRouter options from environment variables and an optional JSON config file
simplifies the Docker image to a two-stage build with production dependencies only and Alpine runtime compatibility packages
updates Gitea workflows and npm scripts to use tsdocker for image build and release
2026-03-18 - 11.2.56 - fix(deps)
bump @serve.zone/remoteingress to ^4.9.0
Updates @serve.zone/remoteingress from ^4.8.18 to ^4.9.0 in package.json
2026-03-17 - 11.2.55 - fix(deps)
bump @serve.zone/catalog to ^2.7.0 and @serve.zone/remoteingress to ^4.8.18
updates @serve.zone/catalog from ^2.6.2 to ^2.7.0
updates @serve.zone/remoteingress from ^4.8.16 to ^4.8.18
2026-03-17 - 11.2.54 - fix(deps)
bump @serve.zone/remoteingress to ^4.8.16
Updates @serve.zone/remoteingress from ^4.8.14 to ^4.8.16 in package.json.
2026-03-17 - 11.2.53 - fix(deps)
bump @push.rocks/smartproxy and @serve.zone/remoteingress patch versions
update @push.rocks/smartproxy from ^25.11.23 to ^25.11.24
update @serve.zone/remoteingress from ^4.8.13 to ^4.8.14
2026-03-17 - 11.2.52 - fix(deps)
bump @serve.zone/remoteingress to ^4.8.13
Updates the @serve.zone/remoteingress dependency from ^4.8.12 to ^4.8.13.
2026-03-17 - 11.2.51 - fix(deps)
bump @serve.zone/remoteingress to ^4.8.12
Updates @serve.zone/remoteingress from ^4.8.11 to ^4.8.12 in package.json
2026-03-17 - 11.2.50 - fix(deps)
bump @serve.zone/remoteingress to ^4.8.11
updates @serve.zone/remoteingress from ^4.8.10 to ^4.8.11
2026-03-17 - 11.2.49 - fix(deps)
bump @serve.zone/remoteingress to ^4.8.10
Updates @serve.zone/remoteingress from ^4.8.9 to ^4.8.10 in package.json
2026-03-17 - 11.2.48 - fix(deps)
bump @serve.zone/remoteingress to ^4.8.9
Updates @serve.zone/remoteingress from ^4.8.7 to ^4.8.9 in package.json
2026-03-17 - 11.2.47 - fix(deps)
bump @push.rocks/smartproxy to ^25.11.23
Updates the @push.rocks/smartproxy dependency from ^25.11.22 to ^25.11.23 in package.json
2026-03-17 - 11.2.46 - fix(deps)
bump @push.rocks/smartproxy to ^25.11.22
Updates the @push.rocks/smartproxy dependency from ^25.11.21 to ^25.11.22 in package.json.
2026-03-17 - 11.2.45 - fix(deps)
bump @push.rocks/smartproxy and @serve.zone/remoteingress dependencies
update @push.rocks/smartproxy from ^25.11.20 to ^25.11.21
update @serve.zone/remoteingress from ^4.8.3 to ^4.8.7
2026-03-17 - 11.2.44 - fix(deps)
bump @serve.zone/remoteingress to ^4.8.3
Updates @serve.zone/remoteingress from ^4.8.2 to ^4.8.3 in package.json
2026-03-17 - 11.2.43 - fix(deps)
bump @serve.zone/remoteingress to ^4.8.2
Updates the @serve.zone/remoteingress dependency from ^4.8.1 to ^4.8.2.
2026-03-17 - 11.2.42 - fix(deps)
bump @serve.zone/remoteingress to ^4.8.1
Updates @serve.zone/remoteingress from ^4.8.0 to ^4.8.1 in package.json
2026-03-17 - 11.2.41 - fix(deps)
bump @push.rocks/smartproxy to ^25.11.20
Updates the @push.rocks/smartproxy dependency from ^25.11.19 to ^25.11.20 in package.json.
2026-03-17 - 11.2.40 - fix(deps)
bump @serve.zone/remoteingress to ^4.8.0
Updates the @serve.zone/remoteingress dependency from ^4.7.2 to ^4.8.0 in package.json.
2026-03-17 - 11.2.39 - fix(repository)
no changes to commit
2026-03-17 - 11.2.38 - fix(deps)
bump @serve.zone/remoteingress to ^4.7.2
Updates @serve.zone/remoteingress from ^4.7.0 to ^4.7.2 in package.json
2026-03-16 - 11.2.37 - fix(deps)
bump @serve.zone/remoteingress to ^4.7.0
updates the @serve.zone/remoteingress dependency from ^4.6.0 to ^4.7.0
2026-03-16 - 11.2.36 - fix(deps)
bump @push.rocks/smartproxy to ^25.11.19
Updates the @push.rocks/smartproxy dependency from ^25.11.18 to ^25.11.19 in package.json
2026-03-16 - 11.2.35 - fix(deps)
bump @push.rocks/smartproxy, @serve.zone/catalog, and @serve.zone/remoteingress dependencies
updates @push.rocks/smartproxy from ^25.11.17 to ^25.11.18
updates @serve.zone/catalog from ^2.6.1 to ^2.6.2
updates @serve.zone/remoteingress from ^4.5.11 to ^4.6.0
2026-03-16 - 11.2.34 - fix(deps)
bump @push.rocks/smartproxy and @serve.zone/catalog patch versions
updates @push.rocks/smartproxy from ^25.11.16 to ^25.11.17
updates @serve.zone/catalog from ^2.6.0 to ^2.6.1
2026-03-16 - 11.2.33 - fix(deps)
bump smartproxy and remoteingress dependencies
update @push.rocks/smartproxy from ^25.11.14 to ^25.11.16
update @serve.zone/remoteingress from ^4.5.10 to ^4.5.11
2026-03-16 - 11.2.32 - fix(deps)
bump smartproxy and remoteingress dependencies
update @push.rocks/smartproxy from ^25.11.11 to ^25.11.14
update @serve.zone/remoteingress from ^4.5.9 to ^4.5.10
2026-03-16 - 11.2.31 - fix(deps)
bump @push.rocks/smartproxy to ^25.11.11
Updates the @push.rocks/smartproxy dependency from ^25.11.10 to ^25.11.11 in package.json.
2026-03-16 - 11.2.30 - fix(deps)
bump @push.rocks/smartproxy and @serve.zone/catalog dependencies
update @push.rocks/smartproxy from ^25.11.9 to ^25.11.10
update @serve.zone/catalog from ^2.5.0 to ^2.6.0
2026-03-16 - 11.2.29 - fix(deps)
bump @serve.zone/remoteingress to ^4.5.9
Updates @serve.zone/remoteingress from ^4.5.8 to ^4.5.9 in package.json
2026-03-16 - 11.2.28 - fix(deps)
bump @serve.zone/remoteingress to ^4.5.8
Updates the @serve.zone/remoteingress dependency from ^4.5.7 to ^4.5.8.
2026-03-16 - 11.2.27 - fix(deps)
bump smartproxy and remoteingress dependencies
update @push.rocks/smartproxy from ^25.11.8 to ^25.11.9
update @serve.zone/remoteingress from ^4.5.5 to ^4.5.7
2026-03-16 - 11.2.26 - fix(deps)
bump @serve.zone/remoteingress to ^4.5.5
Updates the @serve.zone/remoteingress dependency from ^4.5.4 to ^4.5.5.
2026-03-16 - 11.2.25 - fix(deps)
bump @push.rocks/smartproxy to ^25.11.8
updates the smartproxy dependency from ^25.11.7 to ^25.11.8
2026-03-16 - 11.2.24 - fix(deps)
bump @push.rocks/smartproxy to ^25.11.7
Updates the @push.rocks/smartproxy dependency from ^25.11.6 to ^25.11.7.
2026-03-16 - 11.2.23 - fix(deps)
bump @push.rocks/smartproxy to ^25.11.6
Updates the @push.rocks/smartproxy dependency from ^25.11.5 to ^25.11.6.
2026-03-16 - 11.2.22 - fix(deps)
bump @push.rocks/smartproxy to ^25.11.5
updates the @push.rocks/smartproxy dependency from ^25.11.4 to ^25.11.5
2026-03-15 - 11.2.21 - fix(deps)
bump @push.rocks/smartproxy to ^25.11.4
updates the @push.rocks/smartproxy dependency from ^25.11.3 to ^25.11.4
2026-03-15 - 11.2.20 - fix(deps)
bump @serve.zone/remoteingress to ^4.5.4
Updates @serve.zone/remoteingress from ^4.5.3 to ^4.5.4 in package.json
2026-03-15 - 11.2.19 - fix(deps)
bump @serve.zone/remoteingress to ^4.5.3
Updates the @serve.zone/remoteingress dependency from ^4.5.2 to ^4.5.3.
2026-03-15 - 11.2.18 - fix(deps)
bump @serve.zone/remoteingress to ^4.5.2
Updates @serve.zone/remoteingress from ^4.5.1 to ^4.5.2 in package.json
2026-03-15 - 11.2.17 - fix(repo)
no changes to commit
2026-03-15 - 11.2.16 - fix(deps)
bump @serve.zone/remoteingress to ^4.5.1
Updates @serve.zone/remoteingress from ^4.5.0 to ^4.5.1 in package dependencies.
2026-03-15 - 11.2.15 - fix(deps)
bump @serve.zone/remoteingress to ^4.5.0
Updates the @serve.zone/remoteingress dependency from ^4.4.1 to ^4.5.0.
2026-03-15 - 11.2.14 - fix(deps)
bump smartproxy and remoteingress patch dependencies
update @push.rocks/smartproxy from ^25.11.1 to ^25.11.3
update @serve.zone/remoteingress from ^4.4.0 to ^4.4.1
2026-03-15 - 11.2.13 - fix(deps)
bump runtime dependencies to latest compatible patch and minor versions
update @design.estate/dees-catalog from ^3.48.2 to ^3.48.5
update @push.rocks/smartproxy from ^25.10.7 to ^25.11.1
update @tsclass/tsclass from ^9.3.0 to ^9.4.0
update lru-cache from ^11.2.6 to ^11.2.7
2026-03-12 - 11.2.12 - fix(deps)
bump @push.rocks/smartproxy to ^25.10.7
Updates the @push.rocks/smartproxy dependency from ^25.10.6 to ^25.10.7 in package.json.
2026-03-12 - 11.2.11 - fix(deps)
bump @push.rocks/smartproxy to ^25.10.6
Updates the @push.rocks/smartproxy dependency from ^25.10.5 to ^25.10.6 in package.json
2026-03-12 - 11.2.10 - fix(deps)
bump @push.rocks/smartproxy to ^25.10.5
Updates the @push.rocks/smartproxy dependency from ^25.10.4 to ^25.10.5 in package.json.
2026-03-12 - 11.2.9 - fix(deps)
bump @push.rocks/smartproxy to ^25.10.4
Updates the @push.rocks/smartproxy dependency from ^25.10.3 to ^25.10.4.
2026-03-12 - 11.2.8 - fix(deps)
bump @design.estate/dees-element and @push.rocks/smartproxy patch versions
update @design.estate/dees-element from ^2.2.2 to ^2.2.3
update @push.rocks/smartproxy from ^25.10.2 to ^25.10.3
2026-03-12 - 11.2.7 - fix(deps)
bump @design.estate/dees-catalog and @push.rocks/smartproxy patch versions
update @design.estate/dees-catalog from ^3.48.1 to ^3.48.2
update @push.rocks/smartproxy from ^25.10.1 to ^25.10.2
2026-03-12 - 11.2.6 - fix(deps)
bump @design.estate/dees-catalog and @push.rocks/smartproxy patch versions
update @design.estate/dees-catalog from ^3.48.0 to ^3.48.1
update @push.rocks/smartproxy from ^25.10.0 to ^25.10.1
2026-03-12 - 11.2.5 - fix(repo)
no changes to commit
2026-03-12 - 11.2.4 - fix(repo)
no changes to commit
2026-03-12 - 11.2.3 - fix(deps)
bump package dependencies to latest compatible patch and minor releases
update @types/node to ^25.5.0
upgrade @design.estate/dees-catalog to ^3.48.0 and @design.estate/dees-element to ^2.2.2
bump @push.rocks/smartproxy to ^25.10.0
2026-03-11 - 11.2.2 - fix(deps)
update dependencies and devDependencies to newer patch/minor versions
devDependency @git.zone/tstest: ^3.3.0 -> ^3.3.2
devDependency @git.zone/tswatch: ^3.2.5 -> ^3.3.0
devDependency @types/node: ^25.3.5 -> ^25.4.0
dependency @design.estate/dees-catalog: ^3.43.3 -> ^3.47.0
dependency @design.estate/dees-element: ^2.1.6 -> ^2.2.1
dependency @push.rocks/smartproxy: ^25.9.2 -> ^25.9.3
2026-03-08 - 11.2.1 - fix(deps)
bump devDependency @git.zone/tstest to ^3.3.0 and dependency @push.rocks/smartproxy to ^25.9.2
Bumped devDependency @git.zone/tstest: ^3.2.0 -> ^3.3.0
Bumped dependency @push.rocks/smartproxy: ^25.9.1 -> ^25.9.2
Current package version: 11.2.0 β recommended patch release to 11.2.1
2026-03-06 - 11.2.0 - feat(apiclient)
add typed, object-oriented API client documentation and interfaces; document builders, resource managers, and new programmatic endpoints
Add new @serve.zone/dcrouter-apiclient documentation (ts_apiclient/readme.md) and publish ordering (ts_apiclient/tspublish.json).
Document OO resource classes, fluent builders, auth modes, examples, and API surface for routes, certificates, apiTokens, remoteIngress, stats, config, logs, emails, and radius.
Update main readme: add API Client section, list new client methods, add package entry for @serve.zone/dcrouter-apiclient, and add apiclient test coverage entry.
Update interfaces readme: add Route Management and API Token Management request interfaces and email method changes (getAllEmails, getEmailDetail).
API reference changes: consolidate email endpoints (getAllEmails/getEmailDetail), add route and api token management methods, rename getLogs to getRecentLogs and add getLogStream.
Update web docs to include route & API token management pages and ops view (ops-view-routes)
2026-03-06 - 11.1.0 - feat(apiclient)
add TypeScript API client (ts_apiclient) with resource managers and package exports
Add new ts_apiclient module providing DcRouterApiClient and resource managers: routes, certificates, api tokens, remote ingress, emails, stats, config, logs, and radius (with sub-managers).
Add resource classes and builders (Route, RemoteIngress, ApiToken, Certificate, Email) and convenience manager APIs for common operations.
Export apiclient in package.json (exports and files) and add ts_apiclient index and plugins wrapper for @api.global/typedrequest.
Add comprehensive tests for the API client (test/test.apiclient.ts).
Bump devDependencies: @git.zone/tsbuild -> ^4.3.0 and @types/node -> ^25.3.5
2026-03-05 - 11.0.51 - fix(build)
include HTML files in tsbundle output and bump tsbuild/tsbundle devDependencies
Add includeFiles: ["./html/**/*.html"] to bundler config in npmextra.json so HTML assets are included in the bundle
Bump devDependencies: @git.zone/tsbuild ^4.2.4 -> ^4.2.6, @git.zone/tsbundle ^2.9.0 -> ^2.9.1 (non-breaking tooling updates)
2026-03-05 - 11.0.50 - fix(devDependencies)
bump @git.zone/tsbuild to ^4.2.4
updated devDependency @git.zone/tsbuild from ^4.2.3 to ^4.2.4
no other package changes
2026-03-05 - 11.0.49 - fix(dcrouter)
no changes detected
No files changed in this commit
Working tree unchanged; no version bump required
2026-03-05 - 11.0.48 - fix(deps)
bump @git.zone/tsbuild to ^4.2.3
package.json: updated devDependency @git.zone/tsbuild from ^4.2.2 to ^4.2.3
2026-03-05 - 11.0.47 - fix(dcrouter)
no code changes; nothing to release
No files changed in this commit (git diff is empty)
No version bump required
2026-03-05 - 11.0.46 - fix(none)
no changes detected
Git diff reported no changes
No files were modified; no version bump required
2026-03-05 - 11.0.45 - fix(deps)
bump @git.zone/tsbuild to ^4.2.2
Updated @git.zone/tsbuild from ^4.2.1 to ^4.2.2 in package.json
2026-03-05 - 11.0.44 - fix(dev-deps)
bump @git.zone/tsbuild devDependency to ^4.2.1
Updated package.json devDependency @git.zone/tsbuild from ^4.2.0 to ^4.2.1
Non-breaking patch update for build tool dependency
2026-03-05 - 11.0.43 - fix(dcrouter)
no changes detected; nothing to release
Git diff reported no changes
No files were modified, so no version bump is recommended
2026-03-05 - 11.0.42 - fix(dcrouter)
empty commit β no changes
No files were modified in this commit
No version bump required
2026-03-05 - 11.0.41 - fix(deps)
bump devDependency @git.zone/tsbuild to ^4.2.0
Updated @git.zone/tsbuild from ^4.1.26 to ^4.2.0
Change made in package.json under devDependencies
No source code changes β dev tooling dependency bump
2026-03-05 - 11.0.40 - fix(deps)
bump @git.zone/tsbuild devDependency to ^4.1.26
Updated devDependency @git.zone/tsbuild: ^4.1.25 β ^4.1.26 in package.json
Build tooling/dev dependency bump only; no runtime or API changes
2026-03-05 - 11.0.39 - fix(devDependencies)
bump @git.zone/tsbuild devDependency to ^4.1.25
Updated devDependency @git.zone/tsbuild from ^4.1.24 to ^4.1.25 in package.json
Only a devDependency was changed; no runtime dependencies or source files modified
Current package version is 11.0.38; recommend a patch release
2026-03-05 - 11.0.38 - fix(deps)
bump @git.zone/tsbuild to ^4.1.24
Updated @git.zone/tsbuild in devDependencies from ^4.1.23 to ^4.1.24
Dev tooling dependency bump; no runtime or API changes expected
2026-03-05 - 11.0.37 - fix(dcrouter)
bump patch version (no changes detected)
No files changed in the provided diff
Current package version is 11.0.36 (package.json)
Recommend a patch bump to record a new release if desired
2026-03-05 - 11.0.36 - fix(repo)
no changes detected; no release necessary
Diff contains no changes
No files were modified β skip version bump
2026-03-05 - 11.0.35 - fix(dev-deps)
bump @git.zone/tsbuild devDependency to ^4.1.23
Updated devDependency @git.zone/tsbuild from ^4.1.22 to ^4.1.23 in package.json
2026-03-05 - 11.0.34 - fix(dcrouter)
empty diff β no changes detected; no version bump suggested
No file changes in the provided git diff
Current package.json version is 11.0.33 β keep unchanged
2026-03-05 - 11.0.33 - fix(build)
bump @git.zone/tsbuild to ^4.1.22
Updated devDependency @git.zone/tsbuild from ^4.1.21 to ^4.1.22
Change affects build tooling only (devDependencies) β no runtime or API changes expected
2026-03-05 - 11.0.32 - fix(dev-deps)
bump @git.zone/tsbuild devDependency to ^4.1.21
Updated package.json devDependency @git.zone/tsbuild from ^4.1.20 to ^4.1.21
Change affects development tooling only (no runtime/source changes)
Bump package patch version from 11.0.31 to 11.0.32 recommended
2026-03-05 - 11.0.31 - fix(deps)
bump @git.zone/tsbuild devDependency to ^4.1.20
Updated devDependency @git.zone/tsbuild from ^4.1.19 to ^4.1.20
2026-03-05 - 11.0.30 - fix(devDependencies)
bump @git.zone/tsbuild devDependency to ^4.1.19
Updated @git.zone/tsbuild from ^4.1.18 to ^4.1.19 in package.json
Change is limited to devDependencies (build toolchain) and should not affect runtime behavior
2026-03-05 - 11.0.29 - fix(build)
bump @git.zone/tsbuild devDependency to ^4.1.18
Updated @git.zone/tsbuild from ^4.1.17 to ^4.1.18
Change is a devDependency update only; no runtime behavior expected to change
Recommend patch version bump
2026-03-05 - 11.0.28 - fix(devDependencies)
bump @git.zone/tsbuild devDependency to ^4.1.17
package.json: updated @git.zone/tsbuild from ^4.1.16 to ^4.1.17 (devDependency)
2026-03-05 - 11.0.27 - fix(deps)
bump @git.zone/tsbuild to ^4.1.16
Updated devDependency @git.zone/tsbuild from ^4.1.15 to ^4.1.16 in package.json
No runtime code or dependency changes; only a dev/build tool bump
2026-03-05 - 11.0.26 - fix(devDependencies)
bump @git.zone/tsbuild devDependency to ^4.1.15
Updated devDependency @git.zone/tsbuild from ^4.1.14 to ^4.1.15 in package.json
No runtime changes; development tooling update only
2026-03-05 - 11.0.25 - fix(logger)
remove build verification comment from logger export
Removed parenthetical '(build verification)' from export comment in ts/logger.ts
No functional changes β this is a comment-only cleanup
2026-03-05 - 11.0.24 - fix(dcrouter)
no changes detected β no release necessary
No files changed in the provided diff; no code, docs, or dependency updates to release.
2026-03-05 - 11.0.23 - fix(deps)
bump @git.zone/tsbuild devDependency to ^4.1.14
Updated devDependency @git.zone/tsbuild from ^4.1.13 to ^4.1.14 in package.json
Change affects build tooling only (devDependencies); no production code changes
2026-03-05 - 11.0.22 - fix(deps)
bump @git.zone/tsbuild devDependency to ^4.1.13
Updated @git.zone/tsbuild from ^4.1.9 to ^4.1.13 in devDependencies
No runtime code changes; build/dev dependency update only
2026-03-05 - 11.0.21 - fix()
no changes detected
No files changed in this diff; no release required.
2026-03-05 - 11.0.20 - fix(logger)
annotate singleton logger export comment for build verification
Changed comment in ts/logger.ts to add '(build verification)'
No functional code changes; only a comment update
Intended to mark the export for build verification purposes
2026-03-05 - 11.0.19 - fix(dcrouter)
no changes
No files changed in this commit.
Package version remains 11.0.18.
2026-03-05 - 11.0.18 - fix(dcrouter)
no changes detected; no version bump required
Git diff contains no changes β nothing to release
2026-03-05 - 11.0.17 - fix(dcrouter)
no changes detected in diff; no code or documentation updates
No files changed in this diff
No code, tests, or documentation modified; no release required
2026-03-05 - 11.0.16 - fix(dcrouter)
noop commit: no changes detected
No files changed in this diff.
No code or configuration modifications detected.
2026-03-05 - 11.0.15 - fix()
no changes detected; no version bump necessary
Diff contains no changes; no files were modified
2026-03-05 - 11.0.14 - fix(dcrouter)
no changes detected
Provided git diff contains no changes; nothing to release or bump
Create a commit only if an empty/placeholder commit is intentionally required
2026-03-05 - 11.0.13 - fix()
no code changes
No files were changed in this commit.
2026-03-05 - 11.0.12 - fix(dcrouter)
no changes detected β nothing to commit
Diff reported: No changes
No files were modified or staged; no functional or documentation changes to release
2026-03-05 - 11.0.11 - fix(deps)
bump @git.zone/tsbuild devDependency to ^4.1.9
Updated @git.zone/tsbuild from ^4.1.4 to ^4.1.9 in package.json
2026-03-05 - 11.0.10 - fix(playwright-mcp)
remove committed Playwright artifacts and add .playwright-mcp/ to .gitignore
Added .playwright-mcp/ to .gitignore to avoid committing transient Playwright outputs
Removed many Playwright-generated logs, screenshots and console dumps under .playwright-mcp/ to reduce repository noise/size
Prevents accidental check-in of large test artifacts generated by Playwright runs
2026-03-05 - 11.0.9 - fix(devDependencies)
bump @git.zone/tsbuild devDependency to ^4.1.4
package.json: Updated @git.zone/tsbuild from ^4.1.3 to ^4.1.4
2026-03-05 - 11.0.8 - fix()
no changes detected
No files changed in this commit
No version bump recommended
2026-03-05 - 11.0.7 - fix(deps)
bump @git.zone/tsbuild to ^4.1.3 and @push.rocks/lik to ^6.3.1
Updated devDependency @git.zone/tsbuild from ^4.1.2 to ^4.1.3 in package.json
Updated dependency @push.rocks/lik from ^6.2.2 to ^6.3.1 in package.json
Changes are non-breaking dependency bumps; no source code changes
2026-03-04 - 11.0.5 - fix(none)
no changes detected; nothing to release
Diff contained no changes
No files modified; no version bump required
2026-03-04 - 11.0.4 - fix()
no changes
No files changed in the provided diff; no release or version bump required.
2026-03-04 - 11.0.3 - fix()
no changes detected
Diff shows no file changes; no code changes to release.
2026-03-04 - 11.0.2 - fix(dcrouter)
no changes detected; no files were modified
diff was empty
no source or package changes detected
2026-03-04 - 11.0.1 - fix(auth)
treat expired JWTs as no identity, improve logout and token verification flow, and bump deps
App: getActionContext now treats expired JWTs as null to avoid using stale identities for requests.
Logout action always clears local login state; server-side adminLogout is attempted only when a valid identity exists.
Dashboard: verify persisted JWT with server (verifyIdentity) on startup; if verification fails, clear state and show login.
Auto-refresh: on combined refresh failure, detect auth-related errors (invalid/unauthorized/401), dispatch logout and reload to force re-login.
Deps: bumped devDependencies @git.zone/tstest (^3.2.0) and @git.zone/tswatch (^3.2.5); added runtime dependency @push.rocks/lik (^6.2.2).
Tests/artifacts: added Playwright console logs and page screenshots (test artifacts) to the commit.
2026-03-03 - 11.0.0 - BREAKING CHANGE(opsserver)
Require authentication for OpsServer endpoints, split handlers into authenticated view/admin routers, and make identity required on many TypedRequest interfaces
Added viewRouter and adminRouter to OpsServer and wired middleware to enforce identity/admin checks (requireValidIdentity, requireAdminIdentity).
Moved handlers to appropriate routers (viewRouter for read endpoints, adminRouter for write/admin endpoints) instead of registering on the unauthenticated main typedrouter.
Made identity a required field on numerous ts_interfaces request types (breaking change to request typings).
Refactored ApiTokenHandler to register directly on adminRouter and use dataArg.identity.userId (no per-handler admin checks needed thanks to middleware).
Updated tests: added admin login to obtain identity, adjusted protected endpoint tests to expect rejection when unauthenticated, and adapted other tests to pass identity where required.
Added IReq_GetNetworkStats request/response typings to ts_interfaces/requests/stats.ts.
Bumped dependencies: @api.global/typedrequest ^3.3.0 and @api.global/typedserver ^8.4.2.
2026-03-03 - 10.1.9 - fix(deps)
bump @push.rocks/smartproxy to ^25.9.1
Updated package.json dependency @push.rocks/smartproxy from ^25.9.0 to ^25.9.1
No other code changes; current package version is 10.1.8, recommend a patch release
2026-03-03 - 10.1.8 - fix(deps)
bump dependencies: @push.rocks/smartmetrics to ^3.0.2, @push.rocks/smartproxy to ^25.9.0, @serve.zone/remoteingress to ^4.4.0
@push.rocks/smartmetrics: 3.0.1 -> 3.0.2 (patch)
@push.rocks/smartproxy: 25.8.5 -> 25.9.0 (minor)
@serve.zone/remoteingress: 4.3.0 -> 4.4.0 (minor)
2026-03-03 - 10.1.7 - fix(ops-view-apitokens)
use correct lucide icon name for roll/rotate actions in API tokens view
Updated iconName from 'lucide:rotate-cw' to 'lucide:rotateCw' in ts_web/elements/ops-view-apitokens.ts (two occurrences) to match lucide icon naming and ensure icons render correctly
Non-functional UI fix; no API or behavior changes
2026-03-02 - 10.1.6 - fix(ts_web)
use actionContext for dispatches in web state actions and bump @push.rocks/smartstate to ^2.2.0
Action handlers in ts_web/appstate.ts now accept an actionContext parameter and call await actionContext.dispatch(...) instead of using statePartArg.dispatchAction(...).
Handlers return the awaited dispatch result (ensuring callers receive refreshed state) instead of returning the previous statePartArg.getState().
Dependency bumped in package.json: @push.rocks/smartstate from ^2.1.1 to ^2.2.0.
Playwright artifacts (logs and page screenshots) were added under .playwright-mcp.
2026-03-02 - 10.1.5 - fix(monitoring)
use a per-second ring buffer for DNS query metrics, improve DNS logging rate limiting and security event aggregation, and bump smartmta dependency
Replace unbounded query timestamp array with a fixed-size per-second Int32Array ring buffer (300s) to calculate queries-per-second with O(1) updates and bounded memory
Add incrementQueryRing and getQueryRingSum helpers to correctly zero stale slots and sum recent seconds
Change metrics cache interval from 200ms to 1000ms to better match dashboard polling and reduce update frequency
Refactor DNS adaptive logging to use per-second counters (dnsLogWindowSecond / dnsLogWindowCount) instead of timestamp arrays to avoid per-query array filtering and improve rate limiting accuracy; reset counters on flush
Security logger: avoid mutating source when sorting/filtering, and implement single-pass aggregation with optional time-window filtering for byLevel/byType/top lists
Bump dependency @push.rocks/smartmta from ^5.3.0 to ^5.3.1
2026-03-02 - 10.1.4 - fix(no-changes)
no changes detected; no version bump required
package version is 10.1.3
git diff contains no changes
2026-03-02 - 10.1.3 - fix(deps)
bump @api.global/typedrequest to ^3.2.7
Updated @api.global/typedrequest from ^3.2.6 to ^3.2.7 in package.json
Dependency patch bump only β no source code changes detected
Current package version 10.1.2 -> recommended next version 10.1.3 (patch)
2026-03-01 - 10.1.2 - fix(core)
improve shutdown cleanup, socket/stream robustness, and memory/cache handling
Reset security singletons and CacheDb on shutdown to allow GC (SecurityLogger, ContentScanner, IPReputationChecker, CacheDb).
Add DNS socket 'error' handler and only destroy socket when not already destroyed to avoid uncaught exceptions.
Move pruning of dnsMetrics.queryTimestamps to a periodic interval to avoid O(n) work on every query.
Debounce IPReputationChecker cache saves (save timer + reset on instance reset) to reduce IO and prevent duplicate saves.
Fix virtualStream send timeout handling by keeping/clearing a timeout handle to avoid leaks and hung promises.
Add memory store eviction in StorageManager to cap entries (MAX_MEMORY_ENTRIES) and evict oldest entries when exceeded.
Add terminal-ready timeout in ops-view-logs to avoid blocking UI initialization if xterm CDN fails to initialize.
Bump dev dependency @types/node and push.rocks/smartstate versions.
2026-02-27 - 10.1.1 - fix(ops-view-apitokens)
replace lucide:refresh-cw with lucide:rotate-cw for Roll action icon
Updated ts_web/elements/ops-view-apitokens.ts: changed iconName in two locations to 'lucide:rotate-cw' for the Roll/Roll Token actions.
UI-only change β no functional or API behavior modified.
Current package version is 10.1.0; recommended patch bump to 10.1.1.
2026-02-27 - 10.1.0 - feat(api-tokens)
add ability to roll (regenerate) API token secrets and UI to display the newly generated token once
Server: added ApiTokenManager.rollToken(id) to regenerate a token secret, update its hash, persist it and log the action.
Server: added opsserver handler 'rollApiToken' which requires admin identity and returns the new raw token value (shown once) or error messages.
API: added typed request interface IReq_RollApiToken for the rollApiToken RPC.
Web: added appstate.rollApiToken wrapper to call the new typed request.
UI: ops-view-apitokens updated with a 'Roll' action and a modal flow to confirm rolling, call the API, refresh token list, and present the new token value to copy (token value is shown only once).
Security: operation is admin-only and the raw token is returned only once after rolling.
2026-02-27 - 10.0.0 - BREAKING CHANGE(remote-ingress)
replace tlsConfigured boolean with tlsMode ('custom' | 'acme' | 'self-signed') and compute TLS mode server-side
Server: compute remoteIngress.tlsMode = 'custom' when custom certPath/keyPath provided; else attempt to detect ACME by checking stored certs for hubDomain; default to 'self-signed' as fallback.
API: replaced remoteIngress.tlsConfigured:boolean with tlsMode:'custom'|'acme'|'self-signed' β this is a breaking change for consumers of the config API.
UI: ops view updated to display TLS Mode as a badge instead of a boolean "TLS Configured" field.
Action required: update clients and integrations to read remoteIngress.tlsMode instead of tlsConfigured.
2026-02-26 - 9.3.0 - feat(remoteingress)
add TLS certificate resolution and passthrough for RemoteIngress tunnel
Resolve TLS certs for the RemoteIngress tunnel with priority: explicit certPath/keyPath files β stored ACME cert for hubDomain β fallback to self-signed
Expose tls option on ITunnelManagerConfig and forward certPem/keyPem into hub.start so the hub can use the provided TLS materials
Add logging for cert selection and file read failures
Bump dependency @serve.zone/remoteingress from ^4.2.0 to ^4.3.0
2026-02-26 - 9.2.0 - feat(remoteingress)
expose connected edge IPs and detected public IP; resolve proxy IPs from SmartProxy and improve ops UI
Add detectedPublicIp to DC Router and populate it when a configured or auto-discovered public IP is chosen
Use dcRouter.detectedPublicIp as a fallback for system.publicIp in the config handler
Resolve proxy IPs from SmartProxy runtime settings when opts.proxyIps is not provided
TunnelManager: capture peerAddr on edgeConnected and from Rust heartbeats, store per-edge publicIp, and add getConnectedEdgeIps()
Expose connectedEdgeIps in the config API and return it in remoteIngress config
Ops UI: show Connected Edge IPs, annotate 127.0.0.1 proxy IP as 'Remote Ingress' when applicable, and refresh remote ingress data during combined refresh when viewing remoteingress
Bump dependency @serve.zone/remoteingress to ^4.2.0
2026-02-26 - 9.1.10 - fix(deps)
bump @push.rocks/smartproxy to ^25.8.5
package.json: @push.rocks/smartproxy version updated from ^25.8.4 to ^25.8.5
No other files changed
2026-02-26 - 9.1.9 - fix(deps(smartmta))
bump @push.rocks/smartmta to ^5.3.0
Updated @push.rocks/smartmta from ^5.2.6 to ^5.3.0 in package.json
Patch release recommended (no source code changes)
2026-02-26 - 9.1.8 - fix(deps)
bump @serve.zone/remoteingress to ^4.1.0
Updated dependency @serve.zone/remoteingress from ^4.0.1 to ^4.1.0 in package.json
Non-breaking dependency update; recommend patch version bump
2026-02-26 - 9.1.7 - fix(dcrouter)
bump @push.rocks/smartproxy to ^25.8.4 and remove custom smartProxy timeout/connection lifetime settings from dcrouter
Bumped dependency @push.rocks/smartproxy from ^25.8.3 to ^25.8.4 in package.json
Removed explicit smartProxy options: socketTimeout, inactivityTimeout, keepAliveInactivityMultiplier, extendedKeepAliveLifetime, and maxConnectionLifetime from ts/classes.dcrouter.ts
2026-02-26 - 9.1.6 - fix(cleanup)
prevent event listener and log stream leaks, tighten smartProxy connection timeouts, and improve graceful shutdown behavior
Tightened smartProxy connection timeouts and lifetimes (5m socketTimeout, 10m inactivityTimeout, keep-alive multiplier, 1h extendedKeepAliveLifetime, 4h maxConnectionLifetime).
Remove event listeners before stopping services to avoid leaks (smartProxy, emailServer, dnsServer, remote ingress hub).
OpsServer.stop now invokes logsHandler.cleanup to tear down active log streams and avoid duplicate push destinations.
LogsHandler rewritten to use a module-level singleton push destination, track active stream stop callbacks, add cleanup(), guard against hung VirtualStream.sendData with a 10s timeout, and ensure intervals are cleared on stop.
updateSmartProxyConfig removes listeners on the old instance before stopping it.
Dependency bumps: @api.global/typedsocket ^4.1.2, @push.rocks/smartdata ^7.1.0, @push.rocks/smartmta ^5.2.6, @push.rocks/smartproxy ^25.8.3.
2026-02-26 - 9.1.5 - fix(remoteingress)
Reconcile tunnel manager edge statuses with authoritative Rust hub periodically; update active tunnel counts and heartbeats, add missed edges, remove stale entries, and clear reconcile interval on stop
Add reconcile() to sync TS-side edgeStatuses with hub.getStatus and overwrite activeTunnels with the authoritative activeStreams.
Start a periodic reconcile (setInterval every 15s) and store the interval handle on the tunnel manager.
Clear the reconcile interval in stop() to avoid background timers; remove edgeStatuses entries that are no longer connected in Rust.
Bump dependency @serve.zone/remoteingress from ^4.0.0 to ^4.0.1.
2026-02-25 - 9.1.4 - fix(deps)
bump @push.rocks/smartproxy to ^25.8.1
Updated package.json dependency @push.rocks/smartproxy from ^25.8.0 to ^25.8.1
2026-02-24 - 9.1.3 - fix(deps)
bump @api.global/typedserver to ^8.4.0 and @push.rocks/smartproxy to ^25.8.0
Updated @api.global/typedserver from ^8.3.1 to ^8.4.0
Updated @push.rocks/smartproxy from ^25.7.9 to ^25.8.0
2026-02-24 - 9.1.2 - fix(deps)
bump dependency versions for build and runtime packages
@git.zone/tsbundle: ^2.8.3 -> ^2.9.0
@git.zone/tswatch: ^3.1.0 -> ^3.2.0
@api.global/typedserver: ^8.3.0 -> ^8.3.1
@design.estate/dees-catalog: ^3.43.2 -> ^3.43.3
2026-02-23 - 9.1.1 - fix(dcrouter)
no changes detected β no files modified, no release necessary
Git diff contained no changes
No files added, modified, or deleted
2026-02-23 - 9.1.0 - feat(ops-dashboard)
add lucide icons to Ops dashboard view tabs
Added iconName property to 10 view tabs in ts_web/elements/ops-dashboard.ts to enable icons in the UI
Icon mappings: Overview -> lucide:layoutDashboard, Configuration -> lucide:settings, Network -> lucide:network, Emails -> lucide:mail, Logs -> lucide:scrollText, Routes -> lucide:route, ApiTokens -> lucide:key, Security -> lucide:shield, Certificates -> lucide:badgeCheck, RemoteIngress -> lucide:globe
Improves visual clarity of dashboard navigation
2026-02-23 - 9.0.0 - BREAKING CHANGE(opsserver)
Return structured configuration (IConfigData) from opsserver and update UI to render detailed config sections
Introduce IConfigData interface with typed sections: system, smartProxy, email, dns, tls, cache, radius, remoteIngress.
Replace ConfigHandler.getConfiguration implementation to assemble and return IConfigData (changes API response shape for getConfiguration).
Refactor frontend: update appstate types and ops-view-config to render the new config sections, use @serve.zone/catalog IConfigField/IConfigSectionAction, add uptime formatting and remote ingress UI.
Fix ops-view-apitokens form handling to correctly read dees-input-tags values.
Update tests to expect new configuration fields.
Bump dependency @serve.zone/catalog to ^2.5.0.
2026-02-23 - 8.1.0 - feat(route-management)
add programmatic route management API with API tokens and admin UI
Introduce RouteConfigManager to persist and manage programmatic routes and hardcoded-route overrides
Add ApiTokenManager to create, validate, list, toggle and revoke API tokens (stored hashed)
New OpsServer TypedRequest handlers: RouteManagementHandler (getMergedRoutes, create/update/delete/toggle routes, set/remove overrides) and ApiTokenHandler (create/list/revoke/toggle tokens)
DcRouter integration: initialize routeConfigManager and apiTokenManager, expose getConstructorRoutes and re-apply programmatic routes after SmartProxy restarts
Front-end additions: new 'Routes' and 'ApiTokens' views and UI components (ops-view-routes, ops-view-apitokens), router and appstate actions to fetch/manage routes and tokens
New TS interfaces and request types for route-management and API tokens, plus storage schemas for persisted routes, overrides and tokens
Bump dependency @serve.zone/catalog to ^2.3.0
2026-02-22 - 8.0.0 - BREAKING CHANGE(email-ops)
migrate email operations to catalog-compatible email model and simplify UI/router
Add @serve.zone/catalog dependency and import (szCatalog) in web plugins
Replace queue-based typedrequest methods with catalog APIs: getQueuedEmails / getSentEmails / getFailedEmails => getAllEmails and getEmailDetail (request/response shapes changed)
Update TypeScript interfaces: IEmailQueueItem/IBounceRecord/ISecurityIncident etc. replaced by IEmail, IEmailDetail, ISmtpLogEntry, IConnectionInfo, IAuthenticationResults (breaking type changes)
Frontend state and actions consolidated: emailOps state now holds emails array; multiple fetch actions removed and replaced by fetchAllEmailsAction and getEmailDetail usage
UI components updated: ops-view-emails switched to list/detail view and now requests email detail via new API; router no longer exposes email folder routes and email-folder navigation removed
Ops server handler refactored to return catalog-style emails and email detail; added status mapping and size formatting helpers
2026-02-21 - 7.4.3 - fix(logging)
add adaptive rate-limited DNS query logging, flush pending DNS logs on shutdown, and enhance email delivery logging
Introduce adaptive DNS logging: allow up to 2 individual DNS query logs per second, then aggregate further queries and emit a batched summary (dnsLogWindow, dnsBatchCount, dnsBatchTimer) with a 5s flush.
Flush pending DNS batch on stop() and log final DNS batch count during shutdown.
Enhance email observability by logging deliveryStart, deliverySuccess, deliveryFailed and bounceProcessed events alongside existing MetricsManager tracking.
Dependency bump: @design.estate/dees-catalog updated from ^3.43.1 to ^3.43.2.
Non-breaking change; intended as a patch release.
2026-02-21 - 7.4.2 - fix(monitoring,remoteingress,web)
Prune old metrics buckets periodically, clear metrics caches on shutdown, simplify edge disconnect handling, and optimize network view data updates
Call pruneOldBuckets() each minute to proactively remove stale time-series buckets in MetricsManager
Clear metricsCache, emailMinuteBuckets and dnsMinuteBuckets when MetricsManager stops to avoid stale state on shutdown
On edgeDisconnected remove the edgeStatuses entry instead of mutating an existing record (more explicit cleanup)
Remove unused traffic-timer variables and move requestsPerSec history updates from render() into updateNetworkData() to avoid unnecessary re-renders
Optimize traffic data array updates by shifting in-place then reassigning arrays to preserve Lit reactivity and reduce intermediate allocations
2026-02-21 - 7.4.1 - fix(dcrouter)
replace console logging with structured logger, improve metrics logging, add terminal-ready wait in ops UI, bump dees-catalog patch
Replace console.log/console.error calls in classes.dcrouter.ts with structured logger.log (info/debug/error) including contextual data and stringified errors
MetricsManager: create a dedicated Smartlog instance (metricsLogger) for SmartMetrics and use shared logger for lifecycle events (start/stop)
SmartProxy/ACME: convert startup/stop/cert events and error logging to structured logs; include generated route and cert metadata where relevant
Shutdown/startup flows: unify service start/stop/error messages through logger to provide consistent, structured output
UI change: ops-view-logs now waits for xterm terminalReady before pushing initial logs to avoid race conditions
Bump dependency @design.estate/dees-catalog from 3.43.0 to 3.43.1
2026-02-21 - 7.4.0 - feat(opsserver)
add real-time log push to ops dashboard and recent DNS query tracking
Export baseLogger and add a log destination that pushes log entries to connected ops_dashboard TypedSocket clients (ts/opsserver/handlers/logs.handler.ts, ts/logger.ts).
Introduce a new TypedRequest (pushLogEntry) interface for serverβclient log pushes (ts_interfaces/requests/logs.ts) and wire client handling in the web UI (ts_web/appstate.ts, ts_web/plugins.ts).
Add TypedSocket client connection lifecycle to the web app, stream pushed log entries into app state and update log views incrementally (ts_web/appstate.ts, ts_web/elements/ops-view-logs.ts).
MetricsManager now records recent DNS queries (timestamp, domain, type, answered, responseTimeMs) and exposes them via stats endpoints for display in the UI (ts/monitoring/classes.metricsmanager.ts, ts/opsserver/handlers/stats.handler.ts, ts_interfaces/data/stats.ts).
UI overview now displays DNS query entries and uses answered flag to set log level (ts_web/elements/ops-view-overview.ts).
Add import/export for typedsocket in web plugins to enable real-time push (ts_web/plugins.ts).
Bump dependency @push.rocks/smartproxy patch version ^25.7.8 β ^25.7.9 (package.json).
2026-02-20 - 7.3.0 - feat(dcrouter)
Wire DNS server 'query' events to MetricsManager for time-series tracking and bump @push.rocks/smartdns to ^7.9.0
Add dnsServer 'query' event listener that iterates event.questions and calls metricsManager.trackDnsQuery(question.type, question.name, false, event.responseTimeMs).
Listener is guarded by a metricsManager existence check to avoid runtime errors when metrics are not configured.
Bump dependency @push.rocks/smartdns from ^7.8.1 to ^7.9.0 in package.json.
2026-02-20 - 7.2.0 - feat(logs)
replace custom logs list with dees-chart-log component and push logs to chart, add log mapping and lifecycle sync, and bump smartlog dependency
Replaced the legacy in-component log list and styling with a dees-chart-log element to render application logs.
Added updated() lifecycle handler to push new logs to the chart and new helper methods pushLogsToChart() and getMappedLogEntries() to map log entries to the chart's expected format.
Removed the streaming toggle, getActiveFilters(), legacy CSS for the log list, and the old per-entry rendering markup.
Added explicit typing for dropdown @selectedOption handlers (e: any).
Bumped dependency @push.rocks/smartlog from ^3.2.0 to ^3.2.1 in package.json.
2026-02-19 - 7.1.0 - feat(ops/monitoring)
add in-memory log buffer, metrics time-series and ops UI integration
bump @push.rocks/smartlog to ^3.2.0
introduce SmartlogDestinationBuffer (logBuffer) and wire it into the base logger to provide an in-memory log store for the Ops UI
implement minute-resolution time-series buckets in MetricsManager with increment/prune helpers and new APIs getEmailTimeSeries and getDnsTimeSeries
sync security counters from SecurityLogger and expose recent security events via StatsHandler
wire email delivery lifecycle events and bounce processing to MetricsManager for tracking sent/received/failed metrics
LogsHandler now queries the in-memory log buffer, maps smartlog levels/categories, supports search/level/time-range filtering and pagination
UI updates: ops-view-overview, ops-view-logs and ops-view-security consume time-series and recent events to render charts, tables and filters
2026-02-19 - 7.0.1 - fix(monitoring)
Use smartMetrics cpuPercentage for cpuUsage.user and update smartmetrics and smartproxy dependencies
Switch cpuUsage.user from parseFloat(smartMetricsData.cpuUsageText) to smartMetricsData.cpuPercentage to align with smartmetrics v3 API
Bump @push.rocks/smartmetrics from ^2.0.10 to ^3.0.1
Bump @push.rocks/smartproxy from ^25.7.6 to ^25.7.8
2026-02-19 - 7.0.0 - BREAKING CHANGE(deps)
bump dependencies: @serve.zone/remoteingress to ^4.0.0 (breaking), @push.rocks/smartproxy to ^25.7.6, @types/node to ^25.3.0
Updated @serve.zone/remoteingress from ^3.3.0 to ^4.0.0 β major breaking change; may require code changes to adapt to new API.
Updated @push.rocks/smartproxy from ^25.7.3 to ^25.7.6 β patch update (non-breaking).
Updated @types/node from ^25.2.3 to ^25.3.0 β patch update (non-breaking).
Current package version is 6.13.2; recommend bumping to 7.0.0 due to the breaking dependency upgrade.
2026-02-19 - 6.13.2 - fix(runtime)
prevent memory leaks and improve shutdown/stream handling across services
Add CertProvisionScheduler.clear() to reset in-memory backoff cache and call it during DcRouter shutdown
Stop any existing SmartAcme instance before creating a new one (await stop and log errors) to avoid duplicate running instances
Null out many DcRouter service references and clear certificateStatusMap on shutdown to allow GC of stopped services
Cap emailMetrics.recipients map size and trim to ~80% of MAX_TOP_DOMAINS to prevent unbounded growth
Await virtualStream.sendData in logs follow handler and clear the interval if the stream errors/closes to avoid interval leaks
Limit normalizedMacCache size and evict oldest entries when it exceeds 10000 to prevent unbounded cache growth
2026-02-18 - 6.13.1 - fix(dcrouter)
enable PROXY protocol v1 handling for SmartProxy when remoteIngress is enabled to preserve client IPs
Set smartProxyConfig.acceptProxyProtocol = true when options.remoteIngressConfig.enabled
Whitelist loopback address by setting smartProxyConfig.proxyIPs = ['127.0.0.1']
Only applies when remoteIngress is enabled; used to accept tunneled connections forwarded by the hub to preserve original client IPs
2026-02-18 - 6.13.0 - feat(remoteingress)
include listenPorts for allowed edges sent to the Rust hub and always resync allowed edges when edge properties change
getAllowedEdges now returns listenPorts for each allowed edge (uses getEffectiveListenPorts)
remoteingress handler now calls tunnelManager.syncAllowedEdges() whenever tunnelManager exists so ports/tags/enabled changes are propagated
Improves Rust hub routing by providing per-edge listening ports and ensuring allowed-edge list is kept up-to-date
2026-02-18 - 6.12.0 - feat(remote-ingress)
add Remote Ingress hub integration, OpsServer UI, APIs, and docs
Integrates RemoteIngress (hub/tunnel) into DcRouter: runtime manager, tunnel manager and Rust data plane references added
Bumps dependency @serve.zone/remoteingress to ^3.3.0
Adds configuration defaults and IDcRouterOptions.remoteIngressConfig with tunnelPort/hubDomain/tls fields
Introduces OpsServer API endpoints and TypedRequest methods for remote ingress: getRemoteIngresses, createRemoteIngress, updateRemoteIngress, deleteRemoteIngress, regenerateRemoteIngressSecret, getRemoteIngressStatus, getRemoteIngressConnectionToken
UI updates: new Remote Ingress dashboard view, connection token generation & copy (clipboard API + fallback), auto-derived ports display, and toast notifications
State/API rename: newEdgeSecret -> newEdgeId and clearNewEdgeIdAction; appstate fetchConnectionToken usage
Documentation: README, ts/ and ts_web readmes, and ts_interfaces updated with interfaces and examples for Remote Ingress
Minor UI icon updates (search -> fa:magnifyingGlass, clipboard icon casing) and other doc/README improvements
2026-02-18 - 6.11.0 - feat(remoteingress)
add ability to generate remote ingress connection tokens and UI copy action; add hubDomain config option; update remoteingress dependency to ^3.1.1
Add server typed handler 'getRemoteIngressConnectionToken' to generate an encoded connection token containing hubHost, hubPort, edgeId and secret.
Add request interface IReq_GetRemoteIngressConnectionToken for typed requests.
Add fetchConnectionToken helper in web appstate and a 'Copy Token' action in ops-view-remoteingress to copy tokens to the clipboard with toast feedback.
Add hubDomain option to remoteIngressConfig in dcrouter options so an external hostname can be embedded in connection tokens.
Bump dependency @serve.zone/remoteingress from ^3.0.4 to ^3.1.1 in package.json.
2026-02-17 - 6.10.0 - feat(ops-view-certificates)
Make Export and Delete actions available inline (inRow) as well as in the context menu; bump @design.estate/dees-catalog to ^3.43.0
Added 'inRow' to action types for 'Export' and 'Delete' in ts_web/elements/ops-view-certificates.ts to expose actions inline in the row
Updated dependency @design.estate/dees-catalog from ^3.42.2 to ^3.43.0 in package.json
2026-02-17 - 6.9.0 - feat(certificates)
add certificate import, export, and deletion support (server handlers, request types, and UI)
Add typed request handlers in opsserver: deleteCertificate, exportCertificate, importCertificate (ts/opsserver/handlers/certificate.handler.ts)
Implement deleteCertificate/exportCertificate/importCertificate functions handling storage paths, in-memory status map updates, backoff clearing, validation, and SmartAcme-compatible /certs/ and /proxy-certs/ formats
Add request interfaces IReq_DeleteCertificate, IReq_ExportCertificate, IReq_ImportCertificate (ts_interfaces/requests/certificate.ts)
Add web app actions deleteCertificateAction, importCertificateAction and fetchCertificateExport to call new typed requests (ts_web/appstate.ts)
Update certificates UI to support Import, Export, and Delete actions and add downloadJsonFile helper (ts_web/elements/ops-view-certificates.ts)
2026-02-17 - 6.8.0 - feat(remote-ingress)
support auto-deriving ports for remote ingress edges and expose manual/derived port breakdown in API and UI
Add autoDerivePorts flag to IRemoteIngress with default true and migration to set existing stored edges to autoDerivePorts = true
RemoteIngressManager: getEffectiveListenPorts now returns the union of manual + derived ports when autoDerivePorts is enabled; added getPortBreakdown to return manual vs derived lists
API handlers updated: create/update requests accept autoDerivePorts; responses now include effectiveListenPorts, manualPorts, and derivedPorts (secrets still masked)
Web UI updated: create and edit dialogs include an Auto-derive checkbox; port badges now visually distinguish manual vs derived ports; added updateRemoteIngressAction
Non-breaking change: new field defaults to true so existing behavior is preserved
2026-02-17 - 6.7.0 - feat(remote-ingress)
Support auto-derived effective listen ports, make listenPorts optional, add toggle action and refine remote ingress creation/management UI
Add effectiveListenPorts?: number[] to IRemoteIngress interface (present in API responses)
Make createRemoteIngressAction.listenPorts optional and update creation modal to allow empty ports (auto-derived)
Add toggleRemoteIngressAction to enable/disable remote ingress edges and wire up Enable/Disable row/context-menu actions
Update getPortsHtml to prefer manual listenPorts, fall back to effectiveListenPorts, show '(auto)' when derived and 'none' when no ports
Standardize UI actions to use inRow/contextmenu and actionFunc signatures; update create modal to use explicit Cancel/Create menu options and collect form data programmatically
2026-02-17 - 6.6.1 - fix(icons)
standardize icon identifiers to lucide-prefixed names across operational views
Replaced legacy/ambiguous icon names with 'lucide:...' identifiers in four UI modules: ts_web/elements/ops-view-certificates.ts, ops-view-network.ts, ops-view-overview.ts, and ops-view-security.ts.
Updated common action/menu icons (e.g. arrowsRotate -> lucide:RefreshCw, magnifyingGlass -> lucide:Search, copy -> lucide:Copy, fileExport -> lucide:FileOutput).
Mapped dashboard/tile icons to lucide equivalents (e.g. server -> lucide:Server, networkWired/sitemap -> lucide:Network, download/upload -> lucide:Download/Upload, microchip/memory -> lucide:Cpu/MemoryStick).
Normalized alert and status icons to lucide names (e.g. triangleExclamation -> lucide:TriangleAlert, shield/userShield -> lucide:Shield/ShieldCheck, clock/clockRotateLeft -> lucide:Clock/History).
2026-02-17 - 6.6.0 - feat(remoteingress)
derive effective remote ingress listen ports from route configs and expose them via ops API
Derive listen ports from SmartProxy route configs with remoteIngress.enabled; supports optional edgeFilter to target edges by id or tags.
Add RemoteIngressManager.setRoutes(), derivePortsForEdge(), and getEffectiveListenPorts() which falls back to manual listenPorts when present.
dcrouter now supplies route configs to RemoteIngressManager during initialization and when updating SmartProxy configuration to keep derived ports in sync.
Ops API now returns effectiveListenPorts for edges; createRemoteIngress.listenPorts is optional and createEdge defaults listenPorts to an empty array.
Bump dependency @serve.zone/remoteingress to ^3.0.4 to align types/behavior.
2026-02-16 - 6.5.0 - feat(ops-view-remoteingress)
add 'Create Edge Node' header action to remote ingress table and remove duplicate createNewAction
Add a 'Create Edge Node' header action in dataActions that opens DeesModal to collect name, listenPorts and tags
Parse comma-separated listenPorts into integer array and normalize optional tags
Dispatch appstate.createRemoteIngressAction with the collected payload
Remove the previously duplicated createNewAction prop from the dees-table
2026-02-16 - 6.4.5 - fix(remoteingress)
mark remote ingress data actions as row actions and bump @design.estate/dees-catalog dependency
Add type:['row'] to 'Regenerate Secret' and 'Delete' dataActions in ts_web/elements/ops-view-remoteingress.ts to ensure they are treated as row actions in the UI
Bump @design.estate/dees-catalog from ^3.42.0 to ^3.42.2 in package.json
2026-02-16 - 6.4.4 - fix(deps)
bump @push.rocks/smartproxy to ^25.7.3
Updated @push.rocks/smartproxy from ^25.7.2 to ^25.7.3 in package.json
2026-02-16 - 6.4.3 - fix(deps)
bump @push.rocks/smartproxy to ^25.7.2
Updated package.json: @push.rocks/smartproxy ^25.7.1 -> ^25.7.2 (patch dependency update)
2026-02-16 - 6.4.2 - fix(smartproxy)
bump @push.rocks/smartproxy to ^25.7.1
Updated dependency @push.rocks/smartproxy from ^25.7.0 to ^25.7.1 in package.json
No other source changes; dependency patch bump only
2026-02-16 - 6.4.1 - fix(deps)
bump dependencies: @push.rocks/smartproxy to ^25.7.0 and @serve.zone/remoteingress to ^3.0.2
Bumped @push.rocks/smartproxy from ^25.5.0 to ^25.7.0
Bumped @serve.zone/remoteingress from ^3.0.1 to ^3.0.2
Package current version is 6.4.0 β recommended patch release
2026-02-16 - 6.4.0 - feat(remoteingress)
add Remote Ingress hub and management for edge tunnel nodes, including backend managers, tunnel hub integration, opsserver handlers, typedrequest APIs, and web UI
Introduce RemoteIngressManager for CRUD and persistent storage of edge registrations
Introduce TunnelManager to run the RemoteIngressHub, track connected edge statuses, and sync allowed edges to the hub
Integrate remote ingress into DcRouter (options.remoteIngressConfig, setupRemoteIngress, startup/shutdown handling, and startup summary)
Add OpsServer RemoteIngressHandler exposing typedrequest APIs (create/update/delete/regenerate/get/status)
Add web UI: Remote Ingress view, app state parts, actions and components to manage edges and display runtime statuses
Add typedrequest and data interfaces for remoteingress and export the remoteingress module; add @serve.zone/remoteingress dependency in package.json
2026-02-16 - 6.3.0 - feat(dcrouter)
add configurable baseDir and centralized path resolution; use resolved data paths for storage, cache and DNS
Introduce IDcRouterOptions.baseDir to allow configuring base directory for dcrouter data (defaults to ~/.serve.zone/dcrouter).
Add DcRouter.resolvedPaths and resolvePaths(baseDir) in ts/paths.ts to centralize computation of dcrouterHomeDir, dataDir, defaultTsmDbPath, defaultStoragePath and dnsRecordsDir.
Use resolvedPaths throughout DcRouter: default filesystem storage fsPath, CacheDb storagePath, and DNS records loading now reference resolved paths.
Replace ensureDirectories() behavior with ensureDataDirectories(resolvedPaths) to only create data-related directories; keep legacy ensureDirectories wrapper delegating to the new function.
Simplify paths module by removing unused legacy path constants and adding a focused API for path resolution and directory creation.
Remove an unused import (paths) in contentscanner, cleaning up imports.
2026-02-16 - 6.2.4 - fix(deps)
bump @push.rocks/smartproxy to ^25.5.0
Updated @push.rocks/smartproxy from ^25.4.0 to ^25.5.0 in package.json
2026-02-16 - 6.2.3 - fix(dcrouter)
persist proxy certificate validity dates and improve certificate status initialization
Bump @push.rocks/smartacme dependency from ^9.0.0 to ^9.1.3
Store validFrom and validUntil alongside proxy cert entries (/proxy-certs) when saving, extracting values by parsing PEM where possible
Use stored cert entries (domain, publicKey, validUntil, validFrom) to populate certificateStatusMap at startup
Fallback to SmartAcme /certs/ metadata and finally to parsing X.509 from stored PEM to determine expiry/issuedAt when initializing status
Update opsserver certificate handler to parse publicKey PEM from cert-store and set expiry/issuedAt and issuer accordingly
Adjust variable names and logging to reflect stored cert entry usage
2026-02-16 - 6.2.2 - fix(certs)
Populate certificate status for cert-store-loaded certificates after SmartProxy startup and check proxy-certs in opsserver certificate handler
Track domains loaded from storageManager '/proxy-certs/' and populate certificateStatusMap with status, routeNames, expiryDate and issuedAt (when available) after SmartProxy starts
Opsserver certificate handler now falls back to '/proxy-certs/{domain}' if '/certs/{cleanDomain}' is missing and marks cert-store-only entries as valid with issuer 'cert-store'
Bump @push.rocks/smartproxy dependency from ^25.3.1 to ^25.4.0
2026-02-16 - 6.2.1 - fix(smartacme,storage)
Respect wildcard domain requests when retrieving certificates and treat empty/whitespace storage values as null in getJSON
Pass includeWildcard flag to smartAcme.getCertificateForDomain to avoid incorrectly including/excluding wildcard certificates based on whether the requested domain itself is a wildcard
Detect wildcard domains via domain.startsWith('*.') and set includeWildcard to false for wildcard requests
Treat empty or whitespace-only stored values as null in StorageManager.getJSON to avoid parsing empty strings as JSON and potential errors
2026-02-16 - 6.2.0 - feat(ts_web)
add Certificate Management documentation and ops-view-certificates reference
Adds a new 'Certificate Management' section to ts_web/readme.md describing domain-centric overview, certificate sources (ACME/provision/static), expiry monitoring, per-domain backoff, and one-click reprovisioning
Adds ops-view-certificates.ts entry to the ops UI file list
Documents new route mapping '/certificates' in the readme navigation
2026-02-16 - 6.1.0 - feat(certs)
integrate smartacme v9 for ACME certificate provisioning and add certificate management features, docs, dashboard views, API endpoints, and per-domain backoff scheduler
Bump dependency: @push.rocks/smartacme -> ^9.0.0
Add Certificate Management documentation, examples, and a new Certificates view in the OpsServer dashboard (status, source, expiry, backoff, oneβclick reprovision)
Integrate smartacme v9 features: per-domain deduplication, global concurrency control, account rate limiting, structured errors, and clean shutdown behavior
Introduce per-domain exponential backoff persisted via StorageManager (CertProvisionScheduler) and remove the older serial stagger queue (smartacme v9 handles concurrency/deduping)
Expose new typedrequest API methods: getCertificateOverview, reprovisionCertificate (legacy), reprovisionCertificateDomain (preferred)
DcRouter now surfaces smartAcme, certProvisionScheduler, and certificateStatusMap; cert provisioning paths call smartAcme directly and clear backoff on success
Docs updated to note parallel shutdown/cleanup of HTTP agents and DNS clients
2026-02-15 - 6.0.0 - BREAKING CHANGE(certs)
Introduce domain-centric certificate provisioning with per-domain exponential backoff and a staggered serial scheduler; add domain-based reprovision API and UI backoff display; change certificate overview API to be domain-first and include backoff info; bump related deps.
Add CertProvisionScheduler: persistent per-domain exponential backoff, retry calculation, and an in-memory serial stagger queue.
Integrate scheduler with SmartAcme certProvisionFunction: enqueue provisions, clear backoff on success, record failures to drive backoff.
Switch certificate event tracking to be keyed by domain (certificateStatusMap now keyed by domain) and add findRouteNamesForDomain helper.
BREAKING: ICertificateInfo shape changed β replaced routeName/domains with domain and routeNames; added optional backoffInfo (failures, retryAfter, lastError).
Add domain-based reprovision endpoint (reprovisionCertificateDomain) while retaining legacy route-based reprovision for backward compatibility (internal rename to reprovisionCertificateByRoute).
Web UI updated to domain-centric certificate overview, displays route pills, backoff indicator and retry timing, and uses domain-based reprovision action.
Dependency bumps: @push.rocks/smartlog -> ^3.1.11, @push.rocks/smartproxy -> ^25.3.1.
2026-02-14 - 5.5.0 - feat(certs)
persist ACME certificates in StorageManager, add storage-backed cert manager, default storage to filesystem, and improve certificate status reporting
Add StorageBackedCertManager to persist SmartAcme certificates under /certs/ via StorageManager
Default storage to filesystem path (dcrouterHomeDir/storage) when options.storage is not provided
Wire SmartAcme to use StorageBackedCertManager and provide SmartProxy certStore handlers that load/save/remove certs under /proxy-certs/
Ops server certificate handler reads persisted cert data to report expiry/issued dates and treats acme/provision-function routes with no cert data as provisioning
Bump @push.rocks/smartproxy dependency to ^25.3.0
2026-02-14 - 5.4.6 - fix(deps)
bump @push.rocks/smartproxy dependency to ^25.2.2
Updated dependency @push.rocks/smartproxy: ^25.2.0 β ^25.2.2
Change is a dependency-only patch update, no source code modifications
Current package version is 5.4.5; recommend a patch release
2026-02-14 - 5.4.5 - fix(dcrouter)
bump patch for release pipeline consistency - no code changes
current version: 5.4.4 (from package.json)
git diff: no changes detected
recommend patch bump to trigger release artifacts if required
2026-02-14 - 5.4.4 - fix(deps)
bump @push.rocks/smartproxy to ^25.2.0
Updated @push.rocks/smartproxy from ^25.1.0 to ^25.2.0 (patch, non-breaking).
Current package version is 5.4.3; recommend a patch release to 5.4.4.
2026-02-14 - 5.4.3 - fix(dependencies)
bump @push.rocks/smartproxy to ^25.1.0
Updated @push.rocks/smartproxy from ^25.0.0 to ^25.1.0 in package.json
2026-02-13 - 5.4.2 - fix(dcrouter)
improve domain pattern matching to support routing-glob and wildcard patterns and use matching logic when resolving routes
Support routing-glob patterns beginning with '*' (e.g. *example.com) to match base domain, wildcard form, and subdomains
Treat standard wildcard patterns ('*.example.com') as matching both the base domain (example.com) and its subdomains
Use isDomainMatch when resolving routes instead of exact array includes to allow pattern matching
Normalize domain and pattern to lowercase and simplify equality checks
2026-02-13 - 5.4.1 - fix(network,dcrouter)
Always register SmartProxy certificate event handlers and include total bytes + improved connection metrics in network stats/UI
Always register SmartProxy 'certificate-issued', 'certificate-renewed', and 'certificate-failed' handlers (previously only registered when acmeConfig was present) so certificate events are processed regardless of provisioning path.
Add totalBytes (in/out) to network stats and propagate it through ts_interfaces and app state so total data transferred is available to the UI.
Combine metricsManager.getNetworkStats with collectServerStats to compute activeConnections and adjust connectionDetails/TopEndpoints handling.
Update ops UI to display totalBytes in throughput cards and remove a redundant network-specific auto-refresh fetch.
Type and state updates: ts_interfaces/data/stats.ts and ts_web/appstate.ts updated with totalBytes and initialization/default mapping adjusted.
2026-02-13 - 5.4.0 - feat(certificates)
include certificate source/issuer and Rust-side status checks; pass eventComms into certProvisionFunction and record expiry information
bump @push.rocks/smartproxy dependency to ^25.0.0
add optional 'source' field to certificate status and propagate event.source when certificates are issued, renewed, or failed
change smartProxy.certProvisionFunction signature to accept eventComms; use it to log attempts, set source and expiryDate, and fall back to http-01 on DNS-01 failure
make buildCertificateOverview async and query smartProxy.getCertificateStatus for a route when event-based status is unknown
improve logging to include certificate source and more contextual messages
2026-02-13 - 5.3.0 - feat(certificates)
add certificate overview and reprovisioning in ops UI and API; track SmartProxy certificate events
Add CertificateHandler with typedrequest endpoints: getCertificateOverview and reprovisionCertificate
Introduce ICertificateInfo and request/response interfaces for certificate operations
Frontend: add certificate state part, actions (fetchCertificateOverview, reprovisionCertificate), router view, and ops-view-certificates component
DcRouter: add certificateStatusMap, listen to SmartProxy certificate-issued/renewed/failed events, and add findRouteNameForDomain helper
Bump dependency @push.rocks/smartproxy to ^24.0.0
2026-02-13 - 5.2.0 - feat(monitoring)
add throughput metrics and expose them in ops UI
MetricsManager now reports bytesInPerSecond and bytesOutPerSecond as part of throughput
Extended IServerStats with requestsPerSecond and throughput {bytesIn, bytesOut, bytesInPerSecond, bytesOutPerSecond}
Stats handler updated to include requestsPerSecond and throughput; fallback stats initialize throughput fields to zero
Web UI ops overview displays Throughput In/Out (bits/s) and total bytes with new formatting helper
Bumped dependency @push.rocks/smartproxy to ^23.1.6
2026-02-13 - 5.1.0 - feat(acme)
Integrate SmartAcme DNS-01 handling and add certificate provisioning for SmartProxy
Add smartAcme property and lifecycle management (start/stop) in DcRouter
Create SmartAcme instance when DNS challenge handlers are present and wire certProvisionFunction to SmartProxy to return certificates for domains
Fall back to http-01 provisioning on SmartAcme errors for a domain
Stop SmartAcme during shutdown sequence to clean up resources
Bump dependency @push.rocks/smartproxy to ^23.1.5
2026-02-13 - 5.0.7 - fix(deps)
bump @push.rocks/smartdns to ^7.8.1 and @push.rocks/smartmta to ^5.2.2
package.json: updated @push.rocks/smartdns from ^7.8.0 to ^7.8.1 (patch)
package.json: updated @push.rocks/smartmta from ^5.2.1 to ^5.2.2 (patch)
2026-02-12 - 5.0.6 - fix(deps)
bump @push.rocks/smartproxy to ^23.1.4
package.json: @push.rocks/smartproxy ^23.1.2 β ^23.1.4
Dependency-only version bump, no source code changes
2026-02-12 - 5.0.5 - fix(dcrouter)
remove legacy handling of emailConfig.routes that added domain-based routes
Removed loop that added domain-based email routes from emailConfig.routes into emailRoutes
Previously created match.domains by extracting the recipient domain (split on '@') and defaulted forward target port to 25
Removed creation of TLS passthrough configuration for those forwarded routes
This prevents duplicate or incorrect domain-based routes being appended during email route construction
2026-02-12 - 5.0.4 - fix(cache)
use user-writable ~/.serve.zone/dcrouter for TsmDB and centralize data path logic
Default TsmDB storage changed from /etc/dcrouter/tsmdb to ~/.serve.zone/dcrouter/tsmdb
Introduced dcrouterHomeDir, dataDir, and defaultTsmDbPath in ts/paths.ts
CacheDb now defaults to defaultTsmDbPath when no storagePath is provided
DcRouter initialization updated to use paths.defaultTsmDbPath; README and readme.hints updated to document the new defaults
Avoids /etc permission issues and prevents starting a real MongoDB process in tests by using a user-writable default path
2026-02-12 - 5.0.3 - fix(packaging)
add files whitelist to package.json and remove Playwright-generated screenshots
Add a "files" array to package.json to control published package contents (includes ts/, ts_web/, dist/, dist_*/**, dist_ts/, dist_ts_web/, assets/, cli.js, npmextra.json, readme.md).
Remove multiple .playwright-mcp/*.png screenshot files (clean up Playwright test artifacts and reduce repository noise/size).
2026-02-12 - 5.0.2 - fix(docs)
update documentation and packaging configuration: document smartmta/smartdns integrations, adjust API method names, and add release registry info
README: document SmartDNS as Rust-powered DNS engine and smartmta as TypeScript+Rust MTA; add Rust-powered architecture section and component package table
README: update Node.js requirement from 18+ to 20+; replace embedded cache DB TsmDb with LocalTsmDb and reduce listed cached document types
README & ts_interfaces: rename typedrequest API adminLogin -> adminLoginWithUsernameAndPassword and add/clarify several API methods (logout, suppression management, RADIUS client/VLAN helpers)
README: update test instructions, change test file references and add a test coverage table
npmextra.json: re-key package configs (@git.zone/cli, @ship.zone/szci), tidy watch array formatting, and add release.registries and accessLevel for publishing
2026-02-11 - 5.0.1 - fix(deps/tests)
bump two dependencies and disable cache in tests
Bumped @api.global/typedrequest from ^3.2.5 to ^3.2.6
Bumped @push.rocks/smartradius from ^1.1.0 to ^1.1.1
Disabled cache in tests by adding cacheConfig: { enabled: false } to DcRouter instantiation in test/test.jwt-auth.ts, test/test.opsserver-api.ts, and test/test.protected-endpoint.ts
2026-02-11 - 5.0.0 - BREAKING CHANGE(mta)
migrate internal MTA to @push.rocks/smartmta and remove legacy mail/deliverability implementation
Replace ~27k LOC custom MTA (ts/mail/, ts/deliverability/) with @push.rocks/smartmta v5.2.1 (TypeScript+Rust hybrid)
Remove many SMTP client/server test suites and test helpers; testing approach and fixtures changed/removed
Upgrade dependencies: @push.rocks/smartproxy -> 23.1.2, @push.rocks/smartdns -> 7.8.0, add @push.rocks/smartmta@5.2.1; bump other minor deps
API differences: updateEmailRoutes() replaces updateRoutes(); UnifiedEmailServer exposes dkimCreator publicly; bounce/suppression APIs moved to emailServer.* helpers; Email class and IAttachment types moved into @push.rocks/smartmta exports
SmartProxy route validation stricter: forward actions must use targets (array) instead of target (singular) β tests/configs updated accordingly
DKIM generation/serving moved to smartmta (dcrouter no longer manages DKIM keys directly)
2026-02-10 - 4.1.1 - fix(smartproxy)
upgrade @push.rocks/smartproxy to ^23.1.0 and adapt code/tests for its async getStatistics() API
Bumped dependency @push.rocks/smartproxy 22.4.2 β 23.1.0 in package.json
Changed ts/monitoring/classes.metricsmanager.ts to await smartProxy.getStatistics() (was synchronous)
Updated multiple tests to set cacheConfig: { enabled: false } and added socketTimeouts where appropriate
Improved SMTP test servers: handle multi-line input, drop data for packet-loss simulation, and ignore socket errors to make tests more robust
Added migration notes to readme.hints.md documenting SmartProxy v23.1.0 changes (async getStatistics, Rust proxy behavior)
2026-02-10 - 4.1.0 - feat(cache)
add persistent smartdata-backed cache with LocalTsmDb, cache cleaner, and DcRouter integration
Introduce CacheDb and CacheCleaner using @push.rocks/smartdata and @push.rocks/smartmongo (LocalTsmDb) for persistent caching
Integrate cache initialization, console summary, and graceful shutdown into DcRouter (options.cacheConfig and setupCacheDb())
Require svDb() decorators on concrete cache document classes; remove decorators from the abstract CachedDocument base class
Switch CacheCleaner to smartdata getInstances() + per-document delete() instead of deleteMany
Adapt to LocalTsmDb API changes (folderPath option and start() returning connectionUri) and initialize SmartdataDb with mongoDbUrl/mongoDbName
Remove experimentalDecorators and emitDecoratorMetadata from tsconfig to use TC39 Stage 3 decorators (smartdata v7+ compatibility)
Add package.json exports mapping (remove main/typings entries) to expose dist entry points
Add README documentation for the Smartdata Cache System and configuration/usage examples
2026-02-03 - 4.0.0 - BREAKING CHANGE(config)
convert configuration management to read-only; remove updateConfiguration endpoint and client-side editing
Removed server-side 'updateConfiguration' TypedHandler and the private updateConfiguration() method; getConfiguration remains as a read-only handler.
Removed IReq_UpdateConfiguration interface from request typings; IReq_GetConfiguration marked as read-only.
Removed client-side editing functionality: ops-view-config editing state and methods, Edit/Save/Cancel buttons, and updateConfigurationAction; ops-view-config enhanced to display read-only configuration (badges for booleans, array pills, icons, formatted numbers/bytes, empty states, etc.).
Tests updated: replaced configuration update tests with verifyIdentity tests and added a read-only configuration access test.
Documentation updated to reflect configuration is read-only (readme.md, ts_web/readme.md, ts_interfaces/readme.md, readme.hints.md).
Dependencies adjusted: bumped @push.rocks/smartdata to ^7.0.15 and added @push.rocks/smartmongo ^5.1.0; ts/plugins updated to import/export smartmongo.
2026-02-02 - 3.1.0 - feat(web)
determine initial UI view from URL and wire selected view to appdash; add interface and web README files; bump various dependencies
UI: derive initial active view from window.location.pathname so the dashboard supports deep linking and bookmarks (ts_web/appstate.ts)
UI: pass selectedView to dees-simple-appdash by adding a currentViewTab getter in ops-dashboard (ts_web/elements/ops-dashboard.ts)
Docs: add TypeScript interfaces README for @serve.zone/dcrouter-interfaces (ts_interfaces/readme.md)
Docs: add/update web module README detailing features, routing, and build instructions (ts_web/readme.md) and expand main project README
Deps: bump multiple dependencies in package.json (notable bumps: @api.global/typedrequest -> ^3.2.5, @design.estate/dees-catalog -> ^3.42.0, @design.estate/dees-element -> ^2.1.6, @push.rocks/projectinfo -> ^5.0.2, @push.rocks/smartdata -> ^5.16.7, @push.rocks/smartpromise -> ^4.2.3, @push.rocks/smartradius -> ^1.1.0, @push.rocks/smartstate -> ^2.0.30, mailauth -> ^4.12.1)
2026-02-01 - 3.0.0 - BREAKING CHANGE(deps)
upgrade major dependencies, migrate action.target to action.targets (array), adapt to SmartRequest API changes, and add RADIUS server support
Bumped many major dependencies: @api.global/typedserver 3.x β 8.3.0, @api.global/typedsocket 3.x β 4.1.0, @apiclient.xyz/cloudflare 6.x β 7.1.0, @design.estate/dees-catalog 1.x β 3.41.4, @push.rocks/smartpath 5.x β 6.x, @push.rocks/smartproxy 19.x β 22.x, @push.rocks/smartrequest 2.x β 5.x, uuid 11.x β 13.x, @types/node 25.1.0 β 25.2.0
2026-02-01 - 2.13.0 - feat(radius)
add RADIUS server with MAC authentication (MAB), VLAN assignment, accounting and OpsServer API handlers
Introduce full RADIUS module under ts/radius: classes.radius.server, classes.vlan.manager, classes.accounting.manager (authentication, VLAN mapping, OUI patterns, accounting, persistence).
Integrate RADIUS into DcRouter: add radiusConfig option, setupRadiusServer(), updateRadiusConfig(), start/stop lifecycle handling and startup summary output.
Add OpsServer RadiusHandler (ts/opsserver/handlers/radius.handler.ts) exposing TypedRequest endpoints for client management, VLAN mappings, accounting reports and statistics.
Add typed request interfaces for RADIUS under ts_interfaces/requests/radius.ts and export them from the requests index.
Wire smartradius into plugins (ts/plugins.ts) and export the new module; export RADIUS from ts/index.ts and re-export RADIUS types from classes.dcrouter.
Update package.json & npmextra.json: add tswatch script and dev watcher configuration, add @push.rocks/smartradius dependency and a test_watch/devserver.ts dev server entrypoint.
Refactor several web UI components (ops-dashboard, ops-view-*) to use 'accessor' for @state properties (small UI state API adjustments).
Documentation: update readme.hints.md with RADIUS integration notes and examples.
2026-02-01 - 2.12.6 - fix(tests)
update tests and test helpers to current email/DNS APIs, use non-privileged ports, and improve robustness and resilience
Email tests: switch to IEmailConfig properties (domains, routes), use router.emailServer (not unifiedEmailServer), change to non-privileged ports (e.g. 2525) and use fs.rmSync for cleanup.
SMTP client helper: add pool and domain options; adjust tests to use STARTTLS (secure: false) and tolerate TLS/cipher negotiation failures with try/catch fallbacks.
DNS tests: replace dnsDomain with dnsNsDomains and dnsScopes; test route generation without starting services, verify route names/domains, and create socket handlers without binding privileged ports.
Socket-handler tests: use high non-standard ports for route/handler tests, verify route naming (email-port--route), ensure handlers are functions and handle errors gracefully without starting full routers.
Integration/storage/rate-limit tests: add waits for async persistence, create/cleanup test directories, return and manage test server instances, relax strict assertions (memory threshold, rate-limiting enforcement) and make tests tolerant of implementation differences.
Misc: use getAvailablePort in perf test setup, export tap.start() where appropriate, and generally make tests less brittle by adding try/catch, fallbacks and clearer logs for expected non-deterministic behavior.
2026-02-01 - 2.12.5 - fix(mail)
migrate filesystem helpers to fsUtils, update DKIM and mail APIs, harden SMTP client, and bump dependencies
Introduce plugins.fsUtils compatibility layer and replace usages of plugins.smartfile.* with plugins.fsUtils.* across storage, routing, deliverability, and paths to support newer smartfile behaviour
Update DKIM signing/verifying to new mailauth API: use signingDomain/selector/privateKey and read keys from dkimCreator before signing; adjust verifier fields to use signingDomain
Harden SMTP client CommandHandler: add MAX_BUFFER_SIZE, socket close/error handlers, robust cleanup, clear response buffer, and adjust command/data timeouts; reduce default SOCKET_TIMEOUT to 45s
Use SmartFileFactory for creating SmartFile attachments and update saving/loading to use fsUtils async/sync helpers
Switch test runners to export default tap.start(), relax some memory-test thresholds, and add test helper methods (recordAuthFailure, recordError)
Update package.json: simplify bundle script and bump multiple devDependencies/dependencies to compatible versions
2025-01-29 - 2.13.0 - feat(socket-handler)
Implement socket-handler mode for DNS and email services, enabling direct socket passing from SmartProxy
Add
dnsDomain configuration option that automatically sets up DNS server with DNS-over-HTTPS (DoH) support
Implement socket-handler mode for email services with
useSocketHandler flag in email configuration
Update SmartProxy route generation to create socket-handler actions instead of port forwarding
Add automatic route creation for DNS paths
/dns-query and
/resolve when dnsDomain is configured
Enhance UnifiedEmailServer with
handleSocket method for direct socket processing
Configure DnsServer with
manualHttpsMode: true to prevent HTTPS port binding while enabling DoH
Improve performance by eliminating internal port forwarding overhead
Update documentation with socket-handler mode configuration and benefits
2025-05-16 - 2.12.0 - feat(smartproxy)
Update documentation and configuration guides to adopt new route-based SmartProxy architecture
Revise SmartProxy implementation hints in readme.hints.md to describe route-based configuration with glob pattern matching
Add migration examples showing transition from old direct configuration to new route-based style
Update DcRouter and SMTP port configuration to generate SmartProxy routes for email handling (ports 25, 587, 465 mapped to internal services)
Enhance integration documentation with examples for HTTP and email services using the new SmartProxy routes
2025-05-16 - 2.11.2 - fix(dependencies)
Update dependency versions and adjust test imports to use new packages
Upgraded @git.zone/tsbuild from ^2.3.2 to ^2.5.1
Upgraded @git.zone/tstest/tapbundle from ^1.0.88 to ^1.9.0 and replaced @push.rocks/tapbundle imports in tests
Upgraded @push.rocks/smartlog from ^3.0.3 to ^3.1.2
Upgraded @push.rocks/smartproxy from ^10.2.0 to ^18.1.0
Upgraded mailauth from ^4.8.4 to ^4.8.5
2025-05-08 - 2.11.1 - fix(platform)
Update commit info with no functional changes; regenerated commit information.
2025-05-08 - 2.11.0 - feat(platformservice)
Expose DcRouter and update package visibility. Changed package.json 'private' flag from true to false to allow public publication, and added export of DcRouter in ts/index.ts for improved API accessibility.
Changed package.json: set 'private' to false
Added export for DcRouter in ts/index.ts
2025-05-08 - 2.10.0 - feat(config): Implement standardized configuration system
Create a comprehensive configuration system with validation, defaults, and documentation
Added consistent configuration interfaces across all services
Implemented validation for all configuration objects with detailed error reporting
Added default values for optional configuration parameters
Created an extensive documentation system for configuration options
Added migration helpers for managing configuration format changes
Enhanced platform service to load configuration from multiple sources (file, environment, code)
Updated email and SMS services to use the new configuration system
2025-05-08 - 2.9.0 - feat(errors): Implement comprehensive error handling system
Enhance error handling with structured errors, consistent patterns, and improved logging
Added domain-specific error classes for better error categorization and handling
Created comprehensive error codes for all service types (email, MTA, security, etc.)
Implemented detailed error context with severity, category, and recoverability classification
Added utilities for error conversion, formatting, and handling with automatic retry mechanisms
Enhanced logging with correlation tracking, context support, and structured data
Created middleware for handling errors in HTTP requests with proper status code mapping
Added retry with exponential backoff for transient failures
2025-05-08 - 2.8.9 - fix(types)
Fix TypeScript build errors and improve API type safety across platformservice interfaces
Fixed interface placement in EmailService and MtaConnector classes
Aligned DeliveryStatus enum and updated ApiManager handlers with proper type-safe signatures
Added comprehensive TypeScript interfaces for ISendEmailOptions, ITemplateContext, IValidateEmailOptions, IValidationResult, and IEmailServiceStats
Removed circular dependencies in type definitions and added proper type assertions
Improved test stability by handling race conditions in SenderReputationMonitor and IPWarmupManager; external DNS lookups are disabled under test environment
2025-05-08 - 2.8.8 - fix(types): Fix TypeScript build errors and improve API interfaces
Fix TypeScript build errors caused by interface placement and improve API type alignment
Fixed interface placement in EmailService and MtaConnector classes
Aligned DeliveryStatus enum with EmailSendJob implementation
Added proper method signatures for API endpoint handlers in ApiManager class
Updated getStats and checkEmailStatus methods to conform to API contracts
Implemented type-safe return values for all API methods
Fixed circular dependencies in type definitions
Added proper type assertion where needed to satisfy TypeScript compiler
2025-05-08 - 2.8.7 - feat(types): Add comprehensive TypeScript interfaces for API types
Improve type safety across the platform by adding detailed TypeScript interfaces for APIs
Added ISendEmailOptions interface with complete documentation for email sending options
Created ITemplateContext interface for email template rendering with full type safety
Added IValidateEmailOptions and IValidationResult interfaces for email validation
Improved IEmailServiceStats interface with detailed statistics types
Added IEmailStatusResponse and IEmailStatusDetails interfaces for MTA status checking
Updated sendEmail and other methods to use these new interfaces instead of 'any'
Removed need for type assertions in various components
2025-05-08 - 2.8.6 - fix(tests)
fix: Improve test stability by handling race conditions in SenderReputationMonitor and IPWarmupManager. Disable filesystem operations and external DNS lookups during tests by checking NODE_ENV, add proper cleanup of singleton instances and active timeouts to ensure consistent test environment.
Bumped version from 2.8.4 to 2.8.5 in package.json and changelog.md
Improved SenderReputationMonitor to skip filesystem operations and DNS record loading when NODE_ENV is set to test
Added cleanup of singleton instances and active timeouts in test files
Updated readme.plan.md with roadmap items for test stability
2025-05-08 - 2.8.5 - fix(tests): Improve test stability by fixing race conditions
Enhance the SenderReputationMonitor tests to prevent race conditions and make tests more reliable
Modified SenderReputationMonitor to detect test environment and disable filesystem operations
Added proper cleanup of singleton instances and timeouts between tests
Disabled DNS lookups during tests to prevent external dependencies
Set a consistent test environment using NODE_ENV=test
Made all tests independent of each other to prevent shared state issues
2025-05-08 - 2.8.4 - fix(mail)
refactor(mail): Remove Mailgun references from PlatformService. Update keywords, error messages, and documentation to use MTA exclusively.
Removed Mailgun integration from keywords in package.json and npmextra.json
Updated EmailService to remove Mailgun API key usage and reference MTA instead
Updated changelog.md and readme.md to reflect removal of Mailgun and update examples
Revised error messages to mention 'MTA not configured' instead of generic provider errors
Updated readme.plan.md to document Mailgun removal
2025-05-08 - 2.8.3 - refactor(mail): Remove Mailgun references
Remove all Mailgun references from the codebase since it's no longer used as an email provider
Removed "mailgun integration" from keywords in package.json and npmextra.json
Updated comments and documentation in EmailService to remove Mailgun mentions
Updated error messages to reference MTA instead of generic email providers
Updated the readme email example to use PlatformService reference instead of Mailgun API key
2025-05-08 - 2.8.2 - fix(tests)
Fix outdated import paths in test files for dcrouter and ratelimiter modules
Updated dcrouter import from '../ts/dcrouter/index.js' to '../ts/classes.dcrouter.js'
Updated ratelimiter import from '../ts/mta/classes.ratelimiter.js' to '../ts/mail/delivery/classes.ratelimiter.js'
2025-05-08 - 2.8.1 - fix(readme)
Update readme with consolidated email system improvements and modular directory structure
Clarify that the platform now organizes email functionality into distinct directories (mail/core, mail/delivery, mail/routing, mail/security, mail/services) and update the diagram and key features list accordingly. Adjust code examples to reflect explicit module imports and the use of SzPlatformService.
Changed description of consolidated email configuration to include 'streamlined directory structure'.
Updated mermaid diagram to show 'Mail System Structure' with separate components for core, delivery, routing, security, and services.
Modified key features list to document modular directory structure.
Revised code sample imports to use explicit paths and SzPlatformService.
2025-05-08 - 2.8.0 - feat(docs)
Update documentation to include consolidated email handling and patternβbased routing details
Extended MTA section to describe the new unified email processing system with forward, MTA, and process modes
Updated system diagram to reflect DcRouter integration with UnifiedEmailServer, DeliveryQueue, DeliverySystem, and RateLimiter
Revised readme.plan.md checklists to mark completed features in core architecture, multiβmodal processing, unified queue, and DcRouter integration
2025-05-08 - 2.7.0 - feat(dcrouter)
Implement unified email configuration with patternβbased routing and consolidated email processing. Migrate SMTP forwarding and storeβandβforward into a single, configuration-driven system that supports glob pattern matching in domain rules.
Introduced IEmailConfig interface to consolidate MTA, forwarding, and processing settings.
Added pattern-based domain routing with glob patterns (e.g., '@example.com', '@*.example.net').
Reworked DcRouter integration to expose unified email handling and updated readme.plan.md and changelog.md accordingly.
Removed deprecated SMTP forwarding components in favor of the consolidated approach.
2025-05-08 - 2.7.0 - feat(dcrouter)
Implement consolidated email configuration with pattern-based routing
Added new pattern-based email routing with glob patterns (e.g.,
*@task.vc,
*@*.example.net)
Consolidated all email functionality (MTA, forwarding, processing) under a unified
emailConfig interface
Implemented domain router with pattern specificity calculation for most accurate matching
Removed deprecated components (SMTP forwarding, Store-and-Forward) in favor of the unified approach
Updated DcRouter tests to use the new consolidated email configuration pattern
Enhanced inline documentation with detailed interface definitions and configuration examples
Updated implementation plan with comprehensive component designs for the unified email system
2025-05-07 - 2.6.0 - feat(dcrouter)
Implement integrated DcRouter with comprehensive SmartProxy configuration, enhanced SMTP processing, and robust storeβandβforward email routing
Marked completion of tasks in readme.plan.md with [x] flags for SMTP server setup, email processing pipeline, queue management, and delivery system.
Reworked DcRouter to use direct SmartProxy configuration, separating smtpConfig and smtpForwarding approaches.
Added new components for delivery queue and delivery system with persistent storage support.
Improved SMTP server implementation with TLS support, event handlers for connection, authentication, sender/recipient validation, and data processing.
Refined domain-based routing and transformation logic in EmailProcessor with metrics and logging.
Updated exported modules in dcrouter index to include SMTP storeβandβforward components.
Enhanced inline documentation and code comments for configuration interfaces and integration details.
2025-05-07 - 2.5.0 - feat(dcrouter)
Enhance DcRouter configuration and update documentation
Added new implementation hints (readme.hints.md) and planning documentation (readme.plan.md) outlining removal of SzPlatformService dependency and improvements in SMTP forwarding, domain routing, and certificate management.
Introduced new interfaces: ISmtpForwardingConfig and IDomainRoutingConfig for precise SMTP and HTTP domain routing configuration.
Refactored DcRouter classes to support direct integration with SmartProxy and enhanced MTA functionality, including SMTP port configuration and improved TLS handling.
Updated supporting modules such as SmtpPortConfig and EmailDomainRouter to provide better routing and security options.
Enhanced test coverage across dcrouter, rate limiter, IP warmup manager, and email authentication, ensuring backward compatibility and improved quality.
2025-05-07 - 2.4.2 - fix(tests)
Update test assertions and singleton instance references in DMARC, integration, and IP warmup manager tests
In test.emailauth.ts, update expected DMARC policy from 'none' to 'reject' and verify actualPolicy and action accordingly
In test.integration.ts, remove deprecated casting and adjust dedicated policy naming (use 'dedicated' instead of 'dedicatedDomain')
In test.ipwarmupmanager.ts and test.reputationmonitor.ts, replace singleton reset from '_instance' to 'instance' for proper instance access
Update round robin allocation tests to verify IP cycle returns one of the available IPs
Enhance daily limit tests by verifying getBestIPForSending returns null when limit is reached
General refactoring across tests for improved clarity and consistency
2025-05-07 - 2.4.1 - fix(tests)
Update test assertions and refine service interfaces
Converted outdated chai assertions to use tap's toBeTruthy, toEqual, and toBeGreaterThan methods in multiple test files
Appended tap.stopForcefully() tests to ensure proper cleanup in test suites
Added stop() method to PlatformService for graceful shutdown
Exposed certificate property in MtaService from private to public
Refactored dcrouter smartProxy configuration to better handle MTA service integration and certificate provisioning
2025-05-07 - 2.4.0 - feat(email)
Enhance email integration by updating @push.rocks/smartmail to ^2.1.0 and improving the entire email stack including validation, DKIM verification, templating, MIME conversion, and attachment handling.
Updated smartmail dependency from ^2.0.1 to ^2.1.0 in package.json
Enhanced EmailValidator with comprehensive checks (syntax, MX, disposable and role validations)
Refactored TemplateManager to support dynamic variable substitution and loading templates from directory
Improved conversion between internal Email and smartmail.Smartmail, streamlining MIME handling and attachment mapping
Augmented DKIM verification with caching and custom header injection for improved security reporting
Updated readme.plan.md with detailed roadmap for further performance, security, analytics, and deliverability enhancements
Expanded test suite to cover smartmail integration, validation, templating, and conversion between formats
2025-05-04 - 1.0.10 to 1.0.8 - core
Applied core fixes across several versions on this day.
Fixed core issues in versions 1.0.10, 1.0.9, and 1.0.8
2024-04-01 - 1.0.7 - core
Applied a core fix.
Fixed core functionality for version 1.0.7
2024-03-19 - 1.0.6 - core
Applied a core fix.
Fixed core functionality for version 1.0.6
2024-02-16 - 1.0.5 to 1.0.2 - core
Applied multiple core fixes in a contiguous range of versions.
Fixed core functionality for versions 1.0.5, 1.0.4, 1.0.3, and 1.0.2
2024-02-15 - 1.0.1 - core
Applied a core fix.
Fixed core functionality for version 1.0.1
βββββββββββββββββββββββ
Note: Versions that only contained version bumps (for example, 1.0.11 and the plain "1.0.x" commits) have been omitted from individual entries and are implicitly included in the version ranges above.