@serve.zone/dcrouter 15.0.1 → 15.0.2

package/dist_ts/remoteingress/classes.hub-lifecycle.js

@@ -0,0 +1,241 @@
+import * as plugins from '../plugins.js';
+import { logger } from '../logger.js';
+import { ProxyCertDoc } from '../db/index.js';
+import { RemoteIngressManager } from './classes.remoteingress-manager.js';
+import { TunnelManager } from './classes.tunnel-manager.js';
+/**
+ * Generation-guarded lifecycle for the RemoteIngress tunnel hub: serialized
+ * start/stop/restart of the Rust hub, edge mutations, route/firewall pushes,
+ * and hub-settings updates that may require a SmartProxy restart.
+ */
+export class RemoteIngressHubLifecycle {
+    dcRouterRef;
+    lifecycleChain = Promise.resolve();
+    stopping = false;
+    generation = 0;
+    constructor(dcRouterRef) {
+        this.dcRouterRef = dcRouterRef;
+    }
+    async setup() {
+        const remoteIngressManager = this.dcRouterRef.remoteIngressManager;
+        if (!remoteIngressManager) {
+            return;
+        }
+        const hubSettings = remoteIngressManager.getHubSettings();
+        if (!hubSettings.enabled) {
+            logger.log('info', 'Remote Ingress hub is disabled in DB settings');
+            return;
+        }
+        logger.log('info', 'Setting up Remote Ingress hub...');
+        this.stopping = false;
+        const generation = ++this.generation;
+        const firewallConfig = await this.dcRouterRef.securityPolicyManager?.compileRemoteIngressFirewall();
+        if (!this.isGenerationCurrent(generation, remoteIngressManager)) {
+            return;
+        }
+        remoteIngressManager.setFirewallConfig(firewallConfig);
+        // Pass current bootstrap routes so the manager can derive edge ports initially.
+        // Once RouteConfigManager applies the full DB set, the onRoutesApplied callback
+        // will push the complete merged routes here.
+        remoteIngressManager.setRoutes(this.dcRouterRef.getRemoteIngressBootstrapRoutes());
+        // If ConfigManagers finished before us, re-apply routes
+        // so the callback delivers the full DB set to our newly-created remoteIngressManager.
+        if (this.dcRouterRef.routeConfigManager) {
+            await this.dcRouterRef.routeConfigManager.applyRoutes();
+        }
+        if (!this.isGenerationCurrent(generation, remoteIngressManager)) {
+            return;
+        }
+        await this.queueTask(async () => {
+            await this.startTunnelHubLocked(generation);
+        });
+        if (!this.isGenerationCurrent(generation, remoteIngressManager)) {
+            return;
+        }
+        const edgeCount = remoteIngressManager.getAllEdges().length;
+        logger.log('info', `Remote Ingress hub started on port ${hubSettings.tunnelPort} with ${edgeCount} registered edge(s)`);
+    }
+    async stop() {
+        this.stopping = true;
+        this.generation++;
+        await this.queueTask(async () => {
+            const currentTunnelManager = this.dcRouterRef.tunnelManager;
+            if (currentTunnelManager) {
+                await currentTunnelManager.stop();
+                if (this.dcRouterRef.tunnelManager === currentTunnelManager) {
+                    this.dcRouterRef.tunnelManager = undefined;
+                }
+            }
+        });
+    }
+    async mutateEdges(mutation, syncAllowedEdges = true) {
+        return await this.queueTask(async () => {
+            if (this.stopping) {
+                throw new Error('RemoteIngress is stopping');
+            }
+            const manager = this.dcRouterRef.remoteIngressManager;
+            if (!manager) {
+                throw new Error('RemoteIngress not configured');
+            }
+            const result = await mutation(manager);
+            if (syncAllowedEdges && this.dcRouterRef.tunnelManager) {
+                await this.dcRouterRef.tunnelManager.syncAllowedEdges();
+            }
+            return result;
+        });
+    }
+    async updateRoutes(routes) {
+        await this.queueTask(async () => {
+            if (this.stopping)
+                return;
+            if (this.dcRouterRef.remoteIngressManager) {
+                this.dcRouterRef.remoteIngressManager.setRoutes(routes);
+            }
+            if (this.dcRouterRef.tunnelManager) {
+                await this.dcRouterRef.tunnelManager.syncAllowedEdges();
+            }
+        });
+    }
+    async applyFirewallConfig(firewallConfig) {
+        await this.queueTask(async () => {
+            if (this.stopping)
+                return;
+            if (this.dcRouterRef.remoteIngressManager) {
+                this.dcRouterRef.remoteIngressManager.setFirewallConfig(firewallConfig);
+            }
+            if (this.dcRouterRef.tunnelManager) {
+                await this.dcRouterRef.tunnelManager.syncAllowedEdges();
+            }
+        });
+    }
+    async updateHubSettings(updates, updatedBy) {
+        const manager = this.dcRouterRef.remoteIngressManager;
+        if (!manager) {
+            throw new Error('RemoteIngress is not configured');
+        }
+        const previousSettings = manager.getHubSettings();
+        const settings = await manager.updateHubSettings(updates, updatedBy);
+        const enabledChanged = previousSettings.enabled !== settings.enabled;
+        if (!settings.enabled) {
+            await this.queueTask(async () => {
+                await this.stopTunnelHubLocked();
+            });
+        }
+        if (enabledChanged) {
+            await this.dcRouterRef.restartSmartProxyForRemoteIngressSettings();
+        }
+        if (settings.enabled) {
+            await this.queueTask(async () => {
+                await this.restartTunnelHubLocked();
+            });
+        }
+        return settings;
+    }
+    isGenerationCurrent(generation, manager) {
+        return !this.stopping
+            && generation === this.generation
+            && this.dcRouterRef.remoteIngressManager === manager;
+    }
+    queueTask(task) {
+        const run = this.lifecycleChain.then(task);
+        this.lifecycleChain = run.then(() => undefined, () => undefined);
+        return run;
+    }
+    async stopTunnelHubLocked() {
+        this.generation++;
+        const currentTunnelManager = this.dcRouterRef.tunnelManager;
+        if (currentTunnelManager) {
+            await currentTunnelManager.stop();
+            if (this.dcRouterRef.tunnelManager === currentTunnelManager) {
+                this.dcRouterRef.tunnelManager = undefined;
+            }
+        }
+    }
+    async restartTunnelHubLocked() {
+        const generation = ++this.generation;
+        const hubSettings = this.dcRouterRef.remoteIngressManager?.getHubSettings();
+        if (!this.dcRouterRef.remoteIngressManager || !hubSettings?.enabled || this.stopping) {
+            return;
+        }
+        const currentTunnelManager = this.dcRouterRef.tunnelManager;
+        if (currentTunnelManager) {
+            await currentTunnelManager.stop();
+            if (this.dcRouterRef.tunnelManager === currentTunnelManager) {
+                this.dcRouterRef.tunnelManager = undefined;
+            }
+        }
+        if (this.stopping || generation !== this.generation) {
+            return;
+        }
+        await this.startTunnelHubLocked(generation);
+    }
+    async startTunnelHubLocked(generation) {
+        const manager = this.dcRouterRef.remoteIngressManager;
+        const hubSettings = manager?.getHubSettings();
+        if (!manager || !hubSettings?.enabled || this.stopping || generation !== this.generation) {
+            return;
+        }
+        const firewallConfig = await this.dcRouterRef.securityPolicyManager?.compileRemoteIngressFirewall();
+        if (this.stopping || generation !== this.generation || this.dcRouterRef.remoteIngressManager !== manager) {
+            return;
+        }
+        manager.setFirewallConfig(firewallConfig);
+        const tlsConfig = await this.resolveTlsConfig(hubSettings.hubDomain);
+        if (this.stopping || generation !== this.generation || this.dcRouterRef.remoteIngressManager !== manager) {
+            return;
+        }
+        const tunnelManager = new TunnelManager(manager, {
+            tunnelPort: hubSettings.tunnelPort,
+            targetHost: '127.0.0.1',
+            tls: tlsConfig,
+            performance: manager.getHubPerformanceConfig(),
+        });
+        try {
+            await tunnelManager.start();
+        }
+        catch (err) {
+            await tunnelManager.stop().catch(() => { });
+            throw err;
+        }
+        if (this.stopping || generation !== this.generation || this.dcRouterRef.remoteIngressManager !== manager) {
+            await tunnelManager.stop().catch((err) => {
+                logger.log('warn', `Failed to stop stale RemoteIngress tunnel hub: ${err.message}`);
+            });
+            return;
+        }
+        this.dcRouterRef.tunnelManager = tunnelManager;
+    }
+    async resolveTlsConfig(hubDomain) {
+        // Resolve TLS certs for tunnel: explicit paths > ACME for hubDomain > self-signed (Rust default)
+        let tlsConfig;
+        // Priority 1: Explicit cert/key file paths
+        const explicitTls = this.dcRouterRef.options.remoteIngressConfig?.tls;
+        if (explicitTls?.certPath && explicitTls?.keyPath) {
+            try {
+                const certPem = plugins.fs.readFileSync(explicitTls.certPath, 'utf8');
+                const keyPem = plugins.fs.readFileSync(explicitTls.keyPath, 'utf8');
+                tlsConfig = { certPem, keyPem };
+                logger.log('info', 'Using explicit TLS cert/key for RemoteIngress tunnel');
+            }
+            catch (err) {
+                logger.log('warn', `Failed to read RemoteIngress TLS cert/key files: ${err.message}`);
+            }
+        }
+        // Priority 2: Existing cert from SmartProxy cert store for hubDomain
+        if (!tlsConfig && hubDomain) {
+            try {
+                const stored = await ProxyCertDoc.findByDomain(hubDomain);
+                if (stored?.publicKey && stored?.privateKey) {
+                    tlsConfig = { certPem: stored.publicKey, keyPem: stored.privateKey };
+                    logger.log('info', `Using stored ACME cert for RemoteIngress tunnel TLS: ${hubDomain}`);
+                }
+            }
+            catch { /* no stored cert, fall through */ }
+        }
+        if (!tlsConfig) {
+            logger.log('info', 'No TLS cert configured for RemoteIngress tunnel — using auto-generated self-signed');
+        }
+        return tlsConfig;
+    }
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY2xhc3Nlcy5odWItbGlmZWN5Y2xlLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vdHMvcmVtb3RlaW5ncmVzcy9jbGFzc2VzLmh1Yi1saWZlY3ljbGUudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBQUEsT0FBTyxLQUFLLE9BQU8sTUFBTSxlQUFlLENBQUM7QUFDekMsT0FBTyxFQUFFLE1BQU0sRUFBRSxNQUFNLGNBQWMsQ0FBQztBQUN0QyxPQUFPLEVBQUUsWUFBWSxFQUFFLE1BQU0sZ0JBQWdCLENBQUM7QUFDOUMsT0FBTyxFQUFFLG9CQUFvQixFQUFxQyxNQUFNLG9DQUFvQyxDQUFDO0FBQzdHLE9BQU8sRUFBRSxhQUFhLEVBQUUsTUFBTSw2QkFBNkIsQ0FBQztBQUk1RDs7OztHQUlHO0FBQ0gsTUFBTSxPQUFPLHlCQUF5QjtJQUtoQjtJQUpaLGNBQWMsR0FBa0IsT0FBTyxDQUFDLE9BQU8sRUFBRSxDQUFDO0lBQ2xELFFBQVEsR0FBRyxLQUFLLENBQUM7SUFDakIsVUFBVSxHQUFHLENBQUMsQ0FBQztJQUV2QixZQUFvQixXQUFxQjtRQUFyQixnQkFBVyxHQUFYLFdBQVcsQ0FBVTtJQUFHLENBQUM7SUFFdEMsS0FBSyxDQUFDLEtBQUs7UUFDaEIsTUFBTSxvQkFBb0IsR0FBRyxJQUFJLENBQUMsV0FBVyxDQUFDLG9CQUFvQixDQUFDO1FBQ25FLElBQUksQ0FBQyxvQkFBb0IsRUFBRSxDQUFDO1lBQzFCLE9BQU87UUFDVCxDQUFDO1FBRUQsTUFBTSxXQUFXLEdBQUcsb0JBQW9CLENBQUMsY0FBYyxFQUFFLENBQUM7UUFDMUQsSUFBSSxDQUFDLFdBQVcsQ0FBQyxPQUFPLEVBQUUsQ0FBQztZQUN6QixNQUFNLENBQUMsR0FBRyxDQUFDLE1BQU0sRUFBRSwrQ0FBK0MsQ0FBQyxDQUFDO1lBQ3BFLE9BQU87UUFDVCxDQUFDO1FBRUQsTUFBTSxDQUFDLEdBQUcsQ0FBQyxNQUFNLEVBQUUsa0NBQWtDLENBQUMsQ0FBQztRQUN2RCxJQUFJLENBQUMsUUFBUSxHQUFHLEtBQUssQ0FBQztRQUN0QixNQUFNLFVBQVUsR0FBRyxFQUFFLElBQUksQ0FBQyxVQUFVLENBQUM7UUFFckMsTUFBTSxjQUFjLEdBQUcsTUFBTSxJQUFJLENBQUMsV0FBVyxDQUFDLHFCQUFxQixFQUFFLDRCQUE0QixFQUFFLENBQUM7UUFDcEcsSUFBSSxDQUFDLElBQUksQ0FBQyxtQkFBbUIsQ0FBQyxVQUFVLEVBQUUsb0JBQW9CLENBQUMsRUFBRSxDQUFDO1lBQ2hFLE9BQU87UUFDVCxDQUFDO1FBQ0Qsb0JBQW9CLENBQUMsaUJBQWlCLENBQUMsY0FBYyxDQUFDLENBQUM7UUFFdkQsZ0ZBQWdGO1FBQ2hGLGdGQUFnRjtRQUNoRiw2Q0FBNkM7UUFDN0Msb0JBQW9CLENBQUMsU0FBUyxDQUFDLElBQUksQ0FBQyxXQUFXLENBQUMsK0JBQStCLEVBQVcsQ0FBQyxDQUFDO1FBRTVGLHdEQUF3RDtRQUN4RCxzRkFBc0Y7UUFDdEYsSUFBSSxJQUFJLENBQUMsV0FBVyxDQUFDLGtCQUFrQixFQUFFLENBQUM7WUFDeEMsTUFBTSxJQUFJLENBQUMsV0FBVyxDQUFDLGtCQUFrQixDQUFDLFdBQVcsRUFBRSxDQUFDO1FBQzFELENBQUM7UUFDRCxJQUFJLENBQUMsSUFBSSxDQUFDLG1CQUFtQixDQUFDLFVBQVUsRUFBRSxvQkFBb0IsQ0FBQyxFQUFFLENBQUM7WUFDaEUsT0FBTztRQUNULENBQUM7UUFFRCxNQUFNLElBQUksQ0FBQyxTQUFTLENBQUMsS0FBSyxJQUFJLEVBQUU7WUFDOUIsTUFBTSxJQUFJLENBQUMsb0JBQW9CLENBQUMsVUFBVSxDQUFDLENBQUM7UUFDOUMsQ0FBQyxDQUFDLENBQUM7UUFDSCxJQUFJLENBQUMsSUFBSSxDQUFDLG1CQUFtQixDQUFDLFVBQVUsRUFBRSxvQkFBb0IsQ0FBQyxFQUFFLENBQUM7WUFDaEUsT0FBTztRQUNULENBQUM7UUFFRCxNQUFNLFNBQVMsR0FBRyxvQkFBb0IsQ0FBQyxXQUFXLEVBQUUsQ0FBQyxNQUFNLENBQUM7UUFDNUQsTUFBTSxDQUFDLEdBQUcsQ0FBQyxNQUFNLEVBQUUsc0NBQXNDLFdBQVcsQ0FBQyxVQUFVLFNBQVMsU0FBUyxxQkFBcUIsQ0FBQyxDQUFDO0lBQzFILENBQUM7SUFFTSxLQUFLLENBQUMsSUFBSTtRQUNmLElBQUksQ0FBQyxRQUFRLEdBQUcsSUFBSSxDQUFDO1FBQ3JCLElBQUksQ0FBQyxVQUFVLEVBQUUsQ0FBQztRQUNsQixNQUFNLElBQUksQ0FBQyxTQUFTLENBQUMsS0FBSyxJQUFJLEVBQUU7WUFDOUIsTUFBTSxvQkFBb0IsR0FBRyxJQUFJLENBQUMsV0FBVyxDQUFDLGFBQWEsQ0FBQztZQUM1RCxJQUFJLG9CQUFvQixFQUFFLENBQUM7Z0JBQ3pCLE1BQU0sb0JBQW9CLENBQUMsSUFBSSxFQUFFLENBQUM7Z0JBQ2xDLElBQUksSUFBSSxDQUFDLFdBQVcsQ0FBQyxhQUFhLEtBQUssb0JBQW9CLEVBQUUsQ0FBQztvQkFDNUQsSUFBSSxDQUFDLFdBQVcsQ0FBQyxhQUFhLEdBQUcsU0FBUyxDQUFDO2dCQUM3QyxDQUFDO1lBQ0gsQ0FBQztRQUNILENBQUMsQ0FBQyxDQUFDO0lBQ0wsQ0FBQztJQUVNLEtBQUssQ0FBQyxXQUFXLENBQ3RCLFFBQXVELEVBQ3ZELGdCQUFnQixHQUFHLElBQUk7UUFFdkIsT0FBTyxNQUFNLElBQUksQ0FBQyxTQUFTLENBQUMsS0FBSyxJQUFJLEVBQUU7WUFDckMsSUFBSSxJQUFJLENBQUMsUUFBUSxFQUFFLENBQUM7Z0JBQ2xCLE1BQU0sSUFBSSxLQUFLLENBQUMsMkJBQTJCLENBQUMsQ0FBQztZQUMvQyxDQUFDO1lBQ0QsTUFBTSxPQUFPLEdBQUcsSUFBSSxDQUFDLFdBQVcsQ0FBQyxvQkFBb0IsQ0FBQztZQUN0RCxJQUFJLENBQUMsT0FBTyxFQUFFLENBQUM7Z0JBQ2IsTUFBTSxJQUFJLEtBQUssQ0FBQyw4QkFBOEIsQ0FBQyxDQUFDO1lBQ2xELENBQUM7WUFDRCxNQUFNLE1BQU0sR0FBRyxNQUFNLFFBQVEsQ0FBQyxPQUFPLENBQUMsQ0FBQztZQUN2QyxJQUFJLGdCQUFnQixJQUFJLElBQUksQ0FBQyxXQUFXLENBQUMsYUFBYSxFQUFFLENBQUM7Z0JBQ3ZELE1BQU0sSUFBSSxDQUFDLFdBQVcsQ0FBQyxhQUFhLENBQUMsZ0JBQWdCLEVBQUUsQ0FBQztZQUMxRCxDQUFDO1lBQ0QsT0FBTyxNQUFNLENBQUM7UUFDaEIsQ0FBQyxDQUFDLENBQUM7SUFDTCxDQUFDO0lBRU0sS0FBSyxDQUFDLFlBQVksQ0FBQyxNQUE4QjtRQUN0RCxNQUFNLElBQUksQ0FBQyxTQUFTLENBQUMsS0FBSyxJQUFJLEVBQUU7WUFDOUIsSUFBSSxJQUFJLENBQUMsUUFBUTtnQkFBRSxPQUFPO1lBQzFCLElBQUksSUFBSSxDQUFDLFdBQVcsQ0FBQyxvQkFBb0IsRUFBRSxDQUFDO2dCQUMxQyxJQUFJLENBQUMsV0FBVyxDQUFDLG9CQUFvQixDQUFDLFNBQVMsQ0FBQyxNQUFNLENBQUMsQ0FBQztZQUMxRCxDQUFDO1lBQ0QsSUFBSSxJQUFJLENBQUMsV0FBVyxDQUFDLGFBQWEsRUFBRSxDQUFDO2dCQUNuQyxNQUFNLElBQUksQ0FBQyxXQUFXLENBQUMsYUFBYSxDQUFDLGdCQUFnQixFQUFFLENBQUM7WUFDMUQsQ0FBQztRQUNILENBQUMsQ0FBQyxDQUFDO0lBQ0wsQ0FBQztJQUVNLEtBQUssQ0FBQyxtQkFBbUIsQ0FBQyxjQUF3RDtRQUN2RixNQUFNLElBQUksQ0FBQyxTQUFTLENBQUMsS0FBSyxJQUFJLEVBQUU7WUFDOUIsSUFBSSxJQUFJLENBQUMsUUFBUTtnQkFBRSxPQUFPO1lBQzFCLElBQUksSUFBSSxDQUFDLFdBQVcsQ0FBQyxvQkFBb0IsRUFBRSxDQUFDO2dCQUMxQyxJQUFJLENBQUMsV0FBVyxDQUFDLG9CQUFvQixDQUFDLGlCQUFpQixDQUFDLGNBQWMsQ0FBQyxDQUFDO1lBQzFFLENBQUM7WUFDRCxJQUFJLElBQUksQ0FBQyxXQUFXLENBQUMsYUFBYSxFQUFFLENBQUM7Z0JBQ25DLE1BQU0sSUFBSSxDQUFDLFdBQVcsQ0FBQyxhQUFhLENBQUMsZ0JBQWdCLEVBQUUsQ0FBQztZQUMxRCxDQUFDO1FBQ0gsQ0FBQyxDQUFDLENBQUM7SUFDTCxDQUFDO0lBRU0sS0FBSyxDQUFDLGlCQUFpQixDQUM1QixPQUF3QyxFQUN4QyxTQUFpQjtRQUVqQixNQUFNLE9BQU8sR0FBRyxJQUFJLENBQUMsV0FBVyxDQUFDLG9CQUFvQixDQUFDO1FBQ3RELElBQUksQ0FBQyxPQUFPLEVBQUUsQ0FBQztZQUNiLE1BQU0sSUFBSSxLQUFLLENBQUMsaUNBQWlDLENBQUMsQ0FBQztRQUNyRCxDQUFDO1FBRUQsTUFBTSxnQkFBZ0IsR0FBRyxPQUFPLENBQUMsY0FBYyxFQUFFLENBQUM7UUFDbEQsTUFBTSxRQUFRLEdBQUcsTUFBTSxPQUFPLENBQUMsaUJBQWlCLENBQUMsT0FBTyxFQUFFLFNBQVMsQ0FBQyxDQUFDO1FBQ3JFLE1BQU0sY0FBYyxHQUFHLGdCQUFnQixDQUFDLE9BQU8sS0FBSyxRQUFRLENBQUMsT0FBTyxDQUFDO1FBRXJFLElBQUksQ0FBQyxRQUFRLENBQUMsT0FBTyxFQUFFLENBQUM7WUFDdEIsTUFBTSxJQUFJLENBQUMsU0FBUyxDQUFDLEtBQUssSUFBSSxFQUFFO2dCQUM5QixNQUFNLElBQUksQ0FBQyxtQkFBbUIsRUFBRSxDQUFDO1lBQ25DLENBQUMsQ0FBQyxDQUFDO1FBQ0wsQ0FBQztRQUVELElBQUksY0FBYyxFQUFFLENBQUM7WUFDbkIsTUFBTSxJQUFJLENBQUMsV0FBVyxDQUFDLHlDQUF5QyxFQUFFLENBQUM7UUFDckUsQ0FBQztRQUVELElBQUksUUFBUSxDQUFDLE9BQU8sRUFBRSxDQUFDO1lBQ3JCLE1BQU0sSUFBSSxDQUFDLFNBQVMsQ0FBQyxLQUFLLElBQUksRUFBRTtnQkFDOUIsTUFBTSxJQUFJLENBQUMsc0JBQXNCLEVBQUUsQ0FBQztZQUN0QyxDQUFDLENBQUMsQ0FBQztRQUNMLENBQUM7UUFFRCxPQUFPLFFBQVEsQ0FBQztJQUNsQixDQUFDO0lBRU8sbUJBQW1CLENBQUMsVUFBa0IsRUFBRSxPQUE2QjtRQUMzRSxPQUFPLENBQUMsSUFBSSxDQUFDLFFBQVE7ZUFDaEIsVUFBVSxLQUFLLElBQUksQ0FBQyxVQUFVO2VBQzlCLElBQUksQ0FBQyxXQUFXLENBQUMsb0JBQW9CLEtBQUssT0FBTyxDQUFDO0lBQ3pELENBQUM7SUFFTyxTQUFTLENBQUksSUFBc0I7UUFDekMsTUFBTSxHQUFHLEdBQUcsSUFBSSxDQUFDLGNBQWMsQ0FBQyxJQUFJLENBQUMsSUFBSSxDQUFDLENBQUM7UUFDM0MsSUFBSSxDQUFDLGNBQWMsR0FBRyxHQUFHLENBQUMsSUFBSSxDQUFDLEdBQUcsRUFBRSxDQUFDLFNBQVMsRUFBRSxHQUFHLEVBQUUsQ0FBQyxTQUFTLENBQUMsQ0FBQztRQUNqRSxPQUFPLEdBQUcsQ0FBQztJQUNiLENBQUM7SUFFTyxLQUFLLENBQUMsbUJBQW1CO1FBQy9CLElBQUksQ0FBQyxVQUFVLEVBQUUsQ0FBQztRQUNsQixNQUFNLG9CQUFvQixHQUFHLElBQUksQ0FBQyxXQUFXLENBQUMsYUFBYSxDQUFDO1FBQzVELElBQUksb0JBQW9CLEVBQUUsQ0FBQztZQUN6QixNQUFNLG9CQUFvQixDQUFDLElBQUksRUFBRSxDQUFDO1lBQ2xDLElBQUksSUFBSSxDQUFDLFdBQVcsQ0FBQyxhQUFhLEtBQUssb0JBQW9CLEVBQUUsQ0FBQztnQkFDNUQsSUFBSSxDQUFDLFdBQVcsQ0FBQyxhQUFhLEdBQUcsU0FBUyxDQUFDO1lBQzdDLENBQUM7UUFDSCxDQUFDO0lBQ0gsQ0FBQztJQUVPLEtBQUssQ0FBQyxzQkFBc0I7UUFDbEMsTUFBTSxVQUFVLEdBQUcsRUFBRSxJQUFJLENBQUMsVUFBVSxDQUFDO1FBQ3JDLE1BQU0sV0FBVyxHQUFHLElBQUksQ0FBQyxXQUFXLENBQUMsb0JBQW9CLEVBQUUsY0FBYyxFQUFFLENBQUM7UUFDNUUsSUFBSSxDQUFDLElBQUksQ0FBQyxXQUFXLENBQUMsb0JBQW9CLElBQUksQ0FBQyxXQUFXLEVBQUUsT0FBTyxJQUFJLElBQUksQ0FBQyxRQUFRLEVBQUUsQ0FBQztZQUNyRixPQUFPO1FBQ1QsQ0FBQztRQUVELE1BQU0sb0JBQW9CLEdBQUcsSUFBSSxDQUFDLFdBQVcsQ0FBQyxhQUFhLENBQUM7UUFDNUQsSUFBSSxvQkFBb0IsRUFBRSxDQUFDO1lBQ3pCLE1BQU0sb0JBQW9CLENBQUMsSUFBSSxFQUFFLENBQUM7WUFDbEMsSUFBSSxJQUFJLENBQUMsV0FBVyxDQUFDLGFBQWEsS0FBSyxvQkFBb0IsRUFBRSxDQUFDO2dCQUM1RCxJQUFJLENBQUMsV0FBVyxDQUFDLGFBQWEsR0FBRyxTQUFTLENBQUM7WUFDN0MsQ0FBQztRQUNILENBQUM7UUFFRCxJQUFJLElBQUksQ0FBQyxRQUFRLElBQUksVUFBVSxLQUFLLElBQUksQ0FBQyxVQUFVLEVBQUUsQ0FBQztZQUNwRCxPQUFPO1FBQ1QsQ0FBQztRQUNELE1BQU0sSUFBSSxDQUFDLG9CQUFvQixDQUFDLFVBQVUsQ0FBQyxDQUFDO0lBQzlDLENBQUM7SUFFTyxLQUFLLENBQUMsb0JBQW9CLENBQUMsVUFBa0I7UUFDbkQsTUFBTSxPQUFPLEdBQUcsSUFBSSxDQUFDLFdBQVcsQ0FBQyxvQkFBb0IsQ0FBQztRQUN0RCxNQUFNLFdBQVcsR0FBRyxPQUFPLEVBQUUsY0FBYyxFQUFFLENBQUM7UUFDOUMsSUFBSSxDQUFDLE9BQU8sSUFBSSxDQUFDLFdBQVcsRUFBRSxPQUFPLElBQUksSUFBSSxDQUFDLFFBQVEsSUFBSSxVQUFVLEtBQUssSUFBSSxDQUFDLFVBQVUsRUFBRSxDQUFDO1lBQ3pGLE9BQU87UUFDVCxDQUFDO1FBRUQsTUFBTSxjQUFjLEdBQUcsTUFBTSxJQUFJLENBQUMsV0FBVyxDQUFDLHFCQUFxQixFQUFFLDRCQUE0QixFQUFFLENBQUM7UUFDcEcsSUFBSSxJQUFJLENBQUMsUUFBUSxJQUFJLFVBQVUsS0FBSyxJQUFJLENBQUMsVUFBVSxJQUFJLElBQUksQ0FBQyxXQUFXLENBQUMsb0JBQW9CLEtBQUssT0FBTyxFQUFFLENBQUM7WUFDekcsT0FBTztRQUNULENBQUM7UUFDRCxPQUFPLENBQUMsaUJBQWlCLENBQUMsY0FBYyxDQUFDLENBQUM7UUFFMUMsTUFBTSxTQUFTLEdBQUcsTUFBTSxJQUFJLENBQUMsZ0JBQWdCLENBQUMsV0FBVyxDQUFDLFNBQVMsQ0FBQyxDQUFDO1FBQ3JFLElBQUksSUFBSSxDQUFDLFFBQVEsSUFBSSxVQUFVLEtBQUssSUFBSSxDQUFDLFVBQVUsSUFBSSxJQUFJLENBQUMsV0FBVyxDQUFDLG9CQUFvQixLQUFLLE9BQU8sRUFBRSxDQUFDO1lBQ3pHLE9BQU87UUFDVCxDQUFDO1FBRUQsTUFBTSxhQUFhLEdBQUcsSUFBSSxhQUFhLENBQUMsT0FBTyxFQUFFO1lBQy9DLFVBQVUsRUFBRSxXQUFXLENBQUMsVUFBVTtZQUNsQyxVQUFVLEVBQUUsV0FBVztZQUN2QixHQUFHLEVBQUUsU0FBUztZQUNkLFdBQVcsRUFBRSxPQUFPLENBQUMsdUJBQXVCLEVBQUU7U0FDL0MsQ0FBQyxDQUFDO1FBQ0gsSUFBSSxDQUFDO1lBQ0gsTUFBTSxhQUFhLENBQUMsS0FBSyxFQUFFLENBQUM7UUFDOUIsQ0FBQztRQUFDLE9BQU8sR0FBRyxFQUFFLENBQUM7WUFDYixNQUFNLGFBQWEsQ0FBQyxJQUFJLEVBQUUsQ0FBQyxLQUFLLENBQUMsR0FBRyxFQUFFLEdBQUUsQ0FBQyxDQUFDLENBQUM7WUFDM0MsTUFBTSxHQUFHLENBQUM7UUFDWixDQUFDO1FBRUQsSUFBSSxJQUFJLENBQUMsUUFBUSxJQUFJLFVBQVUsS0FBSyxJQUFJLENBQUMsVUFBVSxJQUFJLElBQUksQ0FBQyxXQUFXLENBQUMsb0JBQW9CLEtBQUssT0FBTyxFQUFFLENBQUM7WUFDekcsTUFBTSxhQUFhLENBQUMsSUFBSSxFQUFFLENBQUMsS0FBSyxDQUFDLENBQUMsR0FBRyxFQUFFLEVBQUU7Z0JBQ3ZDLE1BQU0sQ0FBQyxHQUFHLENBQUMsTUFBTSxFQUFFLGtEQUFtRCxHQUFhLENBQUMsT0FBTyxFQUFFLENBQUMsQ0FBQztZQUNqRyxDQUFDLENBQUMsQ0FBQztZQUNILE9BQU87UUFDVCxDQUFDO1FBQ0QsSUFBSSxDQUFDLFdBQVcsQ0FBQyxhQUFhLEdBQUcsYUFBYSxDQUFDO0lBQ2pELENBQUM7SUFFTyxLQUFLLENBQUMsZ0JBQWdCLENBQzVCLFNBQWtCO1FBRWxCLGlHQUFpRztRQUNqRyxJQUFJLFNBQTBELENBQUM7UUFFL0QsMkNBQTJDO1FBQzNDLE1BQU0sV0FBVyxHQUFHLElBQUksQ0FBQyxXQUFXLENBQUMsT0FBTyxDQUFDLG1CQUFtQixFQUFFLEdBQUcsQ0FBQztRQUN0RSxJQUFJLFdBQVcsRUFBRSxRQUFRLElBQUksV0FBVyxFQUFFLE9BQU8sRUFBRSxDQUFDO1lBQ2xELElBQUksQ0FBQztnQkFDSCxNQUFNLE9BQU8sR0FBRyxPQUFPLENBQUMsRUFBRSxDQUFDLFlBQVksQ0FBQyxXQUFXLENBQUMsUUFBUSxFQUFFLE1BQU0sQ0FBQyxDQUFDO2dCQUN0RSxNQUFNLE1BQU0sR0FBRyxPQUFPLENBQUMsRUFBRSxDQUFDLFlBQVksQ0FBQyxXQUFXLENBQUMsT0FBTyxFQUFFLE1BQU0sQ0FBQyxDQUFDO2dCQUNwRSxTQUFTLEdBQUcsRUFBRSxPQUFPLEVBQUUsTUFBTSxFQUFFLENBQUM7Z0JBQ2hDLE1BQU0sQ0FBQyxHQUFHLENBQUMsTUFBTSxFQUFFLHNEQUFzRCxDQUFDLENBQUM7WUFDN0UsQ0FBQztZQUFDLE9BQU8sR0FBWSxFQUFFLENBQUM7Z0JBQ3RCLE1BQU0sQ0FBQyxHQUFHLENBQUMsTUFBTSxFQUFFLG9EQUFxRCxHQUFhLENBQUMsT0FBTyxFQUFFLENBQUMsQ0FBQztZQUNuRyxDQUFDO1FBQ0gsQ0FBQztRQUVELHFFQUFxRTtRQUNyRSxJQUFJLENBQUMsU0FBUyxJQUFJLFNBQVMsRUFBRSxDQUFDO1lBQzVCLElBQUksQ0FBQztnQkFDSCxNQUFNLE1BQU0sR0FBRyxNQUFNLFlBQVksQ0FBQyxZQUFZLENBQUMsU0FBUyxDQUFDLENBQUM7Z0JBQzFELElBQUksTUFBTSxFQUFFLFNBQVMsSUFBSSxNQUFNLEVBQUUsVUFBVSxFQUFFLENBQUM7b0JBQzVDLFNBQVMsR0FBRyxFQUFFLE9BQU8sRUFBRSxNQUFNLENBQUMsU0FBUyxFQUFFLE1BQU0sRUFBRSxNQUFNLENBQUMsVUFBVSxFQUFFLENBQUM7b0JBQ3JFLE1BQU0sQ0FBQyxHQUFHLENBQUMsTUFBTSxFQUFFLHdEQUF3RCxTQUFTLEVBQUUsQ0FBQyxDQUFDO2dCQUMxRixDQUFDO1lBQ0gsQ0FBQztZQUFDLE1BQU0sQ0FBQyxDQUFDLGtDQUFrQyxDQUFDLENBQUM7UUFDaEQsQ0FBQztRQUVELElBQUksQ0FBQyxTQUFTLEVBQUUsQ0FBQztZQUNmLE1BQU0sQ0FBQyxHQUFHLENBQUMsTUFBTSxFQUFFLG9GQUFvRixDQUFDLENBQUM7UUFDM0csQ0FBQztRQUVELE9BQU8sU0FBUyxDQUFDO0lBQ25CLENBQUM7Q0FDRiJ9

package/dist_ts/remoteingress/classes.remoteingress-manager.d.ts

@@ -1,5 +1,5 @@
 import type { IDcRouterRouteConfig, IRemoteIngress, IRemoteIngressHubSettings, IRemoteIngressPerformanceConfig, TRemoteIngressHubSettingsUpdate } from '../../dist_ts_interfaces/data/remoteingress.js';
-interface IRemoteIngressFirewallConfig {
+export interface IRemoteIngressFirewallConfig {
     blockedIps?: string[];
 }
 /**
@@ -109,4 +109,3 @@ export declare class RemoteIngressManager {
     private normalizePerformanceConfig;
     private toHubSettings;
 }
-export {};

package/dist_ts/remoteingress/index.d.ts

@@ -1,2 +1,3 @@
 export * from './classes.remoteingress-manager.js';
 export * from './classes.tunnel-manager.js';
+export * from './classes.hub-lifecycle.js';

package/dist_ts/remoteingress/index.js

@@ -1,3 +1,4 @@
 export * from './classes.remoteingress-manager.js';
 export * from './classes.tunnel-manager.js';
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi90cy9yZW1vdGVpbmdyZXNzL2luZGV4LnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBLGNBQWMsb0NBQW9DLENBQUM7QUFDbkQsY0FBYyw2QkFBNkIsQ0FBQyJ9
+export * from './classes.hub-lifecycle.js';
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi90cy9yZW1vdGVpbmdyZXNzL2luZGV4LnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBLGNBQWMsb0NBQW9DLENBQUM7QUFDbkQsY0FBYyw2QkFBNkIsQ0FBQztBQUM1QyxjQUFjLDRCQUE0QixDQUFDIn0=

package/dist_ts/security/classes.route-policy-augmenter.d.ts

@@ -0,0 +1,22 @@
+import * as plugins from '../plugins.js';
+import type { ISecurityCompiledPolicy } from '../../dist_ts_interfaces/data/security-policy.js';
+import type { DcRouter } from '../classes.dcrouter.js';
+/**
+ * Pure route-policy transformations applied before routes reach SmartProxy:
+ * per-listener inbound PROXY protocol policies (driven by RemoteIngress and
+ * VPN) and merging of compiled security policies.
+ */
+export declare class RoutePolicyAugmenter {
+    private dcRouterRef;
+    constructor(dcRouterRef: DcRouter);
+    /**
+     * Ensure every route on a shared listener carries a compatible
+     * inboundProxyProtocol policy, deriving defaults from RemoteIngress/VPN.
+     */
+    applyInboundProxyProtocolPolicies(routes: plugins.smartproxy.IRouteConfig[]): plugins.smartproxy.IRouteConfig[];
+    /** Union blocked IPs/CIDRs across configured and compiled security policies. */
+    mergeSecurityPolicies(...policies: Array<Partial<ISecurityCompiledPolicy> | undefined>): ISecurityCompiledPolicy | undefined;
+    private getDesiredInboundProxyProtocolPolicy;
+    private getInboundProxyListenerKeys;
+    private mergeInboundProxyProtocolPolicies;
+}

package/dist_ts/security/classes.route-policy-augmenter.js

@@ -0,0 +1,120 @@
+import * as plugins from '../plugins.js';
+/**
+ * Pure route-policy transformations applied before routes reach SmartProxy:
+ * per-listener inbound PROXY protocol policies (driven by RemoteIngress and
+ * VPN) and merging of compiled security policies.
+ */
+export class RoutePolicyAugmenter {
+    dcRouterRef;
+    constructor(dcRouterRef) {
+        this.dcRouterRef = dcRouterRef;
+    }
+    /**
+     * Ensure every route on a shared listener carries a compatible
+     * inboundProxyProtocol policy, deriving defaults from RemoteIngress/VPN.
+     */
+    applyInboundProxyProtocolPolicies(routes) {
+        const policiesByListener = new Map();
+        for (const route of routes) {
+            const policy = route.match?.inboundProxyProtocol || this.getDesiredInboundProxyProtocolPolicy(route);
+            if (!policy) {
+                continue;
+            }
+            for (const listenerKey of this.getInboundProxyListenerKeys(route)) {
+                const mergedPolicy = this.mergeInboundProxyProtocolPolicies(policiesByListener.get(listenerKey), policy);
+                if (mergedPolicy) {
+                    policiesByListener.set(listenerKey, mergedPolicy);
+                }
+            }
+        }
+        if (policiesByListener.size === 0) {
+            return routes;
+        }
+        return routes.map((route) => {
+            if (route.match?.inboundProxyProtocol) {
+                return route;
+            }
+            let listenerPolicy;
+            for (const listenerKey of this.getInboundProxyListenerKeys(route)) {
+                listenerPolicy = this.mergeInboundProxyProtocolPolicies(listenerPolicy, policiesByListener.get(listenerKey));
+            }
+            if (!listenerPolicy) {
+                return route;
+            }
+            return {
+                ...route,
+                match: {
+                    ...route.match,
+                    inboundProxyProtocol: listenerPolicy,
+                },
+            };
+        });
+    }
+    /** Union blocked IPs/CIDRs across configured and compiled security policies. */
+    mergeSecurityPolicies(...policies) {
+        const blockedIps = new Set();
+        const blockedCidrs = new Set();
+        for (const policy of policies) {
+            for (const ip of policy?.blockedIps || []) {
+                if (ip)
+                    blockedIps.add(ip);
+            }
+            for (const cidr of policy?.blockedCidrs || []) {
+                if (cidr)
+                    blockedCidrs.add(cidr);
+            }
+        }
+        if (blockedIps.size === 0 && blockedCidrs.size === 0) {
+            return undefined;
+        }
+        return {
+            blockedIps: [...blockedIps].sort(),
+            blockedCidrs: [...blockedCidrs].sort(),
+        };
+    }
+    getDesiredInboundProxyProtocolPolicy(route) {
+        const dcRoute = route;
+        if (this.dcRouterRef.isRemoteIngressHubEnabled() && dcRoute.remoteIngress?.enabled) {
+            const ports = plugins.smartproxy.expandPortRange(route.match.ports);
+            if (ports.some((port) => port === 25 || port === 587)) {
+                return { mode: 'required' };
+            }
+            return { mode: 'optional' };
+        }
+        if (this.dcRouterRef.options.vpnConfig?.enabled) {
+            return { mode: 'optional' };
+        }
+        return undefined;
+    }
+    getInboundProxyListenerKeys(route) {
+        const ports = plugins.smartproxy.expandPortRange(route.match.ports);
+        const transports = route.match.transport === 'udp'
+            ? ['udp']
+            : route.match.transport === 'all'
+                ? ['tcp', 'udp']
+                : ['tcp'];
+        const keys = [];
+        for (const port of ports) {
+            for (const transport of transports) {
+                keys.push(`${transport}:${port}`);
+            }
+        }
+        return keys;
+    }
+    mergeInboundProxyProtocolPolicies(current, next) {
+        if (!current)
+            return next;
+        if (!next)
+            return current;
+        if (current.mode === 'required')
+            return current;
+        if (next.mode === 'required')
+            return next;
+        if (current.mode === 'optional')
+            return current;
+        if (next.mode === 'optional')
+            return next;
+        return current;
+    }
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY2xhc3Nlcy5yb3V0ZS1wb2xpY3ktYXVnbWVudGVyLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vdHMvc2VjdXJpdHkvY2xhc3Nlcy5yb3V0ZS1wb2xpY3ktYXVnbWVudGVyLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBLE9BQU8sS0FBSyxPQUFPLE1BQU0sZUFBZSxDQUFDO0FBT3pDOzs7O0dBSUc7QUFDSCxNQUFNLE9BQU8sb0JBQW9CO0lBQ1g7SUFBcEIsWUFBb0IsV0FBcUI7UUFBckIsZ0JBQVcsR0FBWCxXQUFXLENBQVU7SUFBRyxDQUFDO0lBRTdDOzs7T0FHRztJQUNJLGlDQUFpQyxDQUN0QyxNQUF5QztRQUV6QyxNQUFNLGtCQUFrQixHQUFHLElBQUksR0FBRyxFQUF1QyxDQUFDO1FBRTFFLEtBQUssTUFBTSxLQUFLLElBQUksTUFBTSxFQUFFLENBQUM7WUFDM0IsTUFBTSxNQUFNLEdBQUcsS0FBSyxDQUFDLEtBQUssRUFBRSxvQkFBb0IsSUFBSSxJQUFJLENBQUMsb0NBQW9DLENBQUMsS0FBSyxDQUFDLENBQUM7WUFDckcsSUFBSSxDQUFDLE1BQU0sRUFBRSxDQUFDO2dCQUNaLFNBQVM7WUFDWCxDQUFDO1lBQ0QsS0FBSyxNQUFNLFdBQVcsSUFBSSxJQUFJLENBQUMsMkJBQTJCLENBQUMsS0FBSyxDQUFDLEVBQUUsQ0FBQztnQkFDbEUsTUFBTSxZQUFZLEdBQUcsSUFBSSxDQUFDLGlDQUFpQyxDQUN6RCxrQkFBa0IsQ0FBQyxHQUFHLENBQUMsV0FBVyxDQUFDLEVBQ25DLE1BQU0sQ0FDUCxDQUFDO2dCQUNGLElBQUksWUFBWSxFQUFFLENBQUM7b0JBQ2pCLGtCQUFrQixDQUFDLEdBQUcsQ0FBQyxXQUFXLEVBQUUsWUFBWSxDQUFDLENBQUM7Z0JBQ3BELENBQUM7WUFDSCxDQUFDO1FBQ0gsQ0FBQztRQUVELElBQUksa0JBQWtCLENBQUMsSUFBSSxLQUFLLENBQUMsRUFBRSxDQUFDO1lBQ2xDLE9BQU8sTUFBTSxDQUFDO1FBQ2hCLENBQUM7UUFFRCxPQUFPLE1BQU0sQ0FBQyxHQUFHLENBQUMsQ0FBQyxLQUFLLEVBQUUsRUFBRTtZQUMxQixJQUFJLEtBQUssQ0FBQyxLQUFLLEVBQUUsb0JBQW9CLEVBQUUsQ0FBQztnQkFDdEMsT0FBTyxLQUFLLENBQUM7WUFDZixDQUFDO1lBQ0QsSUFBSSxjQUF1RCxDQUFDO1lBQzVELEtBQUssTUFBTSxXQUFXLElBQUksSUFBSSxDQUFDLDJCQUEyQixDQUFDLEtBQUssQ0FBQyxFQUFFLENBQUM7Z0JBQ2xFLGNBQWMsR0FBRyxJQUFJLENBQUMsaUNBQWlDLENBQ3JELGNBQWMsRUFDZCxrQkFBa0IsQ0FBQyxHQUFHLENBQUMsV0FBVyxDQUFDLENBQ3BDLENBQUM7WUFDSixDQUFDO1lBQ0QsSUFBSSxDQUFDLGNBQWMsRUFBRSxDQUFDO2dCQUNwQixPQUFPLEtBQUssQ0FBQztZQUNmLENBQUM7WUFDRCxPQUFPO2dCQUNMLEdBQUcsS0FBSztnQkFDUixLQUFLLEVBQUU7b0JBQ0wsR0FBRyxLQUFLLENBQUMsS0FBSztvQkFDZCxvQkFBb0IsRUFBRSxjQUFjO2lCQUNyQzthQUNGLENBQUM7UUFDSixDQUFDLENBQUMsQ0FBQztJQUNMLENBQUM7SUFFRCxnRkFBZ0Y7SUFDekUscUJBQXFCLENBQzFCLEdBQUcsUUFBNkQ7UUFFaEUsTUFBTSxVQUFVLEdBQUcsSUFBSSxHQUFHLEVBQVUsQ0FBQztRQUNyQyxNQUFNLFlBQVksR0FBRyxJQUFJLEdBQUcsRUFBVSxDQUFDO1FBRXZDLEtBQUssTUFBTSxNQUFNLElBQUksUUFBUSxFQUFFLENBQUM7WUFDOUIsS0FBSyxNQUFNLEVBQUUsSUFBSSxNQUFNLEVBQUUsVUFBVSxJQUFJLEVBQUUsRUFBRSxDQUFDO2dCQUMxQyxJQUFJLEVBQUU7b0JBQUUsVUFBVSxDQUFDLEdBQUcsQ0FBQyxFQUFFLENBQUMsQ0FBQztZQUM3QixDQUFDO1lBQ0QsS0FBSyxNQUFNLElBQUksSUFBSSxNQUFNLEVBQUUsWUFBWSxJQUFJLEVBQUUsRUFBRSxDQUFDO2dCQUM5QyxJQUFJLElBQUk7b0JBQUUsWUFBWSxDQUFDLEdBQUcsQ0FBQyxJQUFJLENBQUMsQ0FBQztZQUNuQyxDQUFDO1FBQ0gsQ0FBQztRQUVELElBQUksVUFBVSxDQUFDLElBQUksS0FBSyxDQUFDLElBQUksWUFBWSxDQUFDLElBQUksS0FBSyxDQUFDLEVBQUUsQ0FBQztZQUNyRCxPQUFPLFNBQVMsQ0FBQztRQUNuQixDQUFDO1FBRUQsT0FBTztZQUNMLFVBQVUsRUFBRSxDQUFDLEdBQUcsVUFBVSxDQUFDLENBQUMsSUFBSSxFQUFFO1lBQ2xDLFlBQVksRUFBRSxDQUFDLEdBQUcsWUFBWSxDQUFDLENBQUMsSUFBSSxFQUFFO1NBQ3ZDLENBQUM7SUFDSixDQUFDO0lBRU8sb0NBQW9DLENBQzFDLEtBQXNDO1FBRXRDLE1BQU0sT0FBTyxHQUFHLEtBQTZCLENBQUM7UUFDOUMsSUFBSSxJQUFJLENBQUMsV0FBVyxDQUFDLHlCQUF5QixFQUFFLElBQUksT0FBTyxDQUFDLGFBQWEsRUFBRSxPQUFPLEVBQUUsQ0FBQztZQUNuRixNQUFNLEtBQUssR0FBRyxPQUFPLENBQUMsVUFBVSxDQUFDLGVBQWUsQ0FBQyxLQUFLLENBQUMsS0FBSyxDQUFDLEtBQVksQ0FBYSxDQUFDO1lBQ3ZGLElBQUksS0FBSyxDQUFDLElBQUksQ0FBQyxDQUFDLElBQUksRUFBRSxFQUFFLENBQUMsSUFBSSxLQUFLLEVBQUUsSUFBSSxJQUFJLEtBQUssR0FBRyxDQUFDLEVBQUUsQ0FBQztnQkFDdEQsT0FBTyxFQUFFLElBQUksRUFBRSxVQUFVLEVBQUUsQ0FBQztZQUM5QixDQUFDO1lBQ0QsT0FBTyxFQUFFLElBQUksRUFBRSxVQUFVLEVBQUUsQ0FBQztRQUM5QixDQUFDO1FBQ0QsSUFBSSxJQUFJLENBQUMsV0FBVyxDQUFDLE9BQU8sQ0FBQyxTQUFTLEVBQUUsT0FBTyxFQUFFLENBQUM7WUFDaEQsT0FBTyxFQUFFLElBQUksRUFBRSxVQUFVLEVBQUUsQ0FBQztRQUM5QixDQUFDO1FBQ0QsT0FBTyxTQUFTLENBQUM7SUFDbkIsQ0FBQztJQUVPLDJCQUEyQixDQUFDLEtBQXNDO1FBQ3hFLE1BQU0sS0FBSyxHQUFHLE9BQU8sQ0FBQyxVQUFVLENBQUMsZUFBZSxDQUFDLEtBQUssQ0FBQyxLQUFLLENBQUMsS0FBWSxDQUFhLENBQUM7UUFDdkYsTUFBTSxVQUFVLEdBQUcsS0FBSyxDQUFDLEtBQUssQ0FBQyxTQUFTLEtBQUssS0FBSztZQUNoRCxDQUFDLENBQUMsQ0FBQyxLQUFLLENBQUM7WUFDVCxDQUFDLENBQUMsS0FBSyxDQUFDLEtBQUssQ0FBQyxTQUFTLEtBQUssS0FBSztnQkFDL0IsQ0FBQyxDQUFDLENBQUMsS0FBSyxFQUFFLEtBQUssQ0FBQztnQkFDaEIsQ0FBQyxDQUFDLENBQUMsS0FBSyxDQUFDLENBQUM7UUFDZCxNQUFNLElBQUksR0FBYSxFQUFFLENBQUM7UUFDMUIsS0FBSyxNQUFNLElBQUksSUFBSSxLQUFLLEVBQUUsQ0FBQztZQUN6QixLQUFLLE1BQU0sU0FBUyxJQUFJLFVBQVUsRUFBRSxDQUFDO2dCQUNuQyxJQUFJLENBQUMsSUFBSSxDQUFDLEdBQUcsU0FBUyxJQUFJLElBQUksRUFBRSxDQUFDLENBQUM7WUFDcEMsQ0FBQztRQUNILENBQUM7UUFDRCxPQUFPLElBQUksQ0FBQztJQUNkLENBQUM7SUFFTyxpQ0FBaUMsQ0FDdkMsT0FBcUMsRUFDckMsSUFBa0M7UUFFbEMsSUFBSSxDQUFDLE9BQU87WUFBRSxPQUFPLElBQUksQ0FBQztRQUMxQixJQUFJLENBQUMsSUFBSTtZQUFFLE9BQU8sT0FBTyxDQUFDO1FBQzFCLElBQUksT0FBTyxDQUFDLElBQUksS0FBSyxVQUFVO1lBQUUsT0FBTyxPQUFPLENBQUM7UUFDaEQsSUFBSSxJQUFJLENBQUMsSUFBSSxLQUFLLFVBQVU7WUFBRSxPQUFPLElBQUksQ0FBQztRQUMxQyxJQUFJLE9BQU8sQ0FBQyxJQUFJLEtBQUssVUFBVTtZQUFFLE9BQU8sT0FBTyxDQUFDO1FBQ2hELElBQUksSUFBSSxDQUFDLElBQUksS0FBSyxVQUFVO1lBQUUsT0FBTyxJQUFJLENBQUM7UUFDMUMsT0FBTyxPQUFPLENBQUM7SUFDakIsQ0FBQztDQUNGIn0=

package/dist_ts/security/index.d.ts

@@ -2,3 +2,4 @@ export { SecurityLogger, SecurityLogLevel, SecurityEventType, type ISecurityEven
 export { IPReputationChecker, ReputationThreshold, IPType, type IReputationResult, type IIPReputationOptions } from './classes.ipreputationchecker.js';
 export { ContentScanner, ThreatCategory, type IScanResult, type IContentScannerOptions } from './classes.contentscanner.js';
 export { SecurityPolicyManager, type ISecurityPolicyManagerOptions, type IRemoteIngressFirewallSnapshot, } from './classes.security-policy-manager.js';
+export * from './classes.route-policy-augmenter.js';

package/dist_ts/security/index.js

@@ -2,4 +2,5 @@ export { SecurityLogger, SecurityLogLevel, SecurityEventType } from './classes.s
 export { IPReputationChecker, ReputationThreshold, IPType } from './classes.ipreputationchecker.js';
 export { ContentScanner, ThreatCategory } from './classes.contentscanner.js';
 export { SecurityPolicyManager, } from './classes.security-policy-manager.js';
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi90cy9zZWN1cml0eS9pbmRleC50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFBQSxPQUFPLEVBQ0wsY0FBYyxFQUNkLGdCQUFnQixFQUNoQixpQkFBaUIsRUFFbEIsTUFBTSw2QkFBNkIsQ0FBQztBQUVyQyxPQUFPLEVBQ0wsbUJBQW1CLEVBQ25CLG1CQUFtQixFQUNuQixNQUFNLEVBR1AsTUFBTSxrQ0FBa0MsQ0FBQztBQUUxQyxPQUFPLEVBQ0wsY0FBYyxFQUNkLGNBQWMsRUFHZixNQUFNLDZCQUE2QixDQUFDO0FBRXJDLE9BQU8sRUFDTCxxQkFBcUIsR0FHdEIsTUFBTSxzQ0FBc0MsQ0FBQyJ9
+export * from './classes.route-policy-augmenter.js';
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi90cy9zZWN1cml0eS9pbmRleC50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFBQSxPQUFPLEVBQ0wsY0FBYyxFQUNkLGdCQUFnQixFQUNoQixpQkFBaUIsRUFFbEIsTUFBTSw2QkFBNkIsQ0FBQztBQUVyQyxPQUFPLEVBQ0wsbUJBQW1CLEVBQ25CLG1CQUFtQixFQUNuQixNQUFNLEVBR1AsTUFBTSxrQ0FBa0MsQ0FBQztBQUUxQyxPQUFPLEVBQ0wsY0FBYyxFQUNkLGNBQWMsRUFHZixNQUFNLDZCQUE2QixDQUFDO0FBRXJDLE9BQU8sRUFDTCxxQkFBcUIsR0FHdEIsTUFBTSxzQ0FBc0MsQ0FBQztBQUM5QyxjQUFjLHFDQUFxQyxDQUFDIn0=

package/dist_ts/vpn/classes.vpn-access-resolver.d.ts

@@ -0,0 +1,34 @@
+import type { TVpnClientAllowEntry } from '../config/classes.route-config-manager.js';
+import type { IDcRouterRouteConfig } from '../../dist_ts_interfaces/data/remoteingress.js';
+import type { DcRouter } from '../classes.dcrouter.js';
+/**
+ * Resolves which VPN clients may access which routes and which IPs belong in
+ * a client's WireGuard AllowedIPs, including cached DNS resolution of
+ * VPN-gated route domains.
+ */
+export declare class VpnAccessResolver {
+    private dcRouterRef;
+    /** Cache for DNS-resolved IPs of VPN-gated domains. TTL: 5 minutes. */
+    private domainIpCache;
+    /** Deduplicate wildcard-resolution warnings for WireGuard AllowedIPs generation. */
+    private warnedWildcardDomains;
+    constructor(dcRouterRef: DcRouter);
+    /** Clear DNS and warning caches, e.g. after a VPN config change. */
+    reset(): void;
+    /**
+     * Build the per-route VPN client allow resolver handed to RouteConfigManager,
+     * or undefined when VPN is disabled.
+     */
+    createRouteAllowResolver(): ((route: IDcRouterRouteConfig, routeId?: string) => TVpnClientAllowEntry[]) | undefined;
+    /**
+     * Compute the WireGuard AllowedIPs for a client from its target profiles:
+     * the VPN subnet, direct target IPs, and DNS-resolved route domains.
+     */
+    getClientAllowedIPs(targetProfileIds: string[]): Promise<string[]>;
+    /**
+     * Resolve a domain's A record(s) for VPN AllowedIPs, with a 5-minute cache.
+     */
+    private resolveDomainIPs;
+    private isWildcardDomain;
+    private logSkippedWildcardAllowedIp;
+}

package/dist_ts/vpn/classes.vpn-access-resolver.js

@@ -0,0 +1,101 @@
+import { logger } from '../logger.js';
+/**
+ * Resolves which VPN clients may access which routes and which IPs belong in
+ * a client's WireGuard AllowedIPs, including cached DNS resolution of
+ * VPN-gated route domains.
+ */
+export class VpnAccessResolver {
+    dcRouterRef;
+    /** Cache for DNS-resolved IPs of VPN-gated domains. TTL: 5 minutes. */
+    domainIpCache = new Map();
+    /** Deduplicate wildcard-resolution warnings for WireGuard AllowedIPs generation. */
+    warnedWildcardDomains = new Set();
+    constructor(dcRouterRef) {
+        this.dcRouterRef = dcRouterRef;
+    }
+    /** Clear DNS and warning caches, e.g. after a VPN config change. */
+    reset() {
+        this.domainIpCache.clear();
+        this.warnedWildcardDomains.clear();
+    }
+    /**
+     * Build the per-route VPN client allow resolver handed to RouteConfigManager,
+     * or undefined when VPN is disabled.
+     */
+    createRouteAllowResolver() {
+        if (!this.dcRouterRef.options.vpnConfig?.enabled) {
+            return undefined;
+        }
+        return (route, routeId) => {
+            if (!this.dcRouterRef.vpnManager || !this.dcRouterRef.targetProfileManager) {
+                // VPN not ready yet — deny all until re-apply after VPN starts.
+                return [];
+            }
+            return this.dcRouterRef.targetProfileManager.getMatchingVpnClients(route, routeId, this.dcRouterRef.vpnManager.listClients(), this.dcRouterRef.routeConfigManager?.getRoutes() || new Map());
+        };
+    }
+    /**
+     * Compute the WireGuard AllowedIPs for a client from its target profiles:
+     * the VPN subnet, direct target IPs, and DNS-resolved route domains.
+     */
+    async getClientAllowedIPs(targetProfileIds) {
+        const subnet = this.dcRouterRef.options.vpnConfig?.subnet || '10.8.0.0/24';
+        const ips = new Set([subnet]);
+        const targetProfileManager = this.dcRouterRef.targetProfileManager;
+        if (!targetProfileManager)
+            return [...ips];
+        const allRoutes = this.dcRouterRef.routeConfigManager?.getRoutes() || new Map();
+        const { domains, targetIps } = targetProfileManager.getClientAccessSpec(targetProfileIds, allRoutes);
+        // Add target IPs directly
+        for (const ip of targetIps) {
+            ips.add(`${ip}/32`);
+        }
+        // Resolve DNS A records for matched domains (with caching)
+        for (const domain of domains) {
+            if (this.isWildcardDomain(domain)) {
+                this.logSkippedWildcardAllowedIp(domain);
+                continue;
+            }
+            const resolvedIps = await this.resolveDomainIPs(domain);
+            for (const ip of resolvedIps) {
+                ips.add(`${ip}/32`);
+            }
+        }
+        return [...ips];
+    }
+    /**
+     * Resolve a domain's A record(s) for VPN AllowedIPs, with a 5-minute cache.
+     */
+    async resolveDomainIPs(domain) {
+        const cached = this.domainIpCache.get(domain);
+        if (cached && cached.expiresAt > Date.now()) {
+            return cached.ips;
+        }
+        try {
+            const { promises: dnsPromises } = await import('dns');
+            const ips = await dnsPromises.resolve4(domain);
+            this.domainIpCache.set(domain, { ips, expiresAt: Date.now() + 5 * 60 * 1000 });
+            // Evict oldest entries if cache exceeds 1000 entries
+            if (this.domainIpCache.size > 1000) {
+                const firstKey = this.domainIpCache.keys().next().value;
+                if (firstKey)
+                    this.domainIpCache.delete(firstKey);
+            }
+            return ips;
+        }
+        catch (err) {
+            logger.log('warn', `VPN: Failed to resolve ${domain} for AllowedIPs: ${err.message}`);
+            return cached?.ips || []; // Return stale cache on failure, or empty
+        }
+    }
+    isWildcardDomain(domain) {
+        return domain.includes('*');
+    }
+    logSkippedWildcardAllowedIp(domain) {
+        if (this.warnedWildcardDomains.has(domain))
+            return;
+        this.warnedWildcardDomains.add(domain);
+        logger.log('warn', `VPN: Skipping wildcard domain '${domain}' for WireGuard AllowedIPs; wildcard patterns must be resolved to concrete hostnames by matching routes.`);
+    }
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY2xhc3Nlcy52cG4tYWNjZXNzLXJlc29sdmVyLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vdHMvdnBuL2NsYXNzZXMudnBuLWFjY2Vzcy1yZXNvbHZlci50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFBQSxPQUFPLEVBQUUsTUFBTSxFQUFFLE1BQU0sY0FBYyxDQUFDO0FBS3RDOzs7O0dBSUc7QUFDSCxNQUFNLE9BQU8saUJBQWlCO0lBTVI7SUFMcEIsdUVBQXVFO0lBQy9ELGFBQWEsR0FBRyxJQUFJLEdBQUcsRUFBZ0QsQ0FBQztJQUNoRixvRkFBb0Y7SUFDNUUscUJBQXFCLEdBQUcsSUFBSSxHQUFHLEVBQVUsQ0FBQztJQUVsRCxZQUFvQixXQUFxQjtRQUFyQixnQkFBVyxHQUFYLFdBQVcsQ0FBVTtJQUFHLENBQUM7SUFFN0Msb0VBQW9FO0lBQzdELEtBQUs7UUFDVixJQUFJLENBQUMsYUFBYSxDQUFDLEtBQUssRUFBRSxDQUFDO1FBQzNCLElBQUksQ0FBQyxxQkFBcUIsQ0FBQyxLQUFLLEVBQUUsQ0FBQztJQUNyQyxDQUFDO0lBRUQ7OztPQUdHO0lBQ0ksd0JBQXdCO1FBSTdCLElBQUksQ0FBQyxJQUFJLENBQUMsV0FBVyxDQUFDLE9BQU8sQ0FBQyxTQUFTLEVBQUUsT0FBTyxFQUFFLENBQUM7WUFDakQsT0FBTyxTQUFTLENBQUM7UUFDbkIsQ0FBQztRQUVELE9BQU8sQ0FBQyxLQUEyQixFQUFFLE9BQWdCLEVBQUUsRUFBRTtZQUN2RCxJQUFJLENBQUMsSUFBSSxDQUFDLFdBQVcsQ0FBQyxVQUFVLElBQUksQ0FBQyxJQUFJLENBQUMsV0FBVyxDQUFDLG9CQUFvQixFQUFFLENBQUM7Z0JBQzNFLGdFQUFnRTtnQkFDaEUsT0FBTyxFQUFFLENBQUM7WUFDWixDQUFDO1lBRUQsT0FBTyxJQUFJLENBQUMsV0FBVyxDQUFDLG9CQUFvQixDQUFDLHFCQUFxQixDQUNoRSxLQUFLLEVBQ0wsT0FBTyxFQUNQLElBQUksQ0FBQyxXQUFXLENBQUMsVUFBVSxDQUFDLFdBQVcsRUFBRSxFQUN6QyxJQUFJLENBQUMsV0FBVyxDQUFDLGtCQUFrQixFQUFFLFNBQVMsRUFBRSxJQUFJLElBQUksR0FBRyxFQUFFLENBQzlELENBQUM7UUFDSixDQUFDLENBQUM7SUFDSixDQUFDO0lBRUQ7OztPQUdHO0lBQ0ksS0FBSyxDQUFDLG1CQUFtQixDQUFDLGdCQUEwQjtRQUN6RCxNQUFNLE1BQU0sR0FBRyxJQUFJLENBQUMsV0FBVyxDQUFDLE9BQU8sQ0FBQyxTQUFTLEVBQUUsTUFBTSxJQUFJLGFBQWEsQ0FBQztRQUMzRSxNQUFNLEdBQUcsR0FBRyxJQUFJLEdBQUcsQ0FBUyxDQUFDLE1BQU0sQ0FBQyxDQUFDLENBQUM7UUFFdEMsTUFBTSxvQkFBb0IsR0FBRyxJQUFJLENBQUMsV0FBVyxDQUFDLG9CQUFvQixDQUFDO1FBQ25FLElBQUksQ0FBQyxvQkFBb0I7WUFBRSxPQUFPLENBQUMsR0FBRyxHQUFHLENBQUMsQ0FBQztRQUUzQyxNQUFNLFNBQVMsR0FBRyxJQUFJLENBQUMsV0FBVyxDQUFDLGtCQUFrQixFQUFFLFNBQVMsRUFBRSxJQUFJLElBQUksR0FBRyxFQUFFLENBQUM7UUFFaEYsTUFBTSxFQUFFLE9BQU8sRUFBRSxTQUFTLEVBQUUsR0FBRyxvQkFBb0IsQ0FBQyxtQkFBbUIsQ0FDckUsZ0JBQWdCLEVBQ2hCLFNBQVMsQ0FDVixDQUFDO1FBRUYsMEJBQTBCO1FBQzFCLEtBQUssTUFBTSxFQUFFLElBQUksU0FBUyxFQUFFLENBQUM7WUFDM0IsR0FBRyxDQUFDLEdBQUcsQ0FBQyxHQUFHLEVBQUUsS0FBSyxDQUFDLENBQUM7UUFDdEIsQ0FBQztRQUVELDJEQUEyRDtRQUMzRCxLQUFLLE1BQU0sTUFBTSxJQUFJLE9BQU8sRUFBRSxDQUFDO1lBQzdCLElBQUksSUFBSSxDQUFDLGdCQUFnQixDQUFDLE1BQU0sQ0FBQyxFQUFFLENBQUM7Z0JBQ2xDLElBQUksQ0FBQywyQkFBMkIsQ0FBQyxNQUFNLENBQUMsQ0FBQztnQkFDekMsU0FBUztZQUNYLENBQUM7WUFDRCxNQUFNLFdBQVcsR0FBRyxNQUFNLElBQUksQ0FBQyxnQkFBZ0IsQ0FBQyxNQUFNLENBQUMsQ0FBQztZQUN4RCxLQUFLLE1BQU0sRUFBRSxJQUFJLFdBQVcsRUFBRSxDQUFDO2dCQUM3QixHQUFHLENBQUMsR0FBRyxDQUFDLEdBQUcsRUFBRSxLQUFLLENBQUMsQ0FBQztZQUN0QixDQUFDO1FBQ0gsQ0FBQztRQUVELE9BQU8sQ0FBQyxHQUFHLEdBQUcsQ0FBQyxDQUFDO0lBQ2xCLENBQUM7SUFFRDs7T0FFRztJQUNLLEtBQUssQ0FBQyxnQkFBZ0IsQ0FBQyxNQUFjO1FBQzNDLE1BQU0sTUFBTSxHQUFHLElBQUksQ0FBQyxhQUFhLENBQUMsR0FBRyxDQUFDLE1BQU0sQ0FBQyxDQUFDO1FBQzlDLElBQUksTUFBTSxJQUFJLE1BQU0sQ0FBQyxTQUFTLEdBQUcsSUFBSSxDQUFDLEdBQUcsRUFBRSxFQUFFLENBQUM7WUFDNUMsT0FBTyxNQUFNLENBQUMsR0FBRyxDQUFDO1FBQ3BCLENBQUM7UUFDRCxJQUFJLENBQUM7WUFDSCxNQUFNLEVBQUUsUUFBUSxFQUFFLFdBQVcsRUFBRSxHQUFHLE1BQU0sTUFBTSxDQUFDLEtBQUssQ0FBQyxDQUFDO1lBQ3RELE1BQU0sR0FBRyxHQUFHLE1BQU0sV0FBVyxDQUFDLFFBQVEsQ0FBQyxNQUFNLENBQUMsQ0FBQztZQUMvQyxJQUFJLENBQUMsYUFBYSxDQUFDLEdBQUcsQ0FBQyxNQUFNLEVBQUUsRUFBRSxHQUFHLEVBQUUsU0FBUyxFQUFFLElBQUksQ0FBQyxHQUFHLEVBQUUsR0FBRyxDQUFDLEdBQUcsRUFBRSxHQUFHLElBQUksRUFBRSxDQUFDLENBQUM7WUFDL0UscURBQXFEO1lBQ3JELElBQUksSUFBSSxDQUFDLGFBQWEsQ0FBQyxJQUFJLEdBQUcsSUFBSSxFQUFFLENBQUM7Z0JBQ25DLE1BQU0sUUFBUSxHQUFHLElBQUksQ0FBQyxhQUFhLENBQUMsSUFBSSxFQUFFLENBQUMsSUFBSSxFQUFFLENBQUMsS0FBSyxDQUFDO2dCQUN4RCxJQUFJLFFBQVE7b0JBQUUsSUFBSSxDQUFDLGFBQWEsQ0FBQyxNQUFNLENBQUMsUUFBUSxDQUFDLENBQUM7WUFDcEQsQ0FBQztZQUNELE9BQU8sR0FBRyxDQUFDO1FBQ2IsQ0FBQztRQUFDLE9BQU8sR0FBRyxFQUFFLENBQUM7WUFDYixNQUFNLENBQUMsR0FBRyxDQUFDLE1BQU0sRUFBRSwwQkFBMEIsTUFBTSxvQkFBcUIsR0FBYSxDQUFDLE9BQU8sRUFBRSxDQUFDLENBQUM7WUFDakcsT0FBTyxNQUFNLEVBQUUsR0FBRyxJQUFJLEVBQUUsQ0FBQyxDQUFDLDBDQUEwQztRQUN0RSxDQUFDO0lBQ0gsQ0FBQztJQUVPLGdCQUFnQixDQUFDLE1BQWM7UUFDckMsT0FBTyxNQUFNLENBQUMsUUFBUSxDQUFDLEdBQUcsQ0FBQyxDQUFDO0lBQzlCLENBQUM7SUFFTywyQkFBMkIsQ0FBQyxNQUFjO1FBQ2hELElBQUksSUFBSSxDQUFDLHFCQUFxQixDQUFDLEdBQUcsQ0FBQyxNQUFNLENBQUM7WUFBRSxPQUFPO1FBQ25ELElBQUksQ0FBQyxxQkFBcUIsQ0FBQyxHQUFHLENBQUMsTUFBTSxDQUFDLENBQUM7UUFDdkMsTUFBTSxDQUFDLEdBQUcsQ0FDUixNQUFNLEVBQ04sa0NBQWtDLE1BQU0sMEdBQTBHLENBQ25KLENBQUM7SUFDSixDQUFDO0NBQ0YifQ==

package/dist_ts/vpn/index.d.ts

@@ -1 +1,2 @@
 export * from './classes.vpn-manager.js';
+export * from './classes.vpn-access-resolver.js';

package/dist_ts/vpn/index.js

@@ -1,2 +1,3 @@
 export * from './classes.vpn-manager.js';
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi90cy92cG4vaW5kZXgudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBQUEsY0FBYywwQkFBMEIsQ0FBQyJ9
+export * from './classes.vpn-access-resolver.js';
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi90cy92cG4vaW5kZXgudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBQUEsY0FBYywwQkFBMEIsQ0FBQztBQUN6QyxjQUFjLGtDQUFrQyxDQUFDIn0=