@serve.zone/dcrouter 15.0.0 → 15.0.2

package/ts/email/classes.email-route-builder.ts

@@ -0,0 +1,312 @@
+import * as plugins from '../plugins.js';
+import { logger } from '../logger.js';
+import type { IUnifiedEmailServerOptions } from '@push.rocks/smartmta';
+import type { IRoute } from '../../ts_interfaces/data/route-management.js';
+import type { IDcRouterRouteConfig } from '../../ts_interfaces/data/remoteingress.js';
+import type { DcRouter } from '../classes.dcrouter.js';
+
+type TInboundProxyProtocolPolicy = NonNullable<plugins.smartproxy.IRouteMatch['inboundProxyProtocol']>;
+
+/**
+ * Generates SmartProxy routes for the email ports and hydrates persisted
+ * email routes into runtime routes: server-first SMTP ports get a raw
+ * socket-handler proxy that injects PROXY protocol toward the backend.
+ */
+export class EmailRouteBuilder {
+  constructor(private dcRouterRef: DcRouter) {}
+
+  public generateEmailRoutes(emailConfig: IUnifiedEmailServerOptions): IDcRouterRouteConfig[] {
+    const emailRoutes: IDcRouterRouteConfig[] = [];
+
+    // Create routes for each email port
+    for (const port of emailConfig.ports) {
+      // Create a descriptive name for the route based on the port
+      let routeName = 'email-route';
+      let tlsMode: 'terminate' | undefined;
+
+      // Handle different email ports differently
+      switch (port) {
+        case 25: // SMTP
+          routeName = 'smtp-route';
+          break;
+
+        case 587: // Submission
+          routeName = 'submission-route';
+          break;
+
+        case 465: // SMTPS
+          routeName = 'smtps-route';
+          tlsMode = 'terminate'; // SmartProxy owns public TLS; backend remains server-first SMTP
+          break;
+
+        default:
+          routeName = `email-port-${port}-route`;
+
+          // Check if we have specific settings for this port
+          if (this.dcRouterRef.options.emailPortConfig?.portSettings &&
+              this.dcRouterRef.options.emailPortConfig.portSettings[port]) {
+            const portSettings = this.dcRouterRef.options.emailPortConfig.portSettings[port];
+
+            // If this port requires TLS termination, set the mode accordingly
+            if (portSettings.terminateTls) {
+              tlsMode = 'terminate';
+            }
+
+            // Override the route name if specified
+            if (portSettings.routeName) {
+              routeName = portSettings.routeName;
+            }
+          }
+          break;
+      }
+
+      // Create forward action to route to internal email server ports
+      const defaultPortMapping: Record<number, number> = {
+        25: 10025,   // SMTP
+        587: 10587,  // Submission
+        465: 10465   // SMTPS
+      };
+
+      const portMapping = this.dcRouterRef.options.emailPortConfig?.portMapping || defaultPortMapping;
+      const internalPort = portMapping[port] || port + 10000;
+
+      let action: any = {
+        type: 'forward',
+        sendProxyProtocol: true,
+        targets: [{
+          host: 'localhost', // Forward to internal email server
+          port: internalPort,
+          sendProxyProtocol: true,
+        }]
+      };
+
+      // Plain SMTP/STARTTLS ports must not carry TLS metadata, or SmartProxy waits for TLS/SNI first.
+      if (tlsMode === 'terminate') {
+        action.tls = {
+          mode: tlsMode,
+          certificate: 'auto',
+        };
+      }
+
+      // Create the route configuration
+      const routeConfig: IDcRouterRouteConfig = {
+        name: routeName,
+        match: {
+          ports: [port],
+          transport: 'tcp',
+        },
+        action: action
+      };
+
+      if (this.dcRouterRef.isRemoteIngressHubEnabled()) {
+        routeConfig.remoteIngress = { enabled: true };
+        const inboundProxyProtocol = this.getRemoteIngressEmailInboundProxyPolicy(port);
+        if (inboundProxyProtocol) {
+          routeConfig.match.inboundProxyProtocol = inboundProxyProtocol;
+        }
+      }
+
+      // Add the route to our list
+      emailRoutes.push(routeConfig);
+    }
+
+    return emailRoutes;
+  }
+
+  public getRuntimeEmailRoutes(emailRoutes: IDcRouterRouteConfig[]): plugins.smartproxy.IRouteConfig[] {
+    return emailRoutes.map((route) => this.createServerFirstEmailRuntimeRoute(route) || route);
+  }
+
+  /**
+   * Hydrate a persisted route into its runtime form: generated email routes
+   * get the server-first socket-handler treatment, DoH routes get the DNS
+   * socket handler. Returns undefined when the stored route runs as-is.
+   */
+  public hydrateStoredRouteForRuntime(storedRoute: IRoute): plugins.smartproxy.IRouteConfig | undefined {
+    const routeName = storedRoute.route.name || '';
+    const isDohRoute = storedRoute.origin === 'dns'
+      && storedRoute.route.action?.type === 'socket-handler'
+      && routeName.startsWith('dns-over-https-');
+
+    if (!isDohRoute) {
+      if (this.shouldHydrateGeneratedEmailRoute(storedRoute)) {
+        return this.createServerFirstEmailRuntimeRoute(storedRoute.route);
+      }
+      return undefined;
+    }
+
+    return {
+      ...storedRoute.route,
+      action: {
+        ...storedRoute.route.action,
+        type: 'socket-handler' as any,
+        socketHandler: this.dcRouterRef.dnsServerRuntime.createSocketHandler(),
+      } as any,
+    };
+  }
+
+  private getCurrentGeneratedEmailRouteNames(): Set<string> {
+    if (this.dcRouterRef.options.dbConfig?.enabled === false) {
+      return new Set();
+    }
+    const sourceRoutes = this.dcRouterRef.seedEmailRoutes.length > 0
+      ? this.dcRouterRef.seedEmailRoutes
+      : this.dcRouterRef.options.emailConfig
+        ? this.generateEmailRoutes(this.dcRouterRef.options.emailConfig)
+        : [];
+    return new Set(sourceRoutes.map((route) => route.name).filter(Boolean) as string[]);
+  }
+
+  private shouldHydrateGeneratedEmailRoute(storedRoute: IRoute): boolean {
+    if (storedRoute.origin !== 'email') {
+      return false;
+    }
+    const routeName = storedRoute.route.name;
+    if (!routeName || !this.getCurrentGeneratedEmailRouteNames().has(routeName)) {
+      return false;
+    }
+    const expectedSystemKey = `email:${routeName}`;
+    return !storedRoute.systemKey || storedRoute.systemKey === expectedSystemKey;
+  }
+
+  private createServerFirstEmailRuntimeRoute(
+    route: plugins.smartproxy.IRouteConfig,
+  ): plugins.smartproxy.IRouteConfig | undefined {
+    const action = route.action as any;
+    if (action?.type !== 'forward') {
+      return undefined;
+    }
+    const tlsMode = action.tls?.mode;
+    if (tlsMode === 'terminate-and-reencrypt') {
+      return undefined;
+    }
+    const routePorts = plugins.smartproxy.expandPortRange(route.match?.ports as any) as number[];
+    if (routePorts.length !== 1) {
+      return undefined;
+    }
+
+    const target = action.targets?.[0];
+    if (!target || action.targets.length !== 1 || typeof target.port !== 'number') {
+      return undefined;
+    }
+    if (typeof target.host !== 'string') {
+      return undefined;
+    }
+
+    const targetHost = target.host === 'localhost' ? '127.0.0.1' : target.host;
+    const inboundProxyProtocol = this.getRemoteIngressEmailInboundProxyPolicy(routePorts[0]);
+    return {
+      ...route,
+      match: {
+        ...route.match,
+        ...(inboundProxyProtocol
+          ? { inboundProxyProtocol }
+          : {}),
+      },
+      action: {
+        type: 'socket-handler' as any,
+        ...(action.tls
+          ? { tls: action.tls }
+          : {}),
+        socketHandler: this.createEmailSocketProxyHandler(targetHost, target.port),
+      } as any,
+    };
+  }
+
+  private getRemoteIngressEmailInboundProxyPolicy(
+    port: number,
+  ): TInboundProxyProtocolPolicy | undefined {
+    if (!this.dcRouterRef.isRemoteIngressHubEnabled()) {
+      return undefined;
+    }
+    return { mode: port === 25 || port === 587 ? 'required' : 'optional' };
+  }
+
+  private createEmailSocketProxyHandler(
+    targetHost: string,
+    targetPort: number,
+  ): NonNullable<plugins.smartproxy.IRouteConfig['action']['socketHandler']> {
+    return (clientSocket, context) => {
+      let backendSocket: plugins.net.Socket | undefined;
+      let connectTimeout: ReturnType<typeof setTimeout> & { unref?: () => void };
+      let cleanupDone = false;
+
+      const cleanup = () => {
+        if (cleanupDone) return;
+        cleanupDone = true;
+        clearTimeout(connectTimeout);
+        clientSocket.removeListener('timeout', cleanup);
+        clientSocket.removeListener('error', cleanup);
+        clientSocket.removeListener('end', cleanup);
+        clientSocket.removeListener('close', cleanup);
+        backendSocket?.removeListener('timeout', cleanup);
+        backendSocket?.removeListener('error', cleanup);
+        backendSocket?.removeListener('end', cleanup);
+        backendSocket?.removeListener('close', cleanup);
+        clientSocket.destroy();
+        backendSocket?.destroy();
+      };
+
+      connectTimeout = setTimeout(() => {
+        cleanup();
+      }, 30_000);
+      connectTimeout.unref?.();
+
+      clientSocket.setTimeout(300_000);
+      clientSocket.on('timeout', cleanup);
+      clientSocket.on('error', cleanup);
+      clientSocket.on('end', cleanup);
+      clientSocket.on('close', cleanup);
+
+      backendSocket = plugins.net.connect(targetPort, targetHost, () => {
+        clearTimeout(connectTimeout);
+        backendSocket?.setTimeout(300_000);
+        const proxyHeader = this.createProxyProtocolV1Header(
+          context?.clientIp,
+          targetHost,
+          0,
+          targetPort,
+        );
+        if (!proxyHeader) {
+          cleanup();
+          return;
+        }
+        backendSocket!.write(proxyHeader, () => {
+          clientSocket.pipe(backendSocket!);
+          backendSocket!.pipe(clientSocket);
+        });
+      });
+      backendSocket.setTimeout(30_000);
+      backendSocket.on('timeout', cleanup);
+      backendSocket.on('error', cleanup);
+      backendSocket.on('end', cleanup);
+      backendSocket.on('close', cleanup);
+    };
+  }
+
+  private createProxyProtocolV1Header(
+    sourceIp: string | undefined,
+    destinationIp: string,
+    sourcePort: number,
+    destinationPort: number,
+  ): string | undefined {
+    if (!sourceIp || !plugins.net.isIP(sourceIp)) {
+      logger.log('warn', `Cannot create email PROXY protocol header for invalid source IP: ${sourceIp || 'unknown'}`);
+      return undefined;
+    }
+    const sourceFamily = plugins.net.isIP(sourceIp);
+    const destinationAddress = destinationIp === 'localhost' || destinationIp === '127.0.0.1' || destinationIp === '::1'
+      ? sourceFamily === 6 ? '::1' : '127.0.0.1'
+      : destinationIp;
+    const destinationFamily = plugins.net.isIP(destinationAddress);
+    if (!destinationFamily) {
+      logger.log('warn', `Cannot create email PROXY protocol header for invalid destination IP: ${destinationIp}`);
+      return undefined;
+    }
+    if (sourceFamily !== destinationFamily) {
+      return undefined;
+    }
+    const protocol = sourceFamily === 6 ? 'TCP6' : 'TCP4';
+    return `PROXY ${protocol} ${sourceIp} ${destinationAddress} ${sourcePort} ${destinationPort}\r\n`;
+  }
+}

package/ts/email/index.ts

@@ -1,4 +1,6 @@
+export * from './classes.accepted-email-spool.js';
 export * from './classes.email-domain.manager.js';
+export * from './classes.email-route-builder.js';
 export * from './classes.email-settings.manager.js';
 export * from './classes.smartmta-storage-manager.js';
 export * from './classes.workapp-mail-manager.js';

package/ts/opsserver/handlers/gatewayclient.handler.ts

@@ -654,7 +654,7 @@ export class GatewayClientHandler {
 
     const sourceBindings = this.getManagedRouteSourceBindings();
     if (!sourceBindings) {
-      return { success: false, message: 'STANDARD source profile not found' };
+      return { success: false, message: 'PUBLIC source profile not found' };
     }
 
     const metadata: interfaces.data.IRouteMetadata = {
@@ -709,16 +709,18 @@ export class GatewayClientHandler {
 
   private getManagedRouteSourceBindings(): interfaces.data.IRouteSourceBinding[] | undefined {
     const resolver = this.opsServerRef.dcRouterRef.referenceResolver;
-    const standardProfile = resolver?.listProfiles().find((profile: interfaces.data.ISourceProfile) => {
-      return profile.id.trim().toLowerCase() === 'standard'
-        || profile.name.trim().toLowerCase() === 'standard';
+    const profiles = resolver?.listProfiles() || [];
+    const publicProfile = profiles.find((profile: interfaces.data.ISourceProfile) => {
+      return profile.id.trim().toLowerCase() === 'public';
+    }) || profiles.find((profile: interfaces.data.ISourceProfile) => {
+      return profile.name.trim().toLowerCase() === 'public';
     });
-    if (!standardProfile) {
+    if (!publicProfile) {
       return undefined;
     }
     return [{
-      sourceProfileRef: standardProfile.id,
-      sourceProfileName: standardProfile.name,
+      sourceProfileRef: publicProfile.id,
+      sourceProfileName: publicProfile.name,
     }];
   }
 }

package/ts/remoteingress/classes.hub-lifecycle.ts

@@ -0,0 +1,278 @@
+import * as plugins from '../plugins.js';
+import { logger } from '../logger.js';
+import { ProxyCertDoc } from '../db/index.js';
+import { RemoteIngressManager, type IRemoteIngressFirewallConfig } from './classes.remoteingress-manager.js';
+import { TunnelManager } from './classes.tunnel-manager.js';
+import type { IDcRouterRouteConfig, IRemoteIngressHubSettings, TRemoteIngressHubSettingsUpdate } from '../../ts_interfaces/data/remoteingress.js';
+import type { DcRouter } from '../classes.dcrouter.js';
+
+/**
+ * Generation-guarded lifecycle for the RemoteIngress tunnel hub: serialized
+ * start/stop/restart of the Rust hub, edge mutations, route/firewall pushes,
+ * and hub-settings updates that may require a SmartProxy restart.
+ */
+export class RemoteIngressHubLifecycle {
+  private lifecycleChain: Promise<void> = Promise.resolve();
+  private stopping = false;
+  private generation = 0;
+
+  constructor(private dcRouterRef: DcRouter) {}
+
+  public async setup(): Promise<void> {
+    const remoteIngressManager = this.dcRouterRef.remoteIngressManager;
+    if (!remoteIngressManager) {
+      return;
+    }
+
+    const hubSettings = remoteIngressManager.getHubSettings();
+    if (!hubSettings.enabled) {
+      logger.log('info', 'Remote Ingress hub is disabled in DB settings');
+      return;
+    }
+
+    logger.log('info', 'Setting up Remote Ingress hub...');
+    this.stopping = false;
+    const generation = ++this.generation;
+
+    const firewallConfig = await this.dcRouterRef.securityPolicyManager?.compileRemoteIngressFirewall();
+    if (!this.isGenerationCurrent(generation, remoteIngressManager)) {
+      return;
+    }
+    remoteIngressManager.setFirewallConfig(firewallConfig);
+
+    // Pass current bootstrap routes so the manager can derive edge ports initially.
+    // Once RouteConfigManager applies the full DB set, the onRoutesApplied callback
+    // will push the complete merged routes here.
+    remoteIngressManager.setRoutes(this.dcRouterRef.getRemoteIngressBootstrapRoutes() as any[]);
+
+    // If ConfigManagers finished before us, re-apply routes
+    // so the callback delivers the full DB set to our newly-created remoteIngressManager.
+    if (this.dcRouterRef.routeConfigManager) {
+      await this.dcRouterRef.routeConfigManager.applyRoutes();
+    }
+    if (!this.isGenerationCurrent(generation, remoteIngressManager)) {
+      return;
+    }
+
+    await this.queueTask(async () => {
+      await this.startTunnelHubLocked(generation);
+    });
+    if (!this.isGenerationCurrent(generation, remoteIngressManager)) {
+      return;
+    }
+
+    const edgeCount = remoteIngressManager.getAllEdges().length;
+    logger.log('info', `Remote Ingress hub started on port ${hubSettings.tunnelPort} with ${edgeCount} registered edge(s)`);
+  }
+
+  public async stop(): Promise<void> {
+    this.stopping = true;
+    this.generation++;
+    await this.queueTask(async () => {
+      const currentTunnelManager = this.dcRouterRef.tunnelManager;
+      if (currentTunnelManager) {
+        await currentTunnelManager.stop();
+        if (this.dcRouterRef.tunnelManager === currentTunnelManager) {
+          this.dcRouterRef.tunnelManager = undefined;
+        }
+      }
+    });
+  }
+
+  public async mutateEdges<T>(
+    mutation: (manager: RemoteIngressManager) => Promise<T>,
+    syncAllowedEdges = true,
+  ): Promise<T> {
+    return await this.queueTask(async () => {
+      if (this.stopping) {
+        throw new Error('RemoteIngress is stopping');
+      }
+      const manager = this.dcRouterRef.remoteIngressManager;
+      if (!manager) {
+        throw new Error('RemoteIngress not configured');
+      }
+      const result = await mutation(manager);
+      if (syncAllowedEdges && this.dcRouterRef.tunnelManager) {
+        await this.dcRouterRef.tunnelManager.syncAllowedEdges();
+      }
+      return result;
+    });
+  }
+
+  public async updateRoutes(routes: IDcRouterRouteConfig[]): Promise<void> {
+    await this.queueTask(async () => {
+      if (this.stopping) return;
+      if (this.dcRouterRef.remoteIngressManager) {
+        this.dcRouterRef.remoteIngressManager.setRoutes(routes);
+      }
+      if (this.dcRouterRef.tunnelManager) {
+        await this.dcRouterRef.tunnelManager.syncAllowedEdges();
+      }
+    });
+  }
+
+  public async applyFirewallConfig(firewallConfig: IRemoteIngressFirewallConfig | undefined): Promise<void> {
+    await this.queueTask(async () => {
+      if (this.stopping) return;
+      if (this.dcRouterRef.remoteIngressManager) {
+        this.dcRouterRef.remoteIngressManager.setFirewallConfig(firewallConfig);
+      }
+      if (this.dcRouterRef.tunnelManager) {
+        await this.dcRouterRef.tunnelManager.syncAllowedEdges();
+      }
+    });
+  }
+
+  public async updateHubSettings(
+    updates: TRemoteIngressHubSettingsUpdate,
+    updatedBy: string,
+  ): Promise<IRemoteIngressHubSettings> {
+    const manager = this.dcRouterRef.remoteIngressManager;
+    if (!manager) {
+      throw new Error('RemoteIngress is not configured');
+    }
+
+    const previousSettings = manager.getHubSettings();
+    const settings = await manager.updateHubSettings(updates, updatedBy);
+    const enabledChanged = previousSettings.enabled !== settings.enabled;
+
+    if (!settings.enabled) {
+      await this.queueTask(async () => {
+        await this.stopTunnelHubLocked();
+      });
+    }
+
+    if (enabledChanged) {
+      await this.dcRouterRef.restartSmartProxyForRemoteIngressSettings();
+    }
+
+    if (settings.enabled) {
+      await this.queueTask(async () => {
+        await this.restartTunnelHubLocked();
+      });
+    }
+
+    return settings;
+  }
+
+  private isGenerationCurrent(generation: number, manager: RemoteIngressManager): boolean {
+    return !this.stopping
+      && generation === this.generation
+      && this.dcRouterRef.remoteIngressManager === manager;
+  }
+
+  private queueTask<T>(task: () => Promise<T>): Promise<T> {
+    const run = this.lifecycleChain.then(task);
+    this.lifecycleChain = run.then(() => undefined, () => undefined);
+    return run;
+  }
+
+  private async stopTunnelHubLocked(): Promise<void> {
+    this.generation++;
+    const currentTunnelManager = this.dcRouterRef.tunnelManager;
+    if (currentTunnelManager) {
+      await currentTunnelManager.stop();
+      if (this.dcRouterRef.tunnelManager === currentTunnelManager) {
+        this.dcRouterRef.tunnelManager = undefined;
+      }
+    }
+  }
+
+  private async restartTunnelHubLocked(): Promise<void> {
+    const generation = ++this.generation;
+    const hubSettings = this.dcRouterRef.remoteIngressManager?.getHubSettings();
+    if (!this.dcRouterRef.remoteIngressManager || !hubSettings?.enabled || this.stopping) {
+      return;
+    }
+
+    const currentTunnelManager = this.dcRouterRef.tunnelManager;
+    if (currentTunnelManager) {
+      await currentTunnelManager.stop();
+      if (this.dcRouterRef.tunnelManager === currentTunnelManager) {
+        this.dcRouterRef.tunnelManager = undefined;
+      }
+    }
+
+    if (this.stopping || generation !== this.generation) {
+      return;
+    }
+    await this.startTunnelHubLocked(generation);
+  }
+
+  private async startTunnelHubLocked(generation: number): Promise<void> {
+    const manager = this.dcRouterRef.remoteIngressManager;
+    const hubSettings = manager?.getHubSettings();
+    if (!manager || !hubSettings?.enabled || this.stopping || generation !== this.generation) {
+      return;
+    }
+
+    const firewallConfig = await this.dcRouterRef.securityPolicyManager?.compileRemoteIngressFirewall();
+    if (this.stopping || generation !== this.generation || this.dcRouterRef.remoteIngressManager !== manager) {
+      return;
+    }
+    manager.setFirewallConfig(firewallConfig);
+
+    const tlsConfig = await this.resolveTlsConfig(hubSettings.hubDomain);
+    if (this.stopping || generation !== this.generation || this.dcRouterRef.remoteIngressManager !== manager) {
+      return;
+    }
+
+    const tunnelManager = new TunnelManager(manager, {
+      tunnelPort: hubSettings.tunnelPort,
+      targetHost: '127.0.0.1',
+      tls: tlsConfig,
+      performance: manager.getHubPerformanceConfig(),
+    });
+    try {
+      await tunnelManager.start();
+    } catch (err) {
+      await tunnelManager.stop().catch(() => {});
+      throw err;
+    }
+
+    if (this.stopping || generation !== this.generation || this.dcRouterRef.remoteIngressManager !== manager) {
+      await tunnelManager.stop().catch((err) => {
+        logger.log('warn', `Failed to stop stale RemoteIngress tunnel hub: ${(err as Error).message}`);
+      });
+      return;
+    }
+    this.dcRouterRef.tunnelManager = tunnelManager;
+  }
+
+  private async resolveTlsConfig(
+    hubDomain?: string,
+  ): Promise<{ certPem: string; keyPem: string } | undefined> {
+    // Resolve TLS certs for tunnel: explicit paths > ACME for hubDomain > self-signed (Rust default)
+    let tlsConfig: { certPem: string; keyPem: string } | undefined;
+
+    // Priority 1: Explicit cert/key file paths
+    const explicitTls = this.dcRouterRef.options.remoteIngressConfig?.tls;
+    if (explicitTls?.certPath && explicitTls?.keyPath) {
+      try {
+        const certPem = plugins.fs.readFileSync(explicitTls.certPath, 'utf8');
+        const keyPem = plugins.fs.readFileSync(explicitTls.keyPath, 'utf8');
+        tlsConfig = { certPem, keyPem };
+        logger.log('info', 'Using explicit TLS cert/key for RemoteIngress tunnel');
+      } catch (err: unknown) {
+        logger.log('warn', `Failed to read RemoteIngress TLS cert/key files: ${(err as Error).message}`);
+      }
+    }
+
+    // Priority 2: Existing cert from SmartProxy cert store for hubDomain
+    if (!tlsConfig && hubDomain) {
+      try {
+        const stored = await ProxyCertDoc.findByDomain(hubDomain);
+        if (stored?.publicKey && stored?.privateKey) {
+          tlsConfig = { certPem: stored.publicKey, keyPem: stored.privateKey };
+          logger.log('info', `Using stored ACME cert for RemoteIngress tunnel TLS: ${hubDomain}`);
+        }
+      } catch { /* no stored cert, fall through */ }
+    }
+
+    if (!tlsConfig) {
+      logger.log('info', 'No TLS cert configured for RemoteIngress tunnel — using auto-generated self-signed');
+    }
+
+    return tlsConfig;
+  }
+}

package/ts/remoteingress/classes.remoteingress-manager.ts

@@ -2,7 +2,7 @@ import * as plugins from '../plugins.js';
 import type { IDcRouterRouteConfig, IRemoteIngress, IRemoteIngressHubSettings, IRemoteIngressPerformanceConfig, TRemoteIngressHubSettingsUpdate, TRemoteIngressPerformanceProfile } from '../../ts_interfaces/data/remoteingress.js';
 import { RemoteIngressEdgeDoc, RemoteIngressHubSettingsDoc } from '../db/index.js';
 
-interface IRemoteIngressFirewallConfig {
+export interface IRemoteIngressFirewallConfig {
   blockedIps?: string[];
 }
 

package/ts/remoteingress/index.ts

@@ -1,2 +1,3 @@
 export * from './classes.remoteingress-manager.js';
 export * from './classes.tunnel-manager.js';
+export * from './classes.hub-lifecycle.js';