@serve.zone/dcrouter 13.17.0 → 13.17.2

package/dist_ts/classes.storage-cert-manager.d.ts

@@ -0,0 +1,15 @@
+import * as plugins from './plugins.js';
+/**
+ * ICertManager implementation backed by smartdata document classes.
+ * Persists SmartAcme certificates via AcmeCertDoc so they
+ * survive process restarts without re-hitting ACME.
+ */
+export declare class StorageBackedCertManager implements plugins.smartacme.ICertManager {
+    constructor();
+    init(): Promise<void>;
+    retrieveCertificate(domainName: string): Promise<plugins.smartacme.Cert | null>;
+    storeCertificate(cert: plugins.smartacme.Cert): Promise<void>;
+    deleteCertificate(domainName: string): Promise<void>;
+    close(): Promise<void>;
+    wipe(): Promise<void>;
+}

package/dist_ts/classes.storage-cert-manager.js

@@ -0,0 +1,53 @@
+import * as plugins from './plugins.js';
+import { AcmeCertDoc } from './db/index.js';
+/**
+ * ICertManager implementation backed by smartdata document classes.
+ * Persists SmartAcme certificates via AcmeCertDoc so they
+ * survive process restarts without re-hitting ACME.
+ */
+export class StorageBackedCertManager {
+    constructor() { }
+    async init() { }
+    async retrieveCertificate(domainName) {
+        const doc = await AcmeCertDoc.findByDomain(domainName);
+        if (!doc)
+            return null;
+        return new plugins.smartacme.Cert({
+            id: doc.id,
+            domainName: doc.domainName,
+            created: doc.created,
+            privateKey: doc.privateKey,
+            publicKey: doc.publicKey,
+            csr: doc.csr,
+            validUntil: doc.validUntil,
+        });
+    }
+    async storeCertificate(cert) {
+        let doc = await AcmeCertDoc.findByDomain(cert.domainName);
+        if (!doc) {
+            doc = new AcmeCertDoc();
+            doc.id = cert.id;
+            doc.domainName = cert.domainName;
+        }
+        doc.created = cert.created;
+        doc.privateKey = cert.privateKey;
+        doc.publicKey = cert.publicKey;
+        doc.csr = cert.csr;
+        doc.validUntil = cert.validUntil;
+        await doc.save();
+    }
+    async deleteCertificate(domainName) {
+        const doc = await AcmeCertDoc.findByDomain(domainName);
+        if (doc) {
+            await doc.delete();
+        }
+    }
+    async close() { }
+    async wipe() {
+        const docs = await AcmeCertDoc.findAll();
+        for (const doc of docs) {
+            await doc.delete();
+        }
+    }
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY2xhc3Nlcy5zdG9yYWdlLWNlcnQtbWFuYWdlci5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uL3RzL2NsYXNzZXMuc3RvcmFnZS1jZXJ0LW1hbmFnZXIudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBQUEsT0FBTyxLQUFLLE9BQU8sTUFBTSxjQUFjLENBQUM7QUFDeEMsT0FBTyxFQUFFLFdBQVcsRUFBRSxNQUFNLGVBQWUsQ0FBQztBQUU1Qzs7OztHQUlHO0FBQ0gsTUFBTSxPQUFPLHdCQUF3QjtJQUNuQyxnQkFBZSxDQUFDO0lBRWhCLEtBQUssQ0FBQyxJQUFJLEtBQW1CLENBQUM7SUFFOUIsS0FBSyxDQUFDLG1CQUFtQixDQUFDLFVBQWtCO1FBQzFDLE1BQU0sR0FBRyxHQUFHLE1BQU0sV0FBVyxDQUFDLFlBQVksQ0FBQyxVQUFVLENBQUMsQ0FBQztRQUN2RCxJQUFJLENBQUMsR0FBRztZQUFFLE9BQU8sSUFBSSxDQUFDO1FBQ3RCLE9BQU8sSUFBSSxPQUFPLENBQUMsU0FBUyxDQUFDLElBQUksQ0FBQztZQUNoQyxFQUFFLEVBQUUsR0FBRyxDQUFDLEVBQUU7WUFDVixVQUFVLEVBQUUsR0FBRyxDQUFDLFVBQVU7WUFDMUIsT0FBTyxFQUFFLEdBQUcsQ0FBQyxPQUFPO1lBQ3BCLFVBQVUsRUFBRSxHQUFHLENBQUMsVUFBVTtZQUMxQixTQUFTLEVBQUUsR0FBRyxDQUFDLFNBQVM7WUFDeEIsR0FBRyxFQUFFLEdBQUcsQ0FBQyxHQUFHO1lBQ1osVUFBVSxFQUFFLEdBQUcsQ0FBQyxVQUFVO1NBQzNCLENBQUMsQ0FBQztJQUNMLENBQUM7SUFFRCxLQUFLLENBQUMsZ0JBQWdCLENBQUMsSUFBNEI7UUFDakQsSUFBSSxHQUFHLEdBQUcsTUFBTSxXQUFXLENBQUMsWUFBWSxDQUFDLElBQUksQ0FBQyxVQUFVLENBQUMsQ0FBQztRQUMxRCxJQUFJLENBQUMsR0FBRyxFQUFFLENBQUM7WUFDVCxHQUFHLEdBQUcsSUFBSSxXQUFXLEVBQUUsQ0FBQztZQUN4QixHQUFHLENBQUMsRUFBRSxHQUFHLElBQUksQ0FBQyxFQUFFLENBQUM7WUFDakIsR0FBRyxDQUFDLFVBQVUsR0FBRyxJQUFJLENBQUMsVUFBVSxDQUFDO1FBQ25DLENBQUM7UUFDRCxHQUFHLENBQUMsT0FBTyxHQUFHLElBQUksQ0FBQyxPQUFPLENBQUM7UUFDM0IsR0FBRyxDQUFDLFVBQVUsR0FBRyxJQUFJLENBQUMsVUFBVSxDQUFDO1FBQ2pDLEdBQUcsQ0FBQyxTQUFTLEdBQUcsSUFBSSxDQUFDLFNBQVMsQ0FBQztRQUMvQixHQUFHLENBQUMsR0FBRyxHQUFHLElBQUksQ0FBQyxHQUFHLENBQUM7UUFDbkIsR0FBRyxDQUFDLFVBQVUsR0FBRyxJQUFJLENBQUMsVUFBVSxDQUFDO1FBQ2pDLE1BQU0sR0FBRyxDQUFDLElBQUksRUFBRSxDQUFDO0lBQ25CLENBQUM7SUFFRCxLQUFLLENBQUMsaUJBQWlCLENBQUMsVUFBa0I7UUFDeEMsTUFBTSxHQUFHLEdBQUcsTUFBTSxXQUFXLENBQUMsWUFBWSxDQUFDLFVBQVUsQ0FBQyxDQUFDO1FBQ3ZELElBQUksR0FBRyxFQUFFLENBQUM7WUFDUixNQUFNLEdBQUcsQ0FBQyxNQUFNLEVBQUUsQ0FBQztRQUNyQixDQUFDO0lBQ0gsQ0FBQztJQUVELEtBQUssQ0FBQyxLQUFLLEtBQW1CLENBQUM7SUFFL0IsS0FBSyxDQUFDLElBQUk7UUFDUixNQUFNLElBQUksR0FBRyxNQUFNLFdBQVcsQ0FBQyxPQUFPLEVBQUUsQ0FBQztRQUN6QyxLQUFLLE1BQU0sR0FBRyxJQUFJLElBQUksRUFBRSxDQUFDO1lBQ3ZCLE1BQU0sR0FBRyxDQUFDLE1BQU0sRUFBRSxDQUFDO1FBQ3JCLENBQUM7SUFDSCxDQUFDO0NBQ0YifQ==

package/dist_ts/config/classes.api-token-manager.d.ts

@@ -0,0 +1,44 @@
+import type { IStoredApiToken, IApiTokenInfo, TApiTokenScope } from '../../dist_ts_interfaces/data/route-management.js';
+export declare class ApiTokenManager {
+    private tokens;
+    constructor();
+    initialize(): Promise<void>;
+    /**
+     * Create a new API token. Returns the raw token value (shown once).
+     */
+    createToken(name: string, scopes: TApiTokenScope[], expiresInDays: number | null, createdBy: string): Promise<{
+        id: string;
+        rawToken: string;
+    }>;
+    /**
+     * Validate a raw token string. Returns the stored token if valid, null otherwise.
+     * Also updates lastUsedAt.
+     */
+    validateToken(rawToken: string): Promise<IStoredApiToken | null>;
+    /**
+     * Check if a token has a specific scope.
+     */
+    hasScope(token: IStoredApiToken, scope: TApiTokenScope): boolean;
+    /**
+     * List all tokens (safe info only, no hashes).
+     */
+    listTokens(): IApiTokenInfo[];
+    /**
+     * Revoke (delete) a token.
+     */
+    revokeToken(id: string): Promise<boolean>;
+    /**
+     * Roll (regenerate) a token's secret while keeping its identity.
+     * Returns the new raw token value (shown once).
+     */
+    rollToken(id: string): Promise<{
+        id: string;
+        rawToken: string;
+    } | null>;
+    /**
+     * Enable or disable a token.
+     */
+    toggleToken(id: string, enabled: boolean): Promise<boolean>;
+    private loadTokens;
+    private persistToken;
+}

package/dist_ts/config/classes.api-token-manager.js

@@ -0,0 +1,180 @@
+import * as plugins from '../plugins.js';
+import { logger } from '../logger.js';
+import { ApiTokenDoc } from '../db/index.js';
+const TOKEN_PREFIX_STR = 'dcr_';
+export class ApiTokenManager {
+    tokens = new Map();
+    constructor() { }
+    async initialize() {
+        await this.loadTokens();
+        if (this.tokens.size > 0) {
+            logger.log('info', `Loaded ${this.tokens.size} API token(s) from storage`);
+        }
+    }
+    // =========================================================================
+    // Token lifecycle
+    // =========================================================================
+    /**
+     * Create a new API token. Returns the raw token value (shown once).
+     */
+    async createToken(name, scopes, expiresInDays, createdBy) {
+        const id = plugins.uuid.v4();
+        const randomBytes = plugins.crypto.randomBytes(32);
+        const rawPayload = `${id}:${randomBytes.toString('base64url')}`;
+        const rawToken = `${TOKEN_PREFIX_STR}${rawPayload}`;
+        const tokenHash = plugins.crypto.createHash('sha256').update(rawToken).digest('hex');
+        const now = Date.now();
+        const stored = {
+            id,
+            name,
+            tokenHash,
+            scopes,
+            createdAt: now,
+            expiresAt: expiresInDays != null ? now + expiresInDays * 86400000 : null,
+            lastUsedAt: null,
+            createdBy,
+            enabled: true,
+        };
+        this.tokens.set(id, stored);
+        await this.persistToken(stored);
+        logger.log('info', `API token '${name}' created (id: ${id})`);
+        return { id, rawToken };
+    }
+    /**
+     * Validate a raw token string. Returns the stored token if valid, null otherwise.
+     * Also updates lastUsedAt.
+     */
+    async validateToken(rawToken) {
+        if (!rawToken.startsWith(TOKEN_PREFIX_STR))
+            return null;
+        const hash = plugins.crypto.createHash('sha256').update(rawToken).digest('hex');
+        for (const stored of this.tokens.values()) {
+            if (stored.tokenHash === hash) {
+                if (!stored.enabled)
+                    return null;
+                if (stored.expiresAt !== null && stored.expiresAt < Date.now())
+                    return null;
+                // Update lastUsedAt (fire and forget)
+                stored.lastUsedAt = Date.now();
+                this.persistToken(stored).catch(() => { });
+                return stored;
+            }
+        }
+        return null;
+    }
+    /**
+     * Check if a token has a specific scope.
+     */
+    hasScope(token, scope) {
+        return token.scopes.includes(scope);
+    }
+    /**
+     * List all tokens (safe info only, no hashes).
+     */
+    listTokens() {
+        const result = [];
+        for (const stored of this.tokens.values()) {
+            result.push({
+                id: stored.id,
+                name: stored.name,
+                scopes: stored.scopes,
+                createdAt: stored.createdAt,
+                expiresAt: stored.expiresAt,
+                lastUsedAt: stored.lastUsedAt,
+                enabled: stored.enabled,
+            });
+        }
+        return result;
+    }
+    /**
+     * Revoke (delete) a token.
+     */
+    async revokeToken(id) {
+        if (!this.tokens.has(id))
+            return false;
+        const token = this.tokens.get(id);
+        this.tokens.delete(id);
+        const doc = await ApiTokenDoc.findById(id);
+        if (doc)
+            await doc.delete();
+        logger.log('info', `API token '${token.name}' revoked (id: ${id})`);
+        return true;
+    }
+    /**
+     * Roll (regenerate) a token's secret while keeping its identity.
+     * Returns the new raw token value (shown once).
+     */
+    async rollToken(id) {
+        const stored = this.tokens.get(id);
+        if (!stored)
+            return null;
+        const randomBytes = plugins.crypto.randomBytes(32);
+        const rawPayload = `${id}:${randomBytes.toString('base64url')}`;
+        const rawToken = `${TOKEN_PREFIX_STR}${rawPayload}`;
+        stored.tokenHash = plugins.crypto.createHash('sha256').update(rawToken).digest('hex');
+        await this.persistToken(stored);
+        logger.log('info', `API token '${stored.name}' rolled (id: ${id})`);
+        return { id, rawToken };
+    }
+    /**
+     * Enable or disable a token.
+     */
+    async toggleToken(id, enabled) {
+        const stored = this.tokens.get(id);
+        if (!stored)
+            return false;
+        stored.enabled = enabled;
+        await this.persistToken(stored);
+        logger.log('info', `API token '${stored.name}' ${enabled ? 'enabled' : 'disabled'} (id: ${id})`);
+        return true;
+    }
+    // =========================================================================
+    // Private
+    // =========================================================================
+    async loadTokens() {
+        const docs = await ApiTokenDoc.findAll();
+        for (const doc of docs) {
+            if (doc.id) {
+                this.tokens.set(doc.id, {
+                    id: doc.id,
+                    name: doc.name,
+                    tokenHash: doc.tokenHash,
+                    scopes: doc.scopes,
+                    createdAt: doc.createdAt,
+                    expiresAt: doc.expiresAt,
+                    lastUsedAt: doc.lastUsedAt,
+                    createdBy: doc.createdBy,
+                    enabled: doc.enabled,
+                });
+            }
+        }
+    }
+    async persistToken(stored) {
+        const existing = await ApiTokenDoc.findById(stored.id);
+        if (existing) {
+            existing.name = stored.name;
+            existing.tokenHash = stored.tokenHash;
+            existing.scopes = stored.scopes;
+            existing.createdAt = stored.createdAt;
+            existing.expiresAt = stored.expiresAt;
+            existing.lastUsedAt = stored.lastUsedAt;
+            existing.createdBy = stored.createdBy;
+            existing.enabled = stored.enabled;
+            await existing.save();
+        }
+        else {
+            const doc = new ApiTokenDoc();
+            doc.id = stored.id;
+            doc.name = stored.name;
+            doc.tokenHash = stored.tokenHash;
+            doc.scopes = stored.scopes;
+            doc.createdAt = stored.createdAt;
+            doc.expiresAt = stored.expiresAt;
+            doc.lastUsedAt = stored.lastUsedAt;
+            doc.createdBy = stored.createdBy;
+            doc.enabled = stored.enabled;
+            await doc.save();
+        }
+    }
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY2xhc3Nlcy5hcGktdG9rZW4tbWFuYWdlci5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uL3RzL2NvbmZpZy9jbGFzc2VzLmFwaS10b2tlbi1tYW5hZ2VyLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBLE9BQU8sS0FBSyxPQUFPLE1BQU0sZUFBZSxDQUFDO0FBQ3pDLE9BQU8sRUFBRSxNQUFNLEVBQUUsTUFBTSxjQUFjLENBQUM7QUFDdEMsT0FBTyxFQUFFLFdBQVcsRUFBRSxNQUFNLGdCQUFnQixDQUFDO0FBTzdDLE1BQU0sZ0JBQWdCLEdBQUcsTUFBTSxDQUFDO0FBRWhDLE1BQU0sT0FBTyxlQUFlO0lBQ2xCLE1BQU0sR0FBRyxJQUFJLEdBQUcsRUFBMkIsQ0FBQztJQUVwRCxnQkFBZSxDQUFDO0lBRVQsS0FBSyxDQUFDLFVBQVU7UUFDckIsTUFBTSxJQUFJLENBQUMsVUFBVSxFQUFFLENBQUM7UUFDeEIsSUFBSSxJQUFJLENBQUMsTUFBTSxDQUFDLElBQUksR0FBRyxDQUFDLEVBQUUsQ0FBQztZQUN6QixNQUFNLENBQUMsR0FBRyxDQUFDLE1BQU0sRUFBRSxVQUFVLElBQUksQ0FBQyxNQUFNLENBQUMsSUFBSSw0QkFBNEIsQ0FBQyxDQUFDO1FBQzdFLENBQUM7SUFDSCxDQUFDO0lBRUQsNEVBQTRFO0lBQzVFLGtCQUFrQjtJQUNsQiw0RUFBNEU7SUFFNUU7O09BRUc7SUFDSSxLQUFLLENBQUMsV0FBVyxDQUN0QixJQUFZLEVBQ1osTUFBd0IsRUFDeEIsYUFBNEIsRUFDNUIsU0FBaUI7UUFFakIsTUFBTSxFQUFFLEdBQUcsT0FBTyxDQUFDLElBQUksQ0FBQyxFQUFFLEVBQUUsQ0FBQztRQUM3QixNQUFNLFdBQVcsR0FBRyxPQUFPLENBQUMsTUFBTSxDQUFDLFdBQVcsQ0FBQyxFQUFFLENBQUMsQ0FBQztRQUNuRCxNQUFNLFVBQVUsR0FBRyxHQUFHLEVBQUUsSUFBSSxXQUFXLENBQUMsUUFBUSxDQUFDLFdBQVcsQ0FBQyxFQUFFLENBQUM7UUFDaEUsTUFBTSxRQUFRLEdBQUcsR0FBRyxnQkFBZ0IsR0FBRyxVQUFVLEVBQUUsQ0FBQztRQUVwRCxNQUFNLFNBQVMsR0FBRyxPQUFPLENBQUMsTUFBTSxDQUFDLFVBQVUsQ0FBQyxRQUFRLENBQUMsQ0FBQyxNQUFNLENBQUMsUUFBUSxDQUFDLENBQUMsTUFBTSxDQUFDLEtBQUssQ0FBQyxDQUFDO1FBRXJGLE1BQU0sR0FBRyxHQUFHLElBQUksQ0FBQyxHQUFHLEVBQUUsQ0FBQztRQUN2QixNQUFNLE1BQU0sR0FBb0I7WUFDOUIsRUFBRTtZQUNGLElBQUk7WUFDSixTQUFTO1lBQ1QsTUFBTTtZQUNOLFNBQVMsRUFBRSxHQUFHO1lBQ2QsU0FBUyxFQUFFLGFBQWEsSUFBSSxJQUFJLENBQUMsQ0FBQyxDQUFDLEdBQUcsR0FBRyxhQUFhLEdBQUcsUUFBUSxDQUFDLENBQUMsQ0FBQyxJQUFJO1lBQ3hFLFVBQVUsRUFBRSxJQUFJO1lBQ2hCLFNBQVM7WUFDVCxPQUFPLEVBQUUsSUFBSTtTQUNkLENBQUM7UUFFRixJQUFJLENBQUMsTUFBTSxDQUFDLEdBQUcsQ0FBQyxFQUFFLEVBQUUsTUFBTSxDQUFDLENBQUM7UUFDNUIsTUFBTSxJQUFJLENBQUMsWUFBWSxDQUFDLE1BQU0sQ0FBQyxDQUFDO1FBQ2hDLE1BQU0sQ0FBQyxHQUFHLENBQUMsTUFBTSxFQUFFLGNBQWMsSUFBSSxrQkFBa0IsRUFBRSxHQUFHLENBQUMsQ0FBQztRQUM5RCxPQUFPLEVBQUUsRUFBRSxFQUFFLFFBQVEsRUFBRSxDQUFDO0lBQzFCLENBQUM7SUFFRDs7O09BR0c7SUFDSSxLQUFLLENBQUMsYUFBYSxDQUFDLFFBQWdCO1FBQ3pDLElBQUksQ0FBQyxRQUFRLENBQUMsVUFBVSxDQUFDLGdCQUFnQixDQUFDO1lBQUUsT0FBTyxJQUFJLENBQUM7UUFFeEQsTUFBTSxJQUFJLEdBQUcsT0FBTyxDQUFDLE1BQU0sQ0FBQyxVQUFVLENBQUMsUUFBUSxDQUFDLENBQUMsTUFBTSxDQUFDLFFBQVEsQ0FBQyxDQUFDLE1BQU0sQ0FBQyxLQUFLLENBQUMsQ0FBQztRQUVoRixLQUFLLE1BQU0sTUFBTSxJQUFJLElBQUksQ0FBQyxNQUFNLENBQUMsTUFBTSxFQUFFLEVBQUUsQ0FBQztZQUMxQyxJQUFJLE1BQU0sQ0FBQyxTQUFTLEtBQUssSUFBSSxFQUFFLENBQUM7Z0JBQzlCLElBQUksQ0FBQyxNQUFNLENBQUMsT0FBTztvQkFBRSxPQUFPLElBQUksQ0FBQztnQkFDakMsSUFBSSxNQUFNLENBQUMsU0FBUyxLQUFLLElBQUksSUFBSSxNQUFNLENBQUMsU0FBUyxHQUFHLElBQUksQ0FBQyxHQUFHLEVBQUU7b0JBQUUsT0FBTyxJQUFJLENBQUM7Z0JBRTVFLHNDQUFzQztnQkFDdEMsTUFBTSxDQUFDLFVBQVUsR0FBRyxJQUFJLENBQUMsR0FBRyxFQUFFLENBQUM7Z0JBQy9CLElBQUksQ0FBQyxZQUFZLENBQUMsTUFBTSxDQUFDLENBQUMsS0FBSyxDQUFDLEdBQUcsRUFBRSxHQUFFLENBQUMsQ0FBQyxDQUFDO2dCQUMxQyxPQUFPLE1BQU0sQ0FBQztZQUNoQixDQUFDO1FBQ0gsQ0FBQztRQUNELE9BQU8sSUFBSSxDQUFDO0lBQ2QsQ0FBQztJQUVEOztPQUVHO0lBQ0ksUUFBUSxDQUFDLEtBQXNCLEVBQUUsS0FBcUI7UUFDM0QsT0FBTyxLQUFLLENBQUMsTUFBTSxDQUFDLFFBQVEsQ0FBQyxLQUFLLENBQUMsQ0FBQztJQUN0QyxDQUFDO0lBRUQ7O09BRUc7SUFDSSxVQUFVO1FBQ2YsTUFBTSxNQUFNLEdBQW9CLEVBQUUsQ0FBQztRQUNuQyxLQUFLLE1BQU0sTUFBTSxJQUFJLElBQUksQ0FBQyxNQUFNLENBQUMsTUFBTSxFQUFFLEVBQUUsQ0FBQztZQUMxQyxNQUFNLENBQUMsSUFBSSxDQUFDO2dCQUNWLEVBQUUsRUFBRSxNQUFNLENBQUMsRUFBRTtnQkFDYixJQUFJLEVBQUUsTUFBTSxDQUFDLElBQUk7Z0JBQ2pCLE1BQU0sRUFBRSxNQUFNLENBQUMsTUFBTTtnQkFDckIsU0FBUyxFQUFFLE1BQU0sQ0FBQyxTQUFTO2dCQUMzQixTQUFTLEVBQUUsTUFBTSxDQUFDLFNBQVM7Z0JBQzNCLFVBQVUsRUFBRSxNQUFNLENBQUMsVUFBVTtnQkFDN0IsT0FBTyxFQUFFLE1BQU0sQ0FBQyxPQUFPO2FBQ3hCLENBQUMsQ0FBQztRQUNMLENBQUM7UUFDRCxPQUFPLE1BQU0sQ0FBQztJQUNoQixDQUFDO0lBRUQ7O09BRUc7SUFDSSxLQUFLLENBQUMsV0FBVyxDQUFDLEVBQVU7UUFDakMsSUFBSSxDQUFDLElBQUksQ0FBQyxNQUFNLENBQUMsR0FBRyxDQUFDLEVBQUUsQ0FBQztZQUFFLE9BQU8sS0FBSyxDQUFDO1FBQ3ZDLE1BQU0sS0FBSyxHQUFHLElBQUksQ0FBQyxNQUFNLENBQUMsR0FBRyxDQUFDLEVBQUUsQ0FBRSxDQUFDO1FBQ25DLElBQUksQ0FBQyxNQUFNLENBQUMsTUFBTSxDQUFDLEVBQUUsQ0FBQyxDQUFDO1FBQ3ZCLE1BQU0sR0FBRyxHQUFHLE1BQU0sV0FBVyxDQUFDLFFBQVEsQ0FBQyxFQUFFLENBQUMsQ0FBQztRQUMzQyxJQUFJLEdBQUc7WUFBRSxNQUFNLEdBQUcsQ0FBQyxNQUFNLEVBQUUsQ0FBQztRQUM1QixNQUFNLENBQUMsR0FBRyxDQUFDLE1BQU0sRUFBRSxjQUFjLEtBQUssQ0FBQyxJQUFJLGtCQUFrQixFQUFFLEdBQUcsQ0FBQyxDQUFDO1FBQ3BFLE9BQU8sSUFBSSxDQUFDO0lBQ2QsQ0FBQztJQUVEOzs7T0FHRztJQUNJLEtBQUssQ0FBQyxTQUFTLENBQUMsRUFBVTtRQUMvQixNQUFNLE1BQU0sR0FBRyxJQUFJLENBQUMsTUFBTSxDQUFDLEdBQUcsQ0FBQyxFQUFFLENBQUMsQ0FBQztRQUNuQyxJQUFJLENBQUMsTUFBTTtZQUFFLE9BQU8sSUFBSSxDQUFDO1FBRXpCLE1BQU0sV0FBVyxHQUFHLE9BQU8sQ0FBQyxNQUFNLENBQUMsV0FBVyxDQUFDLEVBQUUsQ0FBQyxDQUFDO1FBQ25ELE1BQU0sVUFBVSxHQUFHLEdBQUcsRUFBRSxJQUFJLFdBQVcsQ0FBQyxRQUFRLENBQUMsV0FBVyxDQUFDLEVBQUUsQ0FBQztRQUNoRSxNQUFNLFFBQVEsR0FBRyxHQUFHLGdCQUFnQixHQUFHLFVBQVUsRUFBRSxDQUFDO1FBRXBELE1BQU0sQ0FBQyxTQUFTLEdBQUcsT0FBTyxDQUFDLE1BQU0sQ0FBQyxVQUFVLENBQUMsUUFBUSxDQUFDLENBQUMsTUFBTSxDQUFDLFFBQVEsQ0FBQyxDQUFDLE1BQU0sQ0FBQyxLQUFLLENBQUMsQ0FBQztRQUN0RixNQUFNLElBQUksQ0FBQyxZQUFZLENBQUMsTUFBTSxDQUFDLENBQUM7UUFDaEMsTUFBTSxDQUFDLEdBQUcsQ0FBQyxNQUFNLEVBQUUsY0FBYyxNQUFNLENBQUMsSUFBSSxpQkFBaUIsRUFBRSxHQUFHLENBQUMsQ0FBQztRQUNwRSxPQUFPLEVBQUUsRUFBRSxFQUFFLFFBQVEsRUFBRSxDQUFDO0lBQzFCLENBQUM7SUFFRDs7T0FFRztJQUNJLEtBQUssQ0FBQyxXQUFXLENBQUMsRUFBVSxFQUFFLE9BQWdCO1FBQ25ELE1BQU0sTUFBTSxHQUFHLElBQUksQ0FBQyxNQUFNLENBQUMsR0FBRyxDQUFDLEVBQUUsQ0FBQyxDQUFDO1FBQ25DLElBQUksQ0FBQyxNQUFNO1lBQUUsT0FBTyxLQUFLLENBQUM7UUFDMUIsTUFBTSxDQUFDLE9BQU8sR0FBRyxPQUFPLENBQUM7UUFDekIsTUFBTSxJQUFJLENBQUMsWUFBWSxDQUFDLE1BQU0sQ0FBQyxDQUFDO1FBQ2hDLE1BQU0sQ0FBQyxHQUFHLENBQUMsTUFBTSxFQUFFLGNBQWMsTUFBTSxDQUFDLElBQUksS0FBSyxPQUFPLENBQUMsQ0FBQyxDQUFDLFNBQVMsQ0FBQyxDQUFDLENBQUMsVUFBVSxTQUFTLEVBQUUsR0FBRyxDQUFDLENBQUM7UUFDakcsT0FBTyxJQUFJLENBQUM7SUFDZCxDQUFDO0lBRUQsNEVBQTRFO0lBQzVFLFVBQVU7SUFDViw0RUFBNEU7SUFFcEUsS0FBSyxDQUFDLFVBQVU7UUFDdEIsTUFBTSxJQUFJLEdBQUcsTUFBTSxXQUFXLENBQUMsT0FBTyxFQUFFLENBQUM7UUFDekMsS0FBSyxNQUFNLEdBQUcsSUFBSSxJQUFJLEVBQUUsQ0FBQztZQUN2QixJQUFJLEdBQUcsQ0FBQyxFQUFFLEVBQUUsQ0FBQztnQkFDWCxJQUFJLENBQUMsTUFBTSxDQUFDLEdBQUcsQ0FBQyxHQUFHLENBQUMsRUFBRSxFQUFFO29CQUN0QixFQUFFLEVBQUUsR0FBRyxDQUFDLEVBQUU7b0JBQ1YsSUFBSSxFQUFFLEdBQUcsQ0FBQyxJQUFJO29CQUNkLFNBQVMsRUFBRSxHQUFHLENBQUMsU0FBUztvQkFDeEIsTUFBTSxFQUFFLEdBQUcsQ0FBQyxNQUFNO29CQUNsQixTQUFTLEVBQUUsR0FBRyxDQUFDLFNBQVM7b0JBQ3hCLFNBQVMsRUFBRSxHQUFHLENBQUMsU0FBUztvQkFDeEIsVUFBVSxFQUFFLEdBQUcsQ0FBQyxVQUFVO29CQUMxQixTQUFTLEVBQUUsR0FBRyxDQUFDLFNBQVM7b0JBQ3hCLE9BQU8sRUFBRSxHQUFHLENBQUMsT0FBTztpQkFDckIsQ0FBQyxDQUFDO1lBQ0wsQ0FBQztRQUNILENBQUM7SUFDSCxDQUFDO0lBRU8sS0FBSyxDQUFDLFlBQVksQ0FBQyxNQUF1QjtRQUNoRCxNQUFNLFFBQVEsR0FBRyxNQUFNLFdBQVcsQ0FBQyxRQUFRLENBQUMsTUFBTSxDQUFDLEVBQUUsQ0FBQyxDQUFDO1FBQ3ZELElBQUksUUFBUSxFQUFFLENBQUM7WUFDYixRQUFRLENBQUMsSUFBSSxHQUFHLE1BQU0sQ0FBQyxJQUFJLENBQUM7WUFDNUIsUUFBUSxDQUFDLFNBQVMsR0FBRyxNQUFNLENBQUMsU0FBUyxDQUFDO1lBQ3RDLFFBQVEsQ0FBQyxNQUFNLEdBQUcsTUFBTSxDQUFDLE1BQU0sQ0FBQztZQUNoQyxRQUFRLENBQUMsU0FBUyxHQUFHLE1BQU0sQ0FBQyxTQUFTLENBQUM7WUFDdEMsUUFBUSxDQUFDLFNBQVMsR0FBRyxNQUFNLENBQUMsU0FBUyxDQUFDO1lBQ3RDLFFBQVEsQ0FBQyxVQUFVLEdBQUcsTUFBTSxDQUFDLFVBQVUsQ0FBQztZQUN4QyxRQUFRLENBQUMsU0FBUyxHQUFHLE1BQU0sQ0FBQyxTQUFTLENBQUM7WUFDdEMsUUFBUSxDQUFDLE9BQU8sR0FBRyxNQUFNLENBQUMsT0FBTyxDQUFDO1lBQ2xDLE1BQU0sUUFBUSxDQUFDLElBQUksRUFBRSxDQUFDO1FBQ3hCLENBQUM7YUFBTSxDQUFDO1lBQ04sTUFBTSxHQUFHLEdBQUcsSUFBSSxXQUFXLEVBQUUsQ0FBQztZQUM5QixHQUFHLENBQUMsRUFBRSxHQUFHLE1BQU0sQ0FBQyxFQUFFLENBQUM7WUFDbkIsR0FBRyxDQUFDLElBQUksR0FBRyxNQUFNLENBQUMsSUFBSSxDQUFDO1lBQ3ZCLEdBQUcsQ0FBQyxTQUFTLEdBQUcsTUFBTSxDQUFDLFNBQVMsQ0FBQztZQUNqQyxHQUFHLENBQUMsTUFBTSxHQUFHLE1BQU0sQ0FBQyxNQUFNLENBQUM7WUFDM0IsR0FBRyxDQUFDLFNBQVMsR0FBRyxNQUFNLENBQUMsU0FBUyxDQUFDO1lBQ2pDLEdBQUcsQ0FBQyxTQUFTLEdBQUcsTUFBTSxDQUFDLFNBQVMsQ0FBQztZQUNqQyxHQUFHLENBQUMsVUFBVSxHQUFHLE1BQU0sQ0FBQyxVQUFVLENBQUM7WUFDbkMsR0FBRyxDQUFDLFNBQVMsR0FBRyxNQUFNLENBQUMsU0FBUyxDQUFDO1lBQ2pDLEdBQUcsQ0FBQyxPQUFPLEdBQUcsTUFBTSxDQUFDLE9BQU8sQ0FBQztZQUM3QixNQUFNLEdBQUcsQ0FBQyxJQUFJLEVBQUUsQ0FBQztRQUNuQixDQUFDO0lBQ0gsQ0FBQztDQUNGIn0=

package/dist_ts/config/classes.db-seeder.d.ts

@@ -0,0 +1,25 @@
+import type { ReferenceResolver } from './classes.reference-resolver.js';
+import type { IRouteSecurity } from '../../dist_ts_interfaces/data/route-management.js';
+export interface ISeedData {
+    profiles?: Array<{
+        name: string;
+        description?: string;
+        security: IRouteSecurity;
+        extendsProfiles?: string[];
+    }>;
+    targets?: Array<{
+        name: string;
+        description?: string;
+        host: string | string[];
+        port: number;
+    }>;
+}
+export declare class DbSeeder {
+    private referenceResolver;
+    constructor(referenceResolver: ReferenceResolver);
+    /**
+     * Check if DB is empty and seed if configured.
+     * Called once during ConfigManagers service startup, after initialize().
+     */
+    seedIfEmpty(seedOnEmpty?: boolean, seedData?: ISeedData): Promise<void>;
+}

package/dist_ts/config/classes.db-seeder.js

@@ -0,0 +1,69 @@
+import { logger } from '../logger.js';
+export class DbSeeder {
+    referenceResolver;
+    constructor(referenceResolver) {
+        this.referenceResolver = referenceResolver;
+    }
+    /**
+     * Check if DB is empty and seed if configured.
+     * Called once during ConfigManagers service startup, after initialize().
+     */
+    async seedIfEmpty(seedOnEmpty, seedData) {
+        if (!seedOnEmpty)
+            return;
+        const existingProfiles = this.referenceResolver.listProfiles();
+        const existingTargets = this.referenceResolver.listTargets();
+        if (existingProfiles.length > 0 || existingTargets.length > 0) {
+            logger.log('info', 'DB already contains profiles/targets, skipping seed');
+            return;
+        }
+        logger.log('info', 'Seeding database with initial profiles and targets...');
+        const profilesToSeed = seedData?.profiles ?? DEFAULT_PROFILES;
+        const targetsToSeed = seedData?.targets ?? DEFAULT_TARGETS;
+        for (const p of profilesToSeed) {
+            await this.referenceResolver.createProfile({
+                name: p.name,
+                description: p.description,
+                security: p.security,
+                extendsProfiles: p.extendsProfiles,
+                createdBy: 'system-seed',
+            });
+        }
+        for (const t of targetsToSeed) {
+            await this.referenceResolver.createTarget({
+                name: t.name,
+                description: t.description,
+                host: t.host,
+                port: t.port,
+                createdBy: 'system-seed',
+            });
+        }
+        logger.log('info', `Seeded ${profilesToSeed.length} profile(s) and ${targetsToSeed.length} target(s)`);
+    }
+}
+const DEFAULT_PROFILES = [
+    {
+        name: 'PUBLIC',
+        description: 'Allow all traffic — no IP restrictions',
+        security: {
+            ipAllowList: ['*'],
+        },
+    },
+    {
+        name: 'STANDARD',
+        description: 'Standard internal access with common private subnets',
+        security: {
+            ipAllowList: ['192.168.0.0/16', '10.0.0.0/8', '127.0.0.1', '::1'],
+            maxConnections: 1000,
+        },
+    },
+];
+const DEFAULT_TARGETS = [
+    {
+        name: 'LOCALHOST',
+        description: 'Local machine on port 443',
+        host: '127.0.0.1',
+        port: 443,
+    },
+];
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY2xhc3Nlcy5kYi1zZWVkZXIuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi90cy9jb25maWcvY2xhc3Nlcy5kYi1zZWVkZXIudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBQUEsT0FBTyxFQUFFLE1BQU0sRUFBRSxNQUFNLGNBQWMsQ0FBQztBQW1CdEMsTUFBTSxPQUFPLFFBQVE7SUFDQztJQUFwQixZQUFvQixpQkFBb0M7UUFBcEMsc0JBQWlCLEdBQWpCLGlCQUFpQixDQUFtQjtJQUFHLENBQUM7SUFFNUQ7OztPQUdHO0lBQ0ksS0FBSyxDQUFDLFdBQVcsQ0FDdEIsV0FBcUIsRUFDckIsUUFBb0I7UUFFcEIsSUFBSSxDQUFDLFdBQVc7WUFBRSxPQUFPO1FBRXpCLE1BQU0sZ0JBQWdCLEdBQUcsSUFBSSxDQUFDLGlCQUFpQixDQUFDLFlBQVksRUFBRSxDQUFDO1FBQy9ELE1BQU0sZUFBZSxHQUFHLElBQUksQ0FBQyxpQkFBaUIsQ0FBQyxXQUFXLEVBQUUsQ0FBQztRQUU3RCxJQUFJLGdCQUFnQixDQUFDLE1BQU0sR0FBRyxDQUFDLElBQUksZUFBZSxDQUFDLE1BQU0sR0FBRyxDQUFDLEVBQUUsQ0FBQztZQUM5RCxNQUFNLENBQUMsR0FBRyxDQUFDLE1BQU0sRUFBRSxxREFBcUQsQ0FBQyxDQUFDO1lBQzFFLE9BQU87UUFDVCxDQUFDO1FBRUQsTUFBTSxDQUFDLEdBQUcsQ0FBQyxNQUFNLEVBQUUsdURBQXVELENBQUMsQ0FBQztRQUU1RSxNQUFNLGNBQWMsR0FBdUMsUUFBUSxFQUFFLFFBQVEsSUFBSSxnQkFBZ0IsQ0FBQztRQUNsRyxNQUFNLGFBQWEsR0FBc0MsUUFBUSxFQUFFLE9BQU8sSUFBSSxlQUFlLENBQUM7UUFFOUYsS0FBSyxNQUFNLENBQUMsSUFBSSxjQUFjLEVBQUUsQ0FBQztZQUMvQixNQUFNLElBQUksQ0FBQyxpQkFBaUIsQ0FBQyxhQUFhLENBQUM7Z0JBQ3pDLElBQUksRUFBRSxDQUFDLENBQUMsSUFBSTtnQkFDWixXQUFXLEVBQUUsQ0FBQyxDQUFDLFdBQVc7Z0JBQzFCLFFBQVEsRUFBRSxDQUFDLENBQUMsUUFBUTtnQkFDcEIsZUFBZSxFQUFFLENBQUMsQ0FBQyxlQUFlO2dCQUNsQyxTQUFTLEVBQUUsYUFBYTthQUN6QixDQUFDLENBQUM7UUFDTCxDQUFDO1FBRUQsS0FBSyxNQUFNLENBQUMsSUFBSSxhQUFhLEVBQUUsQ0FBQztZQUM5QixNQUFNLElBQUksQ0FBQyxpQkFBaUIsQ0FBQyxZQUFZLENBQUM7Z0JBQ3hDLElBQUksRUFBRSxDQUFDLENBQUMsSUFBSTtnQkFDWixXQUFXLEVBQUUsQ0FBQyxDQUFDLFdBQVc7Z0JBQzFCLElBQUksRUFBRSxDQUFDLENBQUMsSUFBSTtnQkFDWixJQUFJLEVBQUUsQ0FBQyxDQUFDLElBQUk7Z0JBQ1osU0FBUyxFQUFFLGFBQWE7YUFDekIsQ0FBQyxDQUFDO1FBQ0wsQ0FBQztRQUVELE1BQU0sQ0FBQyxHQUFHLENBQUMsTUFBTSxFQUFFLFVBQVUsY0FBYyxDQUFDLE1BQU0sbUJBQW1CLGFBQWEsQ0FBQyxNQUFNLFlBQVksQ0FBQyxDQUFDO0lBQ3pHLENBQUM7Q0FDRjtBQUVELE1BQU0sZ0JBQWdCLEdBQXNEO0lBQzFFO1FBQ0UsSUFBSSxFQUFFLFFBQVE7UUFDZCxXQUFXLEVBQUUsd0NBQXdDO1FBQ3JELFFBQVEsRUFBRTtZQUNSLFdBQVcsRUFBRSxDQUFDLEdBQUcsQ0FBQztTQUNuQjtLQUNGO0lBQ0Q7UUFDRSxJQUFJLEVBQUUsVUFBVTtRQUNoQixXQUFXLEVBQUUsc0RBQXNEO1FBQ25FLFFBQVEsRUFBRTtZQUNSLFdBQVcsRUFBRSxDQUFDLGdCQUFnQixFQUFFLFlBQVksRUFBRSxXQUFXLEVBQUUsS0FBSyxDQUFDO1lBQ2pFLGNBQWMsRUFBRSxJQUFJO1NBQ3JCO0tBQ0Y7Q0FDRixDQUFDO0FBRUYsTUFBTSxlQUFlLEdBQXFEO0lBQ3hFO1FBQ0UsSUFBSSxFQUFFLFdBQVc7UUFDakIsV0FBVyxFQUFFLDJCQUEyQjtRQUN4QyxJQUFJLEVBQUUsV0FBVztRQUNqQixJQUFJLEVBQUUsR0FBRztLQUNWO0NBQ0YsQ0FBQyJ9

package/dist_ts/config/classes.reference-resolver.d.ts

@@ -0,0 +1,80 @@
+import * as plugins from '../plugins.js';
+import type { ISourceProfile, INetworkTarget, IRouteMetadata, IRoute, IRouteSecurity } from '../../dist_ts_interfaces/data/route-management.js';
+export declare class ReferenceResolver {
+    private profiles;
+    private targets;
+    initialize(): Promise<void>;
+    createProfile(data: {
+        name: string;
+        description?: string;
+        security: IRouteSecurity;
+        extendsProfiles?: string[];
+        createdBy: string;
+    }): Promise<string>;
+    updateProfile(id: string, patch: Partial<Omit<ISourceProfile, 'id' | 'createdAt' | 'createdBy'>>): Promise<{
+        affectedRouteIds: string[];
+    }>;
+    deleteProfile(id: string, force: boolean, storedRoutes?: Map<string, IRoute>): Promise<{
+        success: boolean;
+        message?: string;
+    }>;
+    getProfile(id: string): ISourceProfile | undefined;
+    getProfileByName(name: string): ISourceProfile | undefined;
+    listProfiles(): ISourceProfile[];
+    getProfileUsage(storedRoutes: Map<string, IRoute>): Map<string, Array<{
+        id: string;
+        routeName: string;
+    }>>;
+    getProfileUsageForId(profileId: string, storedRoutes: Map<string, IRoute>): Array<{
+        id: string;
+        routeName: string;
+    }>;
+    createTarget(data: {
+        name: string;
+        description?: string;
+        host: string | string[];
+        port: number;
+        createdBy: string;
+    }): Promise<string>;
+    updateTarget(id: string, patch: Partial<Omit<INetworkTarget, 'id' | 'createdAt' | 'createdBy'>>): Promise<{
+        affectedRouteIds: string[];
+    }>;
+    deleteTarget(id: string, force: boolean, storedRoutes?: Map<string, IRoute>): Promise<{
+        success: boolean;
+        message?: string;
+    }>;
+    getTarget(id: string): INetworkTarget | undefined;
+    getTargetByName(name: string): INetworkTarget | undefined;
+    listTargets(): INetworkTarget[];
+    getTargetUsageForId(targetId: string, storedRoutes: Map<string, IRoute>): Array<{
+        id: string;
+        routeName: string;
+    }>;
+    /**
+     * Resolve references for a single route.
+     * Materializes source profile and/or network target into the route's fields.
+     * Returns the resolved route and updated metadata.
+     */
+    resolveRoute(route: plugins.smartproxy.IRouteConfig, metadata?: IRouteMetadata): {
+        route: plugins.smartproxy.IRouteConfig;
+        metadata: IRouteMetadata;
+    };
+    findRoutesByProfileRef(profileId: string): Promise<string[]>;
+    findRoutesByTargetRef(targetId: string): Promise<string[]>;
+    findRoutesByProfileRefSync(profileId: string, storedRoutes: Map<string, IRoute>): string[];
+    findRoutesByTargetRefSync(targetId: string, storedRoutes: Map<string, IRoute>): string[];
+    private resolveSourceProfile;
+    /**
+     * Merge two IRouteSecurity objects.
+     * `override` values take precedence over `base` values.
+     * For ipAllowList/ipBlockList: union arrays and deduplicate.
+     * For scalar/object fields: override wins if present.
+     */
+    private mergeSecurityFields;
+    private loadProfiles;
+    private loadTargets;
+    private persistProfile;
+    private persistTarget;
+    private clearProfileRefsOnRoutes;
+    private clearTargetRefsOnRoutes;
+}