@serve.zone/dcrouter 13.44.0 → 13.45.0

package/ts/classes.dcrouter.ts

@@ -1172,7 +1172,7 @@ export class DcRouter {
     // Combined routes for SmartProxy bootstrap (before DB routes are loaded)
     let routes: plugins.smartproxy.IRouteConfig[] = [
       ...this.seedConfigRoutes,
-      ...this.seedEmailRoutes,
+      ...this.getRuntimeEmailRoutes(this.seedEmailRoutes as IDcRouterRouteConfig[]),
       ...this.runtimeDnsRoutes,
     ];
 
@@ -1715,6 +1715,115 @@ export class DcRouter {
     return dnsRoutes;
   }
 
+  private getRuntimeEmailRoutes(emailRoutes: IDcRouterRouteConfig[]): plugins.smartproxy.IRouteConfig[] {
+    return emailRoutes.map((route) => this.createServerFirstEmailRuntimeRoute(route) || route);
+  }
+
+  private getCurrentGeneratedEmailRouteNames(): Set<string> {
+    const sourceRoutes = this.seedEmailRoutes.length > 0
+      ? this.seedEmailRoutes
+      : this.options.emailConfig
+        ? this.generateEmailRoutes(this.options.emailConfig)
+        : [];
+    return new Set(sourceRoutes.map((route) => route.name).filter(Boolean) as string[]);
+  }
+
+  private shouldHydrateGeneratedEmailRoute(storedRoute: IRoute): boolean {
+    if (storedRoute.origin !== 'email') {
+      return false;
+    }
+    const routeName = storedRoute.route.name;
+    if (!routeName || !this.getCurrentGeneratedEmailRouteNames().has(routeName)) {
+      return false;
+    }
+    const expectedSystemKey = `email:${routeName}`;
+    return !storedRoute.systemKey || storedRoute.systemKey === expectedSystemKey;
+  }
+
+  private createServerFirstEmailRuntimeRoute(
+    route: plugins.smartproxy.IRouteConfig,
+  ): plugins.smartproxy.IRouteConfig | undefined {
+    const action = route.action as any;
+    if (action?.type !== 'forward') {
+      return undefined;
+    }
+    const tlsMode = action.tls?.mode;
+    if (tlsMode === 'terminate' || tlsMode === 'terminate-and-reencrypt') {
+      return undefined;
+    }
+    const routePorts = plugins.smartproxy.expandPortRange(route.match?.ports as any) as number[];
+    if (routePorts.length !== 1) {
+      return undefined;
+    }
+
+    const target = action.targets?.[0];
+    if (!target || action.targets.length !== 1 || typeof target.port !== 'number') {
+      return undefined;
+    }
+    if (typeof target.host !== 'string') {
+      return undefined;
+    }
+
+    const targetHost = target.host === 'localhost' ? '127.0.0.1' : target.host;
+    return {
+      ...route,
+      action: {
+        type: 'socket-handler' as any,
+        socketHandler: this.createEmailSocketProxyHandler(targetHost, target.port),
+      } as any,
+    };
+  }
+
+  private createEmailSocketProxyHandler(
+    targetHost: string,
+    targetPort: number,
+  ): NonNullable<plugins.smartproxy.IRouteConfig['action']['socketHandler']> {
+    return (clientSocket) => {
+      let backendSocket: plugins.net.Socket | undefined;
+      let connectTimeout: ReturnType<typeof setTimeout> & { unref?: () => void };
+      let cleanupDone = false;
+
+      const cleanup = () => {
+        if (cleanupDone) return;
+        cleanupDone = true;
+        clearTimeout(connectTimeout);
+        clientSocket.removeListener('timeout', cleanup);
+        clientSocket.removeListener('error', cleanup);
+        clientSocket.removeListener('end', cleanup);
+        clientSocket.removeListener('close', cleanup);
+        backendSocket?.removeListener('timeout', cleanup);
+        backendSocket?.removeListener('error', cleanup);
+        backendSocket?.removeListener('end', cleanup);
+        backendSocket?.removeListener('close', cleanup);
+        clientSocket.destroy();
+        backendSocket?.destroy();
+      };
+
+      connectTimeout = setTimeout(() => {
+        cleanup();
+      }, 30_000);
+      connectTimeout.unref?.();
+
+      clientSocket.setTimeout(300_000);
+      clientSocket.on('timeout', cleanup);
+      clientSocket.on('error', cleanup);
+      clientSocket.on('end', cleanup);
+      clientSocket.on('close', cleanup);
+
+      backendSocket = plugins.net.connect(targetPort, targetHost, () => {
+        clearTimeout(connectTimeout);
+        backendSocket?.setTimeout(300_000);
+        clientSocket.pipe(backendSocket!);
+        backendSocket!.pipe(clientSocket);
+      });
+      backendSocket.setTimeout(30_000);
+      backendSocket.on('timeout', cleanup);
+      backendSocket.on('error', cleanup);
+      backendSocket.on('end', cleanup);
+      backendSocket.on('close', cleanup);
+    };
+  }
+
   private hydrateStoredRouteForRuntime(storedRoute: IRoute): plugins.smartproxy.IRouteConfig | undefined {
     const routeName = storedRoute.route.name || '';
     const isDohRoute = storedRoute.origin === 'dns'
@@ -1722,6 +1831,9 @@ export class DcRouter {
       && routeName.startsWith('dns-over-https-');
 
     if (!isDohRoute) {
+      if (this.shouldHydrateGeneratedEmailRoute(storedRoute)) {
+        return this.createServerFirstEmailRuntimeRoute(storedRoute.route);
+      }
       return undefined;
     }
 

package/ts/db/documents/classes.cached.email.ts

@@ -1,7 +1,8 @@
 import * as plugins from '../../plugins.js';
-import { CachedDocument, TTL } from '../classes.cached.document.js';
 import { DcRouterDb } from '../classes.dcrouter-db.js';
 
+const TTL = plugins.smartdata.smartdataTtlValues;
+
 /**
  * Email status in the cache
  */
@@ -19,17 +20,7 @@ const getDb = () => DcRouterDb.getInstance().getDb();
  * and maintaining email history for the configured TTL period.
  */
 @plugins.smartdata.Collection(() => getDb())
-export class CachedEmail extends CachedDocument<CachedEmail> {
-  // TTL fields from base class (decorators required on concrete class)
-  @plugins.smartdata.svDb()
-  public createdAt: Date = new Date();
-
-  @plugins.smartdata.svDb()
-  public expiresAt: Date = new Date(Date.now() + TTL.DAYS_30);
-
-  @plugins.smartdata.svDb()
-  public lastAccessedAt: Date = new Date();
-
+export class CachedEmail extends plugins.smartdata.SmartdataCachedDocument<CachedEmail> {
   /**
    * Unique identifier for this email
    */

package/ts/db/documents/classes.cached.ip.reputation.ts

@@ -1,7 +1,8 @@
 import * as plugins from '../../plugins.js';
-import { CachedDocument, TTL } from '../classes.cached.document.js';
 import { DcRouterDb } from '../classes.dcrouter-db.js';
 
+const TTL = plugins.smartdata.smartdataTtlValues;
+
 /**
  * Helper to get the smartdata database instance
  */
@@ -29,17 +30,7 @@ export interface IIPReputationData {
  * external API calls. Default TTL is 24 hours.
  */
 @plugins.smartdata.Collection(() => getDb())
-export class CachedIPReputation extends CachedDocument<CachedIPReputation> {
-  // TTL fields from base class (decorators required on concrete class)
-  @plugins.smartdata.svDb()
-  public createdAt: Date = new Date();
-
-  @plugins.smartdata.svDb()
-  public expiresAt: Date = new Date(Date.now() + TTL.HOURS_24);
-
-  @plugins.smartdata.svDb()
-  public lastAccessedAt: Date = new Date();
-
+export class CachedIPReputation extends plugins.smartdata.SmartdataCachedDocument<CachedIPReputation> {
   /**
    * IP address (unique identifier)
    */

package/ts/db/index.ts

@@ -1,9 +1,6 @@
 // Unified database manager
 export * from './classes.dcrouter-db.js';
 
-// TTL base class and constants
-export * from './classes.cached.document.js';
-
 // Cache cleaner
 export * from './classes.cache.cleaner.js';
 

package/ts_web/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@serve.zone/dcrouter',
-  version: '13.44.0',
+  version: '13.45.0',
   description: 'A multifaceted routing service handling mail and SMS delivery functions.'
 }

package/ts_web/elements/network/ops-view-routes.ts

@@ -2,6 +2,12 @@ import * as appstate from '../../appstate.js';
 import * as interfaces from '../../../dist_ts_interfaces/index.js';
 import { viewHostCss } from '../shared/css.js';
 import { type IStatsTile } from '@design.estate/dees-catalog';
+import type {
+  IRoutePathClassOption as ISzRoutePathClassOption,
+  IRouteSourcePolicyPreset as ISzRouteSourcePolicyPreset,
+  ISourceProfileOption as ISzSourceProfileOption,
+  SzInputRouteSourcePolicy,
+} from '@serve.zone/catalog';
 
 import {
   DeesElement,
@@ -24,8 +30,8 @@ const tlsCertOptions = [
   { key: 'auto', option: 'Auto (ACME/Let\'s Encrypt)' },
   { key: 'custom', option: 'Custom certificate' },
 ];
-const maxSourceBindingRows = 16;
 const giteaSourcePolicyProfileNames = ['TRUSTED NETWORKS', 'AI CRAWLERS', 'PUBLIC'] as const;
+type TSzRouteSecurity = NonNullable<ISzSourceProfileOption['security']>;
 
 function rateLimit(maxRequests: number): interfaces.data.IRouteSecurity['rateLimit'] {
   return { enabled: true, maxRequests, window: 60, keyBy: 'ip' };
@@ -35,36 +41,6 @@ function getDropdownKey(value: any): string {
   return typeof value === 'string' ? value : value?.key || '';
 }
 
-function getSourceBindingRefsFromFormData(formData: Record<string, any>): string[] {
-  const refs: string[] = [];
-  for (let index = 0; index < maxSourceBindingRows; index++) {
-    const ref = getDropdownKey(formData[`sourceBindingProfileRef${index}`]);
-    if (ref && !refs.includes(ref)) {
-      refs.push(ref);
-    }
-  }
-  return refs;
-}
-
-function buildSourceBindingsMetadata(
-  profileRefs: string[],
-  existingSourceBindings?: interfaces.data.IRouteSourceBinding[],
-): interfaces.data.IRouteSourceBinding[] {
-  return profileRefs.map((sourceProfileRef) => {
-    const existingBinding = existingSourceBindings?.find((binding) => binding.sourceProfileRef === sourceProfileRef);
-    return existingBinding
-      ? {
-          ...existingBinding,
-          sourceProfileRef,
-          onExceeded: existingBinding.onExceeded || { type: '429' as const },
-        }
-      : {
-          sourceProfileRef,
-          onExceeded: { type: '429' as const },
-        };
-  });
-}
-
 function getGiteaPresetProfileRefs(profiles: interfaces.data.ISourceProfile[]): {
   refs: string[];
   missingNames: string[];
@@ -116,70 +92,111 @@ function buildGiteaSourceBindingsMetadata(profileRefs: string[]): interfaces.dat
   ];
 }
 
-function getGiteaPresetSourceBindings(profiles: interfaces.data.ISourceProfile[]): interfaces.data.IRouteSourceBinding[] | null {
+function getGiteaSourcePolicyPresets(profiles: interfaces.data.ISourceProfile[]): ISzRouteSourcePolicyPreset[] {
   const { refs, missingNames } = getGiteaPresetProfileRefs(profiles);
   if (missingNames.length > 0) {
-    alert(`Gitea source-policy preset needs these seeded profiles: ${missingNames.join(', ')}`);
-    return null;
-  }
-  if (!validateSourceBindingSelection(refs, profiles)) {
-    return null;
+    return [];
   }
-  return buildGiteaSourceBindingsMetadata(refs);
+  return [
+    {
+      key: 'gitea-bot-protection',
+      label: 'Gitea bot protection',
+      description: 'TRUSTED NETWORKS -> AI CRAWLERS -> PUBLIC with path-class rate limits.',
+      bindings: buildGiteaSourceBindingsMetadata(refs),
+    },
+  ];
 }
 
-function metadataUsesPathPolicies(metadata?: interfaces.data.IRouteMetadata): boolean {
-  return Boolean(metadata?.sourceBindings?.some((binding) => binding.pathPolicies?.length));
+function normalizeSecurityListEntries(entries: unknown): string[] {
+  if (!Array.isArray(entries)) {
+    return [];
+  }
+  return entries
+    .map((entry) => {
+      if (typeof entry === 'string') return entry.trim();
+      if (entry && typeof entry === 'object' && 'ip' in entry) {
+        const ip = (entry as Record<string, unknown>).ip;
+        return typeof ip === 'string' ? ip.trim() : '';
+      }
+      return '';
+    })
+    .filter(Boolean);
 }
 
 function sourceProfileMatchesAll(profile: interfaces.data.ISourceProfile): boolean {
-  return (profile.security?.ipAllowList || []).some((entry) => {
-    const source = typeof entry === 'string' ? entry : entry.ip;
+  return normalizeSecurityListEntries(profile.security?.ipAllowList).some((source) => {
     return ['*', '0.0.0.0/0', '::/0'].includes(source.trim());
   });
 }
 
 function sourceProfileHasSourceMatches(profile: interfaces.data.ISourceProfile): boolean {
-  return (profile.security?.ipAllowList || []).some((entry) => {
-    const source = typeof entry === 'string' ? entry : entry.ip;
-    return source.trim().length > 0;
-  });
+  return normalizeSecurityListEntries(profile.security?.ipAllowList).length > 0;
 }
 
-function validateSourceBindingSelection(
-  profileRefs: string[],
-  profiles: interfaces.data.ISourceProfile[],
-): boolean {
-  if (profileRefs.length === 0) {
-    return true;
-  }
-
-  const selectedProfiles = profileRefs
-    .map((profileRef) => profiles.find((profile) => profile.id === profileRef))
-    .filter(Boolean) as interfaces.data.ISourceProfile[];
+function normalizeCatalogRateLimit(
+  rateLimitValue: interfaces.data.IRouteSecurity['rateLimit'] | undefined,
+): TSzRouteSecurity['rateLimit'] | undefined {
+  if (!rateLimitValue) return undefined;
+  return {
+    enabled: Boolean(rateLimitValue.enabled),
+    maxRequests: Number(rateLimitValue.maxRequests) || 0,
+    window: Number(rateLimitValue.window) || 0,
+    ...(rateLimitValue.keyBy ? { keyBy: String(rateLimitValue.keyBy) } : {}),
+  };
+}
 
-  if (selectedProfiles.length !== profileRefs.length) {
-    alert('One or more selected source profiles could not be found. Refresh profiles and try again.');
-    return false;
-  }
+function getSourceProfileOptions(profiles: interfaces.data.ISourceProfile[]): ISzSourceProfileOption[] {
+  return profiles.map((profile) => {
+    const ipAllowList = normalizeSecurityListEntries(profile.security?.ipAllowList);
+    const ipBlockList = normalizeSecurityListEntries(profile.security?.ipBlockList);
+    const rateLimitValue = normalizeCatalogRateLimit(profile.security?.rateLimit);
+    const security: TSzRouteSecurity = {
+      ...(ipAllowList.length ? { ipAllowList } : {}),
+      ...(ipBlockList.length ? { ipBlockList } : {}),
+      ...(typeof profile.security?.maxConnections === 'number' ? { maxConnections: profile.security.maxConnections } : {}),
+      ...(rateLimitValue ? { rateLimit: rateLimitValue } : {}),
+    };
+    return {
+      id: profile.id,
+      name: profile.name,
+      description: profile.description,
+      security,
+      hasSourceMatches: sourceProfileHasSourceMatches(profile),
+      matchesAllSources: sourceProfileMatchesAll(profile),
+    };
+  });
+}
 
-  const profilesWithoutMatches = selectedProfiles.filter((profile) => !sourceProfileHasSourceMatches(profile));
-  if (profilesWithoutMatches.length > 0) {
-    alert(`Source profiles need IP/CIDR match entries before use: ${profilesWithoutMatches.map((profile) => profile.name).join(', ')}`);
-    return false;
-  }
+function getRoutePathClassOptions(): ISzRoutePathClassOption[] {
+  return interfaces.data.routePathClasses.map((pathClass) => ({
+    key: pathClass,
+    label: interfaces.data.giteaRoutePathClassLabels[pathClass],
+    defaultPatterns: interfaces.data.giteaRoutePathClassPatterns[pathClass],
+  }));
+}
 
-  if (selectedProfiles.slice(0, -1).some((profile) => sourceProfileMatchesAll(profile))) {
-    alert('Wildcard source profiles must be last. Earlier wildcard profiles would shadow all following profiles.');
-    return false;
-  }
+function getSourcePolicyInfoText(profiles: interfaces.data.ISourceProfile[]): string {
+  const { missingNames } = getGiteaPresetProfileRefs(profiles);
+  const presetText = missingNames.length > 0
+    ? `Gitea preset hidden until these source profiles exist: ${missingNames.join(', ')}.`
+    : 'Use the Gitea preset as a starting point, then edit the generated bindings before saving.';
+  return `First matching source profile wins. Leave empty for no route-level source access control. ${presetText}`;
+}
 
-  const fallbackProfile = selectedProfiles[selectedProfiles.length - 1];
-  if (sourceProfileMatchesAll(fallbackProfile) && fallbackProfile.security?.rateLimit?.enabled !== true) {
-    return confirm(`The wildcard profile "${fallbackProfile.name}" has no enabled rate limit. Save anyway?`);
+function validateSourcePolicyInput(form: Element): boolean {
+  const sourcePolicyInput = form.querySelector('sz-input-route-source-policy') as SzInputRouteSourcePolicy | null;
+  if (!sourcePolicyInput || sourcePolicyInput.isValid()) {
+    return true;
   }
+  alert(sourcePolicyInput.getValidationMessages().join('\n'));
+  return false;
+}
 
-  return true;
+function getSourceBindingsFromFormData(formData: Record<string, unknown>): interfaces.data.IRouteSourceBinding[] {
+  const sourceBindings = formData.sourceBindings;
+  return Array.isArray(sourceBindings)
+    ? sourceBindings as interfaces.data.IRouteSourceBinding[]
+    : [];
 }
 
 function parseTargetPort(value: any): number | undefined {
@@ -620,13 +637,6 @@ export class OpsViewRoutes extends DeesElement {
     const profiles = this.profilesTargetsState.profiles;
     const targets = this.profilesTargetsState.targets;
 
-    const profileOptions = [
-      { key: '', option: '(none — inline security)' },
-      ...profiles.map((p) => ({
-        key: p.id,
-        option: `${p.name}${p.description ? ' — ' + p.description : ''}`,
-      })),
-    ];
     const targetOptions = [
       { key: '', option: '(none — inline target)' },
       ...targets.map((t) => ({
@@ -651,7 +661,10 @@ export class OpsViewRoutes extends DeesElement {
     const currentVpnOnly = route.vpnOnly === true;
     const currentRemoteIngressEnabled = route.remoteIngress?.enabled === true;
     const currentEdgeFilter = route.remoteIngress?.edgeFilter || [];
-    const currentSourceBindingRefs = this.getSourceBindingRefs(merged.metadata);
+    const sourceProfileOptions = getSourceProfileOptions(profiles);
+    const pathClassOptions = getRoutePathClassOptions();
+    const sourcePolicyPresets = getGiteaSourcePolicyPresets(profiles);
+    const sourcePolicyInfoText = getSourcePolicyInfoText(profiles);
 
     // Compute current TLS state for pre-population
     const currentTls = (route.action as any).tls;
@@ -672,24 +685,15 @@ export class OpsViewRoutes extends DeesElement {
           <dees-input-text .key=${'ports'} .label=${'Ports'} .description=${'Comma-separated, e.g. 80, 443'} .value=${currentPorts} .required=${true}></dees-input-text>
           <dees-input-list .key=${'domains'} .label=${'Domains'} .placeholder=${'Add domain...'} .value=${currentDomains}></dees-input-list>
           <dees-input-text .key=${'priority'} .label=${'Priority'} .description=${'Higher values are matched first'} .value=${route.priority != null ? String(route.priority) : ''}></dees-input-text>
-          <div class="sourcePolicyGroup" style="display: flex; flex-direction: column; gap: 12px; padding: 12px; border: 1px solid rgba(255,255,255,0.12); border-radius: 8px;">
-            <strong>Source Bindings</strong>
-            <small>First matching source profile wins. Leave all rows empty to remove route-level source access control.</small>
-            <dees-input-checkbox
-              .key=${'useGiteaTemplate'}
-              .label=${'Apply Gitea bot protection template on save'}
-              .description=${'Replaces these rows with TRUSTED NETWORKS -> AI CRAWLERS -> PUBLIC and path-class limits.'}
-              .value=${false}
-            ></dees-input-checkbox>
-            ${Array.from({ length: maxSourceBindingRows }, (_item, index) => html`
-              <dees-input-dropdown
-                .key=${`sourceBindingProfileRef${index}`}
-                .label=${`Binding ${index + 1}`}
-                .options=${profileOptions}
-                .selectedOption=${profileOptions.find((o) => o.key === (currentSourceBindingRefs[index] || '')) || profileOptions[0]}
-              ></dees-input-dropdown>
-            `)}
-          </div>
+          <sz-input-route-source-policy
+            .key=${'sourceBindings'}
+            .label=${'Source Policy'}
+            .infoText=${sourcePolicyInfoText}
+            .sourceProfiles=${sourceProfileOptions}
+            .pathClassOptions=${pathClassOptions}
+            .presets=${sourcePolicyPresets}
+            .value=${merged.metadata?.sourceBindings || []}
+          ></sz-input-route-source-policy>
           <dees-input-dropdown .key=${'networkTargetRef'} .label=${'Network Target'} .options=${targetOptions} .selectedOption=${targetOptions.find((o) => o.key === (merged.metadata?.networkTargetRef || '')) || null}></dees-input-dropdown>
           <dees-input-text .key=${'targetHost'} .label=${'Target Host'} .description=${'Used when no network target is selected'} .value=${currentTargetHost}></dees-input-text>
           <dees-input-text .key=${'targetPort'} .label=${'Target Port'} .description=${'Used when no network target is selected'} .value=${currentTargetPort}></dees-input-text>
@@ -723,6 +727,7 @@ export class OpsViewRoutes extends DeesElement {
             if (!form) return;
             const formData = await form.collectFormData();
             if (!formData.name || !formData.ports) return;
+            if (!validateSourcePolicyInput(form)) return;
 
             const ports = formData.ports.split(',').map((p: string) => parseInt(p.trim(), 10)).filter((p: number) => !isNaN(p));
             const domains: string[] = Array.isArray(formData.domains)
@@ -730,11 +735,7 @@ export class OpsViewRoutes extends DeesElement {
               : [];
             const priority = formData.priority ? parseInt(formData.priority, 10) : undefined;
 
-            const useGiteaTemplate = Boolean(formData.useGiteaTemplate);
-            const sourceBindingRefs = useGiteaTemplate
-              ? []
-              : getSourceBindingRefsFromFormData(formData);
-            if (!useGiteaTemplate && !validateSourceBindingSelection(sourceBindingRefs, profiles)) return;
+            const sourceBindings = getSourceBindingsFromFormData(formData);
             const targetKey = getDropdownKey(formData.networkTargetRef);
             const preserveMatchPort = !targetKey && Boolean(formData.preserveMatchPort);
             const targetPort = preserveMatchPort
@@ -798,12 +799,8 @@ export class OpsViewRoutes extends DeesElement {
             }
 
             const metadata: any = {};
-            if (useGiteaTemplate) {
-              const sourceBindings = getGiteaPresetSourceBindings(profiles);
-              if (!sourceBindings) return;
+            if (sourceBindings.length > 0) {
               metadata.sourceBindings = sourceBindings;
-            } else if (sourceBindingRefs.length > 0) {
-              metadata.sourceBindings = buildSourceBindingsMetadata(sourceBindingRefs, merged.metadata?.sourceBindings);
             } else if (merged.metadata?.sourceBindings) {
               metadata.sourceBindings = [];
             }
@@ -841,14 +838,11 @@ export class OpsViewRoutes extends DeesElement {
     const profiles = this.profilesTargetsState.profiles;
     const targets = this.profilesTargetsState.targets;
 
-    // Build dropdown options for profiles and targets
-    const profileOptions = [
-      { key: '', option: '(none — inline security)' },
-      ...profiles.map((p) => ({
-        key: p.id,
-        option: `${p.name}${p.description ? ' — ' + p.description : ''}`,
-      })),
-    ];
+    // Build dropdown options for targets and source policy metadata
+    const sourceProfileOptions = getSourceProfileOptions(profiles);
+    const pathClassOptions = getRoutePathClassOptions();
+    const sourcePolicyPresets = getGiteaSourcePolicyPresets(profiles);
+    const sourcePolicyInfoText = getSourcePolicyInfoText(profiles);
     const targetOptions = [
       { key: '', option: '(none — inline target)' },
       ...targets.map((t) => ({
@@ -865,24 +859,15 @@ export class OpsViewRoutes extends DeesElement {
           <dees-input-text .key=${'ports'} .label=${'Ports'} .description=${'Comma-separated, e.g. 80, 443'} .required=${true}></dees-input-text>
           <dees-input-list .key=${'domains'} .label=${'Domains'} .placeholder=${'Add domain...'}></dees-input-list>
           <dees-input-text .key=${'priority'} .label=${'Priority'} .description=${'Higher values are matched first'}></dees-input-text>
-          <div class="sourcePolicyGroup" style="display: flex; flex-direction: column; gap: 12px; padding: 12px; border: 1px solid rgba(255,255,255,0.12); border-radius: 8px;">
-            <strong>Source Bindings</strong>
-            <small>First matching source profile wins. Leave all rows empty for no route-level source access control.</small>
-            <dees-input-checkbox
-              .key=${'useGiteaTemplate'}
-              .label=${'Apply Gitea bot protection template on save'}
-              .description=${'Writes TRUSTED NETWORKS -> AI CRAWLERS -> PUBLIC and path-class limits.'}
-              .value=${false}
-            ></dees-input-checkbox>
-            ${Array.from({ length: maxSourceBindingRows }, (_item, index) => html`
-              <dees-input-dropdown
-                .key=${`sourceBindingProfileRef${index}`}
-                .label=${`Binding ${index + 1}`}
-                .options=${profileOptions}
-                .selectedOption=${profileOptions[0]}
-              ></dees-input-dropdown>
-            `)}
-          </div>
+          <sz-input-route-source-policy
+            .key=${'sourceBindings'}
+            .label=${'Source Policy'}
+            .infoText=${sourcePolicyInfoText}
+            .sourceProfiles=${sourceProfileOptions}
+            .pathClassOptions=${pathClassOptions}
+            .presets=${sourcePolicyPresets}
+            .value=${[]}
+          ></sz-input-route-source-policy>
           <dees-input-dropdown .key=${'networkTargetRef'} .label=${'Network Target'} .options=${targetOptions}></dees-input-dropdown>
           <dees-input-text .key=${'targetHost'} .label=${'Target Host'} .description=${'Used when no network target is selected'} .value=${'localhost'}></dees-input-text>
           <dees-input-text .key=${'targetPort'} .label=${'Target Port'} .description=${'Used when no network target is selected'}></dees-input-text>
@@ -916,6 +901,7 @@ export class OpsViewRoutes extends DeesElement {
             if (!form) return;
             const formData = await form.collectFormData();
             if (!formData.name || !formData.ports) return;
+            if (!validateSourcePolicyInput(form)) return;
 
             const ports = formData.ports.split(',').map((p: string) => parseInt(p.trim(), 10)).filter((p: number) => !isNaN(p));
             const domains: string[] = Array.isArray(formData.domains)
@@ -923,11 +909,7 @@ export class OpsViewRoutes extends DeesElement {
               : [];
             const priority = formData.priority ? parseInt(formData.priority, 10) : undefined;
 
-            const useGiteaTemplate = Boolean(formData.useGiteaTemplate);
-            const sourceBindingRefs = useGiteaTemplate
-              ? []
-              : getSourceBindingRefsFromFormData(formData);
-            if (!useGiteaTemplate && !validateSourceBindingSelection(sourceBindingRefs, profiles)) return;
+            const sourceBindings = getSourceBindingsFromFormData(formData);
             const targetKey = getDropdownKey(formData.networkTargetRef);
             const preserveMatchPort = !targetKey && Boolean(formData.preserveMatchPort);
             const targetPort = preserveMatchPort
@@ -992,12 +974,8 @@ export class OpsViewRoutes extends DeesElement {
 
             // Build metadata if profile/target selected
             const metadata: any = {};
-            if (useGiteaTemplate) {
-              const sourceBindings = getGiteaPresetSourceBindings(profiles);
-              if (!sourceBindings) return;
+            if (sourceBindings.length > 0) {
               metadata.sourceBindings = sourceBindings;
-            } else if (sourceBindingRefs.length > 0) {
-              metadata.sourceBindings = buildSourceBindingsMetadata(sourceBindingRefs);
             }
             if (targetKey) {
               metadata.networkTargetRef = targetKey;