@serve.zone/dcrouter 12.2.6 → 12.4.0

package/readme.md

@@ -93,10 +93,11 @@ For reporting bugs, issues, or security vulnerabilities, please visit [community
 - **Socket-handler mode** — direct socket passing eliminates internal port hops
 - **Real-time metrics** via SmartMetrics (CPU, memory, connections, throughput)
 
-### 💾 Persistent Storage & Caching
-- **Multiple storage backends**: filesystem, custom functions, or in-memory
-- **Embedded cache database** via smartdata + smartdb (MongoDB-compatible)
+### 💾 Unified Database
+- **Two deployment modes**: embedded LocalSmartDb (zero-config) or external MongoDB
+- **15 document classes** covering routes, certs, VPN, RADIUS, security profiles, network targets, and caches
 - **Automatic TTL-based cleanup** for cached emails and IP reputation data
+- **Reusable references** — security profiles and network targets that propagate changes to all referencing routes
 
 ### 🖥️ OpsServer Dashboard
 - **Web-based management interface** with real-time monitoring
@@ -104,7 +105,9 @@ For reporting bugs, issues, or security vulnerabilities, please visit [community
 - **Live views** for connections, email queues, DNS queries, RADIUS sessions, certificates, remote ingress edges, VPN clients, and security events
 - **Domain-centric certificate overview** with backoff status and one-click reprovisioning
 - **Remote ingress management** with connection token generation and one-click copy
-- **Read-only configuration display** — DcRouter is configured through code
+- **Security profiles & network targets** — reusable security configurations and host:port targets with propagation to referencing routes
+- **Global warning banners** when database is disabled (management features unavailable)
+- **Read-only configuration display** for system overview
 - **Smart tab visibility handling** — auto-pauses all polling, WebSocket connections, and chart updates when the browser tab is hidden, preventing resource waste and tab freezing
 
 ### 🔧 Programmatic API Client
@@ -269,11 +272,8 @@ const router = new DcRouter({
     ],
   },
 
-  // Persistent storage
-  storage: { fsPath: '/var/lib/dcrouter/data' },
-
-  // Cache database
-  cacheConfig: { enabled: true, storagePath: '~/.serve.zone/dcrouter/tsmdb' },
+  // Unified database (embedded LocalSmartDb or external MongoDB)
+  dbConfig: { enabled: true },
 
   // TLS & ACME
   tls: { contactEmail: 'admin@example.com' },
@@ -311,8 +311,7 @@ graph TB
         CM[Certificate Manager<br/><i>smartacme v9</i>]
         OS[OpsServer Dashboard]
         MM[Metrics Manager]
-        SM[Storage Manager]
-        CD[Cache Database]
+        DB2[DcRouterDb<br/><i>smartdata + smartdb</i>]
     end
 
     subgraph "Backend Services"
@@ -339,8 +338,7 @@ graph TB
     DC --> CM
     DC --> OS
     DC --> MM
-    DC --> SM
-    DC --> CD
+    DC --> DB2
 
     SP --> WEB
     SP --> API
@@ -365,8 +363,7 @@ graph TB
 | **RemoteIngress** | `@serve.zone/remoteingress` | Distributed edge tunneling with Rust data plane and TS management |
 | **OpsServer** | `@api.global/typedserver` | Web dashboard + TypedRequest API for monitoring and management |
 | **MetricsManager** | `@push.rocks/smartmetrics` | Real-time metrics collection (CPU, memory, email, DNS, security) |
-| **StorageManager** | built-in | Pluggable key-value storage (filesystem, custom, or in-memory) |
-| **CacheDb** | `@push.rocks/smartdb` | Embedded MongoDB-compatible database (LocalSmartDb) for persistent caching |
+| **DcRouterDb** | `@push.rocks/smartdata` + `@push.rocks/smartdb` | Unified database — embedded LocalSmartDb or external MongoDB for all persistence |
 
 ### How It Works
 
@@ -509,24 +506,16 @@ interface IDcRouterOptions {
   };
   dnsChallenge?: { cloudflareApiKey?: string };
 
-  // ── Storage & Caching ─────────────────────────────────────────
-  storage?: {
-    fsPath?: string;
-    readFunction?: (key: string) => Promise<string>;
-    writeFunction?: (key: string, value: string) => Promise<void>;
-  };
-  cacheConfig?: {
+  // ── Database ────────────────────────────────────────────────────
+  /** Unified database for all persistence (routes, certs, VPN, RADIUS, etc.) */
+  dbConfig?: {
     enabled?: boolean;                   // default: true
+    mongoDbUrl?: string;                 // External MongoDB URL (omit for embedded LocalSmartDb)
     storagePath?: string;                // default: '~/.serve.zone/dcrouter/tsmdb'
     dbName?: string;                     // default: 'dcrouter'
     cleanupIntervalHours?: number;       // default: 1
-    ttlConfig?: {
-      emails?: number;                   // default: 30 days
-      ipReputation?: number;             // default: 1 day
-      bounces?: number;                  // default: 30 days
-      dkimKeys?: number;                 // default: 90 days
-      suppression?: number;              // default: 30 days
-    };
+    seedOnEmpty?: boolean;               // Seed default profiles/targets if DB is empty
+    seedData?: object;                   // Custom seed data
   };
 }
 ```
@@ -1213,49 +1202,55 @@ The OpsServer includes a **Certificates** view showing:
 - One-click reprovisioning per domain
 - Certificate import and export
 
-## Storage & Caching
+## Storage & Database
 
-### StorageManager
+DcRouter uses a **unified database** (`DcRouterDb`) powered by [`@push.rocks/smartdata`](https://code.foss.global/push.rocks/smartdata) + [`@push.rocks/smartdb`](https://code.foss.global/push.rocks/smartdb) for all persistence. It supports two modes:
 
-Provides a unified key-value interface with three backends:
+### Embedded LocalSmartDb (Default)
 
-```typescript
-// Filesystem backend
-storage: { fsPath: '/var/lib/dcrouter/data' }
+Zero-config, file-based MongoDB-compatible database — no external services needed:
 
-// Custom backend (Redis, S3, etc.)
-storage: {
-  readFunction: async (key) => await redis.get(key),
-  writeFunction: async (key, value) => await redis.set(key, value)
-}
-
-// In-memory (development only — data lost on restart)
-// Simply omit the storage config
+```typescript
+dbConfig: { enabled: true }
+// Data stored at ~/.serve.zone/dcrouter/tsmdb by default
 ```
 
-Used for: TLS certificates, DKIM keys, email routes, bounce/suppression lists, IP reputation data, domain configs, cert backoff state, remote ingress edge registrations.
+### External MongoDB
 
-### Cache Database
-
-An embedded MongoDB-compatible database (via smartdata + smartdb) for persistent caching with automatic TTL cleanup:
+Connect to an existing MongoDB instance:
 
 ```typescript
-cacheConfig: {
+dbConfig: {
   enabled: true,
-  storagePath: '~/.serve.zone/dcrouter/tsmdb',
+  mongoDbUrl: 'mongodb://localhost:27017',
   dbName: 'dcrouter',
-  cleanupIntervalHours: 1,
-  ttlConfig: {
-    emails: 30,         // days
-    ipReputation: 1,    // days
-    bounces: 30,        // days
-    dkimKeys: 90,       // days
-    suppression: 30     // days
-  }
 }
 ```
 
-Cached document types: `CachedEmail`, `CachedIPReputation`.
+### Disabling the Database
+
+For static, constructor-only deployments where no runtime management is needed:
+
+```typescript
+dbConfig: { enabled: false }
+// Routes come exclusively from constructor config — no CRUD, no persistence
+// OpsServer still runs but management features are disabled
+```
+
+### What's Stored
+
+DcRouterDb persists all runtime state across 15 document classes:
+
+| Category | Documents | Purpose |
+|----------|-----------|---------|
+| **Routes** | `StoredRouteDoc`, `RouteOverrideDoc` | Programmatic routes and hardcoded route overrides |
+| **Certificates** | `ProxyCertDoc`, `AcmeCertDoc`, `CertBackoffDoc` | TLS certs, ACME state, per-domain backoff |
+| **Auth** | `ApiTokenDoc` | API token storage |
+| **Remote Ingress** | `RemoteIngressEdgeDoc` | Edge node registrations |
+| **VPN** | `VpnServerKeysDoc`, `VpnClientDoc` | Server keys and client registrations |
+| **RADIUS** | `VlanMappingsDoc`, `AccountingSessionDoc` | VLAN mappings and accounting sessions |
+| **References** | `SecurityProfileDoc`, `NetworkTargetDoc` | Reusable security profiles and network targets |
+| **Cache** | `CachedEmailDoc`, `CachedIpReputationDoc` | TTL-based caches with automatic cleanup |
 
 ## Security Features
 
@@ -1324,6 +1319,8 @@ The OpsServer provides a web-based management interface served on port 3000 by d
 | 🔐 **Certificates** | Domain-centric certificate overview, status, backoff info, reprovisioning, import/export |
 | 🌍 **RemoteIngress** | Edge node management, connection status, token generation, enable/disable |
 | 🔐 **VPN** | VPN client management, server status, create/toggle/export/rotate/delete clients |
+| 🛡️ **Security Profiles** | Reusable security configurations (IP allow/block lists, rate limits) |
+| 🎯 **Network Targets** | Reusable host:port destinations for route references |
 | 📡 **RADIUS** | NAS client management, VLAN mappings, session monitoring, accounting |
 | 📜 **Logs** | Real-time log viewer with level filtering and search |
 | ⚙️ **Configuration** | Read-only view of current system configuration |
@@ -1410,6 +1407,22 @@ All management is done via TypedRequest over HTTP POST to `/typedrequest`:
 'setVlanMapping'                       // Add/update VLAN mapping
 'removeVlanMapping'                    // Remove VLAN mapping
 'testVlanAssignment'                   // Test what VLAN a MAC gets
+
+// Security Profiles
+'getSecurityProfiles'                  // List all security profiles
+'getSecurityProfile'                   // Get a single profile by ID
+'createSecurityProfile'                // Create a reusable security profile
+'updateSecurityProfile'                // Update a profile (propagates to referencing routes)
+'deleteSecurityProfile'                // Delete a profile (with optional force)
+'getSecurityProfileUsage'              // Get routes referencing a profile
+
+// Network Targets
+'getNetworkTargets'                    // List all network targets
+'getNetworkTarget'                     // Get a single target by ID
+'createNetworkTarget'                  // Create a reusable host:port target
+'updateNetworkTarget'                  // Update a target (propagates to referencing routes)
+'deleteNetworkTarget'                  // Delete a target (with optional force)
+'getNetworkTargetUsage'                // Get routes referencing a target
 ```
 
 ## API Client
@@ -1518,12 +1531,12 @@ const router = new DcRouter(options: IDcRouterOptions);
 | `remoteIngressManager` | `RemoteIngressManager` | Edge registration CRUD manager |
 | `tunnelManager` | `TunnelManager` | Tunnel lifecycle and status manager |
 | `vpnManager` | `VpnManager` | VPN server lifecycle and client CRUD manager |
-| `storageManager` | `StorageManager` | Storage backend |
 | `opsServer` | `OpsServer` | OpsServer/dashboard instance |
 | `metricsManager` | `MetricsManager` | Metrics collector |
-| `cacheDb` | `CacheDb` | Cache database instance |
-| `certProvisionScheduler` | `CertProvisionScheduler` | Per-domain backoff scheduler for cert provisioning |
-| `certificateStatusMap` | `Map<string, ...>` | Domain-keyed certificate status from SmartProxy events |
+| `dcRouterDb` | `DcRouterDb` | Unified database instance (smartdata + smartdb) |
+| `routeConfigManager` | `RouteConfigManager` | Programmatic route CRUD manager |
+| `apiTokenManager` | `ApiTokenManager` | API token management |
+| `referenceResolver` | `ReferenceResolver` | Security profile and network target resolver |
 
 ### Re-exported Types
 
@@ -1589,7 +1602,8 @@ tstest test/test.opsserver-api.ts --verbose --timeout 60
 | `test.jwt-auth.ts` | JWT login, verification, logout, invalid credentials | 8 |
 | `test.opsserver-api.ts` | Health, statistics, configuration, log APIs | 8 |
 | `test.protected-endpoint.ts` | Admin auth, identity verification, public endpoints | 8 |
-| `test.storagemanager.ts` | Memory, filesystem, custom backends, concurrency | 8 |
+| `test.reference-resolver.ts` | Security profiles, network targets, route resolution | 20 |
+| `test.security-profiles-api.ts` | Profile/target API endpoints, auth enforcement | 13 |
 
 ## Docker / OCI Container Deployment
 

package/ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@serve.zone/dcrouter',
-  version: '12.2.6',
+  version: '12.4.0',
   description: 'A multifaceted routing service handling mail and SMS delivery functions.'
 }

package/ts_web/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@serve.zone/dcrouter',
-  version: '12.2.6',
+  version: '12.4.0',
   description: 'A multifaceted routing service handling mail and SMS delivery functions.'
 }

package/ts_web/appstate.ts

@@ -1441,6 +1441,37 @@ export const createRouteAction = routeManagementStatePart.createAction<{
   }
 });
 
+export const updateRouteAction = routeManagementStatePart.createAction<{
+  id: string;
+  route?: any;
+  enabled?: boolean;
+  metadata?: any;
+}>(async (statePartArg, dataArg, actionContext): Promise<IRouteManagementState> => {
+  const context = getActionContext();
+  const currentState = statePartArg.getState()!;
+
+  try {
+    const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
+      interfaces.requests.IReq_UpdateRoute
+    >('/typedrequest', 'updateRoute');
+
+    await request.fire({
+      identity: context.identity!,
+      id: dataArg.id,
+      route: dataArg.route,
+      enabled: dataArg.enabled,
+      metadata: dataArg.metadata,
+    });
+
+    return await actionContext!.dispatch(fetchMergedRoutesAction, null);
+  } catch (error: unknown) {
+    return {
+      ...currentState,
+      error: error instanceof Error ? error.message : 'Failed to update route',
+    };
+  }
+});
+
 export const deleteRouteAction = routeManagementStatePart.createAction<string>(
   async (statePartArg, routeId, actionContext): Promise<IRouteManagementState> => {
     const context = getActionContext();

package/ts_web/elements/ops-dashboard.ts

@@ -2,7 +2,6 @@ import * as plugins from '../plugins.js';
 import * as appstate from '../appstate.js';
 import * as interfaces from '../../dist_ts_interfaces/index.js';
 import { appRouter } from '../router.js';
-
 import {
   DeesElement,
   css,
@@ -43,6 +42,12 @@ export class OpsDashboard extends DeesElement {
     theme: 'light',
   };
 
+  @state() accessor configState: appstate.IConfigState = {
+    config: null,
+    isLoading: false,
+    error: null,
+  };
+
   // Store viewTabs as a property to maintain object references
   private viewTabs = [
     {
@@ -112,6 +117,20 @@ export class OpsDashboard extends DeesElement {
     },
   ];
 
+  private get globalMessages() {
+    const messages: Array<{ id: string; type: string; message: string; dismissible?: boolean }> = [];
+    const config = this.configState.config;
+    if (config && !config.cache.enabled) {
+      messages.push({
+        id: 'db-disabled',
+        type: 'warning',
+        message: 'Database is disabled. Creating and editing routes, profiles, targets, and API tokens is not available.',
+        dismissible: false,
+      });
+    }
+    return messages;
+  }
+
   /**
    * Get the current view tab based on the UI state's activeView.
    * Used to pass the correct selectedView to dees-simple-appdash on initial render.
@@ -137,6 +156,14 @@ export class OpsDashboard extends DeesElement {
       });
     this.rxSubscriptions.push(loginSubscription);
     
+    // Subscribe to config state (for global warnings)
+    const configSubscription = appstate.configStatePart
+      .select((stateArg) => stateArg)
+      .subscribe((configState) => {
+        this.configState = configState;
+      });
+    this.rxSubscriptions.push(configSubscription);
+
     // Subscribe to UI state
     const uiSubscription = appstate.uiStatePart
       .select((stateArg) => stateArg)
@@ -205,6 +232,7 @@ export class OpsDashboard extends DeesElement {
             name="DCRouter OpsServer"
             .viewTabs=${this.viewTabs}
             .selectedView=${this.currentViewTab}
+            .globalMessages=${this.globalMessages}
           >
           </dees-simple-appdash>
         </dees-simple-login>

package/ts_web/elements/ops-view-network.ts

@@ -287,27 +287,17 @@ export class OpsViewNetwork extends DeesElement {
             {
               name: 'Inbound',
               data: this.trafficDataIn,
-              color: '#22c55e', // Green for download
+              color: '#22c55e',
             },
             {
               name: 'Outbound',
               data: this.trafficDataOut,
-              color: '#8b5cf6', // Purple for upload
+              color: '#8b5cf6',
             }
           ]}
-          .stacked=${false}
+          .realtimeMode=${true}
+          .rollingWindow=${300000}
           .yAxisFormatter=${(val: number) => `${val} Mbit/s`}
-          .tooltipFormatter=${(point: any) => {
-            const mbps = point.y || 0;
-            const seriesName = point.series?.name || 'Throughput';
-            const timestamp = new Date(point.x).toLocaleTimeString();
-            return `
-              <div style="padding: 8px;">
-                <div style="font-weight: bold; margin-bottom: 4px;">${timestamp}</div>
-                <div>${seriesName}: ${mbps.toFixed(2)} Mbit/s</div>
-              </div>
-            `;
-          }}
         ></dees-chart-area>
 
         <!-- Top IPs Section -->

package/ts_web/elements/ops-view-overview.ts

@@ -121,11 +121,15 @@ export class OpsViewOverview extends DeesElement {
           <dees-chart-area
             .label=${'Email Traffic (24h)'}
             .series=${this.getEmailTrafficSeries()}
+            .realtimeMode=${true}
+            .rollingWindow=${86400000}
             .yAxisFormatter=${(val: number) => `${val}`}
           ></dees-chart-area>
           <dees-chart-area
             .label=${'DNS Queries (24h)'}
             .series=${this.getDnsQuerySeries()}
+            .realtimeMode=${true}
+            .rollingWindow=${86400000}
             .yAxisFormatter=${(val: number) => `${val}`}
           ></dees-chart-area>
           <dees-chart-log

package/ts_web/elements/ops-view-routes.ts

@@ -204,7 +204,10 @@ export class OpsViewRoutes extends DeesElement {
           ? html`
               <sz-route-list-view
                 .routes=${szRoutes}
+                .showActionsFilter=${(route: any) => route.tags?.includes('programmatic') ?? false}
                 @route-click=${(e: CustomEvent) => this.handleRouteClick(e)}
+                @route-edit=${(e: CustomEvent) => this.handleRouteEdit(e)}
+                @route-delete=${(e: CustomEvent) => this.handleRouteDelete(e)}
               ></sz-route-list-view>
             `
           : html`
@@ -337,6 +340,162 @@ export class OpsViewRoutes extends DeesElement {
     }
   }
 
+  private async handleRouteEdit(e: CustomEvent) {
+    const clickedRoute = e.detail;
+    if (!clickedRoute) return;
+
+    const merged = this.routeState.mergedRoutes.find(
+      (mr) => mr.route.name === clickedRoute.name,
+    );
+    if (!merged || !merged.storedRouteId) return;
+
+    this.showEditRouteDialog(merged);
+  }
+
+  private async handleRouteDelete(e: CustomEvent) {
+    const clickedRoute = e.detail;
+    if (!clickedRoute) return;
+
+    const merged = this.routeState.mergedRoutes.find(
+      (mr) => mr.route.name === clickedRoute.name,
+    );
+    if (!merged || !merged.storedRouteId) return;
+
+    const { DeesModal } = await import('@design.estate/dees-catalog');
+    await DeesModal.createAndShow({
+      heading: `Delete Route: ${merged.route.name}`,
+      content: html`
+        <div style="color: #ccc; padding: 8px 0;">
+          <p>Are you sure you want to delete this route? This action cannot be undone.</p>
+        </div>
+      `,
+      menuOptions: [
+        {
+          name: 'Cancel',
+          iconName: 'lucide:x',
+          action: async (modalArg: any) => await modalArg.destroy(),
+        },
+        {
+          name: 'Delete',
+          iconName: 'lucide:trash-2',
+          action: async (modalArg: any) => {
+            await appstate.routeManagementStatePart.dispatchAction(
+              appstate.deleteRouteAction,
+              merged.storedRouteId!,
+            );
+            await modalArg.destroy();
+          },
+        },
+      ],
+    });
+  }
+
+  private async showEditRouteDialog(merged: interfaces.data.IMergedRoute) {
+    const { DeesModal } = await import('@design.estate/dees-catalog');
+    const profiles = this.profilesTargetsState.profiles;
+    const targets = this.profilesTargetsState.targets;
+
+    const profileOptions = [
+      { key: '', option: '(none — inline security)' },
+      ...profiles.map((p) => ({
+        key: p.id,
+        option: `${p.name}${p.description ? ' — ' + p.description : ''}`,
+      })),
+    ];
+    const targetOptions = [
+      { key: '', option: '(none — inline target)' },
+      ...targets.map((t) => ({
+        key: t.id,
+        option: `${t.name} (${Array.isArray(t.host) ? t.host.join(',') : t.host}:${t.port})`,
+      })),
+    ];
+
+    const route = merged.route;
+    const currentPorts = Array.isArray(route.match.ports)
+      ? route.match.ports.map((p: any) => typeof p === 'number' ? String(p) : `${p.from}-${p.to}`).join(', ')
+      : String(route.match.ports);
+    const currentDomains = route.match.domains
+      ? (Array.isArray(route.match.domains) ? route.match.domains.join(', ') : route.match.domains)
+      : '';
+    const firstTarget = route.action.targets?.[0];
+    const currentTargetHost = firstTarget
+      ? (Array.isArray(firstTarget.host) ? firstTarget.host[0] : firstTarget.host)
+      : '';
+    const currentTargetPort = firstTarget?.port != null ? String(firstTarget.port) : '';
+
+    await DeesModal.createAndShow({
+      heading: `Edit Route: ${route.name}`,
+      content: html`
+        <dees-form>
+          <dees-input-text .key=${'name'} .label=${'Route Name'} .value=${route.name || ''} .required=${true}></dees-input-text>
+          <dees-input-text .key=${'ports'} .label=${'Ports (comma-separated)'} .value=${currentPorts} .required=${true}></dees-input-text>
+          <dees-input-text .key=${'domains'} .label=${'Domains (comma-separated, optional)'} .value=${currentDomains}></dees-input-text>
+          <dees-input-dropdown .key=${'securityProfileRef'} .label=${'Security Profile'} .options=${profileOptions} .selectedKey=${merged.metadata?.securityProfileRef || ''}></dees-input-dropdown>
+          <dees-input-dropdown .key=${'networkTargetRef'} .label=${'Network Target'} .options=${targetOptions} .selectedKey=${merged.metadata?.networkTargetRef || ''}></dees-input-dropdown>
+          <dees-input-text .key=${'targetHost'} .label=${'Target Host (if no target selected)'} .value=${currentTargetHost}></dees-input-text>
+          <dees-input-text .key=${'targetPort'} .label=${'Target Port (if no target selected)'} .value=${currentTargetPort}></dees-input-text>
+        </dees-form>
+      `,
+      menuOptions: [
+        {
+          name: 'Cancel',
+          iconName: 'lucide:x',
+          action: async (modalArg: any) => await modalArg.destroy(),
+        },
+        {
+          name: 'Save',
+          iconName: 'lucide:check',
+          action: async (modalArg: any) => {
+            const form = modalArg.shadowRoot?.querySelector('.content')?.querySelector('dees-form');
+            if (!form) return;
+            const formData = await form.collectFormData();
+            if (!formData.name || !formData.ports) return;
+
+            const ports = formData.ports.split(',').map((p: string) => parseInt(p.trim(), 10)).filter((p: number) => !isNaN(p));
+            const domains = formData.domains
+              ? formData.domains.split(',').map((d: string) => d.trim()).filter(Boolean)
+              : undefined;
+
+            const updatedRoute: any = {
+              name: formData.name,
+              match: {
+                ports,
+                ...(domains && domains.length > 0 ? { domains } : {}),
+              },
+              action: {
+                type: 'forward',
+                targets: [
+                  {
+                    host: formData.targetHost || 'localhost',
+                    port: parseInt(formData.targetPort, 10) || 443,
+                  },
+                ],
+              },
+            };
+
+            const metadata: any = {};
+            if (formData.securityProfileRef) {
+              metadata.securityProfileRef = formData.securityProfileRef;
+            }
+            if (formData.networkTargetRef) {
+              metadata.networkTargetRef = formData.networkTargetRef;
+            }
+
+            await appstate.routeManagementStatePart.dispatchAction(
+              appstate.updateRouteAction,
+              {
+                id: merged.storedRouteId!,
+                route: updatedRoute,
+                metadata: Object.keys(metadata).length > 0 ? metadata : undefined,
+              },
+            );
+            await modalArg.destroy();
+          },
+        },
+      ],
+    });
+  }
+
   private async showCreateRouteDialog() {
     const { DeesModal } = await import('@design.estate/dees-catalog');
     const profiles = this.profilesTargetsState.profiles;

package/ts_web/readme.md

@@ -68,6 +68,12 @@ For reporting bugs, issues, or security vulnerabilities, please visit [community
 - API token creation, revocation, and scope management
 - Routes tab and API Tokens tab in unified view
 
+### 🛡️ Security Profiles & Network Targets
+- Create, edit, and delete reusable security profiles (IP allow/block lists, rate limits, max connections)
+- Create, edit, and delete reusable network targets (host:port destinations)
+- In-row and context menu actions for quick editing
+- Changes propagate automatically to all referencing routes
+
 ### ⚙️ Configuration
 - Read-only display of current system configuration
 - Status badges for boolean values (enabled/disabled)