The Rust-hybrid stack goes production.
Over the past two months, the code.foss.global ecosystem underwent a fundamental architectural shift: critical infrastructure projects gained Rust data planes while keeping TypeScript control planes. February laid the groundwork -- Rust networking engines, IPC bridges, and toolchain automation. March turned that groundwork into shippable products: a self-hosted S3-compatible storage appliance, a multi-protocol package registry, a unified datacenter gateway handling seven protocol families, and a VPN system that matured from proof-of-concept to deployment-ready.
The Hybrid TypeScript/Rust Architecture
The foundation enabling this shift is @push.rocks/smartrust, the bridge library that establishes IPC channels between TypeScript processes and compiled Rust binaries via stdio and Unix domain sockets. smartrust handles serialization, process lifecycle, and bidirectional message passing, letting any TypeScript module offload compute-intensive work to a Rust subprocess without abandoning its existing API surface.
@git.zone/tsrust complements this with zero-setup Rust toolchain management and cross-compilation. It detects the host platform, downloads the appropriate Rust toolchain on first run, and compiles Rust crates as part of the standard pnpm build pipeline. No manual rustup or cargo configuration required.
@git.zone/tsdeno launched in March as a new companion tool: a smart wrapper around deno compile that isolates package.json during compilation, preventing devDependencies from inflating binaries by hundreds of megabytes. It supports cross-compilation, config-based multi-target builds, and a programmatic API for CI/CD integration.
dcrouter: The All-In-One Datacenter Gateway
@serve.zone/dcrouter was the most actively developed project across both months. What started as an HTTP reverse proxy is now a unified infrastructure gateway consolidating seven protocol-level services into a single deployment.
HTTP/HTTPS with Automatic TLS -- TLS termination with automatic certificate provisioning via ACME, including Cloudflare DNS-01 challenges for wildcard certificates. Routing decisions are based on SNI and Host headers, supporting both termination and transparent passthrough for services that manage their own certificates.
HTTP/3 and QUIC -- A full QUIC listener alongside the TCP stack enables HTTP/3 for clients that support it. The QUIC implementation shares the same routing table as the HTTP/1.1 and HTTP/2 paths, so configuration is unified regardless of transport.
TCP/SNI Proxying -- Transparent TCP passthrough based on SNI extraction from the TLS ClientHello, for services that require end-to-end TLS without termination at the gateway.
Multi-Domain SMTP -- An integrated SMTP server (powered by smartmta) with per-domain routing, DKIM signing, SPF validation, and DMARC policy enforcement. Inbound mail is routed to backend services based on recipient domain, making dcrouter the MX entry point.
DNS Server (Rust-backed) -- An authoritative DNS responder implemented in Rust for packet parsing and response assembly, serving zone data configured through dcrouter's TypeScript API. Eliminates the need for a separate DNS daemon.
RADIUS Authentication -- Network device authentication via RADIUS supporting PAP, CHAP, MAC-based authentication, and VLAN assignment. This enables dcrouter to serve as the AAA backend for switches, access points, and VPN concentrators.
Remote Ingress -- A NAT traversal system allowing nodes behind firewalls to register with dcrouter edge instances and receive proxied traffic via persistent WebSocket or QUIC tunnels with PROXY protocol headers to preserve client IP information.
OpsServer Dashboard -- A built-in web UI exposing real-time connection counts, throughput graphs, certificate status, and per-route health checks.
The result is a single deployment that replaces nginx, postfix, bind, freeradius, and a reverse tunnel service.
smartproxy: Kernel-Level Forwarding and Unified Route Config
@push.rocks/smartproxy reached a major milestone in March with a complete routing overhaul and kernel-level packet forwarding.
Unified Route-Based Configuration -- All proxy behavior is now defined through a single route configuration system. Each route specifies match criteria (domain patterns, IP ranges, ports), the action (forward, terminate, redirect, block), and backend targets. This replaces the previous separate configuration for HTTP, TCP, and TLS modes.
NFTables Kernel-Level Forwarding -- For high-throughput passthrough routes, smartproxy can now install NFTables rules to forward packets entirely in kernel space, bypassing both the Rust and Node.js layers. The TypeScript API manages rule lifecycle while the actual forwarding happens at line rate in the kernel's netfilter subsystem.
Rust Networking Engine -- Connection acceptance, TLS handshake, protocol detection, and byte-level forwarding all run in Rust. The Rust engine communicates with TypeScript via socket-based IPC. For passthrough routes, bytes never touch the Node.js event loop. For terminated routes, the Rust layer handles TLS and forwards plaintext to the TypeScript-managed backend pool.
PROXY Protocol v1/v2 -- Both sending and receiving PROXY protocol headers, enabling smartproxy to sit behind or in front of other proxies while preserving original client addresses through the entire chain.
JWT Authentication -- Route-level JWT validation with configurable JWKS endpoints, claim-based routing decisions, and token refresh handling.
IP Filtering and Rate Limiting -- Per-route IP allowlists/denylists and token-bucket rate limiting, evaluated in the Rust layer before connections reach backend services.
Real-Time Metrics -- Per-connection byte counters and throughput sampling at configurable intervals, exposed via IPC and a Prometheus-compatible HTTP endpoint.
lossless.zone/objectstorage: Self-Hosted S3 in a Single Docker Image
lossless.zone launched as a new organization in March, debuting with objectstorage -- a fully-featured, self-hosted S3-compatible storage server with a web-based management interface packaged as a single Docker image.
Rust Storage Engine -- Built on @push.rocks/smartstorage, the storage layer uses hyper 1.x with streaming I/O, zero-copy data paths via sendfile(2), and optional Reed-Solomon erasure coding for distributed deployments.
SigV4 Authentication -- Full AWS Signature Version 4 request signing, making it compatible with any S3 client library, the AWS CLI, and tools like rclone or s3cmd.
IAM-Style Policy System -- Bucket-level access policies with principal-based permissions, enabling fine-grained access control for multi-tenant deployments.
Web Management UI -- A Finder-style column browser built with LitElement and dees-catalog components for navigating buckets and object hierarchies. Includes a built-in Monaco editor for editing text-based objects directly in the browser and a PDF viewer for document preview.
Deno Backend -- The management API and web UI are served by a Deno process that coordinates the Rust storage binary, handles authentication, and serves the SPA frontend.
stack.gallery/registry: Multi-Protocol Package Registry
@stack.gallery/registry shipped its initial production releases in March, implementing a multi-protocol package registry that supports:
- NPM -- Full registry compatibility including scoped packages, dist-tags, and
npm auditadvisory responses - OCI/Docker -- Container image push/pull with manifest list support for multi-arch images
- Maven -- Artifact repository for JVM packages
- Cargo -- Rust crate hosting with sparse index support
- PyPI -- Python package hosting with PEP 503 simple repository API
- Composer -- PHP package hosting
- RubyGems -- Ruby gem hosting
Upstream Proxying and Caching -- Each protocol endpoint can be configured to proxy upstream registries (e.g., npmjs.com, Docker Hub) with local caching, functioning as a pull-through cache that reduces external bandwidth and provides availability during upstream outages.
Authentication -- LDAP, OAuth 2.0, and OIDC integration with scoped API tokens for CI/CD pipelines.
Angular 19 Dashboard -- An embedded web UI for browsing packages, managing users, viewing audit logs, and configuring upstream mirrors.
Built on Deno with a modular protocol handler architecture.
smartstorage: Self-Healing and IAM Policies
@push.rocks/smartstorage reached its next major iteration in March, adding features that move it from a storage engine to a production-ready object storage platform:
Self-Healing Background Scanner -- A continuous background process verifies data integrity by checking object checksums against stored metadata. When corruption or missing shards are detected in erasure-coded deployments, the scanner automatically reconstructs the affected data from remaining shards and re-distributes repaired blocks across healthy nodes.
IAM Bucket Policies -- JSON-based access policies modeled after AWS IAM, supporting principal matching, action-level permissions (GetObject, PutObject, DeleteObject, ListBucket), resource-level scoping with wildcard patterns, and condition keys for IP-based restrictions.
Multipart Uploads -- S3-compatible multipart upload API for large objects, with configurable part sizes and parallel upload support. In-progress uploads are tracked with automatic cleanup of abandoned parts.
Range Requests -- HTTP Range header support for partial object retrieval, enabling video streaming, resumable downloads, and efficient random access to large files.
CORS Configuration -- Per-bucket CORS rules for browser-based direct uploads and downloads.
smartvpn: From Prototype to Deployment-Ready
@push.rocks/smartvpn matured rapidly in March, going from initial proof-of-concept to a feature-complete VPN system:
XChaCha20-Poly1305 Encryption -- All tunnel traffic uses XChaCha20-Poly1305 AEAD, chosen for its 192-bit nonce (eliminating nonce reuse concerns in long-lived tunnels) and constant-time performance without hardware AES support.
Noise NK Handshake -- Key exchange uses the Noise Protocol Framework's NK pattern, where the server's static public key is known to the client in advance, providing mutual authentication and forward secrecy in a single round-trip.
Dual Transport -- Tunnels run over WebSocket (for environments where only HTTPS egress is permitted) or native QUIC (for lower overhead and built-in connection migration). Transport is negotiated at handshake time.
QoS and Traffic Shaping -- March added traffic classification and prioritization within tunnels, ensuring interactive traffic (SSH, VoIP) isn't starved by bulk transfers.
Real-Time Telemetry -- Per-tunnel bandwidth, latency, and packet loss metrics exposed for monitoring integration.
remoteingress: Continued Hardening
@serve.zone/remoteingress saw heavy development in March with steady releases hardening the Rust-core NAT traversal system:
Dual Transport (TCP+TLS and QUIC) -- QUIC tunnels benefit from connection migration, so a node changing IP addresses (e.g., DHCP renewal) doesn't drop active connections.
PROXY Protocol v2 -- Injected when forwarding traffic from edge to origin so backends see the true client IP, not the tunnel endpoint.
STUN-Based IP Discovery -- Origin nodes use STUN to discover their public IP and NAT type, informing the edge node whether direct UDP connectivity is feasible or whether a relay fallback is needed.
Three-Tier QoS -- Traffic classified into priority tiers (control plane, interactive, bulk) with weighted fair queuing to prevent starvation.
onebox: Single-Server Hosting Platform
@serve.zone/onebox saw intensive development in March, rapidly iterating on the single-server hosting platform that bundles dcrouter's gateway capabilities into a turnkey deployment for smaller infrastructure. Onebox packages HTTP/HTTPS routing, automatic TLS, email handling, and DNS into a single managed service that can be deployed on a single VPS or bare-metal host.
smartmta: Rust Networking for Email
@push.rocks/smartmta added a Rust-implemented SMTP transport layer beneath its existing TypeScript mail processing pipeline:
- Connection handling -- TCP accept, STARTTLS upgrade, and SMTP command parsing run in Rust using tokio, handling thousands of concurrent SMTP sessions without blocking the TypeScript event loop
- DKIM signing -- RSA and Ed25519 DKIM signatures are computed in Rust for throughput-sensitive outbound queues
- SPF and DMARC -- Policy evaluation runs in TypeScript where complex decision logic (alignment modes, reporting) benefits from higher-level abstractions, while DNS lookups for SPF records are dispatched through the Rust DNS resolver
smartvm: Firecracker MicroVM Management
@push.rocks/smartvm wraps Amazon's Firecracker VMM with a typed TypeScript API for microVM lifecycle management:
- Configure guest vCPU count, memory, and kernel boot parameters
- Attach block devices and network interfaces with TAP backend configuration
- Start, pause, snapshot, and resume VMs programmatically
- Retrieve VM metadata and resource utilization via the Firecracker API socket
This provides the foundation for serve.zone's sandbox infrastructure, where untrusted workloads run in isolated microVMs rather than containers.
dees-catalog-geo: Voice-Guided Navigation in Web Components
@design.estate/dees-catalog-geo shipped features that push what's expected from a Web Component:
Traffic Visualization -- Integration with the HERE Traffic API overlays real-time traffic flow data on the map canvas, with color-coded segments for congestion severity.
Voice-Guided Turn-by-Turn Navigation -- Using the Web Speech API's SpeechSynthesis interface, the component announces upcoming turns, lane guidance, and route recalculations. Navigation state is managed internally, tracking the user's position against the route polyline and triggering voice prompts at calculated distances before each maneuver.
OSRM Routing -- Route calculation uses the Open Source Routing Machine, supporting car, bicycle, and pedestrian profiles with alternative route generation.
Mock GPS Simulator -- A development tool that replays GPX traces or generates synthetic position updates along a route, enabling developers to test navigation UX without leaving their desk.
dees-catalog: Component Library Evolution
@design.estate/dees-catalog and @design.estate/dees-element both shipped updates in March. dees-catalog, the LitElement-based Web Component library, continued expanding its component set -- these components power the UIs across lossless.zone/objectstorage, stack.gallery/registry, and the dcrouter OpsServer dashboard.
Additional Infrastructure
@push.rocks/smartacme -- The ACME client gained improvements in March, supporting the Cloudflare DNS-01 challenge flow used by dcrouter for wildcard certificate provisioning.
@push.rocks/smartradius -- Full RADIUS server and client implementation supporting PAP, CHAP, accounting start/stop/interim-update messages, MAC-based authentication, VLAN assignment, and vendor-specific attribute encoding for network equipment integration.
@push.rocks/smartagent -- Reached a new major version in March, providing an agentic AI framework built on the Vercel AI SDK for building autonomous agent workflows.
@push.rocks/taskbuffer -- Reached a new major version in March, overhauling the flexible TypeScript task management library used across the ecosystem for job scheduling, buffered execution, and dependency graphs.
@apiclient.xyz/unifi -- A typed TypeScript client covering the UniFi Controller API: device adoption, port profile management, client blocking, firmware upgrades, camera motion event subscriptions, and door access control.
@serve.zone/spark -- The Deno-powered systemd service for node lifecycle management. Features Docker secret injection (mounting secrets as tmpfs volumes into containers), self-update with rollback on health check failure, and cron-style task scheduling.
@push.rocks/smartsecret -- Unified secret storage with platform-specific backends: macOS Keychain via the Security framework, Linux Secret Service over D-Bus, and a fallback encrypted file vault using AES-256-GCM with a key derived via Argon2id.
What's Next
- serve.zone/containerarchive (backup and restore for container-based services)
- serve.zone/edgedevicehub (edge device control and management) -- signaling the next areas of infrastructure development.
The Rust-hybrid architecture is no longer experimental. With dcrouter running HTTP, SMTP, DNS, RADIUS, and edge networking in a single gateway, smartproxy forwarding packets at kernel level via NFTables, smartstorage providing erasure-coded object storage with self-healing, smartvpn encrypting tunnels with modern cryptographic primitives, and lossless.zone/objectstorage packaging it all into a single Docker image with a web UI -- the stack is production-ready. The focus now shifts from building the primitives to operating them at scale.
Questions? Ask them at https://community.foss.global/