@serve.zone/dcrouter 12.10.0 → 13.0.0

package/ts/db/documents/classes.target-profile.doc.ts

@@ -0,0 +1,52 @@
+import * as plugins from '../../plugins.js';
+import { DcRouterDb } from '../classes.dcrouter-db.js';
+import type { ITargetProfileTarget } from '../../../ts_interfaces/data/target-profile.js';
+
+const getDb = () => DcRouterDb.getInstance().getDb();
+
+@plugins.smartdata.Collection(() => getDb())
+export class TargetProfileDoc extends plugins.smartdata.SmartDataDbDoc<TargetProfileDoc, TargetProfileDoc> {
+  @plugins.smartdata.unI()
+  @plugins.smartdata.svDb()
+  public id!: string;
+
+  @plugins.smartdata.svDb()
+  public name: string = '';
+
+  @plugins.smartdata.svDb()
+  public description?: string;
+
+  @plugins.smartdata.svDb()
+  public domains?: string[];
+
+  @plugins.smartdata.svDb()
+  public targets?: ITargetProfileTarget[];
+
+  @plugins.smartdata.svDb()
+  public routeRefs?: string[];
+
+  @plugins.smartdata.svDb()
+  public createdAt!: number;
+
+  @plugins.smartdata.svDb()
+  public updatedAt!: number;
+
+  @plugins.smartdata.svDb()
+  public createdBy!: string;
+
+  constructor() {
+    super();
+  }
+
+  public static async findById(id: string): Promise<TargetProfileDoc | null> {
+    return await TargetProfileDoc.getInstance({ id });
+  }
+
+  public static async findByName(name: string): Promise<TargetProfileDoc | null> {
+    return await TargetProfileDoc.getInstance({ name });
+  }
+
+  public static async findAll(): Promise<TargetProfileDoc[]> {
+    return await TargetProfileDoc.getInstances({});
+  }
+}

package/ts/db/documents/classes.vpn-client.doc.ts

@@ -13,7 +13,7 @@ export class VpnClientDoc extends plugins.smartdata.SmartDataDbDoc<VpnClientDoc,
   public enabled!: boolean;
 
   @plugins.smartdata.svDb()
-  public serverDefinedClientTags?: string[];
+  public targetProfileIds?: string[];
 
   @plugins.smartdata.svDb()
   public description?: string;

package/ts/db/documents/index.ts

@@ -6,7 +6,8 @@ export * from './classes.cached.ip.reputation.js';
 export * from './classes.stored-route.doc.js';
 export * from './classes.route-override.doc.js';
 export * from './classes.api-token.doc.js';
-export * from './classes.security-profile.doc.js';
+export * from './classes.source-profile.doc.js';
+export * from './classes.target-profile.doc.js';
 export * from './classes.network-target.doc.js';
 
 // VPN document classes

package/ts/opsserver/classes.opsserver.ts

@@ -29,7 +29,8 @@ export class OpsServer {
   private routeManagementHandler!: handlers.RouteManagementHandler;
   private apiTokenHandler!: handlers.ApiTokenHandler;
   private vpnHandler!: handlers.VpnHandler;
-  private securityProfileHandler!: handlers.SecurityProfileHandler;
+  private sourceProfileHandler!: handlers.SourceProfileHandler;
+  private targetProfileHandler!: handlers.TargetProfileHandler;
   private networkTargetHandler!: handlers.NetworkTargetHandler;
 
   constructor(dcRouterRefArg: DcRouter) {
@@ -90,7 +91,8 @@ export class OpsServer {
     this.routeManagementHandler = new handlers.RouteManagementHandler(this);
     this.apiTokenHandler = new handlers.ApiTokenHandler(this);
     this.vpnHandler = new handlers.VpnHandler(this);
-    this.securityProfileHandler = new handlers.SecurityProfileHandler(this);
+    this.sourceProfileHandler = new handlers.SourceProfileHandler(this);
+    this.targetProfileHandler = new handlers.TargetProfileHandler(this);
     this.networkTargetHandler = new handlers.NetworkTargetHandler(this);
 
     console.log('✅ OpsServer TypedRequest handlers initialized');

package/ts/opsserver/handlers/index.ts

@@ -10,5 +10,6 @@ export * from './remoteingress.handler.js';
 export * from './route-management.handler.js';
 export * from './api-token.handler.js';
 export * from './vpn.handler.js';
-export * from './security-profile.handler.js';
+export * from './source-profile.handler.js';
+export * from './target-profile.handler.js';
 export * from './network-target.handler.js';

package/ts/opsserver/handlers/{security-profile.handler.ts → source-profile.handler.ts}

@@ -2,7 +2,7 @@ import * as plugins from '../../plugins.js';
 import type { OpsServer } from '../classes.opsserver.js';
 import * as interfaces from '../../../ts_interfaces/index.js';
 
-export class SecurityProfileHandler {
+export class SourceProfileHandler {
   public typedrouter = new plugins.typedrequest.TypedRouter();
 
   constructor(private opsServerRef: OpsServer) {
@@ -40,12 +40,12 @@ export class SecurityProfileHandler {
   }
 
   private registerHandlers(): void {
-    // Get all security profiles
+    // Get all source profiles
     this.typedrouter.addTypedHandler(
-      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetSecurityProfiles>(
-        'getSecurityProfiles',
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetSourceProfiles>(
+        'getSourceProfiles',
         async (dataArg) => {
-          await this.requireAuth(dataArg, 'profiles:read');
+          await this.requireAuth(dataArg, 'source-profiles:read');
           const resolver = this.opsServerRef.dcRouterRef.referenceResolver;
           if (!resolver) {
             return { profiles: [] };
@@ -55,12 +55,12 @@ export class SecurityProfileHandler {
       ),
     );
 
-    // Get a single security profile
+    // Get a single source profile
     this.typedrouter.addTypedHandler(
-      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetSecurityProfile>(
-        'getSecurityProfile',
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetSourceProfile>(
+        'getSourceProfile',
         async (dataArg) => {
-          await this.requireAuth(dataArg, 'profiles:read');
+          await this.requireAuth(dataArg, 'source-profiles:read');
           const resolver = this.opsServerRef.dcRouterRef.referenceResolver;
           if (!resolver) {
             return { profile: null };
@@ -70,12 +70,12 @@ export class SecurityProfileHandler {
       ),
     );
 
-    // Create a security profile
+    // Create a source profile
     this.typedrouter.addTypedHandler(
-      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_CreateSecurityProfile>(
-        'createSecurityProfile',
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_CreateSourceProfile>(
+        'createSourceProfile',
         async (dataArg) => {
-          const userId = await this.requireAuth(dataArg, 'profiles:write');
+          const userId = await this.requireAuth(dataArg, 'source-profiles:write');
           const resolver = this.opsServerRef.dcRouterRef.referenceResolver;
           if (!resolver) {
             return { success: false, message: 'Reference resolver not initialized' };
@@ -92,12 +92,12 @@ export class SecurityProfileHandler {
       ),
     );
 
-    // Update a security profile
+    // Update a source profile
     this.typedrouter.addTypedHandler(
-      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_UpdateSecurityProfile>(
-        'updateSecurityProfile',
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_UpdateSourceProfile>(
+        'updateSourceProfile',
         async (dataArg) => {
-          await this.requireAuth(dataArg, 'profiles:write');
+          await this.requireAuth(dataArg, 'source-profiles:write');
           const resolver = this.opsServerRef.dcRouterRef.referenceResolver;
           const manager = this.opsServerRef.dcRouterRef.routeConfigManager;
           if (!resolver || !manager) {
@@ -121,12 +121,12 @@ export class SecurityProfileHandler {
       ),
     );
 
-    // Delete a security profile
+    // Delete a source profile
     this.typedrouter.addTypedHandler(
-      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_DeleteSecurityProfile>(
-        'deleteSecurityProfile',
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_DeleteSourceProfile>(
+        'deleteSourceProfile',
         async (dataArg) => {
-          await this.requireAuth(dataArg, 'profiles:write');
+          await this.requireAuth(dataArg, 'source-profiles:write');
           const resolver = this.opsServerRef.dcRouterRef.referenceResolver;
           const manager = this.opsServerRef.dcRouterRef.routeConfigManager;
           if (!resolver || !manager) {
@@ -149,12 +149,12 @@ export class SecurityProfileHandler {
       ),
     );
 
-    // Get routes using a security profile
+    // Get routes using a source profile
     this.typedrouter.addTypedHandler(
-      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetSecurityProfileUsage>(
-        'getSecurityProfileUsage',
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetSourceProfileUsage>(
+        'getSourceProfileUsage',
         async (dataArg) => {
-          await this.requireAuth(dataArg, 'profiles:read');
+          await this.requireAuth(dataArg, 'source-profiles:read');
           const resolver = this.opsServerRef.dcRouterRef.referenceResolver;
           const manager = this.opsServerRef.dcRouterRef.routeConfigManager;
           if (!resolver || !manager) {

package/ts/opsserver/handlers/target-profile.handler.ts

@@ -0,0 +1,155 @@
+import * as plugins from '../../plugins.js';
+import type { OpsServer } from '../classes.opsserver.js';
+import * as interfaces from '../../../ts_interfaces/index.js';
+
+export class TargetProfileHandler {
+  public typedrouter = new plugins.typedrequest.TypedRouter();
+
+  constructor(private opsServerRef: OpsServer) {
+    this.opsServerRef.typedrouter.addTypedRouter(this.typedrouter);
+    this.registerHandlers();
+  }
+
+  private async requireAuth(
+    request: { identity?: interfaces.data.IIdentity; apiToken?: string },
+    requiredScope?: interfaces.data.TApiTokenScope,
+  ): Promise<string> {
+    if (request.identity?.jwt) {
+      try {
+        const isAdmin = await this.opsServerRef.adminHandler.adminIdentityGuard.exec({
+          identity: request.identity,
+        });
+        if (isAdmin) return request.identity.userId;
+      } catch { /* fall through */ }
+    }
+
+    if (request.apiToken) {
+      const tokenManager = this.opsServerRef.dcRouterRef.apiTokenManager;
+      if (tokenManager) {
+        const token = await tokenManager.validateToken(request.apiToken);
+        if (token) {
+          if (!requiredScope || tokenManager.hasScope(token, requiredScope)) {
+            return token.createdBy;
+          }
+          throw new plugins.typedrequest.TypedResponseError('insufficient scope');
+        }
+      }
+    }
+
+    throw new plugins.typedrequest.TypedResponseError('unauthorized');
+  }
+
+  private registerHandlers(): void {
+    // Get all target profiles
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetTargetProfiles>(
+        'getTargetProfiles',
+        async (dataArg) => {
+          await this.requireAuth(dataArg, 'target-profiles:read');
+          const manager = this.opsServerRef.dcRouterRef.targetProfileManager;
+          if (!manager) {
+            return { profiles: [] };
+          }
+          return { profiles: manager.listProfiles() };
+        },
+      ),
+    );
+
+    // Get a single target profile
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetTargetProfile>(
+        'getTargetProfile',
+        async (dataArg) => {
+          await this.requireAuth(dataArg, 'target-profiles:read');
+          const manager = this.opsServerRef.dcRouterRef.targetProfileManager;
+          if (!manager) {
+            return { profile: null };
+          }
+          return { profile: manager.getProfile(dataArg.id) || null };
+        },
+      ),
+    );
+
+    // Create a target profile
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_CreateTargetProfile>(
+        'createTargetProfile',
+        async (dataArg) => {
+          const userId = await this.requireAuth(dataArg, 'target-profiles:write');
+          const manager = this.opsServerRef.dcRouterRef.targetProfileManager;
+          if (!manager) {
+            return { success: false, message: 'Target profile manager not initialized' };
+          }
+          const id = await manager.createProfile({
+            name: dataArg.name,
+            description: dataArg.description,
+            domains: dataArg.domains,
+            targets: dataArg.targets,
+            routeRefs: dataArg.routeRefs,
+            createdBy: userId,
+          });
+          return { success: true, id };
+        },
+      ),
+    );
+
+    // Update a target profile
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_UpdateTargetProfile>(
+        'updateTargetProfile',
+        async (dataArg) => {
+          await this.requireAuth(dataArg, 'target-profiles:write');
+          const manager = this.opsServerRef.dcRouterRef.targetProfileManager;
+          if (!manager) {
+            return { success: false, message: 'Not initialized' };
+          }
+          await manager.updateProfile(dataArg.id, {
+            name: dataArg.name,
+            description: dataArg.description,
+            domains: dataArg.domains,
+            targets: dataArg.targets,
+            routeRefs: dataArg.routeRefs,
+          });
+          // Re-apply routes to update VPN access
+          this.opsServerRef.dcRouterRef.routeConfigManager?.applyRoutes();
+          return { success: true };
+        },
+      ),
+    );
+
+    // Delete a target profile
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_DeleteTargetProfile>(
+        'deleteTargetProfile',
+        async (dataArg) => {
+          await this.requireAuth(dataArg, 'target-profiles:write');
+          const manager = this.opsServerRef.dcRouterRef.targetProfileManager;
+          if (!manager) {
+            return { success: false, message: 'Not initialized' };
+          }
+          const result = await manager.deleteProfile(dataArg.id, dataArg.force);
+          if (result.success) {
+            // Re-apply routes to update VPN access
+            this.opsServerRef.dcRouterRef.routeConfigManager?.applyRoutes();
+          }
+          return result;
+        },
+      ),
+    );
+
+    // Get VPN clients using a target profile
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetTargetProfileUsage>(
+        'getTargetProfileUsage',
+        async (dataArg) => {
+          await this.requireAuth(dataArg, 'target-profiles:read');
+          const manager = this.opsServerRef.dcRouterRef.targetProfileManager;
+          if (!manager) {
+            return { clients: [] };
+          }
+          return { clients: await manager.getProfileUsage(dataArg.id) };
+        },
+      ),
+    );
+  }
+}

package/ts/opsserver/handlers/vpn.handler.ts

@@ -25,7 +25,7 @@ export class VpnHandler {
           const clients = manager.listClients().map((c) => ({
             clientId: c.clientId,
             enabled: c.enabled,
-            serverDefinedClientTags: c.serverDefinedClientTags,
+            targetProfileIds: c.targetProfileIds,
             description: c.description,
             assignedIp: c.assignedIp,
             createdAt: c.createdAt,
@@ -120,7 +120,7 @@ export class VpnHandler {
           try {
             const bundle = await manager.createClient({
               clientId: dataArg.clientId,
-              serverDefinedClientTags: dataArg.serverDefinedClientTags,
+              targetProfileIds: dataArg.targetProfileIds,
               description: dataArg.description,
               forceDestinationSmartproxy: dataArg.forceDestinationSmartproxy,
               destinationAllowList: dataArg.destinationAllowList,
@@ -142,7 +142,7 @@ export class VpnHandler {
               client: {
                 clientId: bundle.entry.clientId,
                 enabled: bundle.entry.enabled ?? true,
-                serverDefinedClientTags: bundle.entry.serverDefinedClientTags,
+                targetProfileIds: persistedClient?.targetProfileIds,
                 description: bundle.entry.description,
                 assignedIp: bundle.entry.assignedIp,
                 createdAt: Date.now(),
@@ -179,7 +179,7 @@ export class VpnHandler {
           try {
             await manager.updateClient(dataArg.clientId, {
               description: dataArg.description,
-              serverDefinedClientTags: dataArg.serverDefinedClientTags,
+              targetProfileIds: dataArg.targetProfileIds,
               forceDestinationSmartproxy: dataArg.forceDestinationSmartproxy,
               destinationAllowList: dataArg.destinationAllowList,
               destinationBlockList: dataArg.destinationBlockList,

package/ts/vpn/classes.vpn-manager.ts

@@ -14,7 +14,7 @@ export interface IVpnManagerConfig {
   /** Pre-defined VPN clients created on startup (idempotent — skips already-persisted clients) */
   initialClients?: Array<{
     clientId: string;
-    serverDefinedClientTags?: string[];
+    targetProfileIds?: string[];
     description?: string;
   }>;
   /** Called when clients are created/deleted/toggled — triggers route re-application */
@@ -26,10 +26,10 @@ export interface IVpnManagerConfig {
     allowList?: string[];
     blockList?: string[];
   };
-  /** Compute per-client AllowedIPs based on the client's server-defined tags.
+  /** Compute per-client AllowedIPs based on the client's target profile IDs.
    *  Called at config generation time (create/export). Returns CIDRs for WireGuard AllowedIPs.
    *  When not set, defaults to [subnet]. */
-  getClientAllowedIPs?: (clientTags: string[]) => Promise<string[]>;
+  getClientAllowedIPs?: (targetProfileIds: string[]) => Promise<string[]>;
   /** Forwarding mode: 'socket' (default, userspace NAT), 'bridge' (L2 bridge to host LAN),
    *  or 'hybrid' (socket default, bridge for clients with useHostIp=true) */
   forwardingMode?: 'socket' | 'bridge' | 'hybrid';
@@ -90,7 +90,6 @@ export class VpnManager {
         publicKey: client.noisePublicKey,
         wgPublicKey: client.wgPublicKey,
         enabled: client.enabled,
-        serverDefinedClientTags: client.serverDefinedClientTags,
         description: client.description,
         assignedIp: client.assignedIp,
         expiresAt: client.expiresAt,
@@ -163,7 +162,7 @@ export class VpnManager {
         if (!this.clients.has(initial.clientId)) {
           const bundle = await this.createClient({
             clientId: initial.clientId,
-            serverDefinedClientTags: initial.serverDefinedClientTags,
+            targetProfileIds: initial.targetProfileIds,
             description: initial.description,
           });
           logger.log('info', `VPN: Created initial client '${initial.clientId}' (IP: ${bundle.entry.assignedIp})`);
@@ -197,7 +196,7 @@ export class VpnManager {
    */
   public async createClient(opts: {
     clientId: string;
-    serverDefinedClientTags?: string[];
+    targetProfileIds?: string[];
     description?: string;
     forceDestinationSmartproxy?: boolean;
     destinationAllowList?: string[];
@@ -214,13 +213,12 @@ export class VpnManager {
 
     const bundle = await this.vpnServer.createClient({
       clientId: opts.clientId,
-      serverDefinedClientTags: opts.serverDefinedClientTags,
       description: opts.description,
     });
 
-    // Override AllowedIPs with per-client values based on tag-matched routes
+    // Override AllowedIPs with per-client values based on target profiles
     if (this.config.getClientAllowedIPs && bundle.wireguardConfig) {
-      const allowedIPs = await this.config.getClientAllowedIPs(opts.serverDefinedClientTags || []);
+      const allowedIPs = await this.config.getClientAllowedIPs(opts.targetProfileIds || []);
       bundle.wireguardConfig = bundle.wireguardConfig.replace(
         /AllowedIPs\s*=\s*.+/,
         `AllowedIPs = ${allowedIPs.join(', ')}`,
@@ -231,7 +229,7 @@ export class VpnManager {
     const doc = new VpnClientDoc();
     doc.clientId = bundle.entry.clientId;
     doc.enabled = bundle.entry.enabled ?? true;
-    doc.serverDefinedClientTags = bundle.entry.serverDefinedClientTags;
+    doc.targetProfileIds = opts.targetProfileIds;
     doc.description = bundle.entry.description;
     doc.assignedIp = bundle.entry.assignedIp;
     doc.noisePublicKey = bundle.entry.publicKey;
@@ -332,11 +330,11 @@ export class VpnManager {
   }
 
   /**
-   * Update a client's metadata (description, tags) without rotating keys.
+   * Update a client's metadata (description, target profiles) without rotating keys.
    */
   public async updateClient(clientId: string, update: {
     description?: string;
-    serverDefinedClientTags?: string[];
+    targetProfileIds?: string[];
     forceDestinationSmartproxy?: boolean;
     destinationAllowList?: string[];
     destinationBlockList?: string[];
@@ -349,7 +347,7 @@ export class VpnManager {
     const client = this.clients.get(clientId);
     if (!client) throw new Error(`Client not found: ${clientId}`);
     if (update.description !== undefined) client.description = update.description;
-    if (update.serverDefinedClientTags !== undefined) client.serverDefinedClientTags = update.serverDefinedClientTags;
+    if (update.targetProfileIds !== undefined) client.targetProfileIds = update.targetProfileIds;
     if (update.forceDestinationSmartproxy !== undefined) client.forceDestinationSmartproxy = update.forceDestinationSmartproxy;
     if (update.destinationAllowList !== undefined) client.destinationAllowList = update.destinationAllowList;
     if (update.destinationBlockList !== undefined) client.destinationBlockList = update.destinationBlockList;
@@ -409,10 +407,10 @@ export class VpnManager {
         );
       }
 
-      // Override AllowedIPs with per-client values based on tag-matched routes
+      // Override AllowedIPs with per-client values based on target profiles
       if (this.config.getClientAllowedIPs) {
-        const clientTags = persisted?.serverDefinedClientTags || [];
-        const allowedIPs = await this.config.getClientAllowedIPs(clientTags);
+        const profileIds = persisted?.targetProfileIds || [];
+        const allowedIPs = await this.config.getClientAllowedIPs(profileIds);
         config = config.replace(
           /AllowedIPs\s*=\s*.+/,
           `AllowedIPs = ${allowedIPs.join(', ')}`,
@@ -423,22 +421,6 @@ export class VpnManager {
     return config;
   }
 
-  // ── Tag-based access control ───────────────────────────────────────────
-
-  /**
-   * Get assigned IPs for all enabled clients matching any of the given server-defined tags.
-   */
-  public getClientIpsForServerDefinedTags(tags: string[]): string[] {
-    const ips: string[] = [];
-    for (const client of this.clients.values()) {
-      if (!client.enabled || !client.assignedIp) continue;
-      if (client.serverDefinedClientTags?.some(t => tags.includes(t))) {
-        ips.push(client.assignedIp);
-      }
-    }
-    return ips;
-  }
-
   // ── Status and telemetry ───────────────────────────────────────────────
 
   /**
@@ -548,12 +530,6 @@ export class VpnManager {
   private async loadPersistedClients(): Promise<void> {
     const docs = await VpnClientDoc.findAll();
     for (const doc of docs) {
-      // Migrate legacy `tags` → `serverDefinedClientTags`
-      if (!doc.serverDefinedClientTags && (doc as any).tags) {
-        doc.serverDefinedClientTags = (doc as any).tags;
-        (doc as any).tags = undefined;
-        await doc.save();
-      }
       this.clients.set(doc.clientId, doc);
     }
     if (this.clients.size > 0) {

package/ts_web/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@serve.zone/dcrouter',
-  version: '12.10.0',
+  version: '13.0.0',
   description: 'A multifaceted routing service handling mail and SMS delivery functions.'
 }