@serve.zone/dcrouter 14.2.3 → 14.3.1

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@serve.zone/dcrouter",
   "private": false,
-  "version": "14.2.3",
+  "version": "14.3.1",
   "description": "A multifaceted routing service handling mail and SMS delivery functions.",
   "type": "module",
   "bin": {
@@ -51,7 +51,7 @@
     "@push.rocks/smartnetwork": "^4.7.2",
     "@push.rocks/smartpath": "^6.0.0",
     "@push.rocks/smartpromise": "^4.2.4",
-    "@push.rocks/smartproxy": "^27.14.1",
+    "@push.rocks/smartproxy": "^27.15.0",
     "@push.rocks/smartradius": "^1.3.0",
     "@push.rocks/smartrequest": "^5.0.3",
     "@push.rocks/smartrx": "^3.0.10",
@@ -59,7 +59,7 @@
     "@push.rocks/smartunique": "^3.0.9",
     "@push.rocks/smartvpn": "1.20.0",
     "@push.rocks/taskbuffer": "^8.0.2",
-    "@serve.zone/catalog": "^2.13.0",
+    "@serve.zone/catalog": "^2.14.0",
     "@serve.zone/interfaces": "^6.3.0",
     "@serve.zone/remoteingress": "^4.23.0",
     "@tsclass/tsclass": "^9.5.1",

package/readme.md

@@ -12,24 +12,25 @@ Modern infrastructure often has too many tiny edge tools: a proxy here, a DNS da
 
 Highlights:
 
-- 🌐 SmartProxy-backed HTTP, HTTPS, TCP, TLS/SNI, and optional HTTP/3 route handling
+- 🌐 SmartProxy-backed HTTP, HTTPS, TCP, TLS/SNI, source-policy rate limits/challenges, and optional HTTP/3 route handling
 - 📬 SmartMTA-backed SMTP ingress and email-domain operations
 - 🧭 SmartDNS-backed authoritative DNS plus generated DNS-over-HTTPS routes
-- 🔐 ACME, certificate state, API tokens, users, source profiles, target profiles, and security policies
-- 🛡️ RADIUS, VLAN assignment, VPN-protected routes, and remote ingress firewall snapshots
+- 🔐 ACME with managed-domain DNS-01 support, certificate state, API tokens, users, source profiles, and target profiles
+- 🛡️ RADIUS, VLAN assignment, VPN-protected routes, IP intelligence, block rules, and remote ingress firewall snapshots
 - 🖥️ Browser Ops dashboard and TypedRequest API served by the built-in OpsServer
 
 ## Runtime Areas
 
 | Area | What dcrouter manages |
 | --- | --- |
-| Proxying | SmartProxy routes for HTTP, HTTPS, TCP, SNI, TLS termination, passthrough, and backend forwarding |
+| Proxying | SmartProxy routes for HTTP, HTTPS, TCP, SNI, TLS termination, passthrough, backend forwarding, source policies, rate limits, and browser challenges |
 | Route ownership | Constructor routes, generated email/DNS routes, and API-created routes with explicit origins |
 | DNS | Authoritative scopes, generated NS records, static DNS records, provider-backed domains, and DoH endpoints |
 | Email | UnifiedEmailServer startup, email-domain management, route-backed delivery actions, received mail operations |
-| Certificates | ACME config, stored certificate metadata, provisioning backoff, and certificate status reporting |
+| Certificates | ACME config, managed-domain DNS-01 challenges, HTTP-01 fallback, stored certificate metadata, provisioning backoff, and certificate status reporting |
 | Edge access | Remote ingress hub, edge registrations, derived edge ports, pushed firewall rules, VPN-only route access |
 | Network auth | RADIUS clients, MAC Authentication Bypass, VLAN mapping, and accounting sessions |
+| Security policy | DB-backed block rules, public-IP intelligence, compiled SmartProxy deny policy, RemoteIngress firewall snapshots, and audit events |
 | Operations | Dashboard views, TypedRequest handlers, metrics, logs, health, API tokens, users, and configuration views |
 
 ## Install
@@ -150,18 +151,25 @@ System routes are persisted with stable `systemKey` values. API-created routes a
 
 API-created route records pass ordered `metadata.sourceBindings[]` alongside the SmartProxy route config to express source and path policy variants without duplicating whole routes by hand. Each binding points at a source profile id through `sourceProfileRef`. Dashboard presets resolve seeded profile names to ids before saving.
 
+Source profiles store reusable defaults only. A source profile is not enforced globally by itself; dcrouter compiles it into SmartProxy routes only when a route references it through `metadata.sourceBindings[]`.
+
 Runtime behavior:
 
 - Source matching uses the referenced `SourceProfile.security.ipAllowList`.
 - Bindings are evaluated in order and the first matching source profile wins.
-- A matched binding that exceeds its configured rate or connection limit is terminal and returns `429`; dcrouter does not fall through to later bindings.
+- A matched binding that exceeds its configured rate or connection limit is terminal; dcrouter does not fall through to later bindings. Rate limits normally return `429`, or trigger a browser challenge when `rateLimit.onExceeded.type === 'challenge'`.
 - Source-binding rate limits are always keyed by source IP; dcrouter ignores `path` and `header` keying on source-binding and path-policy overrides.
+- Source-binding and path-policy `rateLimit` and `challenge` fields use tri-state semantics: omitted means inherit, `null` means explicitly clear inherited protection, and an object means custom protection.
+- Effective protection precedence is path policy, then route binding, then source profile, then parent source profile, then no protection.
+- When `sourceBindings[]` are present, dcrouter compiles source-policy variants from source profile, binding, and path policy protection. Base route `rateLimit` and `challenge` values are not part of that inheritance chain; routes without source bindings use normal SmartProxy route security.
+- Direct `challenge` protection applies to matching HTTP-visible requests. `rateLimit.onExceeded.type === 'challenge'` configures a browser challenge for rate-limit exceed events.
+- Binding-level and path-policy `onExceeded` is only for `429` message handling. Browser challenge-on-exceeded behavior belongs on `rateLimit.onExceeded`.
 - Private-only binding lists are valid. dcrouter adds a same-match terminal deny fallback so unmatched sources fail closed.
 - A public or wildcard binding is optional. When present, it must be last and must use `*`, or both `0.0.0.0/0` and `::/0`, in `security.ipAllowList`.
 - Create/update paths reject source bindings with missing source profiles, source profiles without source matches, or any all-source binding that shadows later bindings; persisted invalid bindings fail closed at compile time.
 - Server-side caps bound policy expansion to 16 source bindings, 12 path policies per binding, 64 path patterns per path policy, 256 characters and 8 wildcards per custom path pattern, 512 compiled SmartProxy route-port variants per stored route, and enough priority headroom above the stored route priority for generated source-binding variants.
 
-Path policies let a source binding override rate limits or connection limits for specific path classes. dcrouter currently ships Gitea-oriented classes: `git-smart-http`, `static`, `normal-html`, `expensive-html`, `raw`, and `archive`. Path-specific variants win over the same binding's fallback; if every path policy is path-specific, dcrouter adds a source-level fallback route for unmatched paths so normal browsing cannot fall through to a later source binding. The Gitea preset keeps `git-smart-http` high-limit and separate from HTML crawling paths so normal `git clone`, `git fetch`, `git push`, and Git LFS traffic are not subject to the lower HTML crawler limits.
+Path policies let a source binding override rate limits, browser challenges, or connection limits for specific path classes. dcrouter currently ships Gitea-oriented classes: `git-smart-http`, `static`, `normal-html`, `expensive-html`, `raw`, and `archive`. Path-specific variants win over the same binding's fallback; if every path policy is path-specific, dcrouter adds a source-level fallback route for unmatched paths so normal browsing cannot fall through to a later source binding. The Gitea preset keeps `git-smart-http` high-limit and separate from HTML crawling paths so normal `git clone`, `git fetch`, `git push`, and Git LFS traffic are not subject to the lower HTML crawler limits.
 
 ```typescript
 const trustedProfileId = 'source-profile-id-trusted';
@@ -181,6 +189,7 @@ const createRoutePayload = {
     sourceBindings: [
       {
         sourceProfileRef: trustedProfileId,
+        rateLimit: null,
         maxConnections: 5000,
         onExceeded: { type: '429' },
       },
@@ -210,7 +219,22 @@ const createRoutePayload = {
           },
           {
             pathClass: 'normal-html',
-            rateLimit: { enabled: true, maxRequests: 120, window: 60, keyBy: 'ip' },
+            rateLimit: {
+              enabled: true,
+              maxRequests: 120,
+              window: 60,
+              keyBy: 'ip',
+              onExceeded: {
+                type: 'challenge',
+                challenge: {
+                  providerId: 'smartchallenge',
+                  challengeType: 'wait',
+                  applyTo: { methods: ['GET'], browserNavigationsOnly: true },
+                  clearance: { ttlSeconds: 300, bindToHost: true, bindToRoute: true },
+                },
+                clearanceEffect: 'bypass-rate-limit',
+              },
+            },
           },
         ],
       },
@@ -219,6 +243,44 @@ const createRoutePayload = {
 };
 ```
 
+### Source Profiles
+
+Source profiles are reusable source-side security defaults. They can carry `ipAllowList`, `ipBlockList`, `maxConnections`, `rateLimit`, authentication fields, VPN fields, and `challenge`. Profiles can extend parent profiles; IP allow/block lists are unioned and scalar/object protection fields such as `maxConnections`, `rateLimit`, and `challenge` are overridden by the more specific profile.
+
+When `dbConfig.seedOnEmpty` seeds an empty database, dcrouter's built-in profile set includes:
+
+| Profile | Default purpose |
+| --- | --- |
+| `TRUSTED NETWORKS` | Private networks, localhost, and high connection allowance |
+| `AI CRAWLERS` | Placeholder crawler profile with low per-IP request limits until verified crawler CIDRs are added |
+| `PUBLIC` | Public fallback profile with per-IP request limiting |
+| `STANDARD` | Standard private-network access profile |
+
+The source profile dashboard supports protection modes for rate limits and browser challenges: inherit/unset, none/clear inherited, or custom. Custom challenge settings expose the provider id, challenge type, and clearance TTL used by source-policy route compilation.
+
+### Challenge Support
+
+dcrouter registers the `smartchallenge` provider with the `wait` challenge type when SmartProxy starts. Source policies can apply challenges in two ways:
+
+- `challenge` on a source profile, route binding, or path policy protects matching HTTP-visible traffic directly.
+- `rateLimit.onExceeded.type: 'challenge'` configures the rate-limit exceeded path to issue the configured challenge.
+
+Challenge-aware source-policy variants and HTTP/3-augmented challenged routes force HTTP protocol matching where needed so SmartProxy can process browser challenges correctly.
+
+### ACME And Certificate Challenges
+
+DB-backed ACME configuration drives SmartProxy certificate provisioning. When ACME is enabled and dcrouter has managed domains, `DnsManager` builds the DNS-01 provider used by SmartAcme. That provider creates and removes challenge TXT records through the same DNS record path used for dcrouter-hosted zones and provider-managed domains.
+
+SmartAcme is configured with DNS-01 priority for managed domains. If SmartAcme is still starting or retrying account setup, the certificate provision callback falls back to HTTP-01 for that request. Issued certificates are stored through the proxy certificate store, and certificate status is tracked from both newly issued and store-loaded certificate events.
+
+### Security Policy And IP Intelligence
+
+When DB-backed persistence is enabled, `SecurityPolicyManager` maintains global deny policy from block rules and observed public-IP intelligence. Rule types are `ip`, `cidr`, `asn`, and `organization`; organization rules support `exact` or `contains` matching against enriched ASN and registrant organization data.
+
+The compiled policy contains `blockedIps` and `blockedCidrs`. dcrouter merges it into SmartProxy's security policy and also compiles an IPv4 firewall snapshot for RemoteIngress edge synchronization. Security policy changes are audited when block rules are created, updated, or deleted.
+
+The OpsServer exposes these security policy methods through TypedRequest: `listSecurityBlockRules`, `createSecurityBlockRule`, `updateSecurityBlockRule`, `deleteSecurityBlockRule`, `listIpIntelligence`, `refreshIpIntelligence`, `getCompiledSecurityPolicy`, and `listSecurityPolicyAudit`.
+
 ## Production-Flavored Example
 
 ```typescript

package/ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@serve.zone/dcrouter',
-  version: '14.2.3',
+  version: '14.3.1',
   description: 'A multifaceted routing service handling mail and SMS delivery functions.'
 }

package/ts/config/classes.route-config-manager.ts

@@ -11,9 +11,10 @@ import type {
   IRoutePathPolicyBinding,
   IRouteSourceBinding,
   IRouteSecurity,
+  TRouteRateLimitExceededPolicy,
 } from '../../ts_interfaces/data/route-management.js';
 import type { IDcRouterRouteConfig } from '../../ts_interfaces/data/remoteingress.js';
-import { type IHttp3Config, augmentRouteWithHttp3 } from '../http3/index.js';
+import { type IHttp3Config, augmentRouteWithHttp3, routeNeedsHttpProtocol } from '../http3/index.js';
 import type { ReferenceResolver } from './classes.reference-resolver.js';
 import { SourcePolicyCompiler } from './classes.source-policy-compiler.js';
 import { deriveHttpRedirects } from './helpers.http-redirects.js';
@@ -548,6 +549,7 @@ export class RouteConfigManager {
         continue;
       }
       const normalizedRateLimit = this.normalizeRateLimit(binding.rateLimit);
+      const normalizedChallenge = this.normalizeChallenge(binding.challenge);
       const normalizedPathPolicies = this.normalizePathPolicies(binding.pathPolicies);
 
       normalizedBindings.push({
@@ -556,7 +558,8 @@ export class RouteConfigManager {
         ...(typeof binding.sourceProfileName === 'string' && binding.sourceProfileName.trim()
           ? { sourceProfileName: binding.sourceProfileName.trim() }
           : {}),
-        ...(normalizedRateLimit ? { rateLimit: normalizedRateLimit } : {}),
+        ...(normalizedRateLimit !== undefined ? { rateLimit: normalizedRateLimit } : {}),
+        ...(normalizedChallenge !== undefined ? { challenge: normalizedChallenge } : {}),
         ...(typeof binding.maxConnections === 'number' && Number.isFinite(binding.maxConnections) && binding.maxConnections >= 0
           ? { maxConnections: binding.maxConnections }
           : {}),
@@ -592,6 +595,7 @@ export class RouteConfigManager {
       }
 
       const normalizedRateLimit = this.normalizeRateLimit(pathPolicy.rateLimit);
+      const normalizedChallenge = this.normalizeChallenge(pathPolicy.challenge);
       const pathPatterns = Array.isArray(pathPolicy.pathPatterns)
         ? [...new Set(pathPolicy.pathPatterns
             .map((pattern) => typeof pattern === 'string' ? pattern.trim() : '')
@@ -602,7 +606,8 @@ export class RouteConfigManager {
         ...(typeof pathPolicy.id === 'string' && pathPolicy.id.trim() ? { id: pathPolicy.id.trim() } : {}),
         pathClass: pathPolicy.pathClass,
         ...(pathPatterns?.length ? { pathPatterns } : {}),
-        ...(normalizedRateLimit ? { rateLimit: normalizedRateLimit } : {}),
+        ...(normalizedRateLimit !== undefined ? { rateLimit: normalizedRateLimit } : {}),
+        ...(normalizedChallenge !== undefined ? { challenge: normalizedChallenge } : {}),
         ...(typeof pathPolicy.maxConnections === 'number' && Number.isFinite(pathPolicy.maxConnections) && pathPolicy.maxConnections >= 0
           ? { maxConnections: pathPolicy.maxConnections }
           : {}),
@@ -634,24 +639,75 @@ export class RouteConfigManager {
   }
 
   private normalizeRateLimit(rateLimit?: IRouteSecurity['rateLimit']): IRouteSecurity['rateLimit'] | undefined {
+    if (rateLimit === null) {
+      return null;
+    }
     if (!rateLimit || typeof rateLimit !== 'object') {
       return undefined;
     }
+    if (rateLimit.enabled === false) {
+      return undefined;
+    }
 
     const maxRequests = Number(rateLimit.maxRequests);
     const window = Number(rateLimit.window);
-    if (!Number.isFinite(maxRequests) || maxRequests < 0 || !Number.isFinite(window) || window < 0) {
+    if (!Number.isFinite(maxRequests) || maxRequests <= 0 || !Number.isFinite(window) || window <= 0) {
       return undefined;
     }
 
+    const onExceeded = this.normalizeRateLimitExceeded(rateLimit.onExceeded);
     return {
-      enabled: rateLimit.enabled !== false,
+      enabled: true,
       maxRequests,
       window,
       keyBy: 'ip',
       ...(typeof rateLimit.errorMessage === 'string' && rateLimit.errorMessage.trim()
         ? { errorMessage: rateLimit.errorMessage.trim() }
         : {}),
+      ...(onExceeded ? { onExceeded } : {}),
+    };
+  }
+
+  private normalizeRateLimitExceeded(
+    onExceeded: TRouteRateLimitExceededPolicy | undefined,
+  ): TRouteRateLimitExceededPolicy | undefined {
+    if (!onExceeded || typeof onExceeded !== 'object') {
+      return undefined;
+    }
+    const rawExceeded = onExceeded;
+    if (rawExceeded.type === 'challenge') {
+      const challenge = this.normalizeChallenge(rawExceeded.challenge);
+      if (!challenge || challenge === null) {
+        return undefined;
+      }
+      return {
+        type: 'challenge' as const,
+        challenge,
+        clearanceEffect: rawExceeded.clearanceEffect === 'none' ? 'none' as const : 'bypass-rate-limit' as const,
+      };
+    }
+    if (rawExceeded.type === '429') {
+      return { type: '429' as const };
+    }
+    return undefined;
+  }
+
+  private normalizeChallenge(challenge?: IRouteSecurity['challenge']): IRouteSecurity['challenge'] | undefined {
+    if (challenge === null) {
+      return null;
+    }
+    if (!challenge || typeof challenge !== 'object') {
+      return undefined;
+    }
+    const providerId = typeof challenge.providerId === 'string' ? challenge.providerId.trim() : '';
+    const challengeType = typeof challenge.challengeType === 'string' ? challenge.challengeType.trim() : '';
+    if (!providerId || !challengeType) {
+      return undefined;
+    }
+    return {
+      ...structuredClone(challenge),
+      providerId,
+      challengeType,
     };
   }
 
@@ -782,6 +838,16 @@ export class RouteConfigManager {
     let preparedRoute = route;
     const http3Config = this.getHttp3Config?.();
 
+    if (routeNeedsHttpProtocol(preparedRoute)) {
+      preparedRoute = {
+        ...preparedRoute,
+        match: {
+          ...preparedRoute.match,
+          protocol: 'http',
+        },
+      };
+    }
+
     if (http3Config?.enabled !== false) {
       preparedRoute = augmentRouteWithHttp3(preparedRoute, { enabled: true, ...http3Config });
     }

package/ts/config/classes.source-policy-compiler.ts

@@ -188,6 +188,10 @@ export class SourcePolicyCompiler {
       if (bindingRateLimitError) {
         return bindingRateLimitError;
       }
+      const bindingChallengeError = this.validateChallengePayload(binding.challenge);
+      if (bindingChallengeError) {
+        return bindingChallengeError;
+      }
       const bindingMessage = binding.onExceeded?.errorMessage;
       if (typeof bindingMessage === 'string' && bindingMessage.length > sourcePolicyLimits.maxExceededMessageLength) {
         return `Source policy exceeded message exceeds ${sourcePolicyLimits.maxExceededMessageLength} characters`;
@@ -221,6 +225,10 @@ export class SourcePolicyCompiler {
         if (pathRateLimitError) {
           return pathRateLimitError;
         }
+        const pathChallengeError = this.validateChallengePayload(pathPolicy.challenge);
+        if (pathChallengeError) {
+          return pathChallengeError;
+        }
         const pathMessage = pathPolicy.onExceeded?.errorMessage;
         if (typeof pathMessage === 'string' && pathMessage.length > sourcePolicyLimits.maxExceededMessageLength) {
           return `Source policy exceeded message exceeds ${sourcePolicyLimits.maxExceededMessageLength} characters`;
@@ -255,9 +263,12 @@ export class SourcePolicyCompiler {
   }
 
   private static validateRateLimitPayload(rateLimit: IRouteSecurity['rateLimit'] | undefined): string | undefined {
-    if (!rateLimit || typeof rateLimit !== 'object') {
+    if (rateLimit === null || rateLimit === undefined) {
       return undefined;
     }
+    if (typeof rateLimit !== 'object') {
+      return 'Source policy rate limit must be an object, null, or omitted';
+    }
     const rawRateLimit = rateLimit as unknown as Record<string, unknown>;
     for (const key of ['maxRequests', 'window'] as const) {
       const value = rawRateLimit[key];
@@ -271,6 +282,53 @@ export class SourcePolicyCompiler {
     ) {
       return `Source policy rate limit error message exceeds ${sourcePolicyLimits.maxExceededMessageLength} characters`;
     }
+    const rawOnExceeded = rawRateLimit.onExceeded;
+    if (rawOnExceeded !== undefined) {
+      if (!rawOnExceeded || typeof rawOnExceeded !== 'object') {
+        return 'Source policy rate limit onExceeded must be an object or omitted';
+      }
+      const onExceeded = rawOnExceeded as NonNullable<IRouteSecurity['rateLimit']>['onExceeded'];
+      if (!onExceeded || !['429', 'challenge'].includes(onExceeded.type)) {
+        return 'Source policy rate limit onExceeded.type must be 429 or challenge';
+      }
+      if (
+        onExceeded.clearanceEffect !== undefined
+        && !['bypass-rate-limit', 'none'].includes(onExceeded.clearanceEffect)
+      ) {
+        return 'Source policy rate limit onExceeded.clearanceEffect must be bypass-rate-limit or none';
+      }
+      if (onExceeded.type === 'challenge') {
+        if (!onExceeded.challenge) {
+          return 'Source policy rate limit challenge requires challenge config';
+        }
+        const challengeError = this.validateChallengePayload(onExceeded.challenge);
+        if (challengeError) {
+          return challengeError;
+        }
+      }
+    }
+    return undefined;
+  }
+
+  private static validateChallengePayload(challenge: IRouteSecurity['challenge'] | undefined): string | undefined {
+    if (challenge === null || challenge === undefined) {
+      return undefined;
+    }
+    if (typeof challenge !== 'object') {
+      return 'Source policy challenge must be an object, null, or omitted';
+    }
+    if (typeof challenge.providerId !== 'string' || challenge.providerId.trim().length === 0) {
+      return 'Source policy challenge requires providerId';
+    }
+    if (typeof challenge.challengeType !== 'string' || challenge.challengeType.trim().length === 0) {
+      return 'Source policy challenge requires challengeType';
+    }
+    if (challenge.providerId.length > sourcePolicyLimits.maxIdLength) {
+      return `Source policy challenge providerId exceeds ${sourcePolicyLimits.maxIdLength} characters`;
+    }
+    if (challenge.challengeType.length > sourcePolicyLimits.maxIdLength) {
+      return `Source policy challenge challengeType exceeds ${sourcePolicyLimits.maxIdLength} characters`;
+    }
     return undefined;
   }
 
@@ -421,6 +479,19 @@ export class SourcePolicyCompiler {
         )
       : 0;
 
+    const security = this.buildBindingSecurity(
+      options.route.security,
+      options.profileSecurity,
+      options.binding,
+      options.pathPolicy,
+    );
+    const match: plugins.smartproxy.IRouteConfig['match'] = options.pathPattern
+      ? { ...options.sourceMatch, path: options.pathPattern }
+      : { ...options.sourceMatch };
+    if (this.requiresHttpProtocol(security)) {
+      match.protocol = 'http';
+    }
+
     return {
       ...options.route,
       id: pathPolicyKey
@@ -429,16 +500,9 @@ export class SourcePolicyCompiler {
       name: pathLabel
         ? `${options.route.name || routeKey}:source:${options.profileName}:path:${pathLabel}${pathPatternSuffix}`
         : `${options.route.name || routeKey}:source:${options.profileName}`,
-      match: options.pathPattern
-        ? { ...options.sourceMatch, path: options.pathPattern }
-        : { ...options.sourceMatch },
+      match,
       priority: this.clampPriority(options.sourcePriority + pathPriority),
-      security: this.buildBindingSecurity(
-        options.route.security,
-        options.profileSecurity,
-        options.binding,
-        options.pathPolicy,
-      ),
+      security,
     };
   }
 
@@ -624,17 +688,27 @@ export class SourcePolicyCompiler {
   private static forceIpRateLimit(
     rateLimit: IRouteSecurity['rateLimit'] | undefined,
   ): IRouteSecurity['rateLimit'] | undefined {
-    if (!rateLimit) {
+    if (rateLimit === null) {
+      return null;
+    }
+    if (!rateLimit || rateLimit.enabled === false) {
+      return undefined;
+    }
+    const { headerName: _headerName, ...rest } = structuredClone(rateLimit);
+    if (Number(rest.maxRequests) <= 0 || Number(rest.window) <= 0) {
       return undefined;
     }
-    const { headerName: _headerName, ...rest } = structuredClone(rateLimit as Record<string, any>);
     return {
       ...rest,
+      enabled: true,
       keyBy: 'ip',
     } as IRouteSecurity['rateLimit'];
   }
 
-  private static sanitizeSourcePolicySecurity(security: IRouteSecurity): IRouteSecurity {
+  private static sanitizeSourcePolicySecurity(
+    security: IRouteSecurity,
+    options: { preserveClears?: boolean } = {},
+  ): IRouteSecurity {
     const sanitized = structuredClone(security);
     const maxConnections = this.normalizeMaxConnections(sanitized.maxConnections);
     if (maxConnections === undefined) {
@@ -642,8 +716,19 @@ export class SourcePolicyCompiler {
     } else {
       sanitized.maxConnections = maxConnections;
     }
-    if (sanitized.rateLimit) {
-      sanitized.rateLimit = this.forceIpRateLimit(sanitized.rateLimit);
+    if (sanitized.rateLimit !== undefined && sanitized.rateLimit !== null) {
+      const rateLimit = this.forceIpRateLimit(sanitized.rateLimit);
+      if (rateLimit === undefined) {
+        delete sanitized.rateLimit;
+      } else {
+        sanitized.rateLimit = rateLimit;
+      }
+    }
+    if (sanitized.rateLimit === null && !options.preserveClears) {
+      delete sanitized.rateLimit;
+    }
+    if (sanitized.challenge === null && !options.preserveClears) {
+      delete sanitized.challenge;
     }
     return sanitized;
   }
@@ -676,12 +761,20 @@ export class SourcePolicyCompiler {
     profileSecurity: IRouteSecurity,
     binding: IRouteSourceBinding,
     pathPolicy?: IRoutePathPolicyBinding,
-  ): IRouteSecurity | undefined {
+  ): plugins.smartproxy.IRouteConfig['security'] {
     const baseSecurity = this.omitSourceMatchFields(routeSecurity || {});
-    const sourceSecurity = this.omitSourceMatchFields(profileSecurity);
+    delete baseSecurity.rateLimit;
+    delete baseSecurity.challenge;
+    const sourceSecurity = this.omitSourceMatchFields(profileSecurity, { preserveClears: true });
 
     if (binding.rateLimit !== undefined) {
-      sourceSecurity.rateLimit = this.forceIpRateLimit(binding.rateLimit);
+      const rateLimit = this.forceIpRateLimit(binding.rateLimit);
+      if (rateLimit !== undefined) {
+        sourceSecurity.rateLimit = rateLimit;
+      }
+    }
+    if (binding.challenge !== undefined) {
+      sourceSecurity.challenge = binding.challenge;
     }
     if (binding.maxConnections !== undefined) {
       const maxConnections = this.normalizeMaxConnections(binding.maxConnections);
@@ -699,7 +792,13 @@ export class SourcePolicyCompiler {
     }
 
     if (pathPolicy?.rateLimit !== undefined) {
-      sourceSecurity.rateLimit = this.forceIpRateLimit(pathPolicy.rateLimit);
+      const rateLimit = this.forceIpRateLimit(pathPolicy.rateLimit);
+      if (rateLimit !== undefined) {
+        sourceSecurity.rateLimit = rateLimit;
+      }
+    }
+    if (pathPolicy?.challenge !== undefined) {
+      sourceSecurity.challenge = pathPolicy.challenge;
     }
     if (pathPolicy?.maxConnections !== undefined) {
       const maxConnections = this.normalizeMaxConnections(pathPolicy.maxConnections);
@@ -721,11 +820,30 @@ export class SourcePolicyCompiler {
       ...sourceSecurity,
     });
 
-    return this.isEmptySecurity(mergedSecurity) ? undefined : mergedSecurity;
+    if (this.isEmptySecurity(mergedSecurity)) {
+      return undefined;
+    }
+
+    const { rateLimit, challenge, ...rest } = mergedSecurity;
+    return {
+      ...rest,
+      ...(rateLimit ? { rateLimit } : {}),
+      ...(challenge ? { challenge } : {}),
+    };
+  }
+
+  private static requiresHttpProtocol(security: IRouteSecurity | undefined): boolean {
+    return Boolean(
+      security?.challenge
+      || (security?.rateLimit && security.rateLimit !== null && security.rateLimit.onExceeded?.type === 'challenge'),
+    );
   }
 
-  private static omitSourceMatchFields(security: IRouteSecurity): IRouteSecurity {
+  private static omitSourceMatchFields(
+    security: IRouteSecurity,
+    options: { preserveClears?: boolean } = {},
+  ): IRouteSecurity {
     const { ipAllowList: _ipAllowList, ...controls } = security;
-    return this.sanitizeSourcePolicySecurity(controls);
+    return this.sanitizeSourcePolicySecurity(controls, options);
   }
 }

package/ts/dns/manager.dns.ts

@@ -221,15 +221,24 @@ export class DnsManager {
     value?: string,
   ): Promise<void> {
     const records = await DnsRecordDoc.findByDomainId(domainId);
+    const failedDeletes: string[] = [];
     for (const rec of records) {
       if (
         rec.name.toLowerCase() === name.toLowerCase()
         && rec.type === type
         && (value === undefined || rec.value === value)
       ) {
-        await this.deleteRecord(rec.id);
+        const deleteResult = await this.deleteRecord(rec.id);
+        if (!deleteResult.success) {
+          failedDeletes.push(deleteResult.message || `failed to delete DNS record ${rec.id}`);
+        }
       }
     }
+    if (failedDeletes.length > 0) {
+      throw new Error(
+        `DnsManager: failed to delete ${type} record(s) for ${name}: ${failedDeletes.join('; ')}`,
+      );
+    }
   }
 
   /**
@@ -274,7 +283,7 @@ export class DnsManager {
           logger.log('warn', `DnsManager: failed to clean existing TXT for ${dnsChallenge.hostName}: ${(err as Error).message}`);
         }
         // Create the challenge TXT record via the unified path
-        await self.createRecord({
+        const createResult = await self.createRecord({
           domainId: domainDoc.id,
           name: dnsChallenge.hostName,
           type: 'TXT',
@@ -282,6 +291,12 @@ export class DnsManager {
           ttl: 120,
           createdBy: 'acme-dns01',
         });
+        if (!createResult.success) {
+          throw new Error(
+            createResult.message ||
+              `DnsManager: failed to create TXT challenge for ${dnsChallenge.hostName}`,
+          );
+        }
       },
       async acmeRemoveDnsChallenge(dnsChallenge: { hostName: string; challenge: string }) {
         const domainDoc = await self.findDomainForFqdn(dnsChallenge.hostName);

package/ts/http3/http3-route-augmentation.ts

@@ -49,6 +49,14 @@ function isEmailRoute(route: plugins.smartproxy.IRouteConfig): boolean {
   );
 }
 
+export function routeNeedsHttpProtocol(route: plugins.smartproxy.IRouteConfig): boolean {
+  const security = route.security;
+  return Boolean(
+    security?.challenge
+    || security?.rateLimit?.onExceeded?.type === 'challenge',
+  );
+}
+
 /**
  * Determine if a route qualifies for HTTP/3 augmentation.
  */
@@ -103,7 +111,9 @@ export function augmentRouteWithHttp3(
     match: {
       ...route.match,
       transport: 'all' as const,
-      ...(route.security?.challenge ? { protocol: 'http' as const } : {}),
+      ...(routeNeedsHttpProtocol(route)
+        ? { protocol: 'http' as const }
+        : {}),
     },
     action: {
       ...route.action,

package/ts_web/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@serve.zone/dcrouter',
-  version: '14.2.3',
+  version: '14.3.1',
   description: 'A multifaceted routing service handling mail and SMS delivery functions.'
 }