Across the ecosystem, the recurring pattern was clear: services gained durable state, explicit policy models, and admin surfaces that make them manageable in production rather than merely functional in isolation.

dcrouter: From Gateway to Datacenter Control Plane

@serve.zone/dcrouter remained the most active infrastructure project in April, reaching the 13.20.x release line and expanding from protocol gateway into a broader datacenter edge control plane.

DB-backed DNS management -- DNS providers, domains, and records are now persisted and managed through the runtime and Ops UI. Provider-managed domains can be mirrored locally for API and dashboard visibility while remaining authoritative at the upstream provider. dcrouter-hosted domains are handled directly by the built-in DNS path.

ACME configuration in the dashboard -- Certificate behavior moved into database-backed configuration with reusable UI flows for provider setup and domain/certificate management. April also aligned dcrouter with smartacme's new forced-renewal support, including safeguards around valid certificates.

Email domain lifecycle management -- Email domains can now be created and managed through dcrouter with DKIM generation, DNS provisioning, validation, optional subdomain support, persistent smartmta storage, and runtime synchronization between configured domains and the mail server.

Unified route ownership -- Route management was reorganized around persisted route origins: config, email, dns, and api. System-generated routes can be shown separately from user-managed routes, while API-owned routes support full CRUD. This gives dcrouter one route model across HTTP, DNS, email, remote ingress, and programmatic configuration.

Profile-based VPN access -- The VPN access model moved away from tag-based rules toward source and target profiles. Source profiles describe who or what is connecting; target profiles describe reachable networks, hosts, and ports. Routes can then reference those profiles instead of embedding ad hoc access rules.

Remote ingress controls -- Route configuration gained remote ingress controls and preserve-port targeting, making tunnel-backed services easier to expose without losing backend port semantics.

Ops dashboard reorganization -- The web UI was reorganized into grouped operations areas covering overview, domains, DNS, certificates, email, access, security, network, routes, VPN, and remote ingress. Tables gained filtering, live update highlighting, and clearer monitoring views as dees-catalog evolved underneath.

Network monitoring -- dcrouter now consumes the richer smartproxy metrics model: protocol distribution, bandwidth-ranked IP and domain activity, request-based domain aggregation, and route-aware traffic statistics.

The result is a gateway that is no longer configured only as a static edge process. It is becoming the operational system of record for routing, certificates, DNS, email, VPN access, and ingress policy.


siprouter: A Rust-Backed Telephony Stack

April introduced heavy activity around @serve.zone/siprouter, a SIP and WebRTC routing system with a TypeScript control plane and Rust media/SIP data plane.

SIP B2BUA and WebRTC bridge -- siprouter handles SIP provider and device legs, browser WebRTC legs, and internal tool or recording legs as a multi-leg call hub. The architecture is built around controlled call legs rather than a simple pass-through proxy.

Rust proxy engine -- SIP dialog handling, RTP port management, WebRTC bridging, outbound calling, voicemail, IVR, recording, and dashboard event reporting are handled by a Rust-backed proxy engine integrated with the TypeScript runtime.

Audio engine upgrades -- The media pipeline moved to 48 kHz float processing with adaptive RTP jitter buffering, stable 20 ms resampling, Opus packet loss concealment, negotiated SDP payload handling, and per-leg denoising.

Voicemail, IVR, and TTS -- April added DTMF-driven IVR flows, prompt playback, voicemail recording, dashboard management, and Kokoro-based TTS generation with caching and live streaming interaction support.

Guided provider setup -- The dashboard gained guided provider creation, explicit inbound DID routing, provider-based number matching, incoming number ranges, and improved diagnostics for inbound routing.

Fax support -- The 1.26.x line added fax routing, job tracking, inbox management, and T.38/UDPTL media support.

Docker release pipeline -- siprouter also gained multi-architecture Docker build support and tagged release automation.

This is a new major building block for serve.zone: telephony, browser calling, voicemail, IVR, and fax in the same infrastructure style as the existing gateway stack.


idp.global and Swift Tooling: Identity Moves to Devices

April's identity work connected backend authentication, native clients, and Swift automation.

idp.global authentication hardening -- idp.global added argon2 password hashing, legacy hash migration, rotating hashed refresh tokens, refresh-token reuse detection, and persisted email action tokens and registration sessions.
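An added example, not idp.global's code: a small in-memory store showing how rotating hashed refresh tokens and reuse detection fit together. The class, the record fields and the use of SHA-256 for token hashing are assumptions; the page does not describe idp.global's schema or hash choice.

```typescript
import { createHash, randomBytes } from "crypto";

// Hypothetical record shape; idp.global's real schema is not shown on the page.
interface RefreshRecord {
  familyId: string; // every token descended from one login shares a family
  userId: string;
  used: boolean;    // set once the token has been exchanged
  revoked: boolean;
}

type RotateResult =
  | { ok: true; token: string }
  | { ok: false; reason: "unknown" | "revoked" | "reuse-detected" };

// Assumption: SHA-256 is enough here because tokens are 256-bit random values.
const hashToken = (token: string): string =>
  createHash("sha256").update(token).digest("hex");

class RefreshTokenStore {
  // Keyed by hash, so a leaked copy of the store yields no usable tokens.
  private records = new Map<string, RefreshRecord>();

  issue(userId: string, familyId: string = randomBytes(16).toString("hex")): string {
    const token = randomBytes(32).toString("hex");
    this.records.set(hashToken(token), { familyId, userId, used: false, revoked: false });
    return token;
  }

  // Exchange a refresh token for its successor, or say why it was refused.
  rotate(token: string): RotateResult {
    const record = this.records.get(hashToken(token));
    if (!record) return { ok: false, reason: "unknown" };
    if (record.revoked) return { ok: false, reason: "revoked" };
    if (record.used) {
      // An already-rotated token came back: someone holds a stale copy.
      // Revoke the whole family so the newest token dies with it.
      this.records.forEach((r) => {
        if (r.familyId === record.familyId) r.revoked = true;
      });
      return { ok: false, reason: "reuse-detected" };
    }
    record.used = true;
    return { ok: true, token: this.issue(record.userId, record.familyId) };
  }

  // True only if the raw token itself was used as a storage key.
  holdsPlaintext(token: string): boolean {
    return this.records.has(token);
  }
}
```

A `reuse-detected` result is also the event worth alerting on, since it means two parties held the same token.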

OIDC persistence and consent -- Authorization codes, access tokens, refresh tokens, and user consent records are now stored in SmartData-backed persistence with hashed token storage. OIDC flows gained consent-aware continuation after login and stronger abuse protection around login, magic links, password reset, and token exchange.

Passport device flows -- The identity provider gained passport device enrollment, signed device requests, challenge approval, push token registration, alert lifecycle APIs, and alert-rule management. This pushes identity beyond password/OIDC sessions toward device-backed approvals.

Native companion app -- idp.global/swiftapp built out a SwiftUI companion app for iPhone, iPad, Mac, and Apple Watch. The app now uses the live idp.global backend by default for pairing, dashboard loading, approvals, and alerts. Pairing includes a welcome flow, QR scanning, manual fallback, NFC pairing, and NFC identity proof with signed GPS position on supported devices.

@git.zone/tsswift -- A new Swift/Xcode workflow CLI emerged in April. tsswift can detect SwiftPM, Xcode project, and workspace layouts; run doctor, build, test, run, emulator, launch, screenshot, review, and watch workflows; persist simulator preferences; and operate named remote macOS builders over SSH with rsync-based project sync. Remote screenshot capture syncs outputs back into the local project.

@api.global/swiftsupport -- api.global gained a Swift transport support package for typedrequest over POST /typedrequest and typedsocket over WebSocket, including typed clients, correlation metadata, retry handling, and typed transport errors.

Together, these pieces make Swift clients first-class participants in the code.foss.global identity and API ecosystem rather than one-off consumers.


modelgrid: Cluster-Aware AI Model Operations

modelgrid.com/modelgrid reached its 1.1.x line in April and shifted toward a vLLM-first daemon for OpenAI-compatible model serving.

OpenAI-compatible API -- The daemon exposes endpoints such as /v1/chat/completions, /v1/models, and /v1/embeddings, with catalog-backed model resolution through list.modelgrid.com.

Cluster foundations -- ModelGrid gained standalone, control-plane, and worker roles; desired replica state; heartbeats; placement; node lifecycle commands; and internal /_cluster/* endpoints.

CLI operations -- New cluster commands cover status, nodes, models, ensure, scale, cordon, drain, and activate workflows.

Browser operations console -- The daemon now serves a browser UI with overview health data, backed by a bundled frontend and typed server integration.

API hardening -- Follow-up work added request IDs; per-minute rate limits; Prometheus counters for requests, authentication failures, and 5xx responses; degraded health reasons; 413 handling for oversized request bodies; and 504 mapping for upstream timeouts.

ModelGrid is moving from local model runner toward a small cluster control plane for catalog-backed AI inference.


dees-catalog: Production UI Components for Operations Dashboards

@design.estate/dees-catalog moved quickly from 3.49.x to 3.81.x in April. The changes were especially relevant because dcrouter, serve.zone catalog views, object storage UIs, and other dashboards depend on these components.

dees-table overhaul -- Tables gained multi-column sorting with priority indicators, file-manager-style row selection, JSON copy support, schema-based in-cell editing, keyboard navigation, virtualized rendering for large datasets, floating headers, and opt-in live-update flash highlighting. Later fixes stabilized live updates by reusing row DOM and avoiding redundant layout recalculations.

Input and form improvements -- Dropdowns and date pickers moved into floating window-layer overlays with search, keyboard navigation, and viewport repositioning. Input lists gained candidate autocomplete, Tab completion, payload retrieval, and freeform entries. Text inputs gained validated success states and an editing context menu.

Tile-based layout system -- The new dees-tile component became the shared layout primitive for modals, data views, inputs, stats grids, product cards, terminal previews, login views, and dashboard sections.

Stepper and updater flows -- dees-stepper gained footer actions, form-aware validation, cancellation confirmation, overlay support, progress-aware async steps, and progressbar embedding. dees-updater gained progress views, ready-state countdowns, version metadata cards, and completion actions.

Theme tokens and app shell polish -- Shared --dees-* theme tokens were centralized and applied across app dashboards, login views, stats grids, charts, modals, and headings. dees-simple-appdash gained dismissible global message banners and nested sidebar subviews.

Viewer and chart refinements -- Area charts moved to Lightweight Charts, ECharts components were aligned with shared theme tokens, PDF viewing gained sidebar-position support and footer/file-size refinements, and media tile components were reworked as thumbnail components.

dees-wcctools and dees-domtools -- wcctools added better recording/export documentation, improved recording capture, WebM/MP4 export support, and sidebar search by component tag name. dees-domtools stabilized singleton setup, lifecycle cleanup, readiness handling, external resource loading, and keyboard event handling.

The April UI work was not cosmetic. It supplied the operational affordances needed by dashboards that manage live routing, DNS, certificates, email, model clusters, and telephony flows.


smartdb, smartdata, and Migration Tooling

Persistence libraries saw major hardening in April, led by @push.rocks/smartdb.

smartdb durability -- smartdb gained Bitcask-style binary file storage, a binary WAL, compaction, legacy JSON-to-v1 migration, persistence and restore support for in-memory storage, and stronger startup recovery.

Operation history and debug UI -- Operation log APIs, point-in-time revert, collection/document browsing APIs, and a web debug dashboard make smartdb easier to inspect and recover during development and operations.

Integrity checks -- Offline validation, CRC/header/hint validation, stale hint detection, persisted index restoration, unique-index enforcement after restart, and crash-start compaction all landed in April.

MongoDB-style updates -- Aggregation pipeline updates were added for update and findOneAndUpdate, including $unset stages, upsert support, and immutable _id enforcement.

smartdata fixes -- smartdata improved collection caching by scoping it per SmartdataDb instance, added EasyStore.replace(), hardened index creation, improved duplicate-key diagnostics, and strengthened collection integrity checks.

smartmigration -- A new migration package appeared for deterministic SaaS data migrations across MongoDB/smartdata and S3/smartbucket. It includes builder-style semver migration chains, ledgers, dry-run planning, fresh-install handling, checkpoints, structured errors, optional locking, skip-forward resume, lock heartbeats, predictive dry-run planning, stricter option validation, and checkpoint cleanup.

smartchangelog -- Another new package, smartchangelog, parses push.rocks-format changelog.md files and supports latest-version, exact-version, range, and grouped historical release queries.

These changes matter because more of the stack now treats persisted runtime state as the default: routes, domains, tokens, device enrollments, model clusters, migrations, and operational settings all need reliable local storage.


smartproxy and Registry Infrastructure

@push.rocks/smartproxy continued to harden the Rust-backed networking layer beneath dcrouter and related services.

Protocol metrics -- smartproxy added frontend and backend protocol distribution across HTTP/1, HTTP/2, HTTP/3, WebSocket, and other traffic. It also gained per-IP domain request maps, top IP-domain pairs, per-domain HTTP request rates, stable route metric keys, and normalized domain labels.

HTTP/3 service wiring -- QUIC listener support moved forward with HTTP/3 proxy service wiring.

Domain-scoped filtering -- Domain-scoped IP allow lists now work across HTTP, QUIC, and passthrough traffic using Host and SNI context.
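An added example, not smartproxy's code or configuration schema: one way to evaluate a domain-scoped IPv4 allow list from Host and SNI context. `ConnContext`, `ALLOW` and `permitted()` are hypothetical names, the policy is constructed, and checking every name present (rather than only one) is a design assumption of this sketch.

```typescript
// Hypothetical connection context; passthrough traffic would carry sni only.
interface ConnContext { remoteIp: string; host?: string; sni?: string }

// Constructed policy: normalized domain -> allowed IPv4 CIDR blocks.
const ALLOW = new Map<string, string[]>([
  ["admin.example.com", ["10.0.0.0/8", "203.0.113.7/32"]],
]);

function ipv4ToInt(ip: string): number | null {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

function inCidr(ip: string, cidr: string): boolean {
  // Require an explicit prefix length so "10.0.0.0/" cannot be read as /0.
  const m = /^([\d.]+)\/(\d{1,2})$/.exec(cidr);
  if (!m) return false;
  const ipN = ipv4ToInt(ip);
  const baseN = ipv4ToInt(m[1] ?? "");
  const bits = Number(m[2]);
  if (ipN === null || baseN === null || bits > 32) return false;
  const size = Math.pow(2, 32 - bits); // number of addresses in the block
  return Math.floor(ipN / size) === Math.floor(baseN / size);
}

// Lowercase, strip :port and a trailing dot so "Admin.Example.com.:443" matches.
function normalizeDomain(raw?: string): string | null {
  if (!raw) return null;
  const d = raw.trim().toLowerCase().replace(/:\d+$/, "").replace(/\.$/, "");
  return d.length > 0 ? d : null;
}

// Every name present is checked, so a request whose SNI is unrestricted
// but whose Host is restricted still has to satisfy the Host's list.
function permitted(ctx: ConnContext): boolean {
  for (const name of [normalizeDomain(ctx.sni), normalizeDomain(ctx.host)]) {
    if (name === null) continue;
    const cidrs = ALLOW.get(name);
    if (cidrs === undefined) continue; // no domain-scoped list for this name
    if (!cidrs.some((c) => inCidr(ctx.remoteIp, c))) return false;
  }
  return true;
}
```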

Typed Rust configuration -- Typed Rust config serialization and stronger cross-contract tests improved the boundary between the TypeScript control plane and Rust proxy engine.

WebSocket coverage -- End-to-end WebSocket proxy tests were added to protect behavior across protocol upgrades.

smartregistry -- The registry core gained declarative protocol routing and request-scoped storage hook context, so hooks receive protocol, actor, package, and version metadata without cross-request leakage. Shared base helpers were refactored for auth extraction, actor construction, header parsing, protocol logging, and storage path handling.

These changes move the registry and proxy layers toward safer multi-protocol operation under one control plane.


Storage, Network, and Mail Libraries

Several push.rocks libraries received focused April improvements that fed into the larger systems.

@push.rocks/smartstorage -- Runtime storage stats, bucket summaries, filesystem capacity snapshots, cluster health reporting, drive health, quorum/healing state, and runtime credential replacement APIs were added around the S3-compatible storage server.

@push.rocks/smartacme -- Certificate issuance gained a forceRenew option that bypasses cached non-expired certificates while preserving the existing certificate as fallback until new issuance succeeds.

@push.rocks/smartbucket -- The bucket API now exposes the underlying shared S3 client through getStorageClient() for lower-level operations.

@push.rocks/smartnetwork -- Domain intelligence lookups now combine RDAP bootstrap discovery with DNS enrichment, normalized domains, IDN support, RDAP-less ccTLD fallback, caching, and shared smartdns lifecycle cleanup.

@push.rocks/smartmta -- Mail server APIs were aligned around queue IDs, outbound hostname behavior, DKIM selector handling, typed storage-manager integration, and queue inspection/stat APIs.

@push.rocks/smartvpn -- Hybrid forwarding mode gained per-client userspace NAT vs bridge selection, bridge options, DHCP/static LAN IPs, VLAN assignment, and safer shutdown cleanup for bridge/hybrid modes.

@push.rocks/smartversion -- SmartVersion gained equality helpers and hardened fuzzy version parsing.


Finance and Operations Tools

April also brought smaller but meaningful improvements outside the core gateway and persistence layers.

@fin.cx/einvoice -- The 5.2.x line improved in-memory validation for programmatically created invoices, added structured EN16931 mandatory-field errors and validation caching, tightened FatturaPA detection coverage, and improved published type compatibility.

@fin.cx/opendata -- OpenData expanded into local legal data storage with a LawService and LawRecord model for German, EU, and US law texts. Persistence migrated toward embedded local smartdb-backed storage.

@fin.cx/skr -- SKR aligned with the updated einvoice package, stabilized published exports, added strict consumer typecheck coverage, and hardened accounting/invoice/journal integrations.

@serve.zone/nupst -- UPS monitoring gained edge-triggered threshold handling, grouped action orchestration, redundant vs non-redundant group semantics, HA-aware Proxmox shutdown behavior, configurable shutdown delays, structured systemd status reporting, interactive action editing, and changelog display before upgrades.

@serve.zone/catalog -- Shared serve.zone UI components were updated for route cards, VPN/source/target metadata, TLS details, conditional actions, dark-theme behavior, and dees-tile based dashboard layouts.

@git.zone/cli -- The GitZone CLI added machine-readable JSON/plain/human output modes, read-only command recommendation and format planning flows, better non-interactive configuration handling, and package formatting fixes that avoid modifying buildDocs or dependency entries.


What's Next

April's work made the ecosystem more operational. The big additions were not single features in isolation; they were durable management layers: dcrouter owns routes, domains, certificates, email, VPN access, and ingress policy; idp.global owns device-backed approval flows; modelgrid owns model cluster state; smartdb and smartmigration provide safer local persistence and upgrades; dees-catalog provides the UI primitives needed to operate those systems.

The stack is moving from "can this service run?" to "can this service be managed, inspected, migrated, and recovered while running?" That shift defines April's code.foss.global update.


code.foss.global is hosted by Task Venture Capital GmbH, Bremen, Germany.