@serve.zone/dcrouter 13.27.1 → 13.29.1

package/ts/opsserver/handlers/workhoster.handler.ts

@@ -45,6 +45,16 @@ export class WorkHosterHandler {
     throw new plugins.typedrequest.TypedResponseError('unauthorized');
   }
 
+  private async requireAdmin(request: { identity?: interfaces.data.IIdentity }): Promise<string> {
+    if (request.identity?.jwt) {
+      const isAdmin = await this.opsServerRef.adminHandler.adminIdentityGuard.exec({
+        identity: request.identity,
+      });
+      if (isAdmin) return request.identity.userId;
+    }
+    throw new plugins.typedrequest.TypedResponseError('admin identity required');
+  }
+
   private registerHandlers(): void {
     this.typedrouter.addTypedHandler(
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetGatewayCapabilities>(
@@ -56,6 +66,122 @@ export class WorkHosterHandler {
       ),
     );
 
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetGatewayClientContext>(
+        'getGatewayClientContext',
+        async (dataArg) => {
+          const auth = await this.requireAuth(dataArg, 'gateway-clients:read');
+          return {
+            context: this.getGatewayClientContext(auth),
+            capabilities: this.getGatewayCapabilities(),
+          };
+        },
+      ),
+    );
+
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_ListGatewayClients>(
+        'listGatewayClients',
+        async (dataArg) => {
+          await this.requireAdmin(dataArg);
+          return { gatewayClients: await this.listManagedGatewayClients() };
+        },
+      ),
+    );
+
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_CreateGatewayClient>(
+        'createGatewayClient',
+        async (dataArg) => {
+          const userId = await this.requireAdmin(dataArg);
+          const manager = this.opsServerRef.dcRouterRef.gatewayClientManager;
+          if (!manager) return { success: false, message: 'Gateway client management not initialized' };
+          try {
+            const gatewayClient = await manager.createClient({
+              id: dataArg.id,
+              type: dataArg.type,
+              name: dataArg.name,
+              description: dataArg.description,
+              hostnamePatterns: dataArg.hostnamePatterns,
+              allowedRouteTargets: dataArg.allowedRouteTargets,
+              capabilities: dataArg.capabilities,
+              createdBy: userId,
+            });
+            return { success: true, gatewayClient };
+          } catch (error) {
+            return { success: false, message: (error as Error).message };
+          }
+        },
+      ),
+    );
+
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_UpdateGatewayClient>(
+        'updateGatewayClient',
+        async (dataArg) => {
+          await this.requireAdmin(dataArg);
+          const manager = this.opsServerRef.dcRouterRef.gatewayClientManager;
+          if (!manager) return { success: false, message: 'Gateway client management not initialized' };
+          const gatewayClient = await manager.updateClient(dataArg.id, {
+            name: dataArg.name,
+            description: dataArg.description,
+            hostnamePatterns: dataArg.hostnamePatterns,
+            allowedRouteTargets: dataArg.allowedRouteTargets,
+            capabilities: dataArg.capabilities,
+            enabled: dataArg.enabled,
+          });
+          return gatewayClient
+            ? { success: true, gatewayClient }
+            : { success: false, message: 'Gateway client not found' };
+        },
+      ),
+    );
+
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_DeleteGatewayClient>(
+        'deleteGatewayClient',
+        async (dataArg) => {
+          await this.requireAdmin(dataArg);
+          const manager = this.opsServerRef.dcRouterRef.gatewayClientManager;
+          if (!manager) return { success: false, message: 'Gateway client management not initialized' };
+          const success = await manager.deleteClient(dataArg.id);
+          return { success, message: success ? undefined : 'Gateway client not found' };
+        },
+      ),
+    );
+
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_CreateGatewayClientToken>(
+        'createGatewayClientToken',
+        async (dataArg) => {
+          const userId = await this.requireAdmin(dataArg);
+          const gatewayClient = await this.opsServerRef.dcRouterRef.gatewayClientManager?.getClient(dataArg.gatewayClientId);
+          const tokenManager = this.opsServerRef.dcRouterRef.apiTokenManager;
+          if (!gatewayClient || !gatewayClient.enabled) {
+            return { success: false, message: 'Gateway client not found or disabled' };
+          }
+          if (!tokenManager) {
+            return { success: false, message: 'Token management not initialized' };
+          }
+          const result = await tokenManager.createToken(
+            dataArg.name?.trim() || `${gatewayClient.name} Token`,
+            ['gateway-clients:read', 'gateway-clients:write'],
+            dataArg.expiresInDays ?? null,
+            userId,
+            {
+              role: 'gatewayClient',
+              scopes: ['gateway-clients:read', 'gateway-clients:write'],
+              gatewayClient: { type: gatewayClient.type, id: gatewayClient.id },
+              hostnamePatterns: gatewayClient.hostnamePatterns,
+              allowedRouteTargets: gatewayClient.allowedRouteTargets,
+              capabilities: gatewayClient.capabilities,
+            },
+          );
+          return { success: true, tokenId: result.id, tokenValue: result.rawToken };
+        },
+      ),
+    );
+
     this.typedrouter.addTypedHandler(
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetGatewayClientDomains>(
         'getGatewayClientDomains',
@@ -183,6 +309,30 @@ export class WorkHosterHandler {
     };
   }
 
+  private getGatewayClientContext(auth: TAuthContext): interfaces.data.IGatewayClientContext {
+    const policy = auth.token?.policy;
+    const role = auth.isAdmin ? 'admin' : policy?.role || 'operator';
+    return {
+      role,
+      scopes: auth.token?.scopes || ['*'],
+      gatewayClient: policy?.gatewayClient,
+      hostnamePatterns: policy?.hostnamePatterns || [],
+      allowedRouteTargets: policy?.allowedRouteTargets || [],
+      capabilities: policy?.capabilities || {},
+    };
+  }
+
+  private async listManagedGatewayClients(): Promise<interfaces.data.IGatewayClient[]> {
+    const manager = this.opsServerRef.dcRouterRef.gatewayClientManager;
+    if (!manager) return [];
+    const clients = await manager.listClients();
+    const tokens = this.opsServerRef.dcRouterRef.apiTokenManager?.listTokens() || [];
+    return clients.map((client) => ({
+      ...client,
+      tokenCount: tokens.filter((token) => token.policy?.gatewayClient?.id === client.id).length,
+    }));
+  }
+
   private buildExternalKey(ownership: interfaces.data.IWorkAppRouteOwnership): string {
     return [
       ownership.workHosterType,
@@ -212,15 +362,38 @@ export class WorkHosterHandler {
     return policyClient.id;
   }
 
-  private assertGatewayClientOwnership(auth: TAuthContext, ownership: interfaces.data.IGatewayClientOwnership): void {
+  private resolveGatewayClientOwnership(
+    auth: TAuthContext,
+    ownership: interfaces.data.IGatewayClientOwnership,
+  ): Required<interfaces.data.IGatewayClientOwnership> {
     const policy = auth.token?.policy;
-    if (!policy || policy.role !== 'gatewayClient') return;
-    if (!policy.gatewayClient) {
-      throw new plugins.typedrequest.TypedResponseError('gateway client token is missing gatewayClient binding');
+    if (policy?.role === 'gatewayClient') {
+      if (!policy.gatewayClient) {
+        throw new plugins.typedrequest.TypedResponseError('gateway client token is missing gatewayClient binding');
+      }
+      if (ownership.gatewayClientType && ownership.gatewayClientType !== policy.gatewayClient.type) {
+        throw new plugins.typedrequest.TypedResponseError('gateway client token cannot act for this ownership');
+      }
+      if (ownership.gatewayClientId && ownership.gatewayClientId !== policy.gatewayClient.id) {
+        throw new plugins.typedrequest.TypedResponseError('gateway client token cannot act for this ownership');
+      }
+      return {
+        gatewayClientType: policy.gatewayClient.type,
+        gatewayClientId: policy.gatewayClient.id,
+        appId: ownership.appId,
+        hostname: ownership.hostname,
+      };
     }
-    if (ownership.gatewayClientType !== policy.gatewayClient.type || ownership.gatewayClientId !== policy.gatewayClient.id) {
-      throw new plugins.typedrequest.TypedResponseError('gateway client token cannot act for this ownership');
+
+    if (!ownership.gatewayClientType || !ownership.gatewayClientId) {
+      throw new plugins.typedrequest.TypedResponseError('gateway client ownership is missing type or id');
     }
+    return ownership as Required<interfaces.data.IGatewayClientOwnership>;
+  }
+
+  private assertGatewayClientOwnership(auth: TAuthContext, ownership: Required<interfaces.data.IGatewayClientOwnership>): void {
+    const policy = auth.token?.policy;
+    if (!policy || policy.role !== 'gatewayClient') return;
     if (!this.matchesHostnamePatterns(ownership.hostname, policy.hostnamePatterns || [])) {
       throw new plugins.typedrequest.TypedResponseError('hostname is outside token policy');
     }
@@ -403,7 +576,8 @@ export class WorkHosterHandler {
     enabled?: boolean,
     deleteRoute?: boolean,
   ): Promise<interfaces.data.IGatewayClientRouteSyncResult> {
-    this.assertGatewayClientOwnership(auth, ownership);
+    const resolvedOwnership = this.resolveGatewayClientOwnership(auth, ownership);
+    this.assertGatewayClientOwnership(auth, resolvedOwnership);
     this.assertRouteTargetsAllowed(auth, route);
 
     const manager = this.opsServerRef.dcRouterRef.routeConfigManager;
@@ -411,7 +585,7 @@ export class WorkHosterHandler {
       return { success: false, message: 'Route management not initialized' };
     }
 
-    const externalKey = this.buildGatewayClientExternalKey(ownership);
+    const externalKey = this.buildGatewayClientExternalKey(resolvedOwnership);
     const existingRoute = manager.findApiRouteByExternalKey(externalKey);
 
     if (deleteRoute) {
@@ -430,15 +604,15 @@ export class WorkHosterHandler {
 
     const metadata: interfaces.data.IRouteMetadata = {
       ownerType: 'gatewayClient',
-      gatewayClientType: ownership.gatewayClientType,
-      gatewayClientId: ownership.gatewayClientId,
-      gatewayClientAppId: ownership.appId,
-      workHosterType: ownership.gatewayClientType,
-      workHosterId: ownership.gatewayClientId,
-      workAppId: ownership.appId,
+      gatewayClientType: resolvedOwnership.gatewayClientType,
+      gatewayClientId: resolvedOwnership.gatewayClientId,
+      gatewayClientAppId: resolvedOwnership.appId,
+      workHosterType: resolvedOwnership.gatewayClientType,
+      workHosterId: resolvedOwnership.gatewayClientId,
+      workAppId: resolvedOwnership.appId,
       externalKey,
     };
-    const normalizedRoute = this.normalizeGatewayClientRoute(route, ownership, externalKey);
+    const normalizedRoute = this.normalizeGatewayClientRoute(route, resolvedOwnership, externalKey);
 
     if (existingRoute) {
       const result = await manager.updateRoute(existingRoute.id, {
@@ -455,7 +629,7 @@ export class WorkHosterHandler {
     return { success: true, action: 'created', routeId };
   }
 
-  private buildGatewayClientExternalKey(ownership: interfaces.data.IGatewayClientOwnership): string {
+  private buildGatewayClientExternalKey(ownership: Required<interfaces.data.IGatewayClientOwnership>): string {
     return [
       ownership.gatewayClientType,
       ownership.gatewayClientId,
@@ -478,7 +652,7 @@ export class WorkHosterHandler {
 
   private normalizeGatewayClientRoute(
     route: interfaces.data.IDcRouterRouteConfig,
-    ownership: interfaces.data.IGatewayClientOwnership,
+    ownership: Required<interfaces.data.IGatewayClientOwnership>,
     externalKey: string,
   ): interfaces.data.IDcRouterRouteConfig {
     const normalizedRoute = { ...route };

package/ts/plugins.ts

@@ -41,6 +41,13 @@ export {
   typedsocket,
 }
 
+// @idp.global scope
+import * as idpSdkServer from '@idp.global/sdk/server';
+
+export {
+  idpSdkServer,
+}
+
 // @push.rocks scope
 import * as projectinfo from '@push.rocks/projectinfo';
 import * as qenv from '@push.rocks/qenv';

package/ts/vpn/classes.vpn-manager.ts

@@ -111,6 +111,7 @@ export class VpnManager {
 
     const subnet = this.getSubnet();
     const wgListenPort = this.config.wgListenPort ?? 51820;
+    const serverEndpoint = this.getWireGuardServerEndpoint();
 
     const desiredForwardingMode = this.getDesiredForwardingMode(anyClientUsesHostIp);
     if (anyClientUsesHostIp && desiredForwardingMode === 'hybrid') {
@@ -133,21 +134,19 @@ export class VpnManager {
       : { default: 'forceTarget' as const, target: '127.0.0.1' };
 
     const serverConfig: plugins.smartvpn.IVpnServerConfig = {
-      listenAddr: '0.0.0.0:0', // WS listener not strictly needed but required field
+      listenAddr: '127.0.0.1:0', // Required by smartvpn, unused in wireguard-only mode
       privateKey: this.serverKeys.noisePrivateKey,
       publicKey: this.serverKeys.noisePublicKey,
       subnet,
       dns: this.config.dns,
       forwardingMode: forwardingMode as any,
-      transportMode: 'all',
+      transportMode: 'wireguard',
       wgPrivateKey: this.serverKeys.wgPrivateKey,
       wgListenPort,
       clients: clientEntries,
       socketForwardProxyProtocol: !isBridge,
       destinationPolicy: this.getServerDestinationPolicy(forwardingMode, defaultDestinationPolicy),
-      serverEndpoint: this.config.serverEndpoint
-        ? `${this.config.serverEndpoint}:${wgListenPort}`
-        : undefined,
+      serverEndpoint,
       clientAllowedIPs: [subnet],
       // Bridge-specific config
       ...(isBridge ? {
@@ -187,7 +186,7 @@ export class VpnManager {
       } catch {
         // Ignore stop errors
       }
-      this.vpnServer.stop();
+      await this.vpnServer.stop();
       this.vpnServer = undefined;
     }
     this.resolvedForwardingMode = undefined;
@@ -244,14 +243,10 @@ export class VpnManager {
       vlanId: doc.vlanId,
     });
 
-    // Override AllowedIPs with per-client values based on target profiles
-    if (this.config.getClientAllowedIPs && bundle.wireguardConfig) {
-      const allowedIPs = await this.config.getClientAllowedIPs(doc.targetProfileIds || []);
-      bundle.wireguardConfig = bundle.wireguardConfig.replace(
-        /AllowedIPs\s*=\s*.+/,
-        `AllowedIPs = ${allowedIPs.join(', ')}`,
-      );
-    }
+    bundle.wireguardConfig = await this.rewriteWireGuardAllowedIPs(
+      bundle.wireguardConfig,
+      doc.targetProfileIds || [],
+    );
 
     // Persist client entry (including WG private key for export/QR)
     doc.clientId = bundle.entry.clientId;
@@ -381,9 +376,13 @@ export class VpnManager {
   public async rotateClientKey(clientId: string): Promise<plugins.smartvpn.IClientConfigBundle> {
     if (!this.vpnServer) throw new Error('VPN server not running');
     const bundle = await this.vpnServer.rotateClientKey(clientId);
+    const client = this.clients.get(clientId);
+    bundle.wireguardConfig = await this.rewriteWireGuardAllowedIPs(
+      bundle.wireguardConfig,
+      client?.targetProfileIds || [],
+    );
 
     // Update persisted entry with new keys (including private key for export/QR)
-    const client = this.clients.get(clientId);
     if (client) {
       client.noisePublicKey = bundle.entry.publicKey;
       client.wgPublicKey = bundle.entry.wgPublicKey || '';
@@ -414,15 +413,7 @@ export class VpnManager {
         );
       }
 
-      // Override AllowedIPs with per-client values based on target profiles
-      if (this.config.getClientAllowedIPs) {
-        const profileIds = persisted?.targetProfileIds || [];
-        const allowedIPs = await this.config.getClientAllowedIPs(profileIds);
-        config = config.replace(
-          /AllowedIPs\s*=\s*.+/,
-          `AllowedIPs = ${allowedIPs.join(', ')}`,
-        );
-      }
+      config = await this.rewriteWireGuardAllowedIPs(config, persisted?.targetProfileIds || []);
     }
 
     return config;
@@ -515,6 +506,46 @@ export class VpnManager {
     }
   }
 
+  private getWireGuardServerEndpoint(): string {
+    const endpoint = this.config.serverEndpoint?.trim();
+    if (!endpoint) {
+      throw new Error('vpnConfig.serverEndpoint is required when VPN is enabled');
+    }
+    if (endpoint.includes('://') || endpoint.includes('/')) {
+      throw new Error('vpnConfig.serverEndpoint must be a host or host:port, not a URL');
+    }
+
+    const host = endpoint.includes(':') ? endpoint.split(':')[0] : endpoint;
+    const lowerHost = host.toLowerCase();
+    if (
+      lowerHost === 'localhost'
+      || lowerHost === '0.0.0.0'
+      || lowerHost.startsWith('127.')
+    ) {
+      throw new Error('vpnConfig.serverEndpoint must be reachable by VPN clients');
+    }
+
+    return endpoint.includes(':')
+      ? endpoint
+      : `${endpoint}:${this.config.wgListenPort ?? 51820}`;
+  }
+
+  private async rewriteWireGuardAllowedIPs(
+    wireguardConfig: string,
+    targetProfileIds: string[],
+  ): Promise<string> {
+    if (!this.config.getClientAllowedIPs) return wireguardConfig;
+
+    const allowedIPs = await this.config.getClientAllowedIPs(targetProfileIds);
+    const effectiveAllowedIPs = allowedIPs.length ? allowedIPs : [this.getSubnet()];
+    const allowedLine = `AllowedIPs = ${effectiveAllowedIPs.join(', ')}`;
+
+    if (/^AllowedIPs\s*=.*$/m.test(wireguardConfig)) {
+      return wireguardConfig.replace(/^AllowedIPs\s*=.*$/m, allowedLine);
+    }
+    return `${wireguardConfig.trimEnd()}\n${allowedLine}\n`;
+  }
+
   // ── Private helpers ────────────────────────────────────────────────────
 
   private async loadOrGenerateServerKeys(): Promise<VpnServerKeysDoc> {
@@ -532,7 +563,7 @@ export class VpnManager {
 
     const noiseKeys = await tempServer.generateKeypair();
     const wgKeys = await tempServer.generateWgKeypair();
-    tempServer.stop();
+    await tempServer.stop();
 
     const doc = stored || new VpnServerKeysDoc();
     doc.noisePrivateKey = noiseKeys.privateKey;

package/ts_apiclient/classes.workhoster.ts

@@ -12,6 +12,14 @@ export class WorkHosterManager {
     return response.capabilities;
   }
 
+  public async getGatewayClientContext(): Promise<interfaces.data.IGatewayClientContext> {
+    const response = await this.clientRef.request<interfaces.requests.IReq_GetGatewayClientContext>(
+      'getGatewayClientContext',
+      this.clientRef.buildRequestPayload() as any,
+    );
+    return response.context;
+  }
+
   public async getDomains(): Promise<interfaces.data.IWorkHosterDomain[]> {
     const response = await this.clientRef.request<interfaces.requests.IReq_GetWorkHosterDomains>(
       'getWorkHosterDomains',

package/ts_web/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@serve.zone/dcrouter',
-  version: '13.27.1',
+  version: '13.29.1',
   description: 'A multifaceted routing service handling mail and SMS delivery functions.'
 }

package/ts_web/appstate.ts

@@ -10,6 +10,8 @@ export interface ILoginState {
   isLoggedIn: boolean;
 }
 
+export type IAdminBootstrapStatus = interfaces.requests.IReq_GetAdminBootstrapStatus['response'];
+
 export interface IStatsState {
   serverStats: interfaces.data.IServerStats | null;
   emailStats: interfaces.data.IEmailStats | null;
@@ -285,6 +287,7 @@ export interface IRouteManagementState {
   mergedRoutes: interfaces.data.IMergedRoute[];
   warnings: interfaces.data.IRouteWarning[];
   apiTokens: interfaces.data.IApiTokenInfo[];
+  gatewayClients: interfaces.data.IGatewayClient[];
   isLoading: boolean;
   error: string | null;
   lastUpdated: number;
@@ -296,6 +299,7 @@ export const routeManagementStatePart = await appState.getStatePart<IRouteManage
     mergedRoutes: [],
     warnings: [],
     apiTokens: [],
+    gatewayClients: [],
     isLoading: false,
     error: null,
     lastUpdated: 0,
@@ -310,7 +314,11 @@ export const routeManagementStatePart = await appState.getStatePart<IRouteManage
 export interface IUser {
   id: string;
   username: string;
+  email?: string;
+  name?: string;
   role: string;
+  status?: 'active' | 'disabled';
+  authSources?: Array<'local' | 'idp.global'>;
 }
 
 export interface IUsersState {
@@ -349,6 +357,7 @@ const getActionContext = (): IActionContext => {
 export const loginAction = loginStatePart.createAction<{
   username: string;
   password: string;
+  authSource?: interfaces.requests.TAdminLoginAuthSource;
 }>(async (statePartArg, dataArg): Promise<ILoginState> => {
   const typedRequest = new plugins.domtools.plugins.typedrequest.TypedRequest<
     interfaces.requests.IReq_AdminLoginWithUsernameAndPassword
@@ -358,6 +367,7 @@ export const loginAction = loginStatePart.createAction<{
     const response = await typedRequest.fire({
       username: dataArg.username,
       password: dataArg.password,
+      authSource: dataArg.authSource,
     });
 
     if (response.identity) {
@@ -373,6 +383,47 @@ export const loginAction = loginStatePart.createAction<{
   }
 });
 
+export async function getAdminBootstrapStatus(): Promise<IAdminBootstrapStatus> {
+  const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
+    interfaces.requests.IReq_GetAdminBootstrapStatus
+  >('/typedrequest', 'getAdminBootstrapStatus');
+
+  return request.fire({});
+}
+
+export async function createInitialAdminUser(optionsArg: {
+  email: string;
+  name?: string;
+  password: string;
+  enableIdpGlobalAuth?: boolean;
+}) {
+  const context = getActionContext();
+  if (!context.identity) {
+    throw new Error('No identity available for admin bootstrap');
+  }
+
+  const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
+    interfaces.requests.IReq_CreateInitialAdminUser
+  >('/typedrequest', 'createInitialAdminUser');
+
+  const response = await request.fire({
+    identity: context.identity,
+    email: optionsArg.email,
+    name: optionsArg.name,
+    password: optionsArg.password,
+    enableIdpGlobalAuth: optionsArg.enableIdpGlobalAuth,
+  });
+
+  if (response.identity) {
+    loginStatePart.setState({
+      identity: response.identity,
+      isLoggedIn: true,
+    });
+  }
+
+  return response;
+}
+
 // Logout Action — always clears state, even if identity is expired/missing
 export const logoutAction = loginStatePart.createAction(async (statePartArg) => {
   const context = getActionContext();
@@ -2477,6 +2528,115 @@ export const fetchApiTokensAction = routeManagementStatePart.createAction(async
   }
 });
 
+export const fetchGatewayClientsAction = routeManagementStatePart.createAction(async (statePartArg): Promise<IRouteManagementState> => {
+  const context = getActionContext();
+  const currentState = statePartArg.getState()!;
+  if (!context.identity) return currentState;
+
+  try {
+    const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
+      interfaces.requests.IReq_ListGatewayClients
+    >('/typedrequest', 'listGatewayClients');
+    const response = await request.fire({ identity: context.identity });
+    return {
+      ...currentState,
+      gatewayClients: response.gatewayClients,
+      error: null,
+      lastUpdated: Date.now(),
+    };
+  } catch (error) {
+    return {
+      ...currentState,
+      error: error instanceof Error ? error.message : 'Failed to fetch gateway clients',
+    };
+  }
+});
+
+export async function createGatewayClient(data: {
+  id?: string;
+  type: interfaces.data.IGatewayClient['type'];
+  name: string;
+  description?: string;
+  hostnamePatterns?: string[];
+  allowedRouteTargets?: interfaces.data.IGatewayClient['allowedRouteTargets'];
+}) {
+  const context = getActionContext();
+  const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
+    interfaces.requests.IReq_CreateGatewayClient
+  >('/typedrequest', 'createGatewayClient');
+  return request.fire({
+    identity: context.identity!,
+    capabilities: {
+      readDomains: true,
+      readDnsRecords: true,
+      syncRoutes: true,
+      syncDnsRecords: false,
+      requestCertificates: false,
+    },
+    ...data,
+  });
+}
+
+export const updateGatewayClientAction = routeManagementStatePart.createAction<{
+  id: string;
+  name?: string;
+  description?: string;
+  hostnamePatterns?: string[];
+  allowedRouteTargets?: interfaces.data.IGatewayClient['allowedRouteTargets'];
+  enabled?: boolean;
+}>(async (statePartArg, dataArg, actionContext): Promise<IRouteManagementState> => {
+  const context = getActionContext();
+  const currentState = statePartArg.getState()!;
+  try {
+    const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
+      interfaces.requests.IReq_UpdateGatewayClient
+    >('/typedrequest', 'updateGatewayClient');
+    await request.fire({ identity: context.identity!, ...dataArg });
+    return await actionContext!.dispatch(fetchGatewayClientsAction, null);
+  } catch (error) {
+    return {
+      ...currentState,
+      error: error instanceof Error ? error.message : 'Failed to update gateway client',
+    };
+  }
+});
+
+export const deleteGatewayClientAction = routeManagementStatePart.createAction<string>(
+  async (statePartArg, gatewayClientId, actionContext): Promise<IRouteManagementState> => {
+    const context = getActionContext();
+    const currentState = statePartArg.getState()!;
+    try {
+      const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
+        interfaces.requests.IReq_DeleteGatewayClient
+      >('/typedrequest', 'deleteGatewayClient');
+      await request.fire({ identity: context.identity!, id: gatewayClientId });
+      return await actionContext!.dispatch(fetchGatewayClientsAction, null);
+    } catch (error) {
+      return {
+        ...currentState,
+        error: error instanceof Error ? error.message : 'Failed to delete gateway client',
+      };
+    }
+  },
+);
+
+export async function createGatewayClientToken(
+  gatewayClientId: string,
+  name?: string,
+  expiresInDays?: number | null,
+) {
+  const context = getActionContext();
+  const request = new plugins.domtools.plugins.typedrequest.TypedRequest<
+    interfaces.requests.IReq_CreateGatewayClientToken
+  >('/typedrequest', 'createGatewayClientToken');
+  return request.fire({
+    identity: context.identity!,
+    gatewayClientId,
+    name,
+    expiresInDays,
+  });
+}
+
 // Users (read-only list)
 export const fetchUsersAction = usersStatePart.createAction(async (statePartArg): Promise<IUsersState> => {
   const context = getActionContext();

package/ts_web/elements/access/ops-view-apitokens.ts

@@ -20,6 +20,7 @@ export class OpsViewApiTokens extends DeesElement {
     mergedRoutes: [],
     warnings: [],
     apiTokens: [],
+    gatewayClients: [],
     isLoading: false,
     error: null,
     lastUpdated: 0,