@serve.zone/dcrouter 13.43.0 → 13.43.2

package/readme.md

@@ -146,19 +146,20 @@ dcrouter keeps generated and operator-created routes separate so automation can
 
 System routes are persisted with stable `systemKey` values. API-created routes are the editable route layer intended for operators and automation.
 
-## Route Source Policies
+## Route Source Bindings
 
-API-created route records pass `metadata.sourcePolicy` alongside the SmartProxy route config to express ordered source and path policy variants without duplicating whole routes by hand. A source policy contains ordered `bindings`, each pointing at a source profile id through `sourceProfileRef`. Dashboard presets resolve seeded profile names to ids before saving.
+API-created route records pass ordered `metadata.sourceBindings[]` alongside the SmartProxy route config to express source and path policy variants without duplicating whole routes by hand. Each binding points at a source profile id through `sourceProfileRef`. Dashboard presets resolve seeded profile names to ids before saving.
 
 Runtime behavior:
 
 - Source matching uses the referenced `SourceProfile.security.ipAllowList`.
 - Bindings are evaluated in order and the first matching source profile wins.
 - A matched binding that exceeds its configured rate or connection limit is terminal and returns `429`; dcrouter does not fall through to later bindings.
-- Source-policy rate limits are always keyed by source IP; dcrouter ignores `path` and `header` keying on source-policy binding and path-policy overrides.
-- A public fallback binding must be last and must use `*`, or both `0.0.0.0/0` and `::/0`, in `security.ipAllowList`.
-- Create/update paths reject source policies with missing source profiles, source profiles without source matches, missing final all-source fallback, or any all-source binding that shadows later bindings; persisted invalid policies fail closed at compile time.
-- Server-side caps bound policy expansion to 16 source bindings, 12 path policies per binding, 64 path patterns per path policy, 256 characters and 8 wildcards per custom path pattern, and 512 compiled SmartProxy route-port variants per stored route.
+- Source-binding rate limits are always keyed by source IP; dcrouter ignores `path` and `header` keying on source-binding and path-policy overrides.
+- Private-only binding lists are valid. dcrouter adds a same-match terminal deny fallback so unmatched sources fail closed.
+- A public or wildcard binding is optional. When present, it must be last and must use `*`, or both `0.0.0.0/0` and `::/0`, in `security.ipAllowList`.
+- Create/update paths reject source bindings with missing source profiles, source profiles without source matches, or any all-source binding that shadows later bindings; persisted invalid bindings fail closed at compile time.
+- Server-side caps bound policy expansion to 16 source bindings, 12 path policies per binding, 64 path patterns per path policy, 256 characters and 8 wildcards per custom path pattern, 512 compiled SmartProxy route-port variants per stored route, and enough priority headroom above the stored route priority for generated source-binding variants.
 
 Path policies let a source binding override rate limits or connection limits for specific path classes. dcrouter currently ships Gitea-oriented classes: `git-smart-http`, `static`, `normal-html`, `expensive-html`, `raw`, and `archive`. Path-specific variants win over the same binding's fallback; if every path policy is path-specific, dcrouter adds a source-level fallback route for unmatched paths so normal browsing cannot fall through to a later source binding. The Gitea preset keeps `git-smart-http` high-limit and separate from HTML crawling paths so normal `git clone`, `git fetch`, `git push`, and Git LFS traffic are not subject to the lower HTML crawler limits.
 
@@ -177,45 +178,43 @@ const createRoutePayload = {
     },
   },
   metadata: {
-    sourcePolicy: {
-      bindings: [
-        {
-          sourceProfileRef: trustedProfileId,
-          maxConnections: 5000,
-          onExceeded: { type: '429' },
-        },
-        {
-          sourceProfileRef: publicProfileId,
-          onExceeded: { type: '429' },
-          pathPolicies: [
-            {
-              pathClass: 'git-smart-http',
-              rateLimit: { enabled: true, maxRequests: 1200, window: 60, keyBy: 'ip' },
-            },
-            {
-              pathClass: 'static',
-              rateLimit: { enabled: true, maxRequests: 600, window: 60, keyBy: 'ip' },
-            },
-            {
-              pathClass: 'raw',
-              rateLimit: { enabled: true, maxRequests: 120, window: 60, keyBy: 'ip' },
-            },
-            {
-              pathClass: 'archive',
-              rateLimit: { enabled: true, maxRequests: 30, window: 60, keyBy: 'ip' },
-            },
-            {
-              pathClass: 'expensive-html',
-              rateLimit: { enabled: true, maxRequests: 30, window: 60, keyBy: 'ip' },
-            },
-            {
-              pathClass: 'normal-html',
-              rateLimit: { enabled: true, maxRequests: 120, window: 60, keyBy: 'ip' },
-            },
-          ],
-        },
-      ],
-    },
+    sourceBindings: [
+      {
+        sourceProfileRef: trustedProfileId,
+        maxConnections: 5000,
+        onExceeded: { type: '429' },
+      },
+      {
+        sourceProfileRef: publicProfileId,
+        onExceeded: { type: '429' },
+        pathPolicies: [
+          {
+            pathClass: 'git-smart-http',
+            rateLimit: { enabled: true, maxRequests: 1200, window: 60, keyBy: 'ip' },
+          },
+          {
+            pathClass: 'static',
+            rateLimit: { enabled: true, maxRequests: 600, window: 60, keyBy: 'ip' },
+          },
+          {
+            pathClass: 'raw',
+            rateLimit: { enabled: true, maxRequests: 120, window: 60, keyBy: 'ip' },
+          },
+          {
+            pathClass: 'archive',
+            rateLimit: { enabled: true, maxRequests: 30, window: 60, keyBy: 'ip' },
+          },
+          {
+            pathClass: 'expensive-html',
+            rateLimit: { enabled: true, maxRequests: 30, window: 60, keyBy: 'ip' },
+          },
+          {
+            pathClass: 'normal-html',
+            rateLimit: { enabled: true, maxRequests: 120, window: 60, keyBy: 'ip' },
+          },
+        ],
+      },
+    ],
   },
 };
 ```

package/ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@serve.zone/dcrouter',
-  version: '13.43.0',
+  version: '13.43.2',
   description: 'A multifaceted routing service handling mail and SMS delivery functions.'
 }

package/ts/config/classes.reference-resolver.ts

@@ -7,7 +7,7 @@ import type {
   IRouteMetadata,
   IRoute,
   IRouteSecurity,
-  IRouteSourcePolicy,
+  IRouteSourceBinding,
 } from '../../ts_interfaces/data/route-management.js';
 
 const MAX_INHERITANCE_DEPTH = 5;
@@ -288,8 +288,8 @@ export class ReferenceResolver {
 
   /**
    * Resolve references for a single route.
-   * Materializes source profile and/or network target into the route's fields.
-   * When a source profile is selected, it owns the route security fully.
+   * Resolves source binding display names and/or network target references.
+   * Source profile security is resolved at apply time by SourcePolicyCompiler.
    * Returns the resolved route and updated metadata.
    */
   public resolveRoute(
@@ -298,27 +298,12 @@ export class ReferenceResolver {
   ): { route: plugins.smartproxy.IRouteConfig; metadata: IRouteMetadata } {
     const resolvedMetadata: IRouteMetadata = { ...metadata };
 
-    if (resolvedMetadata.sourcePolicy?.bindings.length) {
-      const resolvedSourcePolicy = this.resolveRouteSourcePolicy(resolvedMetadata.sourcePolicy);
-      if (resolvedSourcePolicy) {
-        resolvedMetadata.sourcePolicy = resolvedSourcePolicy;
-        resolvedMetadata.sourceProfileRef = undefined;
-        resolvedMetadata.sourceProfileName = undefined;
+    if (resolvedMetadata.sourceBindings?.length) {
+      const resolvedSourceBindings = this.resolveRouteSourceBindings(resolvedMetadata.sourceBindings);
+      if (resolvedSourceBindings) {
+        resolvedMetadata.sourceBindings = resolvedSourceBindings;
         resolvedMetadata.lastResolvedAt = Date.now();
       }
-    } else if (resolvedMetadata.sourceProfileRef) {
-      const resolvedSecurity = this.resolveSourceProfile(resolvedMetadata.sourceProfileRef);
-      if (resolvedSecurity) {
-        const profile = this.profiles.get(resolvedMetadata.sourceProfileRef);
-        route = {
-          ...route,
-          security: this.cloneSecurityFields(resolvedSecurity),
-        };
-        resolvedMetadata.sourceProfileName = profile?.name;
-        resolvedMetadata.lastResolvedAt = Date.now();
-      } else {
-        logger.log('warn', `Source profile '${resolvedMetadata.sourceProfileRef}' not found during resolution`);
-      }
     }
 
     if (resolvedMetadata.networkTargetRef) {
@@ -387,12 +372,12 @@ export class ReferenceResolver {
   // Private: source profile resolution with inheritance
   // =========================================================================
 
-  private resolveRouteSourcePolicy(sourcePolicy: IRouteSourcePolicy): IRouteSourcePolicy | undefined {
-    const bindings = sourcePolicy.bindings
+  private resolveRouteSourceBindings(sourceBindings: IRouteSourceBinding[]): IRouteSourceBinding[] | undefined {
+    const bindings = sourceBindings
       .map((binding) => {
         const profile = this.profiles.get(binding.sourceProfileRef);
         if (!profile) {
-          logger.log('warn', `Source profile '${binding.sourceProfileRef}' not found during source policy resolution`);
+          logger.log('warn', `Source profile '${binding.sourceProfileRef}' not found during source binding resolution`);
           return binding;
         }
         return {
@@ -402,7 +387,7 @@ export class ReferenceResolver {
       })
       .filter((binding) => binding.sourceProfileRef);
 
-    return bindings.length > 0 ? { bindings } : undefined;
+    return bindings.length > 0 ? bindings : undefined;
   }
 
   private metadataUsesSourceProfile(metadata: IRouteMetadata | undefined, profileId: string): boolean {
@@ -411,10 +396,7 @@ export class ReferenceResolver {
 
   private getSourceProfileRefsFromMetadata(metadata: IRouteMetadata | undefined): string[] {
     const refs = new Set<string>();
-    if (metadata?.sourceProfileRef) {
-      refs.add(metadata.sourceProfileRef);
-    }
-    for (const binding of metadata?.sourcePolicy?.bindings || []) {
+    for (const binding of metadata?.sourceBindings || []) {
       if (binding.sourceProfileRef) {
         refs.add(binding.sourceProfileRef);
       }
@@ -623,22 +605,16 @@ export class ReferenceResolver {
   }
 
   private clearSourceProfileFromMetadata(metadata: IRouteMetadata, profileId: string): IRouteMetadata {
-    const sourcePolicy = metadata.sourcePolicy?.bindings?.length
-      ? {
-          bindings: metadata.sourcePolicy.bindings.filter(
-            (binding) => binding.sourceProfileRef !== profileId,
-          ),
-        }
+    const sourceBindings = metadata.sourceBindings?.length
+      ? metadata.sourceBindings.filter((binding) => binding.sourceProfileRef !== profileId)
       : undefined;
 
     const nextMetadata: IRouteMetadata = {
       ...metadata,
-      sourceProfileRef: metadata.sourceProfileRef === profileId ? undefined : metadata.sourceProfileRef,
-      sourceProfileName: metadata.sourceProfileRef === profileId ? undefined : metadata.sourceProfileName,
-      sourcePolicy: sourcePolicy?.bindings.length ? sourcePolicy : undefined,
+      sourceBindings: sourceBindings?.length ? sourceBindings : undefined,
     };
 
-    if (!nextMetadata.sourceProfileRef && !nextMetadata.sourcePolicy && !nextMetadata.networkTargetRef) {
+    if (!nextMetadata.sourceBindings && !nextMetadata.networkTargetRef) {
       nextMetadata.lastResolvedAt = undefined;
     }
 

package/ts/config/classes.route-config-manager.ts

@@ -9,7 +9,7 @@ import type {
   IRouteWarning,
   IRouteMetadata,
   IRoutePathPolicyBinding,
-  IRouteSourcePolicy,
+  IRouteSourceBinding,
   IRouteSecurity,
 } from '../../ts_interfaces/data/route-management.js';
 import type { IDcRouterRouteConfig } from '../../ts_interfaces/data/remoteingress.js';
@@ -142,9 +142,9 @@ export class RouteConfigManager {
   ): Promise<string> {
     const id = plugins.uuid.v4();
     const now = Date.now();
-    const sourcePolicyPayloadError = SourcePolicyCompiler.validateSourcePolicyPayload(metadata?.sourcePolicy);
-    if (sourcePolicyPayloadError) {
-      throw new Error(sourcePolicyPayloadError);
+    const sourceBindingsPayloadError = SourcePolicyCompiler.validateSourceBindingsPayload(metadata?.sourceBindings);
+    if (sourceBindingsPayloadError) {
+      throw new Error(sourceBindingsPayloadError);
     }
 
     // Ensure route has a name
@@ -159,9 +159,9 @@ export class RouteConfigManager {
       route = resolved.route;
       resolvedMetadata = this.normalizeRouteMetadata(resolved.metadata);
     }
-    const sourcePolicyValidationError = this.validateSourcePolicy(resolvedMetadata?.sourcePolicy, route);
-    if (sourcePolicyValidationError) {
-      throw new Error(sourcePolicyValidationError);
+    const sourceBindingsValidationError = this.validateSourceBindings(resolvedMetadata?.sourceBindings, route);
+    if (sourceBindingsValidationError) {
+      throw new Error(sourceBindingsValidationError);
     }
 
     const stored: IRoute = {
@@ -193,12 +193,11 @@ export class RouteConfigManager {
     if (!stored) {
       return { success: false, message: 'Route not found' };
     }
-    const sourcePolicyPayloadError = SourcePolicyCompiler.validateSourcePolicyPayload(patch.metadata?.sourcePolicy);
-    if (sourcePolicyPayloadError) {
-      return { success: false, message: sourcePolicyPayloadError };
+    const sourceBindingsPayloadError = SourcePolicyCompiler.validateSourceBindingsPayload(patch.metadata?.sourceBindings);
+    if (sourceBindingsPayloadError) {
+      return { success: false, message: sourceBindingsPayloadError };
     }
 
-    const previousSourceProfileRef = stored.metadata?.sourceProfileRef;
     const previousRoute = structuredClone(stored.route);
     const previousMetadata = structuredClone(stored.metadata);
     const previousEnabled = stored.enabled;
@@ -244,13 +243,6 @@ export class RouteConfigManager {
         ...stored.metadata,
         ...patch.metadata,
       });
-      if (
-        previousSourceProfileRef
-        && !stored.metadata?.sourceProfileRef
-        && !patch.route?.security
-      ) {
-        delete stored.route.security;
-      }
     }
 
     // Re-resolve if metadata refs exist and resolver is available
@@ -260,12 +252,12 @@ export class RouteConfigManager {
       stored.metadata = this.normalizeRouteMetadata(resolved.metadata);
     }
 
-    const sourcePolicyValidationError = this.validateSourcePolicy(stored.metadata?.sourcePolicy, stored.route);
-    if (sourcePolicyValidationError) {
+    const sourceBindingsValidationError = this.validateSourceBindings(stored.metadata?.sourceBindings, stored.route);
+    if (sourceBindingsValidationError) {
       stored.route = previousRoute;
       stored.metadata = previousMetadata;
       stored.enabled = previousEnabled;
-      return { success: false, message: sourcePolicyValidationError };
+      return { success: false, message: sourceBindingsValidationError };
     }
 
     stored.updatedAt = Date.now();
@@ -487,10 +479,8 @@ export class RouteConfigManager {
     };
 
     const normalized: IRouteMetadata = {
-      sourceProfileRef: normalizeString(metadata.sourceProfileRef),
-      sourcePolicy: this.normalizeSourcePolicy(metadata.sourcePolicy),
+      sourceBindings: this.normalizeSourceBindings(metadata.sourceBindings),
       networkTargetRef: normalizeString(metadata.networkTargetRef),
-      sourceProfileName: normalizeString(metadata.sourceProfileName),
       networkTargetName: normalizeString(metadata.networkTargetName),
       lastResolvedAt: typeof metadata.lastResolvedAt === 'number' && Number.isFinite(metadata.lastResolvedAt)
         ? metadata.lastResolvedAt
@@ -511,13 +501,10 @@ export class RouteConfigManager {
       externalKey: normalizeString(metadata.externalKey),
     };
 
-    if (!normalized.sourceProfileRef) {
-      normalized.sourceProfileName = undefined;
-    }
     if (!normalized.networkTargetRef) {
       normalized.networkTargetName = undefined;
     }
-    if (!normalized.sourceProfileRef && !normalized.sourcePolicy && !normalized.networkTargetRef) {
+    if (!normalized.sourceBindings && !normalized.networkTargetRef) {
       normalized.lastResolvedAt = undefined;
     }
     if (normalized.ownerType !== 'gatewayClient' && normalized.ownerType !== 'workhoster') {
@@ -542,14 +529,13 @@ export class RouteConfigManager {
     return normalized;
   }
 
-  private normalizeSourcePolicy(sourcePolicy?: Partial<IRouteSourcePolicy>): IRouteSourcePolicy | undefined {
-    const bindings = sourcePolicy?.bindings;
-    if (!Array.isArray(bindings)) {
+  private normalizeSourceBindings(sourceBindings?: Partial<IRouteSourceBinding>[]): IRouteSourceBinding[] | undefined {
+    if (!Array.isArray(sourceBindings)) {
       return undefined;
     }
 
-    const normalizedBindings: IRouteSourcePolicy['bindings'] = [];
-    for (const binding of bindings) {
+    const normalizedBindings: IRouteSourceBinding[] = [];
+    for (const binding of sourceBindings) {
       const sourceProfileRef = typeof binding.sourceProfileRef === 'string'
         ? binding.sourceProfileRef.trim()
         : '';
@@ -583,7 +569,7 @@ export class RouteConfigManager {
       });
     }
 
-    return normalizedBindings.length > 0 ? { bindings: normalizedBindings } : undefined;
+    return normalizedBindings.length > 0 ? normalizedBindings : undefined;
   }
 
   private normalizePathPolicies(
@@ -631,15 +617,15 @@ export class RouteConfigManager {
     return normalizedPathPolicies.length > 0 ? normalizedPathPolicies : undefined;
   }
 
-  private validateSourcePolicy(
-    sourcePolicy: IRouteSourcePolicy | undefined,
+  private validateSourceBindings(
+    sourceBindings: IRouteSourceBinding[] | undefined,
     route: IDcRouterRouteConfig,
   ): string | undefined {
-    const shapeError = SourcePolicyCompiler.validateSourcePolicyShape(sourcePolicy, route);
+    const shapeError = SourcePolicyCompiler.validateSourceBindingsShape(sourceBindings, route);
     if (shapeError) {
       return shapeError;
     }
-    return SourcePolicyCompiler.validateResolvedSourcePolicy(sourcePolicy, this.referenceResolver);
+    return SourcePolicyCompiler.validateResolvedSourceBindings(sourceBindings, this.referenceResolver);
   }
 
   private normalizeRateLimit(rateLimit?: IRouteSecurity['rateLimit']): IRouteSecurity['rateLimit'] | undefined {
@@ -756,14 +742,29 @@ export class RouteConfigManager {
   }
 
   private prepareStoredRoutesForApply(storedRoute: IRoute): plugins.smartproxy.IRouteConfig[] {
+    if (this.isManagedAccessRoute(storedRoute) && !storedRoute.metadata?.sourceBindings?.length) {
+      return [];
+    }
     const hydratedRoute = this.hydrateStoredRoute?.(storedRoute);
-    const sourcePolicyRoutes = SourcePolicyCompiler.compileRoute(
+    const sourceBoundRoutes = SourcePolicyCompiler.compileRoute(
       hydratedRoute || storedRoute.route,
       storedRoute.metadata,
       this.referenceResolver,
       storedRoute.id,
     );
-    return sourcePolicyRoutes.map((route) => this.prepareRouteForApply(route, storedRoute.id));
+    return sourceBoundRoutes.map((route) => this.prepareRouteForApply(route, storedRoute.id));
+  }
+
+  private isManagedAccessRoute(storedRoute: IRoute): boolean {
+    const metadata = storedRoute.metadata;
+    if (storedRoute.origin !== 'api' || !metadata) {
+      return false;
+    }
+    return metadata.ownerType === 'gatewayClient'
+      || metadata.ownerType === 'workhoster'
+      || Boolean(metadata.gatewayClientId)
+      || Boolean(metadata.workHosterId)
+      || Boolean(metadata.externalKey);
   }
 
   private prepareRouteForApply(