npm - @serve.zone/dcrouter - Versions diffs - 13.25.0 → 13.26.0 - Mend

@serve.zone/dcrouter 13.25.0 → 13.26.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (75) hide show

package/.smartconfig.json +3 -11
package/dist_serve/bundle.js +4046 -3552
package/dist_ts/00_commitinfo_data.js +1 -1
package/dist_ts/classes.dcrouter.d.ts +2 -1
package/dist_ts/classes.dcrouter.js +6 -4
package/dist_ts/config/classes.api-token-manager.d.ts +2 -2
package/dist_ts/config/classes.api-token-manager.js +31 -3
package/dist_ts/config/classes.route-config-manager.d.ts +1 -0
package/dist_ts/config/classes.route-config-manager.js +38 -1
package/dist_ts/db/documents/classes.api-token.doc.d.ts +2 -1
package/dist_ts/db/documents/classes.api-token.doc.js +8 -2
package/dist_ts/email/classes.email-domain.manager.d.ts +4 -1
package/dist_ts/email/classes.email-domain.manager.js +30 -1
package/dist_ts/email/classes.workapp-mail-manager.d.ts +35 -0
package/dist_ts/email/classes.workapp-mail-manager.js +273 -0
package/dist_ts/email/index.d.ts +1 -0
package/dist_ts/email/index.js +2 -1
package/dist_ts/opsserver/classes.opsserver.d.ts +1 -0
package/dist_ts/opsserver/classes.opsserver.js +3 -1
package/dist_ts/opsserver/handlers/admin.handler.js +9 -4
package/dist_ts/opsserver/handlers/api-token.handler.js +2 -2
package/dist_ts/opsserver/handlers/certificate.handler.d.ts +4 -0
package/dist_ts/opsserver/handlers/certificate.handler.js +41 -11
package/dist_ts/opsserver/handlers/index.d.ts +1 -0
package/dist_ts/opsserver/handlers/index.js +2 -1
package/dist_ts/opsserver/handlers/workhoster.handler.d.ts +26 -0
package/dist_ts/opsserver/handlers/workhoster.handler.js +402 -0
package/dist_ts_apiclient/classes.dcrouterapiclient.d.ts +2 -0
package/dist_ts_apiclient/classes.dcrouterapiclient.js +4 -1
package/dist_ts_apiclient/classes.workhoster.d.ts +14 -0
package/dist_ts_apiclient/classes.workhoster.js +29 -0
package/dist_ts_apiclient/index.d.ts +1 -0
package/dist_ts_apiclient/index.js +2 -1
package/dist_ts_interfaces/data/index.d.ts +1 -0
package/dist_ts_interfaces/data/index.js +2 -1
package/dist_ts_interfaces/data/route-management.d.ts +38 -1
package/dist_ts_interfaces/data/workhoster.d.ts +131 -0
package/dist_ts_interfaces/data/workhoster.js +2 -0
package/dist_ts_interfaces/requests/api-tokens.d.ts +2 -1
package/dist_ts_interfaces/requests/certificate.d.ts +12 -6
package/dist_ts_interfaces/requests/index.d.ts +1 -0
package/dist_ts_interfaces/requests/index.js +2 -1
package/dist_ts_interfaces/requests/workhoster.d.ts +98 -0
package/dist_ts_interfaces/requests/workhoster.js +2 -0
package/dist_ts_migrations/index.js +8 -2
package/dist_ts_web/00_commitinfo_data.js +1 -1
package/dist_ts_web/appstate.d.ts +1 -1
package/dist_ts_web/appstate.js +3 -2
package/dist_ts_web/elements/access/ops-view-apitokens.d.ts +1 -0
package/dist_ts_web/elements/access/ops-view-apitokens.js +58 -3
package/package.json +24 -23
package/readme.md +108 -128
package/ts/00_commitinfo_data.ts +1 -1
package/ts/classes.dcrouter.ts +5 -3
package/ts/config/classes.api-token-manager.ts +32 -1
package/ts/config/classes.route-config-manager.ts +37 -0
package/ts/db/documents/classes.api-token.doc.ts +4 -1
package/ts/email/classes.email-domain.manager.ts +33 -1
package/ts/email/classes.workapp-mail-manager.ts +343 -0
package/ts/email/index.ts +1 -0
package/ts/opsserver/classes.opsserver.ts +3 -1
package/ts/opsserver/handlers/admin.handler.ts +11 -4
package/ts/opsserver/handlers/api-token.handler.ts +1 -0
package/ts/opsserver/handlers/certificate.handler.ts +45 -12
package/ts/opsserver/handlers/index.ts +2 -1
package/ts/opsserver/handlers/workhoster.handler.ts +490 -0
package/ts/readme.md +2 -2
package/ts_apiclient/classes.dcrouterapiclient.ts +3 -0
package/ts_apiclient/classes.workhoster.ts +49 -0
package/ts_apiclient/index.ts +1 -0
package/ts_apiclient/readme.md +54 -44
package/ts_web/00_commitinfo_data.ts +1 -1
package/ts_web/appstate.ts +7 -1
package/ts_web/elements/access/ops-view-apitokens.ts +58 -3
package/ts_web/readme.md +36 -19

package/ts/opsserver/handlers/certificate.handler.ts CHANGED Viewed

@@ -26,21 +26,51 @@ export function deriveCertDomainName(domain: string): string | undefined {
 }
 export class CertificateHandler {
+  public typedrouter = new plugins.typedrequest.TypedRouter();
   constructor(private opsServerRef: OpsServer) {
+    this.opsServerRef.typedrouter?.addTypedRouter(this.typedrouter);
     this.registerHandlers();
   }
-  private registerHandlers(): void {
-    const viewRouter = this.opsServerRef.viewRouter;
-    const adminRouter = this.opsServerRef.adminRouter;
+  private async requireAuth(
+    request: { identity?: interfaces.data.IIdentity; apiToken?: string },
+    requiredScope?: interfaces.data.TApiTokenScope,
+  ): Promise<string> {
+    if (request.identity?.jwt) {
+      try {
+        const isAdmin = await this.opsServerRef.adminHandler.adminIdentityGuard.exec({
+          identity: request.identity,
+        });
+        if (isAdmin) return request.identity.userId;
+      } catch { /* fall through */ }
+    }
+    if (request.apiToken) {
+      const tokenManager = this.opsServerRef.dcRouterRef.apiTokenManager;
+      if (tokenManager) {
+        const token = await tokenManager.validateToken(request.apiToken);
+        if (token) {
+          if (!requiredScope || tokenManager.hasScope(token, requiredScope)) {
+            return token.createdBy;
+          }
+          throw new plugins.typedrequest.TypedResponseError('insufficient scope');
+        }
+      }
+    }
-    // ---- Read endpoints (viewRouter — valid identity required via middleware) ----
+    throw new plugins.typedrequest.TypedResponseError('unauthorized');
+  }
+  private registerHandlers(): void {
+    const router = this.typedrouter;
     // Get Certificate Overview
-    viewRouter.addTypedHandler(
+    router.addTypedHandler(
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetCertificateOverview>(
         'getCertificateOverview',
         async (dataArg) => {
+          await this.requireAuth(dataArg, 'certificates:read');
           const certificates = await this.buildCertificateOverview();
           const summary = this.buildSummary(certificates);
           return { certificates, summary };
@@ -48,53 +78,56 @@ export class CertificateHandler {
       )
     );
-    // ---- Write endpoints (adminRouter — admin identity required via middleware) ----
     // Legacy route-based reprovision (backward compat)
-    adminRouter.addTypedHandler(
+    router.addTypedHandler(
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_ReprovisionCertificate>(
         'reprovisionCertificate',
         async (dataArg) => {
+          await this.requireAuth(dataArg, 'certificates:write');
           return this.reprovisionCertificateByRoute(dataArg.routeName);
         }
       )
     );
     // Domain-based reprovision (preferred)
-    adminRouter.addTypedHandler(
+    router.addTypedHandler(
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_ReprovisionCertificateDomain>(
         'reprovisionCertificateDomain',
         async (dataArg) => {
+          await this.requireAuth(dataArg, 'certificates:write');
           return this.reprovisionCertificateDomain(dataArg.domain, dataArg.forceRenew);
         }
       )
     );
     // Delete certificate
-    adminRouter.addTypedHandler(
+    router.addTypedHandler(
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_DeleteCertificate>(
         'deleteCertificate',
         async (dataArg) => {
+          await this.requireAuth(dataArg, 'certificates:write');
           return this.deleteCertificate(dataArg.domain);
         }
       )
     );
     // Export certificate
-    adminRouter.addTypedHandler(
+    router.addTypedHandler(
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_ExportCertificate>(
         'exportCertificate',
         async (dataArg) => {
+          await this.requireAuth(dataArg, 'certificates:read');
           return this.exportCertificate(dataArg.domain);
         }
       )
     );
     // Import certificate
-    adminRouter.addTypedHandler(
+    router.addTypedHandler(
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_ImportCertificate>(
         'importCertificate',
         async (dataArg) => {
+          await this.requireAuth(dataArg, 'certificates:write');
           return this.importCertificate(dataArg.cert);
         }
       )

package/ts/opsserver/handlers/index.ts CHANGED Viewed

@@ -18,4 +18,5 @@ export * from './dns-provider.handler.js';
 export * from './domain.handler.js';
 export * from './dns-record.handler.js';
 export * from './acme-config.handler.js';
-export * from './email-domain.handler.js';
+export * from './email-domain.handler.js';
+export * from './workhoster.handler.js';

package/ts/opsserver/handlers/workhoster.handler.ts ADDED Viewed

@@ -0,0 +1,490 @@
+import * as plugins from '../../plugins.js';
+import type { OpsServer } from '../classes.opsserver.js';
+import * as interfaces from '../../../ts_interfaces/index.js';
+type TAuthContext = {
+  userId: string;
+  isAdmin: boolean;
+  token?: interfaces.data.IStoredApiToken;
+};
+export class WorkHosterHandler {
+  public typedrouter = new plugins.typedrequest.TypedRouter();
+  constructor(private opsServerRef: OpsServer) {
+    this.opsServerRef.typedrouter.addTypedRouter(this.typedrouter);
+    this.registerHandlers();
+  }
+  private async requireAuth(
+    request: { identity?: interfaces.data.IIdentity; apiToken?: string },
+    requiredScope?: interfaces.data.TApiTokenScope,
+  ): Promise<TAuthContext> {
+    if (request.identity?.jwt) {
+      try {
+        const isAdmin = await this.opsServerRef.adminHandler.adminIdentityGuard.exec({
+          identity: request.identity,
+        });
+        if (isAdmin) return { userId: request.identity.userId, isAdmin: true };
+      } catch { /* fall through */ }
+    }
+    if (request.apiToken) {
+      const tokenManager = this.opsServerRef.dcRouterRef.apiTokenManager;
+      if (tokenManager) {
+        const token = await tokenManager.validateToken(request.apiToken);
+        if (token) {
+          if (!requiredScope || tokenManager.hasScope(token, requiredScope)) {
+            return { userId: token.createdBy, isAdmin: token.policy?.role === 'admin', token };
+          }
+          throw new plugins.typedrequest.TypedResponseError('insufficient scope');
+        }
+      }
+    }
+    throw new plugins.typedrequest.TypedResponseError('unauthorized');
+  }
+  private registerHandlers(): void {
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetGatewayCapabilities>(
+        'getGatewayCapabilities',
+        async (dataArg) => {
+          await this.requireAuth(dataArg, 'gateway-clients:read');
+          return { capabilities: this.getGatewayCapabilities() };
+        },
+      ),
+    );
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetGatewayClientDomains>(
+        'getGatewayClientDomains',
+        async (dataArg) => {
+          const auth = await this.requireAuth(dataArg, 'gateway-clients:read');
+          this.assertCapability(auth, 'readDomains');
+          return { domains: await this.listGatewayClientDomains(auth, dataArg.gatewayClientId) };
+        },
+      ),
+    );
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetGatewayClientDnsRecords>(
+        'getGatewayClientDnsRecords',
+        async (dataArg) => {
+          const auth = await this.requireAuth(dataArg, 'gateway-clients:read');
+          this.assertCapability(auth, 'readDnsRecords');
+          return { records: await this.listGatewayClientDnsRecords(auth, dataArg.gatewayClientId) };
+        },
+      ),
+    );
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetWorkHosterDomains>(
+        'getWorkHosterDomains',
+        async (dataArg) => {
+          const auth = await this.requireAuth(dataArg, 'workhosters:read');
+          this.assertCapability(auth, 'readDomains');
+          return { domains: await this.listGatewayClientDomains(auth) };
+        },
+      ),
+    );
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_SyncGatewayClientRoute>(
+        'syncGatewayClientRoute',
+        async (dataArg) => {
+          const auth = await this.requireAuth(dataArg, 'gateway-clients:write');
+          this.assertCapability(auth, 'syncRoutes');
+          return await this.syncGatewayClientRoute(auth, dataArg.ownership, dataArg.route, dataArg.enabled, dataArg.delete);
+        },
+      ),
+    );
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_SyncWorkAppRoute>(
+        'syncWorkAppRoute',
+        async (dataArg) => {
+          const auth = await this.requireAuth(dataArg, 'workhosters:write');
+          this.assertCapability(auth, 'syncRoutes');
+          const ownership: interfaces.data.IGatewayClientOwnership = {
+            gatewayClientType: dataArg.ownership.workHosterType,
+            gatewayClientId: dataArg.ownership.workHosterId,
+            appId: dataArg.ownership.workAppId,
+            hostname: dataArg.ownership.hostname,
+          };
+          return await this.syncGatewayClientRoute(auth, ownership, dataArg.route, dataArg.enabled, dataArg.delete);
+        },
+      ),
+    );
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetWorkAppMailIdentities>(
+        'getWorkAppMailIdentities',
+        async (dataArg) => {
+          await this.requireAuth(dataArg, 'workhosters:read');
+          const manager = this.opsServerRef.dcRouterRef.workAppMailManager;
+          if (!manager) return { identities: [] };
+          return { identities: await manager.listMailIdentities(dataArg.ownership) };
+        },
+      ),
+    );
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_SyncWorkAppMailIdentity>(
+        'syncWorkAppMailIdentity',
+        async (dataArg) => {
+          const auth = await this.requireAuth(dataArg, 'workhosters:write');
+          const manager = this.opsServerRef.dcRouterRef.workAppMailManager;
+          if (!manager) {
+            return { success: false, message: 'WorkApp mail manager not initialized' };
+          }
+          try {
+            return await manager.syncMailIdentity(dataArg, auth.userId);
+          } catch (error) {
+            return { success: false, message: (error as Error).message };
+          }
+        },
+      ),
+    );
+  }
+  private getGatewayCapabilities(): interfaces.data.IGatewayCapabilities {
+    const dcRouter = this.opsServerRef.dcRouterRef;
+    return {
+      routes: {
+        read: Boolean(dcRouter.routeConfigManager),
+        write: Boolean(dcRouter.routeConfigManager),
+        idempotentSync: Boolean(dcRouter.routeConfigManager),
+      },
+      domains: {
+        read: Boolean(dcRouter.dnsManager),
+        write: Boolean(dcRouter.dnsManager),
+      },
+      certificates: {
+        read: Boolean(dcRouter.smartProxy),
+        export: Boolean(dcRouter.smartProxy),
+        forceRenew: Boolean(dcRouter.smartProxy),
+      },
+      email: {
+        domains: Boolean(dcRouter.emailDomainManager),
+        inbound: Boolean(dcRouter.emailServer),
+        outbound: Boolean(dcRouter.emailServer),
+      },
+      remoteIngress: {
+        enabled: Boolean(dcRouter.options.remoteIngressConfig?.enabled),
+      },
+      dns: {
+        authoritative: Boolean(dcRouter.options.dnsScopes?.length),
+        providerManaged: Boolean(dcRouter.dnsManager),
+      },
+      http3: {
+        enabled: dcRouter.options.http3?.enabled !== false,
+      },
+    };
+  }
+  private buildExternalKey(ownership: interfaces.data.IWorkAppRouteOwnership): string {
+    return [
+      ownership.workHosterType,
+      ownership.workHosterId,
+      ownership.workAppId,
+      ownership.hostname,
+    ].map((part) => part.trim()).join(':');
+  }
+  private assertCapability(
+    auth: TAuthContext,
+    capability: keyof NonNullable<interfaces.data.IApiTokenPolicy['capabilities']>,
+  ): void {
+    if (auth.isAdmin) return;
+    const policy = auth.token?.policy;
+    if (!policy || policy.role !== 'gatewayClient') return;
+    if (policy.capabilities?.[capability] === true) return;
+    throw new plugins.typedrequest.TypedResponseError(`token capability missing: ${capability}`);
+  }
+  private resolveGatewayClientId(auth: TAuthContext, requestedId?: string): string | undefined {
+    const policyClient = auth.token?.policy?.gatewayClient;
+    if (!policyClient) return requestedId;
+    if (requestedId && requestedId !== policyClient.id) {
+      throw new plugins.typedrequest.TypedResponseError('gateway client token cannot access another gateway client');
+    }
+    return policyClient.id;
+  }
+  private assertGatewayClientOwnership(auth: TAuthContext, ownership: interfaces.data.IGatewayClientOwnership): void {
+    const policy = auth.token?.policy;
+    if (!policy || policy.role !== 'gatewayClient') return;
+    if (!policy.gatewayClient) {
+      throw new plugins.typedrequest.TypedResponseError('gateway client token is missing gatewayClient binding');
+    }
+    if (ownership.gatewayClientType !== policy.gatewayClient.type || ownership.gatewayClientId !== policy.gatewayClient.id) {
+      throw new plugins.typedrequest.TypedResponseError('gateway client token cannot act for this ownership');
+    }
+    if (!this.matchesHostnamePatterns(ownership.hostname, policy.hostnamePatterns || [])) {
+      throw new plugins.typedrequest.TypedResponseError('hostname is outside token policy');
+    }
+  }
+  private assertRouteTargetsAllowed(auth: TAuthContext, route?: interfaces.data.IDcRouterRouteConfig): void {
+    const policy = auth.token?.policy;
+    if (!policy || policy.role !== 'gatewayClient' || !route) return;
+    const allowedTargets = policy.allowedRouteTargets || [];
+    if (allowedTargets.length === 0) {
+      throw new plugins.typedrequest.TypedResponseError('gateway client token has no allowed route targets');
+    }
+    const targets = ((route.action as any)?.targets || []) as Array<{ host?: string; port?: number }>;
+    for (const target of targets) {
+      const host = String(target.host || '').trim().toLowerCase();
+      const port = Number(target.port);
+      const allowed = allowedTargets.some((allowedTarget) => {
+        return allowedTarget.host.trim().toLowerCase() === host && allowedTarget.ports.includes(port);
+      });
+      if (!allowed) {
+        throw new plugins.typedrequest.TypedResponseError(`route target is outside token policy: ${host}:${port}`);
+      }
+    }
+  }
+  private matchesHostnamePatterns(hostname: string, patterns: string[]): boolean {
+    const normalizedHostname = hostname.trim().toLowerCase();
+    if (!normalizedHostname) return false;
+    for (const pattern of patterns) {
+      const normalizedPattern = pattern.trim().toLowerCase();
+      if (!normalizedPattern) continue;
+      if (normalizedPattern === normalizedHostname) return true;
+      if (normalizedPattern.startsWith('*.')) {
+        const suffix = normalizedPattern.slice(2);
+        if (!normalizedHostname.endsWith(`.${suffix}`)) continue;
+        const prefix = normalizedHostname.slice(0, -(suffix.length + 1));
+        if (prefix && !prefix.includes('.')) return true;
+      }
+    }
+    return false;
+  }
+  private getRouteHostnames(route: interfaces.data.IDcRouterRouteConfig): string[] {
+    const domains = (route.match as any)?.domains;
+    if (Array.isArray(domains)) {
+      return domains.map((domain) => String(domain).trim().toLowerCase()).filter(Boolean);
+    }
+    if (typeof domains === 'string') {
+      return domains.split(',').map((domain) => domain.trim().toLowerCase()).filter(Boolean);
+    }
+    return [];
+  }
+  private getOwnedRoutes(gatewayClientId?: string): interfaces.data.IMergedRoute[] {
+    const manager = this.opsServerRef.dcRouterRef.routeConfigManager;
+    if (!manager) return [];
+    return manager.getMergedRoutes().routes.filter((route) => {
+      const metadata = route.metadata;
+      if (!metadata) return false;
+      const ownerType = metadata.ownerType;
+      const isGatewayOwned = ownerType === 'gatewayClient' || ownerType === 'workhoster';
+      if (!isGatewayOwned) return false;
+      const routeGatewayClientId = metadata.gatewayClientId || metadata.workHosterId;
+      return gatewayClientId ? routeGatewayClientId === gatewayClientId : true;
+    });
+  }
+  private async listGatewayClientDomains(
+    auth: TAuthContext,
+    requestedGatewayClientId?: string,
+  ): Promise<interfaces.data.IGatewayClientDomain[]> {
+    const dnsManager = this.opsServerRef.dcRouterRef.dnsManager;
+    if (!dnsManager) return [];
+    const gatewayClientId = this.resolveGatewayClientId(auth, requestedGatewayClientId);
+    const ownedRoutes = this.getOwnedRoutes(gatewayClientId);
+    const routeHostnames = ownedRoutes.flatMap((route) => this.getRouteHostnames(route.route));
+    const docs = await dnsManager.listDomains();
+    return docs
+      .filter((domainDoc) => {
+        if (!auth.token?.policy || auth.token.policy.role !== 'gatewayClient') return true;
+        return routeHostnames.some((hostname) => this.isHostnameInDomain(hostname, domainDoc.name));
+      })
+      .map((domainDoc) => {
+        const domain = dnsManager.toPublicDomain(domainDoc);
+        const canManageDnsRecords = domain.source === 'dcrouter' || Boolean(domain.providerId);
+        const serviceCount = routeHostnames.filter((hostname) => this.isHostnameInDomain(hostname, domain.name)).length;
+        return {
+          ...domain,
+          serviceCount,
+          managePath: `/domains/${domain.id}`,
+          capabilities: {
+            canCreateSubdomains: canManageDnsRecords,
+            canManageDnsRecords,
+            canIssueCertificates: Boolean(this.opsServerRef.dcRouterRef.smartProxy),
+            canHostEmail: Boolean(this.opsServerRef.dcRouterRef.emailDomainManager),
+          },
+        } satisfies interfaces.data.IGatewayClientDomain;
+      });
+  }
+  private async listGatewayClientDnsRecords(
+    auth: TAuthContext,
+    requestedGatewayClientId?: string,
+  ): Promise<interfaces.data.IGatewayClientDnsRecord[]> {
+    const dnsManager = this.opsServerRef.dcRouterRef.dnsManager;
+    if (!dnsManager) return [];
+    const gatewayClientId = this.resolveGatewayClientId(auth, requestedGatewayClientId);
+    const ownedRoutes = this.getOwnedRoutes(gatewayClientId);
+    const domains = await dnsManager.listDomains();
+    const records: interfaces.data.IGatewayClientDnsRecord[] = [];
+    for (const route of ownedRoutes) {
+      const metadata = route.metadata;
+      if (!metadata) continue;
+      const gatewayClientType = metadata.gatewayClientType || metadata.workHosterType || 'custom';
+      const routeGatewayClientId = metadata.gatewayClientId || metadata.workHosterId || '';
+      const appId = metadata.gatewayClientAppId || metadata.workAppId || '';
+      for (const hostname of this.getRouteHostnames(route.route)) {
+        if (auth.token?.policy?.role === 'gatewayClient' && !this.matchesHostnamePatterns(hostname, auth.token.policy.hostnamePatterns || [])) {
+          continue;
+        }
+        const domainDoc = domains.find((domain) => this.isHostnameInDomain(hostname, domain.name));
+        const domainRecords = domainDoc ? await dnsManager.listRecordsForDomain(domainDoc.id) : [];
+        const matchingRecords = domainRecords.filter((record) => record.name === hostname);
+        if (matchingRecords.length === 0) {
+          records.push({
+            id: `missing:${hostname}`,
+            domainId: domainDoc?.id || '',
+            domainName: domainDoc?.name,
+            name: hostname,
+            type: 'MISSING',
+            value: '',
+            ttl: 0,
+            source: 'local',
+            status: 'missing',
+            gatewayClientType,
+            gatewayClientId: routeGatewayClientId,
+            appId,
+            hostname,
+            routeId: route.id,
+            managePath: domainDoc ? `/domains/${domainDoc.id}/dns` : '/domains',
+            createdAt: route.createdAt || 0,
+            updatedAt: route.updatedAt || 0,
+            createdBy: '',
+          });
+          continue;
+        }
+        for (const recordDoc of matchingRecords) {
+          const record = dnsManager.toPublicRecord(recordDoc);
+          records.push({
+            ...record,
+            domainName: domainDoc?.name,
+            status: 'active',
+            gatewayClientType,
+            gatewayClientId: routeGatewayClientId,
+            appId,
+            hostname,
+            routeId: route.id,
+            managePath: `/dns-records/${record.id}`,
+          });
+        }
+      }
+    }
+    return records;
+  }
+  private isHostnameInDomain(hostname: string, domainName: string): boolean {
+    const normalizedHostname = hostname.trim().toLowerCase();
+    const normalizedDomainName = domainName.trim().toLowerCase();
+    return normalizedHostname === normalizedDomainName || normalizedHostname.endsWith(`.${normalizedDomainName}`);
+  }
+  private async syncGatewayClientRoute(
+    auth: TAuthContext,
+    ownership: interfaces.data.IGatewayClientOwnership,
+    route?: interfaces.data.IDcRouterRouteConfig,
+    enabled?: boolean,
+    deleteRoute?: boolean,
+  ): Promise<interfaces.data.IGatewayClientRouteSyncResult> {
+    this.assertGatewayClientOwnership(auth, ownership);
+    this.assertRouteTargetsAllowed(auth, route);
+    const manager = this.opsServerRef.dcRouterRef.routeConfigManager;
+    if (!manager) {
+      return { success: false, message: 'Route management not initialized' };
+    }
+    const externalKey = this.buildGatewayClientExternalKey(ownership);
+    const existingRoute = manager.findApiRouteByExternalKey(externalKey);
+    if (deleteRoute) {
+      if (!existingRoute) {
+        return { success: true, action: 'unchanged' };
+      }
+      const result = await manager.deleteRoute(existingRoute.id);
+      return result.success
+        ? { success: true, action: 'deleted', routeId: existingRoute.id }
+        : { success: false, message: result.message };
+    }
+    if (!route) {
+      return { success: false, message: 'route is required unless delete=true' };
+    }
+    const metadata: interfaces.data.IRouteMetadata = {
+      ownerType: 'gatewayClient',
+      gatewayClientType: ownership.gatewayClientType,
+      gatewayClientId: ownership.gatewayClientId,
+      gatewayClientAppId: ownership.appId,
+      workHosterType: ownership.gatewayClientType,
+      workHosterId: ownership.gatewayClientId,
+      workAppId: ownership.appId,
+      externalKey,
+    };
+    const normalizedRoute = this.normalizeGatewayClientRoute(route, ownership, externalKey);
+    if (existingRoute) {
+      const result = await manager.updateRoute(existingRoute.id, {
+        route: normalizedRoute,
+        enabled: enabled ?? true,
+        metadata,
+      });
+      return result.success
+        ? { success: true, action: 'updated', routeId: existingRoute.id }
+        : { success: false, message: result.message };
+    }
+    const routeId = await manager.createRoute(normalizedRoute, auth.userId, enabled ?? true, metadata);
+    return { success: true, action: 'created', routeId };
+  }
+  private buildGatewayClientExternalKey(ownership: interfaces.data.IGatewayClientOwnership): string {
+    return [
+      ownership.gatewayClientType,
+      ownership.gatewayClientId,
+      ownership.appId,
+      ownership.hostname,
+    ].map((part) => part.trim()).join(':');
+  }
+  private normalizeWorkAppRoute(
+    route: interfaces.data.IDcRouterRouteConfig,
+    ownership: interfaces.data.IWorkAppRouteOwnership,
+    externalKey: string,
+  ): interfaces.data.IDcRouterRouteConfig {
+    const normalizedRoute = { ...route };
+    if (!normalizedRoute.name) {
+      normalizedRoute.name = `workapp-${externalKey.replace(/[^a-zA-Z0-9-]+/g, '-').slice(0, 80)}`;
+    }
+    return normalizedRoute;
+  }
+  private normalizeGatewayClientRoute(
+    route: interfaces.data.IDcRouterRouteConfig,
+    ownership: interfaces.data.IGatewayClientOwnership,
+    externalKey: string,
+  ): interfaces.data.IDcRouterRouteConfig {
+    const normalizedRoute = { ...route };
+    if (!normalizedRoute.name) {
+      normalizedRoute.name = `gateway-client-${externalKey.replace(/[^a-zA-Z0-9-]+/g, '-').slice(0, 80)}`;
+    }
+    return normalizedRoute;
+  }
+}

package/ts/readme.md CHANGED Viewed

@@ -79,7 +79,7 @@ await router.start();
 ## License and Legal Information
-This repository contains open-source code licensed under the MIT License. A copy of the license can be found in the [LICENSE](../license) file.
+This repository contains open-source code licensed under the MIT License. A copy of the license can be found in the [license](../license) file.
 **Please note:** The MIT License does not grant permission to use the trade names, trademarks, service marks, or product names of the project, except as required for reasonable and customary use in describing the origin of the work and reproducing the content of the NOTICE file.
@@ -91,7 +91,7 @@ Use of these trademarks must comply with Task Venture Capital GmbH's Trademark G
 ### Company Information
-Task Venture Capital GmbH
+Task Venture Capital GmbH
 Registered at District Court Bremen HRB 35230 HB, Germany
 For any legal inquiries or further information, please contact us via email at hello@task.vc.

package/ts_apiclient/classes.dcrouterapiclient.ts CHANGED Viewed

@@ -10,6 +10,7 @@ import { ConfigManager } from './classes.config.js';
 import { LogManager } from './classes.logs.js';
 import { EmailManager } from './classes.email.js';
 import { RadiusManager } from './classes.radius.js';
+import { WorkHosterManager } from './classes.workhoster.js';
 export interface IDcRouterApiClientOptions {
   baseUrl: string;
@@ -31,6 +32,7 @@ export class DcRouterApiClient {
   public logs: LogManager;
   public emails: EmailManager;
   public radius: RadiusManager;
+  public workHosters: WorkHosterManager;
   constructor(options: IDcRouterApiClientOptions) {
     this.baseUrl = options.baseUrl.replace(/\/+$/, '');
@@ -45,6 +47,7 @@ export class DcRouterApiClient {
     this.logs = new LogManager(this);
     this.emails = new EmailManager(this);
     this.radius = new RadiusManager(this);
+    this.workHosters = new WorkHosterManager(this);
   }
   // =====================