v13.19.0

.dockerignore

@@ -1 +1,7 @@
 node_modules/
+.nogit/
+.git/
+.playwright-mcp/
+.vscode/
+test/
+test_watch/

.vscode/settings.json

@@ -1,7 +1,7 @@
 {
   "json.schemas": [
     {
-      "fileMatch": ["/npmextra.json"],
+      "fileMatch": ["/.smartconfig.json"],
       "schema": {
         "type": "object",
         "properties": {

AGENTS.md

@@ -0,0 +1,17 @@
+# Agent Instructions for dcrouter
+
+## Database & Migrations
+
+### Collection Names
+smartdata uses the **exact class name** as the MongoDB collection name. No lowercasing.
+- `StoredRouteDoc` → collection `StoredRouteDoc`
+- `TargetProfileDoc` → collection `TargetProfileDoc`
+- `RouteDoc` → collection `RouteDoc`
+
+When writing migrations in `ts_migrations/index.ts`, use the exact class name casing in `ctx.mongo!.collection('ClassName')` and `db.listCollections({ name: 'ClassName' })`.
+
+### Migration Rules
+- All DB schema migrations go EXCLUSIVELY in `ts_migrations/index.ts` as smartmigration steps.
+- NEVER put migration logic in application code (services, managers, startup hooks).
+- Migration step `.to()` version must match the release version so smartmigration can plan the step.
+- Steps must be idempotent — smartmigration may re-run them in skip-forward resume mode.

Dockerfile

@@ -18,9 +18,17 @@ WORKDIR /app
 COPY --from=build /app /app
 
 ENV DCROUTER_MODE=OCI_CONTAINER
+ENV DCROUTER_HEAP_SIZE=512
+ENV UV_THREADPOOL_SIZE=16
 
 RUN pnpm install -g @servezone/healthy
-HEALTHCHECK --interval=30s --timeout=30s --start-period=30s --retries=3 CMD [ "healthy" ]
+HEALTHCHECK --interval=30s --timeout=10s --start-period=120s --retries=3 CMD [ "healthy" ]
 
-EXPOSE 80
-CMD ["npm", "start"]
+LABEL org.opencontainers.image.title="dcrouter" \
+      org.opencontainers.image.description="Multi-service datacenter gateway" \
+      org.opencontainers.image.source="https://code.foss.global/serve.zone/dcrouter"
+
+# HTTP/HTTPS, SMTP/Submission/SMTPS, DNS, RADIUS, OpsServer, RemoteIngress, dynamic range
+EXPOSE 80 443 25 587 465 53/tcp 53/udp 1812/udp 1813/udp 3000 8443 29000-30000
+
+CMD ["sh", "-c", "node --max_old_space_size=${DCROUTER_HEAP_SIZE} ./cli.js"]

changelog.md

@@ -1,5 +1,861 @@
 # Changelog
 
+## 2026-04-15 - 13.19.0 - feat(routes,email)
+persist system DNS routes with runtime hydration and add reusable email ops DNS helpers
+
+- Persist seeded DNS-over-HTTPS routes with stable system keys and hydrate socket handlers at runtime instead of treating them as runtime-only routes
+- Restrict system-managed routes to toggle-only operations across the route manager, Ops API, and web UI while returning explicit mutation errors
+- Add a shared email DNS record builder and cover email queue operations and handler behavior with new tests
+
+## 2026-04-14 - 13.18.0 - feat(email)
+add persistent smartmta storage and runtime-managed email domain syncing
+
+- replace the email storage shim with a filesystem-backed SmartMtaStorageManager for DKIM and queue persistence
+- sync managed email domains from the database into runtime email config and update the active email server on create, update, delete, and restart
+- switch email queue, metrics, ops, and DNS integrations to smartmta public APIs including persisted queue stats and DKIM record generation
+
+## 2026-04-14 - 13.17.9 - fix(monitoring)
+align domain activity metrics with id-keyed route data
+
+- Use route id as a fallback canonical key when matching route metrics to configured domains in MetricsManager.
+- Add a regression test covering domain activity aggregation for routes identified only by id.
+- Update the network activity UI to show formatted total connection counts in the active connections card.
+- Bump @push.rocks/smartproxy from ^27.7.3 to ^27.7.4.
+
+## 2026-04-14 - 13.17.8 - fix(opsserver)
+align certificate status handling with the updated smartproxy response format
+
+- update opsserver certificate lookup to read expiresAt, source, and isValid from smartproxy responses
+- bump @push.rocks/smartproxy to ^27.7.3
+- enable verbose output for the test script
+
+## 2026-04-14 - 13.17.7 - fix(repo)
+no changes to commit
+
+
+## 2026-04-14 - 13.17.6 - fix(dns,routes)
+keep DoH socket-handler routes runtime-only and prune stale persisted entries
+
+- stops persisting generated DNS-over-HTTPS routes that depend on live socket handlers
+- removes stale persisted runtime-only DoH routes from RouteDoc during startup
+- applies runtime DNS routes alongside DB-backed routes through RouteConfigManager
+- updates DnsManager warning to clarify that dnsNsDomains is still required for nameserver and DoH bootstrap
+- adds tests covering runtime DoH route application, stale route pruning, and updated DNS warning behavior
+
+## 2026-04-13 - 13.17.5 - fix(vpn,target-profiles)
+normalize target profile route references and stabilize VPN host-IP client routing behavior
+
+- Normalize legacy target profile route name references to route IDs, reject ambiguous names, and display labeled route references in the UI.
+- Skip wildcard VPN domains when generating WireGuard AllowedIPs and log a deduplicated warning instead of attempting DNS resolution.
+- Normalize persisted VPN client host-IP settings, include routing fields in runtime updates, and restart in hybrid mode when a host-IP client requires it.
+- Add a repair migration for previously missed TargetProfile target host-to-ip document updates.
+
+## 2026-04-13 - 13.17.3 - fix(ops-view-routes)
+sync route filter toggle selection via component changeSubject
+
+- Replaces the inline change handler on the route filter toggle with a subscription to the component's changeSubject in firstUpdated.
+- Ensures switching between user and system routes updates the view reliably and is cleaned up through existing rxSubscriptions management.
+
+## 2026-04-13 - 13.17.2 - fix(monitoring)
+exclude unconfigured routes from domain activity aggregation
+
+- Removes fallback aggregation that reported routes without domain configuration as synthetic domain entries based on route names
+- Keeps domain activity focused on configured domain mappings when splitting connection and throughput metrics
+
+## 2026-04-13 - 13.17.1 - fix(monitoring)
+stop allocating route metrics to domains when no request data exists
+
+- Removes the equal-split fallback for shared routes in MetricsManager.
+- Sets the proportional share to zero when a route has no recorded requests, avoiding inflated per-domain connection and throughput totals.
+
+## 2026-04-13 - 13.17.0 - feat(monitoring,network-ui,routes)
+add request-based domain activity metrics and split routes into user and system views
+
+- Domain activity now includes per-domain request counts and distributes route throughput and connections using request-level metrics instead of equal route sharing.
+- Network activity UI displays request counts and updates the domain activity description to reflect request-level aggregation.
+- Routes UI adds a toggle to filter between user-created and system-generated routes, updates summary card labels, and adjusts empty states accordingly.
+
+## 2026-04-13 - 13.16.2 - fix(deps)
+bump @push.rocks/smartproxy to ^27.6.0
+
+- updates @push.rocks/smartproxy from ^27.5.0 to ^27.6.0 in package.json
+
+## 2026-04-13 - 13.16.1 - fix(migrations)
+use exact smartdata collection names in route unification migration
+
+- Update the 13.16.0 migration to rename StoredRouteDoc to RouteDoc using case-sensitive collection names
+- Apply the origin backfill against the RouteDoc collection and drop RouteOverrideDoc with matching class-name casing
+- Clarify migration description and comments to reflect smartdata's exact class-name collection mapping
+
+## 2026-04-13 - 13.16.0 - feat(routes)
+unify route storage and management across config, email, dns, and API origins
+
+- Persist config-, email-, and dns-seeded routes in the database alongside API-created routes using a single RouteDoc model with origin tracking
+- Remove hardcoded-route override handling in favor of direct route CRUD and toggle operations by route id across the API client, handlers, and web UI
+- Add a migration that renames stored route storage, sets migrated routes to origin="api", and drops obsolete route override data
+
+## 2026-04-13 - 13.15.1 - fix(monitoring)
+improve domain activity aggregation for multi-domain and wildcard routes
+
+- map route metrics across all configured domains instead of only the first domain
+- resolve wildcard domain patterns against active protocol cache entries
+- distribute shared route traffic across matched domains and preserve fallback reporting for routes without domain configuration
+
+## 2026-04-13 - 13.15.0 - feat(stats)
+add typed network stats response fields for bandwidth, domain activity, and protocol distribution
+
+- extends the network stats request interface with top IP bandwidth, domain activity, and frontend/backend protocol distribution data
+- updates app state to use a typed getNetworkStats request instead of casting the response to any
+
+## 2026-04-13 - 13.14.0 - feat(network)
+add bandwidth-ranked IP and domain activity metrics to network monitoring
+
+- Expose top IPs by bandwidth and aggregated domain activity from route metrics.
+- Replace estimated per-connection values with real per-IP throughput data in ops handlers and stats responses.
+- Update the network UI to show bandwidth-ranked IPs and domain activity while removing the recent request table.
+
+## 2026-04-13 - 13.13.0 - feat(dns)
+add domain migration between dcrouter and provider-managed DNS with unified ACME managed-domain handling
+
+- adds domain migration support in DnsManager, API handlers, request interfaces, app state, and domains UI
+- routes ACME DNS-01 challenges through managed domains using createRecord/deleteRecord for both dcrouter-hosted and provider-managed zones
+- enables immediate unregister of deleted dcrouter-hosted DNS records from the embedded DNS server
+
+## 2026-04-12 - 13.12.0 - feat(email-domains)
+support creating email domains on optional subdomains
+
+- Add optional subdomain support to email domain creation, persistence, and API interfaces.
+- Update the ops UI to collect and submit a subdomain prefix when creating an email domain.
+- Bump @design.estate/dees-catalog from ^3.78.0 to ^3.78.2.
+
+## 2026-04-12 - 13.11.0 - feat(email-domains)
+add email domain management with DNS provisioning, validation, and ops dashboard support
+
+- Introduce EmailDomainManager with persisted email domain records, DKIM configuration, DNS record generation, provisioning, and validation.
+- Add opsserver typed request handlers and shared interfaces for listing, creating, updating, deleting, validating, and provisioning email domains.
+- Add ops dashboard email domains view and app state integration for managing domains and inspecting required DNS records.
+
+## 2026-04-12 - 13.10.0 - feat(web-ui)
+standardize settings views for ACME and email security panels
+
+- replace custom ACME settings layouts with the reusable dees-settings component for configured and empty states
+- update the email security view to present settings through dees-settings and open a modal-based read-only edit dialog
+- bump @design.estate/dees-catalog to ^3.78.0 to support the updated UI components
+
+## 2026-04-12 - 13.9.2 - fix(web-ui)
+improve form field descriptions and align certificate settings with tile components
+
+- Refines labels and adds descriptive helper text across API token, DNS, domain, route, edge, target profile, and VPN forms for clearer operator input
+- Updates the DNS provider form to surface provider and credential guidance through built-in input metadata instead of custom help blocks
+- Restyles the certificates ACME settings section to use tile-based layout and improves related form wording and file upload metadata
+- Refreshes the Cloudflare DNS provider description and bumps UI-related dependencies
+
+## 2026-04-08 - 13.9.1 - fix(network-ui)
+enable flashing table updates for network activity, remote ingress, and VPN views
+
+- adds stable row keys to dees-table instances so existing rows can be diffed correctly
+- enables flash highlighting for changed rows and cells across network activity, top IPs, backends, remote ingress edges, and VPN clients
+- updates network activity request data on every refresh so live metrics like duration and byte counts visibly refresh
+
+## 2026-04-08 - 13.9.0 - feat(dns)
+add built-in dcrouter DNS provider support and rename manual domains to dcrouter-hosted/local
+
+- Expose a synthetic built-in "DcRouter" provider in provider listings and block create, edit, delete, test, and external domain listing operations for it
+- Rename domain and record source semantics from "manual" to "dcrouter" and "local" across backend, interfaces, and UI
+- Add database migrations to convert existing DomainDoc.source and DnsRecordDoc.source values to the new naming
+- Update domain creation flows and provider UI labels to reflect dcrouter-hosted authoritative domains
+
+## 2026-04-08 - 13.8.0 - feat(acme)
+add DB-backed ACME configuration management and OpsServer certificate settings UI
+
+- introduces a singleton AcmeConfig manager and document persisted in the database, with first-boot seeding from legacy tls.contactEmail and smartProxyConfig.acme options
+- updates SmartProxy startup to read live ACME settings from the database and only enable DNS-01 challenge wiring when ACME is configured and enabled
+- adds authenticated OpsServer typed request endpoints and API token scopes for reading and updating ACME configuration
+- adds web app state and a certificates view card/modal for viewing and editing ACME settings from the Domains certificate UI
+
+## 2026-04-08 - 13.7.1 - fix(repo)
+no changes to commit
+
+
+## 2026-04-08 - 13.7.0 - feat(dns-providers)
+add provider-agnostic DNS provider form metadata and reusable UI for create/edit flows
+
+- Introduce shared DNS provider type descriptors and credential field metadata to drive provider forms dynamically.
+- Add a reusable dns-provider-form component and update provider create/edit dialogs to use typed provider selection and credential handling.
+- Remove Cloudflare-specific ACME helper exposure and clarify provider-agnostic DNS manager and factory documentation for future provider implementations.
+
+## 2026-04-08 - 13.6.0 - feat(dns)
+add db-backed DNS provider, domain, and record management with ops UI support
+
+- introduce DnsManager-backed persistence for DNS providers, domains, and records with Cloudflare provider support
+- replace constructor-based ACME DNS challenge configuration with provider records stored in the database
+- add opsserver typed request handlers and API token scopes for managing DNS providers, domains, and records
+- add a new Domains section in the ops UI for providers, domains, DNS records, and certificates
+
+## 2026-04-08 - 13.5.0 - feat(opsserver-access)
+add admin user listing to the access dashboard
+
+- register a new admin-only typed request endpoint to list users with id, username, and role while excluding passwords
+- add users state management and a dedicated access dashboard view for browsing OpsServer user accounts
+- update access routing to include the new users subview and improve related table filtering and section headings
+
+## 2026-04-08 - 13.4.2 - fix(repo)
+no changes to commit
+
+
+## 2026-04-08 - 13.4.1 - fix(repo)
+no changes to commit
+
+
+## 2026-04-08 - 13.4.0 - feat(web-ui)
+reorganize dashboard views into grouped navigation with new email, access, and network subviews
+
+- Restructures the ops dashboard and router to use grouped top-level sections with subviews for overview, network, email, access, and security.
+- Adds dedicated Email Security and API Tokens views and exposes Remote Ingress and VPN under Network subnavigation.
+- Updates refresh and initial view handling to work with nested subviews, including remote ingress and VPN refresh behavior.
+- Moves overview, configuration, email, API token, and remote ingress components into feature directories and standardizes shared view styling.
+
+## 2026-04-08 - 13.3.0 - feat(web-ui)
+reorganize network and security views into tabbed subviews with route-aware navigation
+
+- add URL-based subview support in app state and router for network and security sections
+- group routes, source profiles, network targets, and target profiles under the network view with tab navigation
+- split security into dedicated overview, blocked IPs, authentication, and email security subviews
+- update configuration navigation to deep-link directly to the network routes subview
+
+## 2026-04-08 - 13.2.2 - fix(project)
+no changes to commit
+
+
+## 2026-04-08 - 13.2.1 - fix(project)
+no changes to commit
+
+
+## 2026-04-08 - 13.2.0 - feat(ops-ui)
+add column filters to operations tables across admin views
+
+- Enable table column filters for API tokens, certificates, network requests, top IPs, backends, network targets, remote ingress edges, security views, source profiles, target profiles, and VPN clients.
+- Improves filtering and exploration of operational data throughout the admin interface without changing backend behavior.
+
+## 2026-04-08 - 13.1.3 - fix(certificate-handler)
+preserve wildcard coverage during forced certificate renewals and propagate renewed certs to sibling domains
+
+- add deriveCertDomainName helper to match shared ACME certificate identities across wildcard and subdomain routes
+- pass includeWildcard when force-renewing certificates so renewed certs keep wildcard SAN coverage for sibling subdomains
+- persist renewed certificate data to all sibling route domains that share the same cert identity and clear cached certificate status entries
+- add regression tests for certificate domain derivation and force-renew wildcard handling
+
+## 2026-04-07 - 13.1.2 - fix(deps)
+bump @serve.zone/catalog to ^2.12.3
+
+- Updates @serve.zone/catalog from ^2.12.0 to ^2.12.3 in package.json
+
+## 2026-04-07 - 13.1.1 - fix(deps)
+bump catalog-related dependencies to newer patch and minor releases
+
+- update @design.estate/dees-catalog from ^3.66.0 to ^3.67.1
+- update @serve.zone/catalog from ^2.11.2 to ^2.12.0
+
+## 2026-04-07 - 13.1.0 - feat(vpn,target-profiles,migrations)
+add startup data migrations, support scoped VPN route allow entries, and rename target profile hosts to ips
+
+- runs smartmigration at startup before configuration is loaded and adds a migration for target profile targets from host to ip
+- changes VPN client routing to always force traffic through SmartProxy while allowing direct target bypasses from target profiles
+- supports domain-scoped VPN ipAllowList entries for vpnOnly routes based on matching target profile domains
+- updates certificate reprovisioning to reapply routes so renewed certificates are loaded into the running proxy
+- removes the forceDestinationSmartproxy VPN client option from API, persistence, manager, and web UI
+
+## 2026-04-06 - 13.0.11 - fix(routing)
+serialize route updates and correct VPN-gated route application
+
+- RouteConfigManager now serializes concurrent applyRoutes calls to prevent overlapping SmartProxy updates and stale route overwrites.
+- VPN-only routes deny access until VPN state is ready, then re-apply routes after VPN clients load or change to refresh ipAllowLists safely.
+- Certificate provisioning retries now go through RouteConfigManager when available so the full merged route set is reapplied consistently.
+- Reference resolution now expands network targets with multiple hosts into multiple route targets.
+- Adds rollback when VPN client persistence fails, enforces unique target profile names, and fixes maxConnections parsing in the source profiles UI.
+
+## 2026-04-06 - 13.0.10 - fix(repo)
+no changes to commit
+
+
+## 2026-04-06 - 13.0.9 - fix(repo)
+no changes to commit
+
+
+## 2026-04-06 - 13.0.8 - fix(ops-view-vpn)
+show target profile names in VPN forms and load profile candidates for autocomplete
+
+- fetch target profiles when the VPN operations view connects so profile data is available in the UI
+- replace comma-separated target profile ID inputs with a restricted autocomplete list based on available target profiles
+- map stored target profile IDs to profile names for table and detail displays, while resolving selected names back to IDs on save
+
+## 2026-04-06 - 13.0.7 - fix(vpn,target-profiles)
+refresh VPN client security when target profiles change and include profile target IPs in direct destination allow-lists
+
+- Adds direct target IP resolution from target profiles so forced SmartProxy clients can bypass rewriting for explicit profile targets.
+- Refreshes running VPN client security policies after target profile updates or deletions to keep destination access rules in sync.
+
+## 2026-04-05 - 13.0.6 - fix(certificates)
+resolve base-domain certificate lookups and route profile list inputs
+
+- Look up ACME certificate metadata by base domain first, with fallback to the exact domain, so subdomain certificate status and deletion work reliably.
+- Trigger certificate reprovisioning through SmartProxy routes and clear cached status before refresh, including force-renew cache invalidation handling.
+- Replace comma-separated target profile form fields with list inputs and route suggestions for domains, targets, and route references.
+
+## 2026-04-05 - 13.0.5 - fix(ts_web)
+replace custom section heading component with dees-heading across ops views
+
+- updates all operations dashboard views to use <dees-heading level="2"> for section titles
+- removes the unused shared ops-sectionheading component export and source file
+- bumps UI and data layer dependencies to compatible patch/minor releases
+
+## 2026-04-05 - 13.0.4 - fix(deps)
+bump @push.rocks/smartdata and @push.rocks/smartdb to the latest patch releases
+
+- Updates @push.rocks/smartdata from ^7.1.4 to ^7.1.5
+- Updates @push.rocks/smartdb from ^2.5.2 to ^2.5.4
+
+## 2026-04-05 - 13.0.3 - fix(deps)
+bump @push.rocks/smartdb to ^2.5.2
+
+- Updates @push.rocks/smartdb from ^2.5.1 to ^2.5.2 in package.json.
+
+## 2026-04-05 - 13.0.2 - fix(deps)
+bump smartdata, smartdb, and catalog dependencies
+
+- updates @push.rocks/smartdata from ^7.1.3 to ^7.1.4
+- updates @push.rocks/smartdb from ^2.4.1 to ^2.5.1
+- updates @serve.zone/catalog from ^2.11.1 to ^2.11.2
+
+## 2026-04-05 - 13.0.1 - fix(deps)
+bump @design.estate/dees-catalog and @push.rocks/smartdb dependencies
+
+- updates @design.estate/dees-catalog from ^3.55.6 to ^3.59.1
+- updates @push.rocks/smartdb from ^2.3.1 to ^2.4.1
+
+## 2026-04-05 - 13.0.0 - BREAKING CHANGE(vpn)
+replace tag-based VPN access control with source and target profiles
+
+- Renames Security Profiles to Source Profiles across APIs, persistence, route metadata, tests, and UI.
+- Adds TargetProfile management, storage, API handlers, and dashboard views to define VPN-accessible domains, targets, and route references.
+- Replaces route-level vpn configuration with vpnOnly and switches VPN clients from serverDefinedClientTags to targetProfileIds for access resolution.
+- Updates route application and VPN AllowedIPs generation to derive client access from matching target profiles instead of tags.
+
+## 2026-04-04 - 12.10.0 - feat(routes)
+add TLS configuration controls for route create and edit flows
+
+- Adds TLS mode and certificate selection to the route create and edit dialogs, including support for custom PEM key/certificate input.
+- Allows route updates to explicitly remove nested TLS settings by treating null action properties as deletions during route patch merging.
+- Bumps @design.estate/dees-catalog to ^3.55.6 and @serve.zone/catalog to ^2.11.1.
+
+## 2026-04-04 - 12.9.4 - fix(deps)
+bump @push.rocks/smartdb to ^2.3.1
+
+- updates the @push.rocks/smartdb dependency from ^2.1.1 to ^2.3.1
+
+## 2026-04-04 - 12.9.3 - fix(route-management)
+include stored VPN routes in domain resolution and align programmatic route types with dcrouter configs
+
+- Scans enabled stored/programmatic routes for VPN domain matches when resolving client access domains.
+- Replaces generic smartproxy route typings with IDcRouterRouteConfig across route management and stored route models.
+- Updates @push.rocks/smartproxy to ^27.4.0.
+
+## 2026-04-04 - 12.9.2 - fix(config-ui)
+handle missing HTTP/3 config safely and standardize overview section headings
+
+- Prevents route augmentation logic from failing when HTTP/3 configuration is undefined by using optional chaining.
+- Updates the operations overview to use dees-heading components for activity, email, DNS, RADIUS, and VPN section headings.
+- Bumps @push.rocks/smartproxy from ^27.2.0 to ^27.3.1.
+
+## 2026-04-04 - 12.9.1 - fix(monitoring)
+update SmartProxy and use direct connection protocol metrics access
+
+- bump @push.rocks/smartproxy from ^27.1.0 to ^27.2.0
+- replace fallback any-based access with direct frontend and backend protocol metric calls in MetricsManager
+
+## 2026-04-04 - 12.9.0 - feat(monitoring)
+add frontend and backend protocol distribution metrics to network stats
+
+- Expose frontend and backend protocol distribution data in monitoring metrics, stats responses, and shared interfaces.
+- Render protocol distribution donut charts in the ops network view using the new stats fields.
+- Preserve existing stored certificate IDs when updating certificate records by domain.
+- Bump @design.estate/dees-catalog to ^3.55.5 for the new chart component support.
+
+## 2026-04-04 - 12.8.1 - fix(ops-view-routes)
+correct route form dropdown selection handling for security profiles and network targets
+
+- Update route edit and create forms to use selectedOption for dropdowns backed by the newer dees-catalog version
+- Normalize submitted dropdown values to extract option keys before storing securityProfileRef and networkTargetRef
+- Refresh documentation to reflect expanded stats coverage for network, RADIUS, and VPN metrics
+
+## 2026-04-03 - 12.8.0 - feat(certificates)
+add force renew option for domain certificate reprovisioning
+
+- pass an optional forceRenew flag through certificate reprovision requests from the UI to the ops handler
+- use smartacme forceRenew support and return renewal-specific success messages
+- update the SmartAcme dependency to version ^9.4.0
+
+## 2026-04-03 - 12.7.0 - feat(opsserver)
+add RADIUS and VPN metrics to combined ops stats and overview dashboards, and stream live log buffer entries in follow mode
+
+- Expose RADIUS and VPN sections in the combined stats API and shared TypeScript interfaces
+- Populate frontend app state and overview tiles with RADIUS authentication, session, traffic, and VPN client metrics
+- Replace simulated follow-mode log events with real log buffer tailing and timestamp-based incremental streaming
+- Use commit metadata for reported server version instead of a hardcoded value
+
+## 2026-04-03 - 12.6.6 - fix(deps)
+bump @design.estate/dees-catalog to ^3.52.3
+
+- Updates @design.estate/dees-catalog from ^3.52.2 to ^3.52.3 in package.json
+
+## 2026-04-03 - 12.6.5 - fix(deps)
+bump @design.estate/dees-catalog to ^3.52.2
+
+- Updates the @design.estate/dees-catalog dependency from ^3.52.0 to ^3.52.2 in package.json.
+
+## 2026-04-03 - 12.6.4 - fix(deps)
+bump @design.estate/dees-catalog to ^3.52.0
+
+- Updates the @design.estate/dees-catalog dependency from ^3.51.2 to ^3.52.0 in package.json.
+
+## 2026-04-03 - 12.6.3 - fix(deps)
+bump @types/node and @design.estate/dees-catalog patch versions
+
+- updates @types/node from ^25.5.1 to ^25.5.2
+- updates @design.estate/dees-catalog from ^3.51.1 to ^3.51.2
+
+## 2026-04-03 - 12.6.2 - fix(deps)
+bump @design.estate/dees-catalog to ^3.51.1
+
+- Updates @design.estate/dees-catalog from ^3.51.0 to ^3.51.1 in package.json
+
+## 2026-04-03 - 12.6.1 - fix(repo)
+no changes to commit
+
+
+## 2026-04-03 - 12.6.0 - feat(certificates)
+add confirmation before force renewing valid certificates from the certificate actions menu
+
+- Expose the Reprovision action in the certificate context menu
+- Prompt for confirmation when reprovisioning a certificate that is still valid
+- Update dees-catalog and @types/node dependencies
+
+## 2026-04-03 - 12.5.2 - fix(repo)
+no changes to commit
+
+
+## 2026-04-03 - 12.5.1 - fix(ops-view-network)
+centralize traffic chart timing constants for consistent rolling window updates
+
+- Defines shared constants for the chart window, update interval, and maximum buffered data points
+- Replaces hardcoded traffic history sizes and timer intervals with derived values across initialization, history loading, and live updates
+- Keeps the chart rolling window configuration aligned with the in-memory traffic buffer
+
+## 2026-04-02 - 12.5.0 - feat(ops-view-routes)
+add priority support and list-based domain editing for routes
+
+- Adds a priority field to route create and edit forms so route matching order can be configured.
+- Replaces comma-separated domain text input with a list-based domain editor and updates form handling to persist domains as arrays.
+
+## 2026-04-02 - 12.4.0 - feat(routes)
+add route edit and delete actions to the ops routes view
+
+- introduces an update route action in web app state and refreshes merged routes after changes
+- adds edit and delete handlers with modal-based confirmation and route form inputs for programmatic routes
+- enables realtime chart window configuration in network and overview dashboards
+- bumps @serve.zone/catalog to ^2.11.0
+
+## 2026-04-02 - 12.3.0 - feat(docs,ops-dashboard)
+document unified database and reusable security profile and network target management
+
+- Update project and interface documentation to replace separate storage/cache configuration with a unified database model
+- Document new security profile and network target APIs, data models, and dashboard capabilities
+- Add a global dashboard warning when the database is disabled so unavailable management features are clearly indicated
+- Bump @design.estate/dees-catalog and @serve.zone/catalog to support the updated dashboard experience
+
+## 2026-04-02 - 12.2.6 - fix(ops-ui)
+improve operations table actions and modal form handling for profiles and network targets
+
+- adds section headings for the Security Profiles and Network Targets views
+- updates edit and delete actions to support in-row table actions in addition to context menus
+- makes create and edit dialogs query forms safely from modal content and adds early returns when forms are unavailable
+- enables the database configuration in the development watch server
+
+## 2026-04-02 - 12.2.5 - fix(dcrouter)
+sync allowed tunnel edges when merged routes change
+
+- Triggers tunnelManager.syncAllowedEdges() after route updates are applied
+- Keeps derived ports in the Rust hub binary aligned with merged route changes
+
+## 2026-04-02 - 12.2.4 - fix(routes)
+support profile and target metadata in route creation and refresh remote ingress routes after config initialization
+
+- Re-applies routes to the remote ingress manager after config managers finish to avoid missing DB-backed routes during initialization
+- Fetches profiles and targets when opening or authenticating into the routes view so route creation dropdowns are populated
+- Includes selected security profile and network target metadata when creating programmatic routes and displays that metadata in route details
+- Improves security profile forms by switching IP allow/block lists to list inputs instead of comma-separated text fields
+- Updates UI dependencies including smartdb, dees-catalog, and serve.zone catalog
+
+## 2026-04-02 - 12.2.3 - fix(repo)
+no changes to commit
+
+
+## 2026-04-02 - 12.2.2 - fix(route-config)
+sync applied routes to remote ingress manager after route updates
+
+- add an optional route-applied callback to RouteConfigManager
+- forward merged SmartProxy routes to RemoteIngressManager whenever routes are updated
+
+## 2026-04-02 - 12.2.1 - fix(web-ui)
+align dees-table props and action handlers in security profile and network target views
+
+- replace deprecated table heading prop with heading1 and heading2 in both admin views
+- rename table action callbacks from action to actionFunc for create, refresh, edit, and delete actions
+
+## 2026-04-02 - 12.2.0 - feat(config)
+add reusable security profiles and network targets with route reference resolution
+
+- introduces persisted security profile and network target models plus typed OpsServer CRUD and usage endpoints
+- adds route metadata support so routes can reference profiles and targets and be re-resolved after updates
+- supports optional seeding of default profiles and targets when the database is empty
+- adds dashboard views and state management for managing security profiles and network targets
+- includes tests for reference resolver behavior and API fallback/auth handling
+
+## 2026-04-01 - 12.1.0 - feat(vpn)
+add per-client routing controls and bridge forwarding support for VPN clients
+
+- adds persisted per-client VPN settings for SmartProxy enforcement, destination allow/block lists, host IP assignment, DHCP/static IP selection, and VLAN options
+- passes new VPN routing and bridge configuration through request handlers, app state, and the ops UI for creating, editing, and viewing clients
+- supports bridge and hybrid forwarding modes in the VPN manager, including auto-upgrading to hybrid when clients request host IP access
+- updates smartvpn and dees-catalog dependencies to support the new VPN forwarding capabilities
+
+## 2026-03-31 - 12.0.0 - BREAKING CHANGE(db)
+replace StorageManager and CacheDb with a unified smartdata-backed database layer
+
+- introduces DcRouterDb with embedded LocalSmartDb or external MongoDB support via dbConfig
+- migrates persisted routes, API tokens, VPN data, certificates, remote ingress, VLAN mappings, RADIUS accounting, and cache records to smartdata document classes
+- removes StorageManager and CacheDb modules and renames configuration from cacheConfig to dbConfig
+- updates certificate, security, remote ingress, VPN, and RADIUS components to read and write through document models
+
+## 2026-03-31 - 11.23.5 - fix(config)
+correct VPN mandatory flag default handling in route config manager
+
+- Changes the VPN mandatory check so it only applies when explicitly set to true, matching the updated default behavior of false.
+- Prevents routes from being treated as VPN-mandatory when the setting is omitted.
+
+## 2026-03-31 - 11.23.4 - fix(deps)
+bump @push.rocks/smartvpn to 1.17.1
+
+- Updates the @push.rocks/smartvpn dependency from 1.16.5 to 1.17.1.
+
+## 2026-03-31 - 11.23.3 - fix(ts_web)
+update appstate to import interfaces from source TypeScript module path
+
+- Replaces the appstate interfaces import from ../dist_ts_interfaces/index.js with ../ts_interfaces/index.js.
+- Aligns the web app state module with the source interface location instead of the built distribution path.
+
+## 2026-03-31 - 11.23.2 - fix(repo)
+no changes to commit
+
+
+## 2026-03-31 - 11.23.1 - fix(repo)
+no changes to commit
+
+
+## 2026-03-31 - 11.23.0 - feat(vpn)
+support optional non-mandatory VPN route access and align route config with enabled semantics
+
+- rename route VPN configuration from `required` to `enabled` across code, docs, and examples
+- add `vpn.mandatory` to control whether VPN allowlists replace or extend existing `security.ipAllowList` rules
+- improve VPN client status matching in the ops view by falling back to assigned IP when client IDs differ
+
+## 2026-03-31 - 11.22.0 - feat(vpn)
+add VPN client editing and connected client visibility in ops server
+
+- Adds API support to list currently connected VPN clients and update client metadata without rotating keys
+- Updates the web VPN view to show live connection status, client detail telemetry, and separate enable/disable actions
+- Refreshes documentation for smart split tunnel behavior, QR code setup/export, and storage architecture
+- Bumps @push.rocks/smartvpn from 1.16.4 to 1.16.5
+
+## 2026-03-31 - 11.21.5 - fix(routing)
+apply VPN route allowlists dynamically after VPN clients load
+
+- Moves VPN security injection for hardcoded and programmatic routes into RouteConfigManager.applyRoutes() so allowlists are generated from current VPN client state.
+- Re-applies routes after starting the VPN manager to ensure tag-based ipAllowLists are available once VPN clients are loaded.
+- Avoids caching constructor routes with stale VPN security baked in while preserving HTTP/3 route augmentation.
+
+## 2026-03-31 - 11.21.4 - fix(deps)
+bump @push.rocks/smartvpn to 1.16.4
+
+- Updates the @push.rocks/smartvpn dependency from 1.16.3 to 1.16.4 in package.json.
+
+## 2026-03-31 - 11.21.3 - fix(deps)
+bump @push.rocks/smartvpn to 1.16.3
+
+- Updates the @push.rocks/smartvpn dependency from 1.16.2 to 1.16.3.
+
+## 2026-03-31 - 11.21.2 - fix(deps)
+bump @push.rocks/smartvpn to 1.16.2
+
+- Updates the @push.rocks/smartvpn dependency from 1.16.1 to 1.16.2 in package.json.
+
+## 2026-03-31 - 11.21.1 - fix(vpn)
+resolve VPN-gated route domains into per-client AllowedIPs with cached DNS lookups
+
+- Derive WireGuard AllowedIPs from DNS A records of matched vpn.required route domains instead of only configured public proxy IPs.
+- Cache resolved domain IPs for 5 minutes and fall back to stale results on DNS lookup failures.
+- Make per-client AllowedIPs generation asynchronous throughout VPN config export and regeneration flows.
+
+## 2026-03-31 - 11.21.0 - feat(vpn)
+add tag-aware WireGuard AllowedIPs for VPN-gated routes
+
+- compute per-client WireGuard AllowedIPs from server-defined client tags and VPN-required proxy routes
+- include the server public IP in AllowedIPs when a client can access VPN-gated domains so routed traffic reaches the proxy
+- preserve and inject WireGuard private keys in generated and exported client configs for valid exports
+
+## 2026-03-31 - 11.20.1 - fix(vpn-manager)
+persist WireGuard private keys for valid client exports and QR codes
+
+- Store each client's WireGuard private key when creating and rotating keys.
+- Inject the stored private key into exported WireGuard configs so generated configs are complete and scannable.
+
+## 2026-03-30 - 11.20.0 - feat(vpn-ui)
+add QR code export for WireGuard client configurations
+
+- adds a QR code action for newly created WireGuard configs in the VPN operations view
+- adds a QR code export option for existing VPN clients alongside file downloads
+- introduces qrcode and @types/qrcode dependencies and exposes the plugin for web UI use
+
+## 2026-03-30 - 11.19.1 - fix(vpn)
+configure SmartVPN client exports with explicit server endpoint and split-tunnel allowed IPs
+
+- Pass the configured WireGuard server endpoint directly to SmartVPN instead of rewriting generated client configs in dcrouter.
+- Set client allowed IPs to the VPN subnet so generated WireGuard configs default to split-tunnel routing.
+- Update documentation to reflect SmartVPN startup, dashboard/API coverage, and the new split-tunnel behavior.
+- Bump @push.rocks/smartvpn from 1.14.0 to 1.16.1 to support the updated VPN configuration flow.
+
+## 2026-03-30 - 11.19.0 - feat(vpn)
+document tag-based VPN access control, declarative clients, and destination policy options
+
+- Adds documentation for restricting VPN-protected routes with allowedServerDefinedClientTags.
+- Documents pre-defined VPN clients in configuration via vpnConfig.clients.
+- Describes destinationPolicy behavior for forceTarget, allow, and block traffic handling.
+- Updates interface docs to reflect serverDefinedClientTags and revised VPN server status fields.
+
+## 2026-03-30 - 11.18.0 - feat(vpn-ui)
+add format selection for VPN client config exports
+
+- Show an export modal that lets operators choose between WireGuard (.conf) and SmartVPN (.json) client configs.
+- Update VPN client row actions to read the selected item from actionData for toggle, export, rotate keys, and delete handlers.
+
+## 2026-03-30 - 11.17.0 - feat(vpn)
+expand VPN operations view with client management and config export actions
+
+- adds predefined VPN clients to the dev server configuration for local testing
+- adds table actions to create clients, export WireGuard configs, rotate client keys, toggle access, and delete clients
+- updates the VPN view layout and stats grid binding to match the current component API
+
+## 2026-03-30 - 11.16.0 - feat(vpn)
+add destination-based VPN routing policy and standardize socket proxy forwarding
+
+- replace configurable VPN forwarding mode with socket-based forwarding and always enable proxy protocol support to SmartProxy from localhost
+- add destinationPolicy configuration for controlling default VPN traffic handling, including forceTarget, allow, and block rules
+- remove forwarding mode reporting from VPN status APIs, logs, and ops UI to reflect the simplified VPN runtime model
+- update @push.rocks/smartvpn to 1.14.0 to support the new VPN routing behavior
+
+## 2026-03-30 - 11.15.0 - feat(vpn)
+add tag-based VPN route access control and support configured initial VPN clients
+
+- allow VPN-protected routes to restrict access to clients with matching server-defined tags instead of always permitting the full VPN subnet
+- create configured VPN clients automatically on startup and re-apply routes when VPN clients change
+- rename VPN client tag fields to serverDefinedClientTags across APIs, interfaces, handlers, and UI with legacy tag migration on load
+- upgrade @push.rocks/smartvpn from 1.12.0 to 1.13.0
+
+## 2026-03-30 - 11.14.0 - feat(docs)
+document VPN access control and add OpsServer VPN navigation
+
+- Adds comprehensive README documentation for VPN access control, configuration, operating modes, and client management
+- Updates TypeScript interface documentation with VPN-related route, client, status, telemetry, and API request types
+- Extends web dashboard documentation and router view list to include VPN management
+
+## 2026-03-30 - 11.13.0 - feat(vpn)
+add VPN server management and route-based VPN access control
+
+- introduces a VPN manager backed by @push.rocks/smartvpn with persisted server keys and client registrations
+- adds ops API handlers and typed request interfaces for VPN client lifecycle, status, config export, and telemetry
+- adds ops dashboard VPN view and application state for managing VPN clients from the web UI
+- supports vpn.required on routes by injecting VPN subnet allowlists into static and programmatic SmartProxy routes
+- configures SmartProxy to accept proxy protocol in VPN socket forwarding mode to preserve client tunnel IPs
+
+## 2026-03-27 - 11.12.4 - fix(acme)
+use X509 certificate expiry when reporting ACME certificate validity
+
+- Parse the actual X509 validTo value from the PEM public certificate and fall back to SmartAcme's stored expiry if parsing fails
+- Update reported certificate expiry data and event communication timestamps to use the verified validity date
+- Bump @push.rocks/smartacme to ^9.3.1 and @push.rocks/smartproxy to ^27.1.0
+
+## 2026-03-27 - 11.12.3 - fix(dcrouter)
+re-trigger auto certificate provisioning after SmartAcme becomes ready
+
+- clear certificate provisioning scheduler state before retrying startup-affected routes
+- use route updates to re-run certificate provisioning for all current auto-cert routes
+- remove the unused single-route domain lookup helper
+
+## 2026-03-27 - 11.12.2 - fix(dcrouter)
+guard auto certificate reprovisioning against unnamed routes
+
+- Only re-triggers certificate provisioning for auto-cert routes when a route name is present.
+- Prevents reprovision attempts from running with an undefined route name and reduces warning noise.
+
+## 2026-03-27 - 11.12.1 - fix(dcrouter)
+retry auto certificate provisioning after SmartAcme becomes ready
+
+- detects certificates that failed during startup before the DNS-01 provider was available
+- clears provisioning backoff and failed status for affected domains before retrying
+- re-triggers auto certificate provisioning for SmartProxy routes once SmartAcme is ready
+
+## 2026-03-27 - 11.12.0 - feat(web-ui)
+pause dashboard polling, sockets, and chart updates when the tab is hidden
+
+- replace interval-based auto-refresh with scheduled actions using visibility-aware auto-pause
+- disconnect and reconnect the TypedSocket on tab visibility changes to avoid background log buildup
+- batch pushed log entries per animation frame and add an in-flight refresh guard to reduce unnecessary re-renders and overlapping requests
+- update state subscriptions to use select() and document the new tab visibility optimization behavior
+- bump smartdb, smartproxy, smartstate, remoteingress, dees-element, and tstest dependencies
+
+## 2026-03-26 - 11.11.0 - feat(docker,cache,proxy)
+improve container runtime defaults and add configurable connection limits
+
+- replace the embedded cache backend integration from smartmongo LocalTsmDb to smartdb LocalSmartDb
+- add OCI container settings for heap size, threadpool size, expanded exposed ports, image metadata, and a direct node startup command
+- introduce startup checks for file descriptor limits and warn when container nofile limits are too low for production
+- set gateway-oriented SmartProxy default limits and allow max connections, per-IP connections, and rate limits to be configured through OCI environment variables
+
+## 2026-03-26 - 11.10.7 - fix(sms)
+update sms service to use async ProjectInfo initialization
+
+- Replace direct ProjectInfo construction with the async create() factory in the SMS service startup flow
+- Bump related dependencies including @push.rocks/projectinfo, @push.rocks/smartdata, @push.rocks/smartmongo, @serve.zone/remoteingress, and @git.zone/tstest
+
+## 2026-03-26 - 11.10.6 - fix(typescript)
+tighten TypeScript null safety and error handling across backend and ops UI
+
+- add explicit unknown error typing and safe message access in logging and handler code
+- mark deferred-initialized class properties with definite assignment assertions to satisfy stricter TypeScript checks
+- harden ops web state access and action return types with non-null assertions and explicit Promise state typing
+- update storage reads to allow missing values and align license file references with the lowercase license filename
+
+## 2026-03-26 - 11.10.5 - fix(build)
+rename smart tooling config to .smartconfig.json and update package references
+
+- Moves the shared tool configuration from npmextra.json to .smartconfig.json.
+- Updates package.json published files and documentation to reference the new config file.
+- Refreshes several development and runtime dependency versions alongside the config migration.
+
+## 2026-03-24 - 11.10.4 - fix(monitoring)
+handle multiple protocol cache entries per backend in metrics output
+
+- Group detected protocol cache entries by backend host and port so multiple domain-specific records are preserved.
+- Emit one backend metrics row per cached domain and avoid dropping unmatched protocol cache entries by tracking seen entries with a composite host:port:domain key.
+- Use cached protocol values when available while keeping backend-only rows for metrics without protocol cache data.
+
+## 2026-03-23 - 11.10.3 - fix(deps)
+bump tstest, smartmetrics, and taskbuffer to latest patch releases
+
+- update @git.zone/tstest from ^3.5.0 to ^3.5.1
+- update @push.rocks/smartmetrics from ^3.0.2 to ^3.0.3
+- update @push.rocks/taskbuffer from ^8.0.0 to ^8.0.2
+
+## 2026-03-23 - 11.10.2 - fix(deps)
+bump @api.global/typedserver to ^8.4.6 and @push.rocks/smartproxy to ^26.2.1
+
+- Updates @api.global/typedserver from ^8.4.2 to ^8.4.6
+- Updates @push.rocks/smartproxy from ^26.2.0 to ^26.2.1
+
+## 2026-03-23 - 11.10.1 - fix(deps)
+bump @push.rocks/smartproxy to ^26.2.0
+
+- Updates the @push.rocks/smartproxy dependency from ^26.1.0 to ^26.2.0 in package.json.
+
+## 2026-03-23 - 11.10.0 - feat(monitoring)
+add backend protocol metrics to network stats and ops dashboard
+
+- Expose backend protocol, connection, error, and suppression metrics in stats responses.
+- Add typed backend info interfaces and app state support for backend metrics.
+- Render a new backend protocols table in the ops network view with detail modal and suppression badges.
+- Update smartproxy and lik dependencies to support backend protocol metrics collection.
+
+## 2026-03-21 - 11.9.1 - fix(lifecycle)
+clean up service subscriptions, proxy retries, and stale runtime state on shutdown
+
+- unsubscribe from ServiceManager event streams and use one-time signal handlers to avoid duplicate shutdown execution
+- reset existing SmartProxy instances before retry setup and prune expired certificate backoff cache entries
+- add periodic sweeping and shutdown cleanup for stale RADIUS accounting sessions
+
+## 2026-03-20 - 11.9.0 - feat(dcrouter)
+add service manager lifecycle orchestration and health-based ops status reporting
+
+- register dcrouter components with a taskbuffer ServiceManager using dependencies, retries, and critical/optional service roles
+- update ops stats health output to reflect aggregated service manager state and per-service error or retry details
+- add @push.rocks/taskbuffer to shared plugins and project dependencies for service lifecycle management
+
+## 2026-03-20 - 11.8.11 - fix(deps)
+bump @push.rocks/smartproxy to ^25.17.10
+
+- Updates the @push.rocks/smartproxy dependency from ^25.17.9 to ^25.17.10 in package.json
+
+## 2026-03-20 - 11.8.10 - fix(deps)
+bump @push.rocks/smartproxy to ^25.17.9
+
+- Updates @push.rocks/smartproxy from ^25.17.8 to ^25.17.9 in package.json
+
+## 2026-03-20 - 11.8.9 - fix(deps)
+bump @push.rocks/smartproxy to ^25.17.8
+
+- Updates the @push.rocks/smartproxy dependency from ^25.17.7 to ^25.17.8.
+
+## 2026-03-20 - 11.8.8 - fix(deps)
+bump @push.rocks/smartproxy to ^25.17.7
+
+- Updates the @push.rocks/smartproxy dependency from ^25.17.4 to ^25.17.7 in package.json.
+
+## 2026-03-20 - 11.8.7 - fix(deps)
+bump @push.rocks/smartproxy to ^25.17.4
+
+- updates @push.rocks/smartproxy from ^25.17.3 to ^25.17.4 in package.json
+
+## 2026-03-20 - 11.8.6 - fix(deps)
+bump @push.rocks/smartproxy to ^25.17.3
+
+- updates @push.rocks/smartproxy from ^25.17.1 to ^25.17.3 in package.json
+
+## 2026-03-20 - 11.8.5 - fix(deps)
+bump @push.rocks/smartproxy to ^25.17.1
+
+- Updates the @push.rocks/smartproxy dependency from ^25.17.0 to ^25.17.1.
+
+## 2026-03-20 - 11.8.4 - fix(deps)
+bump @serve.zone/remoteingress to ^4.14.0
+
+- Updates the @serve.zone/remoteingress dependency from ^4.13.2 to ^4.14.0 in package.json.
+
+## 2026-03-20 - 11.8.3 - fix(deps)
+bump @serve.zone/remoteingress to ^4.13.2
+
+- Updates the @serve.zone/remoteingress dependency from ^4.13.1 to ^4.13.2.
+
+## 2026-03-19 - 11.8.2 - fix(deps)
+bump smartproxy and remoteingress dependencies
+
+- updates @push.rocks/smartproxy from ^25.16.3 to ^25.17.0
+- updates @serve.zone/remoteingress from ^4.13.0 to ^4.13.1
+
+## 2026-03-19 - 11.8.1 - fix(dcrouter)
+use constructor routes for remote ingress setup and bump smartproxy dependency
+
+- Switch remote ingress initialization to use constructorRoutes instead of smartProxyConfig routes so derived edge ports are based on the active route set.
+- Update @push.rocks/smartproxy from ^25.16.2 to ^25.16.3.
+
 ## 2026-03-19 - 11.8.0 - feat(remoteingress)
 add UDP listen port derivation and edge configuration support
 

license

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 Task Venture Capital GmbH
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package.json

@@ -1,7 +1,7 @@
 {
   "name": "@serve.zone/dcrouter",
   "private": false,
-  "version": "11.8.0",
+  "version": "13.19.0",
   "description": "A multifaceted routing service handling mail and SMS delivery functions.",
   "type": "module",
   "exports": {
@@ -12,8 +12,8 @@
   "author": "Task Venture Capital GmbH",
   "license": "MIT",
   "scripts": {
-    "test": "(tstest test/ --logfile --timeout 60)",
-    "start": "(node --max_old_space_size=250 ./cli.js)",
+    "test": "(tstest test/ --verbose --logfile --timeout 60)",
+    "start": "(node ./cli.js)",
     "startTs": "(node cli.ts.js)",
     "build": "(tsbuild tsfolders --allowimplicitany && npm run bundle)",
     "build:docker": "tsdocker build --verbose",
@@ -22,48 +22,53 @@
     "watch": "tswatch"
   },
   "devDependencies": {
-    "@git.zone/tsbuild": "^4.3.0",
-    "@git.zone/tsbundle": "^2.9.1",
-    "@git.zone/tsrun": "^2.0.1",
-    "@git.zone/tstest": "^3.5.0",
-    "@git.zone/tswatch": "^3.3.0",
-    "@types/node": "^25.5.0"
+    "@git.zone/tsbuild": "^4.4.0",
+    "@git.zone/tsbundle": "^2.10.0",
+    "@git.zone/tsrun": "^2.0.2",
+    "@git.zone/tstest": "^3.6.3",
+    "@git.zone/tswatch": "^3.3.2",
+    "@types/node": "^25.6.0"
   },
   "dependencies": {
     "@api.global/typedrequest": "^3.3.0",
     "@api.global/typedrequest-interfaces": "^3.0.19",
-    "@api.global/typedserver": "^8.4.2",
+    "@api.global/typedserver": "^8.4.6",
     "@api.global/typedsocket": "^4.1.2",
     "@apiclient.xyz/cloudflare": "^7.1.0",
-    "@design.estate/dees-catalog": "^3.48.5",
-    "@design.estate/dees-element": "^2.2.3",
-    "@push.rocks/lik": "^6.3.1",
-    "@push.rocks/projectinfo": "^5.0.2",
+    "@design.estate/dees-catalog": "^3.78.2",
+    "@design.estate/dees-element": "^2.2.4",
+    "@push.rocks/lik": "^6.4.0",
+    "@push.rocks/projectinfo": "^5.1.0",
     "@push.rocks/qenv": "^6.1.3",
-    "@push.rocks/smartacme": "^9.3.0",
-    "@push.rocks/smartdata": "^7.1.0",
+    "@push.rocks/smartacme": "^9.5.0",
+    "@push.rocks/smartdata": "^7.1.7",
+    "@push.rocks/smartdb": "^2.6.2",
     "@push.rocks/smartdns": "^7.9.0",
-    "@push.rocks/smartfile": "^13.1.2",
+    "@push.rocks/smartfs": "^1.5.0",
     "@push.rocks/smartguard": "^3.1.0",
     "@push.rocks/smartjwt": "^2.2.1",
-    "@push.rocks/smartlog": "^3.2.1",
-    "@push.rocks/smartmetrics": "^3.0.2",
-    "@push.rocks/smartmongo": "^5.1.0",
-    "@push.rocks/smartmta": "^5.3.1",
-    "@push.rocks/smartnetwork": "^4.4.0",
+    "@push.rocks/smartlog": "^3.2.2",
+    "@push.rocks/smartmetrics": "^3.0.3",
+    "@push.rocks/smartmigration": "1.2.0",
+    "@push.rocks/smartmta": "^5.3.3",
+    "@push.rocks/smartnetwork": "^4.6.0",
     "@push.rocks/smartpath": "^6.0.0",
     "@push.rocks/smartpromise": "^4.2.3",
-    "@push.rocks/smartproxy": "^25.16.2",
+    "@push.rocks/smartproxy": "^27.7.4",
     "@push.rocks/smartradius": "^1.1.1",
     "@push.rocks/smartrequest": "^5.0.1",
     "@push.rocks/smartrx": "^3.0.10",
-    "@push.rocks/smartstate": "^2.2.0",
+    "@push.rocks/smartstate": "^2.3.0",
     "@push.rocks/smartunique": "^3.0.9",
-    "@serve.zone/catalog": "^2.9.0",
+    "@push.rocks/smartvpn": "1.19.2",
+    "@push.rocks/taskbuffer": "^8.0.2",
+    "@serve.zone/catalog": "^2.12.4",
     "@serve.zone/interfaces": "^5.3.0",
-    "@serve.zone/remoteingress": "^4.13.0",
-    "@tsclass/tsclass": "^9.4.0",
-    "lru-cache": "^11.2.7",
+    "@serve.zone/remoteingress": "^4.15.3",
+    "@tsclass/tsclass": "^9.5.0",
+    "@types/qrcode": "^1.5.6",
+    "lru-cache": "^11.3.5",
+    "qrcode": "^1.5.4",
     "uuid": "^13.0.0"
   },
   "keywords": [
@@ -111,7 +116,7 @@
     "dist_ts_apiclient/**/*",
     "assets/**/*",
     "cli.js",
-    "npmextra.json",
+    ".smartconfig.json",
     "readme.md"
   ]
 }

readme.hints.md

@@ -133,7 +133,7 @@ The project now uses tswatch for development:
 ```bash
 pnpm run watch
 ```
-Configuration in `npmextra.json`:
+Configuration in `.smartconfig.json`:
 ```json
 {
   "@git.zone/tswatch": {

readme.storage.md

@@ -0,0 +1,84 @@
+# DCRouter Storage Overview
+
+DCRouter uses a **unified database layer** backed by `@push.rocks/smartdata` for all persistent data. All data is stored as typed document classes in a single database.
+
+## Database Modes
+
+### Embedded Mode (default)
+When no external MongoDB URL is provided, DCRouter starts an embedded `LocalSmartDb` (Rust-based MongoDB-compatible engine) via `@push.rocks/smartdb`.
+
+```
+~/.serve.zone/dcrouter/tsmdb/
+```
+
+### External Mode
+Connect to any MongoDB-compatible database by providing a connection URL.
+
+```typescript
+dbConfig: {
+  mongoDbUrl: 'mongodb://host:27017',
+  dbName: 'dcrouter',
+}
+```
+
+## Configuration
+
+```typescript
+dbConfig: {
+  enabled: true,                                    // default: true
+  mongoDbUrl: undefined,                            // default: embedded LocalSmartDb
+  storagePath: '~/.serve.zone/dcrouter/tsmdb',     // default (embedded mode only)
+  dbName: 'dcrouter',                               // default
+  cleanupIntervalHours: 1,                          // TTL cleanup interval
+}
+```
+
+## Document Classes
+
+All data is stored as smartdata document classes in `ts/db/documents/`.
+
+| Document Class | Collection | Unique Key | Purpose |
+|---|---|---|---|
+| `StoredRouteDoc` | storedRoutes | `id` | Programmatic routes (created via API) |
+| `RouteOverrideDoc` | routeOverrides | `routeName` | Hardcoded route enable/disable overrides |
+| `ApiTokenDoc` | apiTokens | `id` | API tokens (hashed secrets, scopes, expiry) |
+| `VpnServerKeysDoc` | vpnServerKeys | `configId` (singleton) | VPN server Noise + WireGuard keypairs |
+| `VpnClientDoc` | vpnClients | `clientId` | VPN client registrations |
+| `AcmeCertDoc` | acmeCerts | `domainName` | ACME certificates and keys |
+| `ProxyCertDoc` | proxyCerts | `domain` | SmartProxy TLS certificates |
+| `CertBackoffDoc` | certBackoff | `domain` | Per-domain cert provision backoff state |
+| `RemoteIngressEdgeDoc` | remoteIngressEdges | `id` | Edge node registrations |
+| `VlanMappingsDoc` | vlanMappings | `configId` (singleton) | MAC-to-VLAN mapping table |
+| `AccountingSessionDoc` | accountingSessions | `sessionId` | RADIUS accounting sessions |
+| `CachedEmail` | cachedEmails | `id` | Email metadata (TTL: 30 days) |
+| `CachedIPReputation` | cachedIPReputation | `ipAddress` | IP reputation results (TTL: 24 hours) |
+
+## Architecture
+
+```
+DcRouterDb (singleton)
+  ├── LocalSmartDb (embedded, Rust) ─── or ─── External MongoDB
+  └── SmartdataDb (ORM)
+        └── @Collection(() => getDb())
+              ├── StoredRouteDoc
+              ├── RouteOverrideDoc
+              ├── ApiTokenDoc
+              ├── VpnServerKeysDoc / VpnClientDoc
+              ├── AcmeCertDoc / ProxyCertDoc / CertBackoffDoc
+              ├── RemoteIngressEdgeDoc
+              ├── VlanMappingsDoc / AccountingSessionDoc
+              ├── CachedEmail (TTL)
+              └── CachedIPReputation (TTL)
+```
+
+### TTL Cleanup
+
+`CacheCleaner` runs on a configurable interval (default: 1 hour) and removes expired documents where `expiresAt < now()`.
+
+## Disabling
+
+For tests or lightweight deployments without persistence:
+
+```typescript
+dbConfig: { enabled: false }
+```

test/test.apiclient.ts

@@ -174,62 +174,20 @@ tap.test('Route - should hydrate from IMergedRoute data', async () => {
       match: { ports: 443, domains: 'example.com' },
       action: { type: 'forward', targets: [{ host: 'backend', port: 8080 }] },
     },
-    source: 'programmatic',
+    id: 'route-123',
     enabled: true,
-    overridden: false,
-    storedRouteId: 'route-123',
+    origin: 'api',
     createdAt: 1000,
     updatedAt: 2000,
   });
 
   expect(route.name).toEqual('test-route');
-  expect(route.source).toEqual('programmatic');
+  expect(route.id).toEqual('route-123');
   expect(route.enabled).toEqual(true);
-  expect(route.overridden).toEqual(false);
-  expect(route.storedRouteId).toEqual('route-123');
+  expect(route.origin).toEqual('api');
   expect(route.routeConfig.match.ports).toEqual(443);
 });
 
-tap.test('Route - should throw on update/delete/toggle for hardcoded routes', async () => {
-  const client = new DcRouterApiClient({ baseUrl: 'https://localhost:3000' });
-  const route = new Route(client, {
-    route: {
-      name: 'hardcoded-route',
-      match: { ports: 80 },
-      action: { type: 'forward', targets: [{ host: 'localhost', port: 8080 }] },
-    },
-    source: 'hardcoded',
-    enabled: true,
-    overridden: false,
-    // No storedRouteId for hardcoded routes
-  });
-
-  let updateError: Error | undefined;
-  try {
-    await route.update({ name: 'new-name' });
-  } catch (e) {
-    updateError = e as Error;
-  }
-  expect(updateError).toBeTruthy();
-  expect(updateError!.message).toInclude('hardcoded');
-
-  let deleteError: Error | undefined;
-  try {
-    await route.delete();
-  } catch (e) {
-    deleteError = e as Error;
-  }
-  expect(deleteError).toBeTruthy();
-
-  let toggleError: Error | undefined;
-  try {
-    await route.toggle(false);
-  } catch (e) {
-    toggleError = e as Error;
-  }
-  expect(toggleError).toBeTruthy();
-});
-
 // =============================================================================
 // Certificate resource class
 // =============================================================================

test/test.cert-renewal.ts

@@ -0,0 +1,196 @@
+import { tap, expect } from '@git.zone/tstest/tapbundle';
+import { deriveCertDomainName } from '../ts/opsserver/handlers/certificate.handler.js';
+
+// ──────────────────────────────────────────────────────────────────────────────
+// deriveCertDomainName — pure helper that mirrors smartacme's certmatcher.
+// Used by the force-renew sibling-propagation logic to identify which routes
+// share a single underlying ACME certificate.
+// ──────────────────────────────────────────────────────────────────────────────
+
+tap.test('deriveCertDomainName collapses 3-level subdomain to base', async () => {
+  expect(deriveCertDomainName('outline.task.vc')).toEqual('task.vc');
+  expect(deriveCertDomainName('pr.task.vc')).toEqual('task.vc');
+  expect(deriveCertDomainName('mtd.task.vc')).toEqual('task.vc');
+});
+
+tap.test('deriveCertDomainName returns base domain unchanged for 2-level domain', async () => {
+  expect(deriveCertDomainName('task.vc')).toEqual('task.vc');
+  expect(deriveCertDomainName('example.com')).toEqual('example.com');
+});
+
+tap.test('deriveCertDomainName strips wildcard prefix', async () => {
+  expect(deriveCertDomainName('*.task.vc')).toEqual('task.vc');
+  expect(deriveCertDomainName('*.example.com')).toEqual('example.com');
+});
+
+tap.test('deriveCertDomainName collapses subdomain and wildcard to same identity', async () => {
+  // This is the core property: outline.task.vc and *.task.vc must yield
+  // the same cert identity, otherwise sibling propagation cannot work.
+  const subdomain = deriveCertDomainName('outline.task.vc');
+  const wildcard = deriveCertDomainName('*.task.vc');
+  expect(subdomain).toEqual(wildcard);
+});
+
+tap.test('deriveCertDomainName returns undefined for 4+ level domains', async () => {
+  // Matches smartacme's "deeper domains not supported" behavior.
+  expect(deriveCertDomainName('a.b.task.vc')).toBeUndefined();
+  expect(deriveCertDomainName('one.two.three.example.com')).toBeUndefined();
+});
+
+tap.test('deriveCertDomainName returns undefined for malformed inputs', async () => {
+  expect(deriveCertDomainName('vc')).toBeUndefined();
+  expect(deriveCertDomainName('')).toBeUndefined();
+});
+
+// ──────────────────────────────────────────────────────────────────────────────
+// CertificateHandler.reprovisionCertificateDomain — verify the includeWildcard
+// option is forwarded to smartAcme.getCertificateForDomain on force renew.
+//
+// This is the regression test for Bug 1: previously the call passed only
+// `{ forceRenew: true }`, causing the re-issued cert to drop the wildcard SAN
+// and break every sibling subdomain.
+// ──────────────────────────────────────────────────────────────────────────────
+
+import { CertificateHandler } from '../ts/opsserver/handlers/certificate.handler.js';
+
+// Build a minimal stub of OpsServer + DcRouter that satisfies CertificateHandler.
+// We only need: viewRouter.addTypedHandler / adminRouter.addTypedHandler (no-op),
+// dcRouterRef.smartProxy.routeManager.getRoutes(), dcRouterRef.smartAcme,
+// dcRouterRef.findRouteNamesForDomain, dcRouterRef.certificateStatusMap.
+function makeStubOpsServer(opts: {
+  routes: Array<{ name: string; domains: string[] }>;
+  smartAcmeStub: { getCertificateForDomain: (domain: string, options: any) => Promise<any> };
+}) {
+  const captured: { typedHandlers: any[] } = { typedHandlers: [] };
+  const router = {
+    addTypedHandler(handler: any) { captured.typedHandlers.push(handler); },
+  };
+
+  const routes = opts.routes.map((r) => ({
+    name: r.name,
+    match: { domains: r.domains, ports: 443 },
+    action: { type: 'forward', tls: { certificate: 'auto' } },
+  }));
+
+  const dcRouterRef: any = {
+    smartProxy: {
+      routeManager: { getRoutes: () => routes },
+    },
+    smartAcme: opts.smartAcmeStub,
+    findRouteNamesForDomain: (domain: string) =>
+      routes.filter((r) => r.match.domains.includes(domain)).map((r) => r.name),
+    certificateStatusMap: new Map<string, any>(),
+    certProvisionScheduler: null,
+    routeConfigManager: null,
+  };
+
+  const opsServerRef: any = {
+    viewRouter: router,
+    adminRouter: router,
+    dcRouterRef,
+  };
+
+  return { opsServerRef, dcRouterRef, captured };
+}
+
+tap.test('reprovisionCertificateDomain passes includeWildcard=true for non-wildcard domain', async () => {
+  const calls: Array<{ domain: string; options: any }> = [];
+
+  const { opsServerRef, dcRouterRef } = makeStubOpsServer({
+    routes: [
+      { name: 'outline-route', domains: ['outline.task.vc'] },
+      { name: 'pr-route', domains: ['pr.task.vc'] },
+      { name: 'mtd-route', domains: ['mtd.task.vc'] },
+    ],
+    smartAcmeStub: {
+      getCertificateForDomain: async (domain: string, options: any) => {
+        calls.push({ domain, options });
+        // Return a cert object shaped like SmartacmeCert
+        return {
+          id: 'test-id',
+          domainName: 'task.vc',
+          created: Date.now(),
+          validUntil: Date.now() + 90 * 24 * 60 * 60 * 1000,
+          privateKey: '-----BEGIN PRIVATE KEY-----\nfake\n-----END PRIVATE KEY-----',
+          publicKey: '-----BEGIN CERTIFICATE-----\nfake\n-----END CERTIFICATE-----',
+          csr: '',
+        };
+      },
+    },
+  });
+
+  // Override updateRoutes/applyRoutes to no-op so the test doesn't try to talk to a real proxy
+  dcRouterRef.smartProxy.updateRoutes = async () => {};
+
+  // Construct handler — registerHandlers will run and register typed handlers on our stub router.
+  const handler = new CertificateHandler(opsServerRef);
+
+  // Invoke the private reprovision method directly. The Bug 1 fix is verified
+  // by inspecting the captured smartAcme call options regardless of whether
+  // sibling propagation succeeds (it relies on a real DB for ProxyCertDoc).
+  await (handler as any).reprovisionCertificateDomain('outline.task.vc', true);
+
+  // Sibling propagation may fail because ProxyCertDoc.findByDomain needs a real DB.
+  // The Bug 1 fix is verified by the captured smartAcme call regardless.
+  expect(calls.length).toBeGreaterThanOrEqual(1);
+  expect(calls[0].domain).toEqual('outline.task.vc');
+  expect(calls[0].options).toEqual({ forceRenew: true, includeWildcard: true });
+});
+
+tap.test('reprovisionCertificateDomain passes includeWildcard=false for wildcard domain', async () => {
+  const calls: Array<{ domain: string; options: any }> = [];
+
+  const { opsServerRef, dcRouterRef } = makeStubOpsServer({
+    routes: [
+      { name: 'wildcard-route', domains: ['*.task.vc'] },
+    ],
+    smartAcmeStub: {
+      getCertificateForDomain: async (domain: string, options: any) => {
+        calls.push({ domain, options });
+        return {
+          id: 'test-id',
+          domainName: 'task.vc',
+          created: Date.now(),
+          validUntil: Date.now() + 90 * 24 * 60 * 60 * 1000,
+          privateKey: '-----BEGIN PRIVATE KEY-----\nfake\n-----END PRIVATE KEY-----',
+          publicKey: '-----BEGIN CERTIFICATE-----\nfake\n-----END CERTIFICATE-----',
+          csr: '',
+        };
+      },
+    },
+  });
+
+  dcRouterRef.smartProxy.updateRoutes = async () => {};
+
+  const handler = new CertificateHandler(opsServerRef);
+  await (handler as any).reprovisionCertificateDomain('*.task.vc', true);
+
+  expect(calls.length).toBeGreaterThanOrEqual(1);
+  expect(calls[0].domain).toEqual('*.task.vc');
+  expect(calls[0].options).toEqual({ forceRenew: true, includeWildcard: false });
+});
+
+tap.test('reprovisionCertificateDomain does not call smartAcme when forceRenew is false', async () => {
+  const calls: Array<{ domain: string; options: any }> = [];
+
+  const { opsServerRef, dcRouterRef } = makeStubOpsServer({
+    routes: [{ name: 'outline-route', domains: ['outline.task.vc'] }],
+    smartAcmeStub: {
+      getCertificateForDomain: async (domain: string, options: any) => {
+        calls.push({ domain, options });
+        return {} as any;
+      },
+    },
+  });
+
+  dcRouterRef.smartProxy.updateRoutes = async () => {};
+
+  const handler = new CertificateHandler(opsServerRef);
+  await (handler as any).reprovisionCertificateDomain('outline.task.vc', false);
+
+  // forceRenew=false should NOT call getCertificateForDomain — it just triggers
+  // applyRoutes and lets the cert provisioning pipeline handle it.
+  expect(calls.length).toEqual(0);
+});
+
+export default tap.start();

test/test.dcrouter.email.ts

@@ -130,7 +130,7 @@ tap.test('DcRouter class - Email config with domains and routes', async () => {
       contactEmail: 'test@example.com'
     },
     opsServerPort: 3104,
-    cacheConfig: {
+    dbConfig: {
       enabled: false,
     }
   };
@@ -143,6 +143,9 @@ tap.test('DcRouter class - Email config with domains and routes', async () => {
 
   // Verify unified email server was initialized
   expect(router.emailServer).toBeTruthy();
+  expect((router.emailServer as any).options.hostname).toEqual('mail.example.com');
+  expect((router.emailServer as any).options.persistRoutes).toEqual(false);
+  expect((router.emailServer as any).options.queue.storageType).toEqual('disk');
 
   // Stop the router
   await router.stop();

test/test.dns-runtime-routes.node.ts

@@ -0,0 +1,262 @@
+import { tap, expect } from '@git.zone/tstest/tapbundle';
+import { DcRouter } from '../ts/classes.dcrouter.js';
+import { RouteConfigManager } from '../ts/config/index.js';
+import { DcRouterDb, DomainDoc, RouteDoc } from '../ts/db/index.js';
+import { DnsManager } from '../ts/dns/manager.dns.js';
+import { logger } from '../ts/logger.js';
+import * as plugins from '../ts/plugins.js';
+
+const createTestDb = async () => {
+  const storagePath = plugins.path.join(
+    plugins.os.tmpdir(),
+    `dcrouter-dns-runtime-routes-${Date.now()}-${Math.random().toString(16).slice(2)}`,
+  );
+
+  DcRouterDb.resetInstance();
+  const db = DcRouterDb.getInstance({
+    storagePath,
+    dbName: `dcrouter-test-${Date.now()}-${Math.random().toString(16).slice(2)}`,
+  });
+  await db.start();
+  await db.getDb().mongoDb.createCollection('__test_init');
+
+  return {
+    async cleanup() {
+      await db.stop();
+      DcRouterDb.resetInstance();
+      await plugins.fs.promises.rm(storagePath, { recursive: true, force: true });
+    },
+  };
+};
+
+const testDbPromise = createTestDb();
+
+const clearTestState = async () => {
+  for (const route of await RouteDoc.findAll()) {
+    await route.delete();
+  }
+  for (const domain of await DomainDoc.findAll()) {
+    await domain.delete();
+  }
+};
+
+tap.test('RouteConfigManager persists DoH system routes and hydrates runtime socket handlers', async () => {
+  await testDbPromise;
+  await clearTestState();
+
+  const dcRouter = new DcRouter({
+    dnsNsDomains: ['ns1.example.com', 'ns2.example.com'],
+    dnsScopes: ['example.com'],
+    smartProxyConfig: { routes: [] },
+    dbConfig: { enabled: false },
+  });
+
+  const appliedRoutes: any[][] = [];
+  const smartProxy = {
+    updateRoutes: async (routes: any[]) => {
+      appliedRoutes.push(routes);
+    },
+  };
+
+  const routeManager = new RouteConfigManager(
+    () => smartProxy as any,
+    undefined,
+    undefined,
+    undefined,
+    undefined,
+    undefined,
+    (storedRoute: any) => (dcRouter as any).hydrateStoredRouteForRuntime(storedRoute),
+  );
+
+  await routeManager.initialize([], [], (dcRouter as any).generateDnsRoutes({ includeSocketHandler: false }));
+
+  const persistedRoutes = await RouteDoc.findAll();
+  expect(persistedRoutes.length).toEqual(2);
+  expect(persistedRoutes.every((route) => route.origin === 'dns')).toEqual(true);
+  expect((await RouteDoc.findByName('dns-over-https-dns-query'))?.systemKey).toEqual('dns:dns-over-https-dns-query');
+  expect((await RouteDoc.findByName('dns-over-https-resolve'))?.systemKey).toEqual('dns:dns-over-https-resolve');
+
+  const mergedRoutes = routeManager.getMergedRoutes().routes;
+  expect(mergedRoutes.length).toEqual(2);
+  expect(mergedRoutes.every((route) => route.origin === 'dns')).toEqual(true);
+  expect(mergedRoutes.every((route) => route.systemKey?.startsWith('dns:'))).toEqual(true);
+
+  expect(appliedRoutes.length).toEqual(1);
+
+  for (const routeSet of appliedRoutes) {
+    const dnsQueryRoute = routeSet.find((route) => route.name === 'dns-over-https-dns-query');
+    const resolveRoute = routeSet.find((route) => route.name === 'dns-over-https-resolve');
+
+    expect(dnsQueryRoute).toBeDefined();
+    expect(resolveRoute).toBeDefined();
+    expect(typeof dnsQueryRoute.action.socketHandler).toEqual('function');
+    expect(typeof resolveRoute.action.socketHandler).toEqual('function');
+  }
+});
+
+tap.test('RouteConfigManager backfills existing DoH system routes by name without duplicating them', async () => {
+  await testDbPromise;
+  await clearTestState();
+
+  const dcRouter = new DcRouter({
+    dnsNsDomains: ['ns1.example.com', 'ns2.example.com'],
+    dnsScopes: ['example.com'],
+    smartProxyConfig: { routes: [] },
+    dbConfig: { enabled: false },
+  });
+
+  const staleDnsQueryRoute = new RouteDoc();
+  staleDnsQueryRoute.id = 'stale-doh-query';
+  staleDnsQueryRoute.route = {
+    name: 'dns-over-https-dns-query',
+    match: {
+      ports: [443],
+      domains: ['ns1.example.com'],
+      path: '/dns-query',
+    },
+    action: {
+      type: 'socket-handler' as any,
+    } as any,
+  };
+  staleDnsQueryRoute.enabled = true;
+  staleDnsQueryRoute.createdAt = Date.now();
+  staleDnsQueryRoute.updatedAt = Date.now();
+  staleDnsQueryRoute.createdBy = 'test';
+  staleDnsQueryRoute.origin = 'dns';
+  await staleDnsQueryRoute.save();
+
+  const appliedRoutes: any[][] = [];
+  const smartProxy = {
+    updateRoutes: async (routes: any[]) => {
+      appliedRoutes.push(routes);
+    },
+  };
+
+  const routeManager = new RouteConfigManager(
+    () => smartProxy as any,
+    undefined,
+    undefined,
+    undefined,
+    undefined,
+    undefined,
+    (storedRoute: any) => (dcRouter as any).hydrateStoredRouteForRuntime(storedRoute),
+  );
+  await routeManager.initialize([], [], (dcRouter as any).generateDnsRoutes({ includeSocketHandler: false }));
+
+  const remainingRoutes = await RouteDoc.findAll();
+  expect(remainingRoutes.length).toEqual(2);
+  expect(remainingRoutes.filter((route) => route.route.name === 'dns-over-https-dns-query').length).toEqual(1);
+  expect(remainingRoutes.filter((route) => route.route.name === 'dns-over-https-resolve').length).toEqual(1);
+
+  const queryRoute = await RouteDoc.findByName('dns-over-https-dns-query');
+  expect(queryRoute?.id).toEqual('stale-doh-query');
+  expect(queryRoute?.systemKey).toEqual('dns:dns-over-https-dns-query');
+
+  const resolveRoute = await RouteDoc.findByName('dns-over-https-resolve');
+  expect(resolveRoute?.systemKey).toEqual('dns:dns-over-https-resolve');
+
+  expect(appliedRoutes.length).toEqual(1);
+  expect(appliedRoutes[0].length).toEqual(2);
+  expect(appliedRoutes[0].every((route) => typeof route.action.socketHandler === 'function')).toEqual(true);
+});
+
+tap.test('RouteConfigManager only allows toggling system routes', async () => {
+  await testDbPromise;
+  await clearTestState();
+
+  const smartProxy = {
+    updateRoutes: async (_routes: any[]) => {
+      return;
+    },
+  };
+
+  const routeManager = new RouteConfigManager(() => smartProxy as any);
+  await routeManager.initialize([
+    {
+      name: 'system-config-route',
+      match: {
+        ports: [443],
+        domains: ['app.example.com'],
+      },
+      action: {
+        type: 'forward',
+        targets: [{ host: '127.0.0.1', port: 8443 }],
+        tls: { mode: 'terminate' as const },
+      },
+    } as any,
+  ], [], []);
+
+  const systemRoute = routeManager.getMergedRoutes().routes.find((route) => route.route.name === 'system-config-route');
+  expect(systemRoute).toBeDefined();
+
+  const updateResult = await routeManager.updateRoute(systemRoute!.id, {
+    route: { name: 'renamed-system-route' } as any,
+  });
+  expect(updateResult.success).toEqual(false);
+  expect(updateResult.message).toEqual('System routes are managed by the system and can only be toggled');
+
+  const deleteResult = await routeManager.deleteRoute(systemRoute!.id);
+  expect(deleteResult.success).toEqual(false);
+  expect(deleteResult.message).toEqual('System routes are managed by the system and cannot be deleted');
+
+  const toggleResult = await routeManager.toggleRoute(systemRoute!.id, false);
+  expect(toggleResult.success).toEqual(true);
+  expect((await RouteDoc.findById(systemRoute!.id))?.enabled).toEqual(false);
+});
+
+tap.test('DnsManager warning keeps dnsNsDomains in scope', async () => {
+  await testDbPromise;
+  await clearTestState();
+  const originalLog = logger.log.bind(logger);
+  const warningMessages: string[] = [];
+
+  (logger as any).log = (level: 'error' | 'warn' | 'info' | 'success' | 'debug', message: string, context?: Record<string, any>) => {
+    if (level === 'warn') {
+      warningMessages.push(message);
+    }
+    return originalLog(level, message, context || {});
+  };
+
+  try {
+    const existingDomain = new DomainDoc();
+    existingDomain.id = 'existing-domain';
+    existingDomain.name = 'example.com';
+    existingDomain.source = 'dcrouter';
+    existingDomain.authoritative = true;
+    existingDomain.createdAt = Date.now();
+    existingDomain.updatedAt = Date.now();
+    existingDomain.createdBy = 'test';
+    await existingDomain.save();
+
+    const dnsManager = new DnsManager({
+      dnsNsDomains: ['ns1.example.com'],
+      dnsScopes: ['example.com'],
+      dnsRecords: [{ name: 'www.example.com', type: 'A', value: '127.0.0.1' }],
+      smartProxyConfig: { routes: [] },
+    });
+
+    await dnsManager.start();
+
+    expect(
+      warningMessages.some((message) =>
+        message.includes('ignoring legacy dnsScopes/dnsRecords constructor config')
+        && message.includes('dnsNsDomains is still required for nameserver and DoH bootstrap'),
+      ),
+    ).toEqual(true);
+    expect(
+      warningMessages.some((message) =>
+        message.includes('ignoring legacy dnsScopes/dnsRecords/dnsNsDomains constructor config'),
+      ),
+    ).toEqual(false);
+  } finally {
+    (logger as any).log = originalLog;
+  }
+});
+
+tap.test('cleanup test db', async () => {
+  await clearTestState();
+  const testDb = await testDbPromise;
+  await testDb.cleanup();
+});
+
+export default tap.start();

test/test.dns-socket-handler.ts

@@ -10,7 +10,7 @@ tap.test('should NOT instantiate DNS server when dnsNsDomains is not set', async
       routes: []
     },
     opsServerPort: 3100,
-    cacheConfig: { enabled: false }
+    dbConfig: { enabled: false }
   });
 
   await dcRouter.start();

test/test.email-dns-records.node.ts

@@ -0,0 +1,65 @@
+import { tap, expect } from '@git.zone/tstest/tapbundle';
+import { buildEmailDnsRecords } from '../ts/email/index.js';
+
+tap.test('buildEmailDnsRecords uses the configured mail hostname for MX and includes DKIM when provided', async () => {
+  const records = buildEmailDnsRecords({
+    domain: 'example.com',
+    hostname: 'mail.example.com',
+    selector: 'selector1',
+    dkimValue: 'v=DKIM1; h=sha256; k=rsa; p=abc123',
+    statuses: {
+      mx: 'valid',
+      spf: 'missing',
+      dkim: 'valid',
+      dmarc: 'unchecked',
+    },
+  });
+
+  expect(records).toEqual([
+    {
+      type: 'MX',
+      name: 'example.com',
+      value: '10 mail.example.com',
+      status: 'valid',
+    },
+    {
+      type: 'TXT',
+      name: 'example.com',
+      value: 'v=spf1 a mx ~all',
+      status: 'missing',
+    },
+    {
+      type: 'TXT',
+      name: 'selector1._domainkey.example.com',
+      value: 'v=DKIM1; h=sha256; k=rsa; p=abc123',
+      status: 'valid',
+    },
+    {
+      type: 'TXT',
+      name: '_dmarc.example.com',
+      value: 'v=DMARC1; p=none; rua=mailto:dmarc@example.com',
+      status: 'unchecked',
+    },
+  ]);
+});
+
+tap.test('buildEmailDnsRecords omits DKIM when no value is provided', async () => {
+  const records = buildEmailDnsRecords({
+    domain: 'example.net',
+    hostname: 'smtp.example.net',
+    mxPriority: 20,
+  });
+
+  expect(records.map((record) => record.name)).toEqual([
+    'example.net',
+    'example.net',
+    '_dmarc.example.net',
+  ]);
+  expect(records[0].value).toEqual('20 smtp.example.net');
+});
+
+tap.test('cleanup', async () => {
+  await tap.stopForcefully();
+});
+
+export default tap.start();

test/test.email-domain-manager.node.ts

@@ -0,0 +1,193 @@
+import { tap, expect } from '@git.zone/tstest/tapbundle';
+import * as plugins from '../ts/plugins.js';
+import { EmailDomainManager } from '../ts/email/index.js';
+import { DcRouterDb, DomainDoc } from '../ts/db/index.js';
+import { EmailDomainDoc } from '../ts/db/documents/classes.email-domain.doc.js';
+import type { IUnifiedEmailServerOptions } from '@push.rocks/smartmta';
+
+const createTestDb = async () => {
+  const storagePath = plugins.path.join(
+    plugins.os.tmpdir(),
+    `dcrouter-email-domain-manager-${Date.now()}-${Math.random().toString(16).slice(2)}`,
+  );
+
+  DcRouterDb.resetInstance();
+  const db = DcRouterDb.getInstance({
+    storagePath,
+    dbName: `dcrouter-email-domain-${Date.now()}-${Math.random().toString(16).slice(2)}`,
+  });
+  await db.start();
+  await db.getDb().mongoDb.createCollection('__test_init');
+
+  return {
+    async cleanup() {
+      await db.stop();
+      DcRouterDb.resetInstance();
+      await plugins.fs.promises.rm(storagePath, { recursive: true, force: true });
+    },
+  };
+};
+
+const testDbPromise = createTestDb();
+
+const clearTestState = async () => {
+  for (const emailDomain of await EmailDomainDoc.findAll()) {
+    await emailDomain.delete();
+  }
+  for (const domain of await DomainDoc.findAll()) {
+    await domain.delete();
+  }
+};
+
+const createDomainDoc = async (id: string, name: string, source: 'dcrouter' | 'provider') => {
+  const doc = new DomainDoc();
+  doc.id = id;
+  doc.name = name;
+  doc.source = source;
+  doc.authoritative = source === 'dcrouter';
+  doc.createdAt = Date.now();
+  doc.updatedAt = Date.now();
+  doc.createdBy = 'test';
+  await doc.save();
+  return doc;
+};
+
+const createBaseEmailConfig = (): IUnifiedEmailServerOptions => ({
+  ports: [2525],
+  hostname: 'mail.example.com',
+  domains: [
+    {
+      domain: 'static.example.com',
+      dnsMode: 'external-dns',
+    },
+  ],
+  routes: [],
+});
+
+tap.test('EmailDomainManager syncs managed domains into runtime config and email server', async () => {
+  await testDbPromise;
+  await clearTestState();
+
+  const linkedDomain = await createDomainDoc('provider-domain', 'example.com', 'provider');
+  const updateCalls: Array<{ domains?: any[] }> = [];
+
+  const dcRouterStub = {
+    options: {
+      emailConfig: createBaseEmailConfig(),
+    },
+    emailServer: {
+      updateOptions: (options: { domains?: any[] }) => {
+        updateCalls.push(options);
+      },
+    },
+  };
+
+  const manager = new EmailDomainManager(dcRouterStub);
+  await manager.start();
+
+  const created = await manager.createEmailDomain({
+    linkedDomainId: linkedDomain.id,
+    subdomain: 'mail',
+    dkimSelector: 'selector1',
+    rotateKeys: true,
+    rotationIntervalDays: 30,
+  });
+
+  const domainsAfterCreate = dcRouterStub.options.emailConfig.domains;
+  expect(domainsAfterCreate.length).toEqual(2);
+  expect(domainsAfterCreate.some((domain) => domain.domain === 'static.example.com')).toEqual(true);
+
+  const managedDomain = domainsAfterCreate.find((domain) => domain.domain === 'mail.example.com');
+  expect(managedDomain).toBeTruthy();
+  expect(managedDomain?.dnsMode).toEqual('external-dns');
+  expect(managedDomain?.dkim?.selector).toEqual('selector1');
+  expect(updateCalls.at(-1)?.domains?.some((domain) => domain.domain === 'mail.example.com')).toEqual(true);
+
+  await manager.updateEmailDomain(created.id, {
+    rotateKeys: false,
+    rateLimits: {
+      outbound: {
+        messagesPerMinute: 10,
+      },
+    },
+  });
+
+  const domainsAfterUpdate = dcRouterStub.options.emailConfig.domains;
+  const updatedManagedDomain = domainsAfterUpdate.find((domain) => domain.domain === 'mail.example.com');
+  expect(updatedManagedDomain?.dkim?.rotateKeys).toEqual(false);
+  expect(updatedManagedDomain?.rateLimits?.outbound?.messagesPerMinute).toEqual(10);
+
+  await manager.deleteEmailDomain(created.id);
+  expect(dcRouterStub.options.emailConfig.domains.map((domain) => domain.domain)).toEqual(['static.example.com']);
+});
+
+tap.test('EmailDomainManager rejects domains already present in static config', async () => {
+  await testDbPromise;
+  await clearTestState();
+
+  const linkedDomain = await createDomainDoc('static-domain', 'static.example.com', 'provider');
+  const dcRouterStub = {
+    options: {
+      emailConfig: createBaseEmailConfig(),
+    },
+  };
+
+  const manager = new EmailDomainManager(dcRouterStub);
+
+  let error: Error | undefined;
+  try {
+    await manager.createEmailDomain({ linkedDomainId: linkedDomain.id });
+  } catch (err: unknown) {
+    error = err as Error;
+  }
+
+  expect(error?.message).toEqual('Email domain already configured for static.example.com');
+});
+
+tap.test('EmailDomainManager start merges persisted managed domains after restart', async () => {
+  await testDbPromise;
+  await clearTestState();
+
+  const linkedDomain = await createDomainDoc('local-domain', 'managed.example.com', 'dcrouter');
+  const stored = new EmailDomainDoc();
+  stored.id = 'managed-email-domain';
+  stored.domain = 'mail.managed.example.com';
+  stored.linkedDomainId = linkedDomain.id;
+  stored.subdomain = 'mail';
+  stored.dkim = {
+    selector: 'default',
+    keySize: 2048,
+    rotateKeys: false,
+    rotationIntervalDays: 90,
+  };
+  stored.dnsStatus = {
+    mx: 'unchecked',
+    spf: 'unchecked',
+    dkim: 'unchecked',
+    dmarc: 'unchecked',
+  };
+  stored.createdAt = new Date().toISOString();
+  stored.updatedAt = new Date().toISOString();
+  await stored.save();
+
+  const dcRouterStub = {
+    options: {
+      emailConfig: createBaseEmailConfig(),
+    },
+  };
+
+  const manager = new EmailDomainManager(dcRouterStub);
+  await manager.start();
+
+  const managedDomain = dcRouterStub.options.emailConfig.domains.find((domain) => domain.domain === 'mail.managed.example.com');
+  expect(managedDomain?.dnsMode).toEqual('internal-dns');
+});
+
+tap.test('cleanup', async () => {
+  const testDb = await testDbPromise;
+  await clearTestState();
+  await testDb.cleanup();
+  await tap.stopForcefully();
+});
+
+export default tap.start();

test/test.email-ops-api.ts

@@ -0,0 +1,167 @@
+import { expect, tap } from '@git.zone/tstest/tapbundle';
+import { TypedRequest } from '@api.global/typedrequest';
+import { DcRouter } from '../ts/index.js';
+import * as interfaces from '../ts_interfaces/index.js';
+
+const TEST_PORT = 3201;
+const BASE_URL = `http://localhost:${TEST_PORT}/typedrequest`;
+
+let testDcRouter: DcRouter;
+let adminIdentity: interfaces.data.IIdentity;
+let removedQueueItemId: string | undefined;
+let lastEnqueueArgs: any[] | undefined;
+
+const queueItems = [
+  {
+    id: 'failed-email-1',
+    status: 'failed',
+    attempts: 3,
+    nextAttempt: new Date('2026-04-14T10:00:00.000Z'),
+    lastError: '550 mailbox unavailable',
+    processingMode: 'mta',
+    route: undefined,
+    createdAt: new Date('2026-04-14T09:00:00.000Z'),
+    processingResult: {
+      from: 'sender@example.com',
+      to: ['recipient@example.net'],
+      cc: ['copy@example.net'],
+      subject: 'Older message',
+      text: 'hello',
+      headers: { 'x-test': '1' },
+      getMessageId: () => 'message-older',
+      getAttachmentsSize: () => 64,
+    },
+  },
+  {
+    id: 'delivered-email-1',
+    status: 'delivered',
+    attempts: 1,
+    processingMode: 'mta',
+    route: undefined,
+    createdAt: new Date('2026-04-14T11:00:00.000Z'),
+    processingResult: {
+      email: {
+        from: 'fresh@example.com',
+        to: ['new@example.net'],
+        cc: [],
+        subject: 'Newest message',
+      },
+      html: '<p>newest</p>',
+      text: 'newest',
+      headers: { 'x-fresh': 'true' },
+      getMessageId: () => 'message-newer',
+      getAttachmentsSize: () => 0,
+    },
+  },
+];
+
+tap.test('should start DCRouter with OpsServer for email API tests', async () => {
+  testDcRouter = new DcRouter({
+    opsServerPort: TEST_PORT,
+    dbConfig: { enabled: false },
+  });
+
+  await testDcRouter.start();
+  testDcRouter.emailServer = {
+    getQueueItems: () => [...queueItems],
+    getQueueItem: (id: string) => queueItems.find((item) => item.id === id),
+    getQueueStats: () => ({
+      queueSize: 2,
+      status: {
+        pending: 0,
+        processing: 1,
+        failed: 1,
+        deferred: 1,
+        delivered: 1,
+      },
+    }),
+    deliveryQueue: {
+      enqueue: async (...args: any[]) => {
+        lastEnqueueArgs = args;
+        return 'resent-queue-id';
+      },
+      removeItem: async (id: string) => {
+        removedQueueItemId = id;
+        return true;
+      },
+    },
+  } as any;
+
+  expect(testDcRouter.opsServer).toBeInstanceOf(Object);
+});
+
+tap.test('should login as admin for email API tests', async () => {
+  const loginRequest = new TypedRequest<interfaces.requests.IReq_AdminLoginWithUsernameAndPassword>(
+    BASE_URL,
+    'adminLoginWithUsernameAndPassword',
+  );
+
+  const response = await loginRequest.fire({
+    username: 'admin',
+    password: 'admin',
+  });
+
+  adminIdentity = response.identity;
+  expect(adminIdentity.jwt).toBeTruthy();
+});
+
+tap.test('should return queued emails through the email ops API', async () => {
+  const request = new TypedRequest<interfaces.requests.IReq_GetAllEmails>(BASE_URL, 'getAllEmails');
+  const response = await request.fire({
+    identity: adminIdentity,
+  });
+
+  expect(response.emails.map((email) => email.id)).toEqual(['delivered-email-1', 'failed-email-1']);
+  expect(response.emails[0].status).toEqual('delivered');
+  expect(response.emails[1].status).toEqual('bounced');
+});
+
+tap.test('should return email detail through the email ops API', async () => {
+  const request = new TypedRequest<interfaces.requests.IReq_GetEmailDetail>(BASE_URL, 'getEmailDetail');
+  const response = await request.fire({
+    identity: adminIdentity,
+    emailId: 'failed-email-1',
+  });
+
+  expect(response.email?.toList).toEqual(['recipient@example.net']);
+  expect(response.email?.cc).toEqual(['copy@example.net']);
+  expect(response.email?.rejectionReason).toEqual('550 mailbox unavailable');
+  expect(response.email?.headers).toEqual({ 'x-test': '1' });
+});
+
+tap.test('should expose queue status through the stats API', async () => {
+  const request = new TypedRequest<interfaces.requests.IReq_GetQueueStatus>(BASE_URL, 'getQueueStatus');
+  const response = await request.fire({
+    identity: adminIdentity,
+  });
+
+  expect(response.queues.length).toEqual(1);
+  expect(response.queues[0].size).toEqual(0);
+  expect(response.queues[0].processing).toEqual(1);
+  expect(response.queues[0].failed).toEqual(1);
+  expect(response.queues[0].retrying).toEqual(1);
+  expect(response.totalItems).toEqual(3);
+});
+
+tap.test('should resend failed email through the admin email ops API', async () => {
+  const request = new TypedRequest<interfaces.requests.IReq_ResendEmail>(BASE_URL, 'resendEmail');
+  const response = await request.fire({
+    identity: adminIdentity,
+    emailId: 'failed-email-1',
+  });
+
+  expect(response.success).toEqual(true);
+  expect(response.newQueueId).toEqual('resent-queue-id');
+  expect(removedQueueItemId).toEqual('failed-email-1');
+  expect(lastEnqueueArgs?.[0]).toEqual(queueItems[0].processingResult);
+});
+
+tap.test('should stop DCRouter after email API tests', async () => {
+  await testDcRouter.stop();
+});
+
+tap.test('cleanup', async () => {
+  await tap.stopForcefully();
+});
+
+export default tap.start();

test/test.email-ops-handlers.node.ts

@@ -0,0 +1,107 @@
+import { tap, expect } from '@git.zone/tstest/tapbundle';
+import { EmailOpsHandler } from '../ts/opsserver/handlers/email-ops.handler.js';
+import { StatsHandler } from '../ts/opsserver/handlers/stats.handler.js';
+
+const createRouterStub = () => ({
+  addTypedHandler: (_handler: unknown) => {},
+});
+
+const queueItems = [
+  {
+    id: 'older-failed',
+    status: 'failed',
+    attempts: 3,
+    nextAttempt: new Date('2026-04-14T10:00:00.000Z'),
+    lastError: '550 mailbox unavailable',
+    createdAt: new Date('2026-04-14T09:00:00.000Z'),
+    processingResult: {
+      from: 'sender@example.com',
+      to: ['recipient@example.net'],
+      cc: ['copy@example.net'],
+      subject: 'Older message',
+      text: 'hello',
+      headers: { 'x-test': '1' },
+      getMessageId: () => 'message-older',
+      getAttachmentsSize: () => 64,
+    },
+  },
+  {
+    id: 'newer-delivered',
+    status: 'delivered',
+    attempts: 1,
+    createdAt: new Date('2026-04-14T11:00:00.000Z'),
+    processingResult: {
+      email: {
+        from: 'fresh@example.com',
+        to: ['new@example.net'],
+        cc: [],
+        subject: 'Newest message',
+      },
+      html: '<p>newest</p>',
+      text: 'newest',
+      headers: { 'x-fresh': 'true' },
+      getMessageId: () => 'message-newer',
+      getAttachmentsSize: () => 0,
+    },
+  },
+];
+
+tap.test('EmailOpsHandler maps queue items using public email server APIs', async () => {
+  const opsHandler = new EmailOpsHandler({
+    viewRouter: createRouterStub(),
+    adminRouter: createRouterStub(),
+    dcRouterRef: {
+      emailServer: {
+        getQueueItems: () => queueItems,
+        getQueueItem: (id: string) => queueItems.find((item) => item.id === id),
+      },
+    },
+  } as any);
+
+  const emails = (opsHandler as any).getAllQueueEmails();
+  expect(emails.map((email: any) => email.id)).toEqual(['newer-delivered', 'older-failed']);
+  expect(emails[0].status).toEqual('delivered');
+  expect(emails[1].status).toEqual('bounced');
+  expect(emails[0].messageId).toEqual('message-newer');
+
+  const detail = (opsHandler as any).getEmailDetail('older-failed');
+  expect(detail?.toList).toEqual(['recipient@example.net']);
+  expect(detail?.cc).toEqual(['copy@example.net']);
+  expect(detail?.rejectionReason).toEqual('550 mailbox unavailable');
+  expect(detail?.headers).toEqual({ 'x-test': '1' });
+});
+
+tap.test('StatsHandler reports queue status using public email server APIs', async () => {
+  const statsHandler = new StatsHandler({
+    viewRouter: createRouterStub(),
+    dcRouterRef: {
+      emailServer: {
+        getQueueStats: () => ({
+          queueSize: 2,
+          status: {
+            pending: 0,
+            processing: 1,
+            failed: 1,
+            deferred: 1,
+            delivered: 1,
+          },
+        }),
+        getQueueItems: () => queueItems,
+      },
+    },
+  } as any);
+
+  const queueStatus = await (statsHandler as any).getQueueStatus();
+  expect(queueStatus.pending).toEqual(0);
+  expect(queueStatus.active).toEqual(1);
+  expect(queueStatus.failed).toEqual(1);
+  expect(queueStatus.retrying).toEqual(1);
+  expect(queueStatus.items.map((item: any) => item.id)).toEqual(['newer-delivered', 'older-failed']);
+  expect(queueStatus.items[1].nextRetry).toEqual(new Date('2026-04-14T10:00:00.000Z').getTime());
+});
+
+tap.test('cleanup', async () => {
+  await tap.stopForcefully();
+});
+
+export default tap.start();

test/test.jwt-auth.ts

@@ -10,7 +10,7 @@ tap.test('should start DCRouter with OpsServer', async () => {
   testDcRouter = new DcRouter({
     // Minimal config for testing
     opsServerPort: 3102,
-    cacheConfig: { enabled: false },
+    dbConfig: { enabled: false },
   });
   
   await testDcRouter.start();

test/test.metricsmanager.route-keys.node.ts

@@ -0,0 +1,120 @@
+import { expect, tap } from '@git.zone/tstest/tapbundle';
+import { MetricsManager } from '../ts/monitoring/classes.metricsmanager.js';
+
+const emptyProtocolDistribution = {
+  h1Active: 0,
+  h1Total: 0,
+  h2Active: 0,
+  h2Total: 0,
+  h3Active: 0,
+  h3Total: 0,
+  wsActive: 0,
+  wsTotal: 0,
+  otherActive: 0,
+  otherTotal: 0,
+};
+
+function createProxyMetrics(args: {
+  connectionsByRoute: Map<string, number>;
+  throughputByRoute: Map<string, { in: number; out: number }>;
+  domainRequestsByIP: Map<string, Map<string, number>>;
+  requestsTotal?: number;
+}) {
+  return {
+    connections: {
+      active: () => 0,
+      total: () => 0,
+      byRoute: () => args.connectionsByRoute,
+      byIP: () => new Map<string, number>(),
+      topIPs: () => [],
+      domainRequestsByIP: () => args.domainRequestsByIP,
+      topDomainRequests: () => [],
+      frontendProtocols: () => emptyProtocolDistribution,
+      backendProtocols: () => emptyProtocolDistribution,
+    },
+    throughput: {
+      instant: () => ({ in: 0, out: 0 }),
+      recent: () => ({ in: 0, out: 0 }),
+      average: () => ({ in: 0, out: 0 }),
+      custom: () => ({ in: 0, out: 0 }),
+      history: () => [],
+      byRoute: () => args.throughputByRoute,
+      byIP: () => new Map<string, { in: number; out: number }>(),
+    },
+    requests: {
+      perSecond: () => 0,
+      perMinute: () => 0,
+      total: () => args.requestsTotal || 0,
+    },
+    totals: {
+      bytesIn: () => 0,
+      bytesOut: () => 0,
+      connections: () => 0,
+    },
+    backends: {
+      byBackend: () => new Map<string, any>(),
+      protocols: () => new Map<string, string>(),
+      topByErrors: () => [],
+      detectedProtocols: () => [],
+    },
+  };
+}
+
+tap.test('MetricsManager joins domain activity to id-keyed route metrics', async () => {
+  const proxyMetrics = createProxyMetrics({
+    connectionsByRoute: new Map([
+      ['route-id-only', 4],
+    ]),
+    throughputByRoute: new Map([
+      ['route-id-only', { in: 1200, out: 2400 }],
+    ]),
+    domainRequestsByIP: new Map([
+      ['192.0.2.10', new Map([
+        ['alpha.example.com', 3],
+        ['beta.example.com', 1],
+      ])],
+    ]),
+    requestsTotal: 4,
+  });
+
+  const smartProxy = {
+    getMetrics: () => proxyMetrics,
+    routeManager: {
+      getRoutes: () => [
+        {
+          id: 'route-id-only',
+          match: {
+            ports: [443],
+            domains: ['alpha.example.com', 'beta.example.com'],
+          },
+          action: {
+            type: 'forward',
+            targets: [{ host: '127.0.0.1', port: 8443 }],
+          },
+        },
+      ],
+    },
+  };
+
+  const manager = new MetricsManager({ smartProxy } as any);
+  const stats = await manager.getNetworkStats();
+  const alpha = stats.domainActivity.find((item) => item.domain === 'alpha.example.com');
+  const beta = stats.domainActivity.find((item) => item.domain === 'beta.example.com');
+
+  expect(alpha).toBeDefined();
+  expect(beta).toBeDefined();
+
+  expect(alpha!.requestCount).toEqual(3);
+  expect(alpha!.routeCount).toEqual(1);
+  expect(alpha!.activeConnections).toEqual(3);
+  expect(alpha!.bytesInPerSecond).toEqual(900);
+  expect(alpha!.bytesOutPerSecond).toEqual(1800);
+
+  expect(beta!.requestCount).toEqual(1);
+  expect(beta!.routeCount).toEqual(1);
+  expect(beta!.activeConnections).toEqual(1);
+  expect(beta!.bytesInPerSecond).toEqual(300);
+  expect(beta!.bytesOutPerSecond).toEqual(600);
+});
+
+export default tap.start();

test/test.opsserver-api.ts

@@ -10,7 +10,7 @@ tap.test('should start DCRouter with OpsServer', async () => {
   testDcRouter = new DcRouter({
     // Minimal config for testing
     opsServerPort: 3101,
-    cacheConfig: { enabled: false },
+    dbConfig: { enabled: false },
   });
 
   await testDcRouter.start();

test/test.protected-endpoint.ts

@@ -10,7 +10,7 @@ tap.test('should start DCRouter with OpsServer', async () => {
   testDcRouter = new DcRouter({
     // Minimal config for testing
     opsServerPort: 3103,
-    cacheConfig: { enabled: false },
+    dbConfig: { enabled: false },
   });
 
   await testDcRouter.start();

test/test.reference-resolver.ts

@@ -0,0 +1,371 @@
+import { expect, tap } from '@git.zone/tstest/tapbundle';
+import { ReferenceResolver } from '../ts/config/classes.reference-resolver.js';
+import type { ISourceProfile, INetworkTarget, IRouteMetadata } from '../ts_interfaces/data/route-management.js';
+import type { IRouteConfig } from '@push.rocks/smartproxy';
+
+// ============================================================================
+// Helpers: access private maps for direct unit testing without DB
+// ============================================================================
+
+function injectProfile(resolver: ReferenceResolver, profile: ISourceProfile): void {
+  (resolver as any).profiles.set(profile.id, profile);
+}
+
+function injectTarget(resolver: ReferenceResolver, target: INetworkTarget): void {
+  (resolver as any).targets.set(target.id, target);
+}
+
+function makeProfile(overrides: Partial<ISourceProfile> = {}): ISourceProfile {
+  return {
+    id: 'profile-1',
+    name: 'STANDARD',
+    description: 'Test profile',
+    security: {
+      ipAllowList: ['192.168.0.0/16', '10.0.0.0/8'],
+      maxConnections: 1000,
+    },
+    createdAt: Date.now(),
+    updatedAt: Date.now(),
+    createdBy: 'test',
+    ...overrides,
+  };
+}
+
+function makeTarget(overrides: Partial<INetworkTarget> = {}): INetworkTarget {
+  return {
+    id: 'target-1',
+    name: 'INFRA',
+    description: 'Test target',
+    host: '192.168.5.247',
+    port: 443,
+    createdAt: Date.now(),
+    updatedAt: Date.now(),
+    createdBy: 'test',
+    ...overrides,
+  };
+}
+
+function makeRoute(overrides: Partial<IRouteConfig> = {}): IRouteConfig {
+  return {
+    name: 'test-route',
+    match: { ports: 443, domains: 'test.example.com' },
+    action: { type: 'forward', targets: [{ host: 'placeholder', port: 80 }] },
+    ...overrides,
+  } as IRouteConfig;
+}
+
+// ============================================================================
+// Resolution tests
+// ============================================================================
+
+let resolver: ReferenceResolver;
+
+tap.test('should create ReferenceResolver instance', async () => {
+  resolver = new ReferenceResolver();
+  expect(resolver).toBeTruthy();
+});
+
+tap.test('should list empty profiles and targets initially', async () => {
+  expect(resolver.listProfiles()).toBeArray();
+  expect(resolver.listProfiles().length).toEqual(0);
+  expect(resolver.listTargets()).toBeArray();
+  expect(resolver.listTargets().length).toEqual(0);
+});
+
+// ---- Source profile resolution ----
+
+tap.test('should resolve source profile onto a route', async () => {
+  const profile = makeProfile();
+  injectProfile(resolver, profile);
+
+  const route = makeRoute();
+  const metadata: IRouteMetadata = { sourceProfileRef: 'profile-1' };
+
+  const result = resolver.resolveRoute(route, metadata);
+
+  expect(result.route.security).toBeTruthy();
+  expect(result.route.security!.ipAllowList).toContain('192.168.0.0/16');
+  expect(result.route.security!.ipAllowList).toContain('10.0.0.0/8');
+  expect(result.route.security!.maxConnections).toEqual(1000);
+  expect(result.metadata.sourceProfileName).toEqual('STANDARD');
+  expect(result.metadata.lastResolvedAt).toBeTruthy();
+});
+
+tap.test('should merge inline route security with profile security', async () => {
+  const route = makeRoute({
+    security: {
+      ipAllowList: ['127.0.0.1'],
+      maxConnections: 5000,
+    },
+  });
+  const metadata: IRouteMetadata = { sourceProfileRef: 'profile-1' };
+
+  const result = resolver.resolveRoute(route, metadata);
+
+  // IP lists are unioned
+  expect(result.route.security!.ipAllowList).toContain('192.168.0.0/16');
+  expect(result.route.security!.ipAllowList).toContain('10.0.0.0/8');
+  expect(result.route.security!.ipAllowList).toContain('127.0.0.1');
+
+  // Inline maxConnections overrides profile
+  expect(result.route.security!.maxConnections).toEqual(5000);
+});
+
+tap.test('should deduplicate IP lists during merge', async () => {
+  const route = makeRoute({
+    security: {
+      ipAllowList: ['192.168.0.0/16', '127.0.0.1'],
+    },
+  });
+  const metadata: IRouteMetadata = { sourceProfileRef: 'profile-1' };
+
+  const result = resolver.resolveRoute(route, metadata);
+
+  // 192.168.0.0/16 appears in both profile and route, should be deduplicated
+  const count = result.route.security!.ipAllowList!.filter(ip => ip === '192.168.0.0/16').length;
+  expect(count).toEqual(1);
+});
+
+tap.test('should handle missing profile gracefully', async () => {
+  const route = makeRoute();
+  const metadata: IRouteMetadata = { sourceProfileRef: 'nonexistent-profile' };
+
+  const result = resolver.resolveRoute(route, metadata);
+
+  // Route should be unchanged
+  expect(result.route.security).toBeUndefined();
+  expect(result.metadata.sourceProfileName).toBeUndefined();
+});
+
+// ---- Profile inheritance ----
+
+tap.test('should resolve profile inheritance (extendsProfiles)', async () => {
+  const baseProfile = makeProfile({
+    id: 'base-profile',
+    name: 'BASE',
+    security: {
+      ipAllowList: ['10.0.0.0/8'],
+      maxConnections: 500,
+    },
+  });
+  injectProfile(resolver, baseProfile);
+
+  const extendedProfile = makeProfile({
+    id: 'extended-profile',
+    name: 'EXTENDED',
+    security: {
+      ipAllowList: ['160.79.104.0/21'],
+    },
+    extendsProfiles: ['base-profile'],
+  });
+  injectProfile(resolver, extendedProfile);
+
+  const route = makeRoute();
+  const metadata: IRouteMetadata = { sourceProfileRef: 'extended-profile' };
+
+  const result = resolver.resolveRoute(route, metadata);
+
+  // Should have IPs from both base and extended profiles
+  expect(result.route.security!.ipAllowList).toContain('10.0.0.0/8');
+  expect(result.route.security!.ipAllowList).toContain('160.79.104.0/21');
+  // maxConnections from base (extended doesn't override)
+  expect(result.route.security!.maxConnections).toEqual(500);
+  expect(result.metadata.sourceProfileName).toEqual('EXTENDED');
+});
+
+tap.test('should detect circular profile inheritance', async () => {
+  const profileA = makeProfile({
+    id: 'circular-a',
+    name: 'A',
+    security: { ipAllowList: ['1.1.1.1'] },
+    extendsProfiles: ['circular-b'],
+  });
+  const profileB = makeProfile({
+    id: 'circular-b',
+    name: 'B',
+    security: { ipAllowList: ['2.2.2.2'] },
+    extendsProfiles: ['circular-a'],
+  });
+  injectProfile(resolver, profileA);
+  injectProfile(resolver, profileB);
+
+  const route = makeRoute();
+  const metadata: IRouteMetadata = { sourceProfileRef: 'circular-a' };
+
+  // Should not infinite loop — resolves what it can
+  const result = resolver.resolveRoute(route, metadata);
+  expect(result.route.security).toBeTruthy();
+  expect(result.route.security!.ipAllowList).toContain('1.1.1.1');
+});
+
+// ---- Network target resolution ----
+
+tap.test('should resolve network target onto a route', async () => {
+  const target = makeTarget();
+  injectTarget(resolver, target);
+
+  const route = makeRoute();
+  const metadata: IRouteMetadata = { networkTargetRef: 'target-1' };
+
+  const result = resolver.resolveRoute(route, metadata);
+
+  expect(result.route.action.targets).toBeTruthy();
+  expect(result.route.action.targets![0].host).toEqual('192.168.5.247');
+  expect(result.route.action.targets![0].port).toEqual(443);
+  expect(result.metadata.networkTargetName).toEqual('INFRA');
+  expect(result.metadata.lastResolvedAt).toBeTruthy();
+});
+
+tap.test('should handle missing target gracefully', async () => {
+  const route = makeRoute();
+  const metadata: IRouteMetadata = { networkTargetRef: 'nonexistent-target' };
+
+  const result = resolver.resolveRoute(route, metadata);
+
+  // Route targets should be unchanged (still the placeholder)
+  expect(result.route.action.targets![0].host).toEqual('placeholder');
+  expect(result.metadata.networkTargetName).toBeUndefined();
+});
+
+// ---- Combined resolution ----
+
+tap.test('should resolve both profile and target simultaneously', async () => {
+  const route = makeRoute();
+  const metadata: IRouteMetadata = {
+    sourceProfileRef: 'profile-1',
+    networkTargetRef: 'target-1',
+  };
+
+  const result = resolver.resolveRoute(route, metadata);
+
+  // Security from profile
+  expect(result.route.security!.ipAllowList).toContain('192.168.0.0/16');
+  expect(result.route.security!.maxConnections).toEqual(1000);
+
+  // Target from network target
+  expect(result.route.action.targets![0].host).toEqual('192.168.5.247');
+  expect(result.route.action.targets![0].port).toEqual(443);
+
+  // Both names recorded
+  expect(result.metadata.sourceProfileName).toEqual('STANDARD');
+  expect(result.metadata.networkTargetName).toEqual('INFRA');
+});
+
+tap.test('should skip resolution when no metadata refs', async () => {
+  const route = makeRoute({
+    security: { ipAllowList: ['1.2.3.4'] },
+  });
+  const metadata: IRouteMetadata = {};
+
+  const result = resolver.resolveRoute(route, metadata);
+
+  // Route should be completely unchanged
+  expect(result.route.security!.ipAllowList).toContain('1.2.3.4');
+  expect(result.route.security!.ipAllowList!.length).toEqual(1);
+  expect(result.route.action.targets![0].host).toEqual('placeholder');
+});
+
+tap.test('should be idempotent — resolving twice gives same result', async () => {
+  const route = makeRoute();
+  const metadata: IRouteMetadata = {
+    sourceProfileRef: 'profile-1',
+    networkTargetRef: 'target-1',
+  };
+
+  const first = resolver.resolveRoute(route, metadata);
+  const second = resolver.resolveRoute(first.route, first.metadata);
+
+  expect(second.route.security!.ipAllowList!.length).toEqual(first.route.security!.ipAllowList!.length);
+  expect(second.route.action.targets![0].host).toEqual(first.route.action.targets![0].host);
+  expect(second.route.action.targets![0].port).toEqual(first.route.action.targets![0].port);
+});
+
+// ---- Lookup helpers ----
+
+tap.test('should find routes by profile ref (sync)', async () => {
+  const storedRoutes = new Map<string, any>();
+  storedRoutes.set('route-a', {
+    id: 'route-a',
+    route: makeRoute({ name: 'route-a' }),
+    enabled: true,
+    metadata: { sourceProfileRef: 'profile-1' },
+  });
+  storedRoutes.set('route-b', {
+    id: 'route-b',
+    route: makeRoute({ name: 'route-b' }),
+    enabled: true,
+    metadata: { networkTargetRef: 'target-1' },
+  });
+  storedRoutes.set('route-c', {
+    id: 'route-c',
+    route: makeRoute({ name: 'route-c' }),
+    enabled: true,
+    metadata: { sourceProfileRef: 'profile-1', networkTargetRef: 'target-1' },
+  });
+
+  const profileRefs = resolver.findRoutesByProfileRefSync('profile-1', storedRoutes);
+  expect(profileRefs.length).toEqual(2);
+  expect(profileRefs).toContain('route-a');
+  expect(profileRefs).toContain('route-c');
+
+  const targetRefs = resolver.findRoutesByTargetRefSync('target-1', storedRoutes);
+  expect(targetRefs.length).toEqual(2);
+  expect(targetRefs).toContain('route-b');
+  expect(targetRefs).toContain('route-c');
+});
+
+tap.test('should get profile usage for a specific profile ID', async () => {
+  const storedRoutes = new Map<string, any>();
+  storedRoutes.set('route-x', {
+    id: 'route-x',
+    route: makeRoute({ name: 'my-route' }),
+    enabled: true,
+    metadata: { sourceProfileRef: 'profile-1' },
+  });
+
+  const usage = resolver.getProfileUsageForId('profile-1', storedRoutes);
+  expect(usage.length).toEqual(1);
+  expect(usage[0].id).toEqual('route-x');
+  expect(usage[0].routeName).toEqual('my-route');
+});
+
+tap.test('should get target usage for a specific target ID', async () => {
+  const storedRoutes = new Map<string, any>();
+  storedRoutes.set('route-y', {
+    id: 'route-y',
+    route: makeRoute({ name: 'other-route' }),
+    enabled: true,
+    metadata: { networkTargetRef: 'target-1' },
+  });
+
+  const usage = resolver.getTargetUsageForId('target-1', storedRoutes);
+  expect(usage.length).toEqual(1);
+  expect(usage[0].id).toEqual('route-y');
+  expect(usage[0].routeName).toEqual('other-route');
+});
+
+// ---- Profile/target getters ----
+
+tap.test('should get profile by name', async () => {
+  const profile = resolver.getProfileByName('STANDARD');
+  expect(profile).toBeTruthy();
+  expect(profile!.id).toEqual('profile-1');
+});
+
+tap.test('should get target by name', async () => {
+  const target = resolver.getTargetByName('INFRA');
+  expect(target).toBeTruthy();
+  expect(target!.id).toEqual('target-1');
+});
+
+tap.test('should return undefined for nonexistent profile name', async () => {
+  const profile = resolver.getProfileByName('NONEXISTENT');
+  expect(profile).toBeUndefined();
+});
+
+tap.test('should return undefined for nonexistent target name', async () => {
+  const target = resolver.getTargetByName('NONEXISTENT');
+  expect(target).toBeUndefined();
+});
+
+export default tap.start();

test/test.smartmta-storage-manager.node.ts

@@ -0,0 +1,31 @@
+import { tap, expect } from '@git.zone/tstest/tapbundle';
+import * as plugins from '../ts/plugins.js';
+import { SmartMtaStorageManager } from '../ts/email/index.js';
+
+const tempDir = plugins.path.join(process.cwd(), '.nogit', 'test-smartmta-storage');
+
+tap.test('SmartMtaStorageManager persists, lists, and deletes keys', async () => {
+  await plugins.fs.promises.rm(tempDir, { recursive: true, force: true });
+
+  const storageManager = new SmartMtaStorageManager(tempDir);
+  await storageManager.set('/email/dkim/example.com/default/metadata', 'metadata');
+  await storageManager.set('/email/dkim/example.com/default/public.key', 'public');
+
+  expect(await storageManager.get('/email/dkim/example.com/default/metadata')).toEqual('metadata');
+
+  const keys = await storageManager.list('/email/dkim/example.com/');
+  expect(keys).toEqual([
+    '/email/dkim/example.com/default/metadata',
+    '/email/dkim/example.com/default/public.key',
+  ]);
+
+  await storageManager.delete('/email/dkim/example.com/default/metadata');
+  expect(await storageManager.get('/email/dkim/example.com/default/metadata')).toBeNull();
+});
+
+tap.test('cleanup', async () => {
+  await plugins.fs.promises.rm(tempDir, { recursive: true, force: true });
+  await tap.stopForcefully();
+});
+
+export default tap.start();

test/test.source-profiles-api.ts

@@ -0,0 +1,208 @@
+import { expect, tap } from '@git.zone/tstest/tapbundle';
+import { DcRouter } from '../ts/index.js';
+import { TypedRequest } from '@api.global/typedrequest';
+import * as interfaces from '../ts_interfaces/index.js';
+
+const TEST_PORT = 3200;
+const TEST_URL = `http://localhost:${TEST_PORT}/typedrequest`;
+
+let testDcRouter: DcRouter;
+let adminIdentity: interfaces.data.IIdentity;
+
+// ============================================================================
+// Setup — db disabled, handlers return graceful fallbacks
+// ============================================================================
+
+tap.test('should start DCRouter with OpsServer', async () => {
+  testDcRouter = new DcRouter({
+    opsServerPort: TEST_PORT,
+    dbConfig: { enabled: false },
+  });
+
+  await testDcRouter.start();
+  expect(testDcRouter.opsServer).toBeInstanceOf(Object);
+});
+
+tap.test('should login as admin', async () => {
+  const loginRequest = new TypedRequest<interfaces.requests.IReq_AdminLoginWithUsernameAndPassword>(
+    TEST_URL,
+    'adminLoginWithUsernameAndPassword'
+  );
+
+  const response = await loginRequest.fire({
+    username: 'admin',
+    password: 'admin',
+  });
+
+  expect(response).toHaveProperty('identity');
+  adminIdentity = response.identity;
+});
+
+// ============================================================================
+// Source Profile endpoints (graceful fallbacks when resolver unavailable)
+// ============================================================================
+
+tap.test('should return empty profiles list when resolver not initialized', async () => {
+  const req = new TypedRequest<interfaces.requests.IReq_GetSourceProfiles>(
+    TEST_URL,
+    'getSourceProfiles'
+  );
+
+  const response = await req.fire({
+    identity: adminIdentity,
+  });
+
+  expect(response.profiles).toBeArray();
+  expect(response.profiles.length).toEqual(0);
+});
+
+tap.test('should return null for single profile when resolver not initialized', async () => {
+  const req = new TypedRequest<interfaces.requests.IReq_GetSourceProfile>(
+    TEST_URL,
+    'getSourceProfile'
+  );
+
+  const response = await req.fire({
+    identity: adminIdentity,
+    id: 'nonexistent',
+  });
+
+  expect(response.profile).toEqual(null);
+});
+
+tap.test('should return failure for create profile when resolver not initialized', async () => {
+  const req = new TypedRequest<interfaces.requests.IReq_CreateSourceProfile>(
+    TEST_URL,
+    'createSourceProfile'
+  );
+
+  const response = await req.fire({
+    identity: adminIdentity,
+    name: 'TEST',
+    security: { ipAllowList: ['*'] },
+  });
+
+  expect(response.success).toBeFalse();
+  expect(response.message).toBeTruthy();
+});
+
+tap.test('should return empty profile usage when resolver not initialized', async () => {
+  const req = new TypedRequest<interfaces.requests.IReq_GetSourceProfileUsage>(
+    TEST_URL,
+    'getSourceProfileUsage'
+  );
+
+  const response = await req.fire({
+    identity: adminIdentity,
+    id: 'nonexistent',
+  });
+
+  expect(response.routes).toBeArray();
+  expect(response.routes.length).toEqual(0);
+});
+
+// ============================================================================
+// Network Target endpoints (graceful fallbacks when resolver unavailable)
+// ============================================================================
+
+tap.test('should return empty targets list when resolver not initialized', async () => {
+  const req = new TypedRequest<interfaces.requests.IReq_GetNetworkTargets>(
+    TEST_URL,
+    'getNetworkTargets'
+  );
+
+  const response = await req.fire({
+    identity: adminIdentity,
+  });
+
+  expect(response.targets).toBeArray();
+  expect(response.targets.length).toEqual(0);
+});
+
+tap.test('should return null for single target when resolver not initialized', async () => {
+  const req = new TypedRequest<interfaces.requests.IReq_GetNetworkTarget>(
+    TEST_URL,
+    'getNetworkTarget'
+  );
+
+  const response = await req.fire({
+    identity: adminIdentity,
+    id: 'nonexistent',
+  });
+
+  expect(response.target).toEqual(null);
+});
+
+tap.test('should return failure for create target when resolver not initialized', async () => {
+  const req = new TypedRequest<interfaces.requests.IReq_CreateNetworkTarget>(
+    TEST_URL,
+    'createNetworkTarget'
+  );
+
+  const response = await req.fire({
+    identity: adminIdentity,
+    name: 'TEST',
+    host: '127.0.0.1',
+    port: 443,
+  });
+
+  expect(response.success).toBeFalse();
+  expect(response.message).toBeTruthy();
+});
+
+tap.test('should return empty target usage when resolver not initialized', async () => {
+  const req = new TypedRequest<interfaces.requests.IReq_GetNetworkTargetUsage>(
+    TEST_URL,
+    'getNetworkTargetUsage'
+  );
+
+  const response = await req.fire({
+    identity: adminIdentity,
+    id: 'nonexistent',
+  });
+
+  expect(response.routes).toBeArray();
+  expect(response.routes.length).toEqual(0);
+});
+
+// ============================================================================
+// Auth rejection
+// ============================================================================
+
+tap.test('should reject unauthenticated profile requests', async () => {
+  const req = new TypedRequest<interfaces.requests.IReq_GetSourceProfiles>(
+    TEST_URL,
+    'getSourceProfiles'
+  );
+
+  try {
+    await req.fire({} as any);
+    expect(true).toBeFalse();
+  } catch (error) {
+    expect(error).toBeTruthy();
+  }
+});
+
+tap.test('should reject unauthenticated target requests', async () => {
+  const req = new TypedRequest<interfaces.requests.IReq_GetNetworkTargets>(
+    TEST_URL,
+    'getNetworkTargets'
+  );
+
+  try {
+    await req.fire({} as any);
+    expect(true).toBeFalse();
+  } catch (error) {
+    expect(error).toBeTruthy();
+  }
+});
+
+// ============================================================================
+// Cleanup
+// ============================================================================
+
+tap.test('should stop DCRouter', async () => {
+  await testDcRouter.stop();
+});
+
+export default tap.start();

test/test.storagemanager.ts

@@ -1,289 +0,0 @@
-import { tap, expect } from '@git.zone/tstest/tapbundle';
-import * as plugins from '../ts/plugins.js';
-import * as paths from '../ts/paths.js';
-import { StorageManager } from '../ts/storage/classes.storagemanager.js';
-import { promises as fs } from 'fs';
-import * as path from 'path';
-
-// Test data
-const testData = {
-  string: 'Hello, World!',
-  json: { name: 'test', value: 42, nested: { data: true } },
-  largeString: 'x'.repeat(10000)
-};
-
-tap.test('Storage Manager - Memory Backend', async () => {
-  // Create StorageManager without config (defaults to memory)
-  const storage = new StorageManager();
-  
-  // Test basic get/set
-  await storage.set('/test/key', testData.string);
-  const value = await storage.get('/test/key');
-  expect(value).toEqual(testData.string);
-  
-  // Test JSON helpers
-  await storage.setJSON('/test/json', testData.json);
-  const jsonValue = await storage.getJSON('/test/json');
-  expect(jsonValue).toEqual(testData.json);
-  
-  // Test exists
-  expect(await storage.exists('/test/key')).toEqual(true);
-  expect(await storage.exists('/nonexistent')).toEqual(false);
-  
-  // Test delete
-  await storage.delete('/test/key');
-  expect(await storage.exists('/test/key')).toEqual(false);
-  
-  // Test list
-  await storage.set('/items/1', 'one');
-  await storage.set('/items/2', 'two');
-  await storage.set('/other/3', 'three');
-  
-  const items = await storage.list('/items');
-  expect(items.length).toEqual(2);
-  expect(items).toContain('/items/1');
-  expect(items).toContain('/items/2');
-  
-  // Verify memory backend
-  expect(storage.getBackend()).toEqual('memory');
-});
-
-tap.test('Storage Manager - Filesystem Backend', async () => {
-  const testDir = path.join(paths.dataDir, '.test-storage');
-  
-  // Clean up test directory if it exists
-  try {
-    await fs.rm(testDir, { recursive: true, force: true });
-  } catch {}
-  
-  // Create StorageManager with filesystem path
-  const storage = new StorageManager({ fsPath: testDir });
-  
-  // Test basic operations
-  await storage.set('/test/file', testData.string);
-  const value = await storage.get('/test/file');
-  expect(value).toEqual(testData.string);
-  
-  // Verify file exists on disk
-  const filePath = path.join(testDir, 'test', 'file');
-  const fileExists = await fs.access(filePath).then(() => true).catch(() => false);
-  expect(fileExists).toEqual(true);
-  
-  // Test atomic writes (temp file should not exist)
-  const tempPath = filePath + '.tmp';
-  const tempExists = await fs.access(tempPath).then(() => true).catch(() => false);
-  expect(tempExists).toEqual(false);
-  
-  // Test nested paths
-  await storage.set('/deeply/nested/path/to/file', testData.largeString);
-  const nestedValue = await storage.get('/deeply/nested/path/to/file');
-  expect(nestedValue).toEqual(testData.largeString);
-  
-  // Test list with filesystem
-  await storage.set('/fs/items/a', 'alpha');
-  await storage.set('/fs/items/b', 'beta');
-  await storage.set('/fs/other/c', 'gamma');
-  
-  // Filesystem backend now properly supports list
-  const fsItems = await storage.list('/fs/items');
-  expect(fsItems.length).toEqual(2); // Should find both items
-  
-  // Clean up
-  await fs.rm(testDir, { recursive: true, force: true });
-});
-
-tap.test('Storage Manager - Custom Function Backend', async () => {
-  // Create in-memory storage for custom functions
-  const customStore = new Map<string, string>();
-  
-  const storage = new StorageManager({
-    readFunction: async (key: string) => {
-      return customStore.get(key) || null;
-    },
-    writeFunction: async (key: string, value: string) => {
-      customStore.set(key, value);
-    }
-  });
-  
-  // Test basic operations
-  await storage.set('/custom/key', testData.string);
-  expect(customStore.has('/custom/key')).toEqual(true);
-  
-  const value = await storage.get('/custom/key');
-  expect(value).toEqual(testData.string);
-  
-  // Test that delete sets empty value (as per implementation)
-  await storage.delete('/custom/key');
-  expect(customStore.get('/custom/key')).toEqual('');
-  
-  // Verify custom backend (filesystem is implemented as custom backend internally)
-  expect(storage.getBackend()).toEqual('custom');
-});
-
-tap.test('Storage Manager - Key Validation', async () => {
-  const storage = new StorageManager();
-  
-  // Test key normalization
-  await storage.set('test/key', 'value1'); // Missing leading slash
-  const value1 = await storage.get('/test/key');
-  expect(value1).toEqual('value1');
-  
-  // Test dangerous path elements are removed
-  await storage.set('/test/../danger/key', 'value2');
-  const value2 = await storage.get('/test/danger/key'); // .. is removed, not the whole path segment
-  expect(value2).toEqual('value2');
-  
-  // Test multiple slashes are normalized
-  await storage.set('/test///multiple////slashes', 'value3');
-  const value3 = await storage.get('/test/multiple/slashes');
-  expect(value3).toEqual('value3');
-  
-  // Test invalid keys throw errors
-  let emptyKeyError: Error | null = null;
-  try {
-    await storage.set('', 'value');
-  } catch (error) {
-    emptyKeyError = error as Error;
-  }
-  expect(emptyKeyError).toBeTruthy();
-  expect(emptyKeyError?.message).toEqual('Storage key must be a non-empty string');
-  
-  let nullKeyError: Error | null = null;
-  try {
-    await storage.set(null as any, 'value');
-  } catch (error) {
-    nullKeyError = error as Error;
-  }
-  expect(nullKeyError).toBeTruthy();
-  expect(nullKeyError?.message).toEqual('Storage key must be a non-empty string');
-});
-
-tap.test('Storage Manager - Concurrent Access', async () => {
-  const storage = new StorageManager();
-  const promises: Promise<void>[] = [];
-  
-  // Simulate concurrent writes
-  for (let i = 0; i < 100; i++) {
-    promises.push(storage.set(`/concurrent/key${i}`, `value${i}`));
-  }
-  
-  await Promise.all(promises);
-  
-  // Verify all writes succeeded
-  for (let i = 0; i < 100; i++) {
-    const value = await storage.get(`/concurrent/key${i}`);
-    expect(value).toEqual(`value${i}`);
-  }
-  
-  // Test concurrent reads
-  const readPromises: Promise<string | null>[] = [];
-  for (let i = 0; i < 100; i++) {
-    readPromises.push(storage.get(`/concurrent/key${i}`));
-  }
-  
-  const results = await Promise.all(readPromises);
-  for (let i = 0; i < 100; i++) {
-    expect(results[i]).toEqual(`value${i}`);
-  }
-});
-
-tap.test('Storage Manager - Backend Priority', async () => {
-  const testDir = path.join(paths.dataDir, '.test-storage-priority');
-  
-  // Test that custom functions take priority over fsPath
-  let warningLogged = false;
-  const originalWarn = console.warn;
-  console.warn = (message: string) => {
-    if (message.includes('Using custom read/write functions')) {
-      warningLogged = true;
-    }
-  };
-  
-  const storage = new StorageManager({
-    fsPath: testDir,
-    readFunction: async () => 'custom-value',
-    writeFunction: async () => {}
-  });
-  
-  console.warn = originalWarn;
-  
-  expect(warningLogged).toEqual(true);
-  expect(storage.getBackend()).toEqual('custom'); // Custom functions take priority
-  
-  // Clean up
-  try {
-    await fs.rm(testDir, { recursive: true, force: true });
-  } catch {}
-});
-
-tap.test('Storage Manager - Error Handling', async () => {
-  // Test filesystem errors
-  const storage = new StorageManager({
-    readFunction: async () => {
-      throw new Error('Read error');
-    },
-    writeFunction: async () => {
-      throw new Error('Write error');
-    }
-  });
-  
-  // Read errors should return null
-  const value = await storage.get('/error/key');
-  expect(value).toEqual(null);
-  
-  // Write errors should propagate
-  let writeError: Error | null = null;
-  try {
-    await storage.set('/error/key', 'value');
-  } catch (error) {
-    writeError = error as Error;
-  }
-  expect(writeError).toBeTruthy();
-  expect(writeError?.message).toEqual('Write error');
-  
-  // Test JSON parse errors
-  const jsonStorage = new StorageManager({
-    readFunction: async () => 'invalid json',
-    writeFunction: async () => {}
-  });
-  
-  // Test JSON parse errors
-  let jsonError: Error | null = null;
-  try {
-    await jsonStorage.getJSON('/invalid/json');
-  } catch (error) {
-    jsonError = error as Error;
-  }
-  expect(jsonError).toBeTruthy();
-  expect(jsonError?.message).toContain('JSON');
-});
-
-tap.test('Storage Manager - List Operations', async () => {
-  const storage = new StorageManager();
-  
-  // Populate storage with hierarchical data
-  await storage.set('/app/config/database', 'db-config');
-  await storage.set('/app/config/cache', 'cache-config');
-  await storage.set('/app/data/users/1', 'user1');
-  await storage.set('/app/data/users/2', 'user2');
-  await storage.set('/app/logs/error.log', 'errors');
-  
-  // List root
-  const rootItems = await storage.list('/');
-  expect(rootItems.length).toBeGreaterThanOrEqual(5);
-  
-  // List specific paths
-  const configItems = await storage.list('/app/config');
-  expect(configItems.length).toEqual(2);
-  expect(configItems).toContain('/app/config/database');
-  expect(configItems).toContain('/app/config/cache');
-  
-  const userItems = await storage.list('/app/data/users');
-  expect(userItems.length).toEqual(2);
-  
-  // List non-existent path
-  const emptyList = await storage.list('/nonexistent/path');
-  expect(emptyList.length).toEqual(0);
-});
-
-export default tap.start();

test_watch/devserver.ts

@@ -1,6 +1,8 @@
 import { DcRouter } from '../ts/index.js';
 
 const devRouter = new DcRouter({
+  // Server public IP (used for VPN AllowedIPs)
+  publicIp: '203.0.113.1',
   // SmartProxy routes for development/demo
   smartProxyConfig: {
     routes: [
@@ -23,10 +25,31 @@ const devRouter = new DcRouter({
           tls: { mode: 'passthrough' },
         },
       },
+      {
+        name: 'vpn-internal-app',
+        match: { ports: [18080], domains: ['internal.example.com'] },
+        action: { type: 'forward', targets: [{ host: 'localhost', port: 5000 }] },
+        vpnOnly: true,
+      },
+      {
+        name: 'vpn-eng-dashboard',
+        match: { ports: [18080], domains: ['eng.example.com'] },
+        action: { type: 'forward', targets: [{ host: 'localhost', port: 5001 }] },
+        vpnOnly: true,
+      },
+    ] as any[],
+  },
+  // VPN with pre-defined clients
+  vpnConfig: {
+    enabled: true,
+    serverEndpoint: 'vpn.dev.local',
+    clients: [
+      { clientId: 'dev-laptop', description: 'Developer laptop' },
+      { clientId: 'ci-runner', description: 'CI/CD pipeline' },
+      { clientId: 'admin-desktop', description: 'Admin workstation' },
     ],
   },
-  // Disable cache/mongo for dev
-  cacheConfig: { enabled: false },
+  dbConfig: { enabled: true },
 });
 
 console.log('Starting DcRouter in development mode...');

ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@serve.zone/dcrouter',
-  version: '11.8.0',
+  version: '13.19.0',
   description: 'A multifaceted routing service handling mail and SMS delivery functions.'
 }

ts/acme/index.ts

@@ -0,0 +1 @@
+export * from './manager.acme-config.js';

ts/acme/manager.acme-config.ts

@@ -0,0 +1,182 @@
+import { logger } from '../logger.js';
+import { AcmeConfigDoc } from '../db/documents/index.js';
+import type { IDcRouterOptions } from '../classes.dcrouter.js';
+import type { IAcmeConfig } from '../../ts_interfaces/data/acme-config.js';
+
+/**
+ * AcmeConfigManager — owns the singleton ACME configuration in the DB.
+ *
+ * Lifecycle:
+ *  - `start()` — loads from the DB; if empty, seeds from legacy constructor
+ *    fields (`tls.contactEmail`, `smartProxyConfig.acme.*`) on first boot.
+ *  - `getConfig()` — returns the in-memory cached `IAcmeConfig` (or null)
+ *  - `updateConfig(args, updatedBy)` — upserts and refreshes the cache
+ *
+ * Reload semantics: updates take effect on the next dcrouter restart because
+ * `SmartAcme` is instantiated once in `setupSmartProxy()`. `renewThresholdDays`
+ * applies immediately to the next renewal check. See
+ * `ts_web/elements/domains/ops-view-certificates.ts` for the UI warning.
+ */
+export class AcmeConfigManager {
+  private cached: IAcmeConfig | null = null;
+
+  constructor(private options: IDcRouterOptions) {}
+
+  public async start(): Promise<void> {
+    logger.log('info', 'AcmeConfigManager: starting');
+    let doc = await AcmeConfigDoc.load();
+
+    if (!doc) {
+      // First-boot path: seed from legacy constructor fields if present.
+      const seed = this.deriveSeedFromOptions();
+      if (seed) {
+        doc = await this.createSeedDoc(seed);
+        logger.log(
+          'info',
+          `AcmeConfigManager: seeded from constructor legacy fields (accountEmail=${seed.accountEmail}, useProduction=${seed.useProduction})`,
+        );
+      } else {
+        logger.log(
+          'info',
+          'AcmeConfigManager: no AcmeConfig in DB and no legacy constructor fields — ACME disabled until configured via Domains > Certificates > Settings.',
+        );
+      }
+    } else if (this.deriveSeedFromOptions()) {
+      logger.log(
+        'warn',
+        'AcmeConfigManager: ignoring constructor tls.contactEmail / smartProxyConfig.acme — DB already has AcmeConfigDoc. Manage via Domains > Certificates > Settings.',
+      );
+    }
+
+    this.cached = doc ? this.toPlain(doc) : null;
+    if (this.cached) {
+      logger.log(
+        'info',
+        `AcmeConfigManager: loaded ACME config (accountEmail=${this.cached.accountEmail}, enabled=${this.cached.enabled}, useProduction=${this.cached.useProduction})`,
+      );
+    }
+  }
+
+  public async stop(): Promise<void> {
+    this.cached = null;
+  }
+
+  /**
+   * Returns the current ACME config, or null if not configured.
+   * In-memory — does not hit the DB.
+   */
+  public getConfig(): IAcmeConfig | null {
+    return this.cached;
+  }
+
+  /**
+   * True if there is an enabled ACME config. Used by `setupSmartProxy()` to
+   * decide whether to instantiate SmartAcme.
+   */
+  public hasEnabledConfig(): boolean {
+    return this.cached !== null && this.cached.enabled;
+  }
+
+  /**
+   * Upsert the ACME config. All fields are optional; missing fields are
+   * preserved from the existing row (or defaulted if there is no row yet).
+   */
+  public async updateConfig(
+    args: Partial<Omit<IAcmeConfig, 'updatedAt' | 'updatedBy'>>,
+    updatedBy: string,
+  ): Promise<IAcmeConfig> {
+    let doc = await AcmeConfigDoc.load();
+    const now = Date.now();
+
+    if (!doc) {
+      doc = new AcmeConfigDoc();
+      doc.configId = 'acme-config';
+      doc.accountEmail = args.accountEmail ?? '';
+      doc.enabled = args.enabled ?? true;
+      doc.useProduction = args.useProduction ?? true;
+      doc.autoRenew = args.autoRenew ?? true;
+      doc.renewThresholdDays = args.renewThresholdDays ?? 30;
+    } else {
+      if (args.accountEmail !== undefined) doc.accountEmail = args.accountEmail;
+      if (args.enabled !== undefined) doc.enabled = args.enabled;
+      if (args.useProduction !== undefined) doc.useProduction = args.useProduction;
+      if (args.autoRenew !== undefined) doc.autoRenew = args.autoRenew;
+      if (args.renewThresholdDays !== undefined) doc.renewThresholdDays = args.renewThresholdDays;
+    }
+
+    doc.updatedAt = now;
+    doc.updatedBy = updatedBy;
+    await doc.save();
+
+    this.cached = this.toPlain(doc);
+    return this.cached;
+  }
+
+  // ==========================================================================
+  // Internal helpers
+  // ==========================================================================
+
+  /**
+   * Build a seed object from the legacy constructor fields. Returns null
+   * if the user has not provided any of them.
+   *
+   * Supports BOTH `tls.contactEmail` (short form) and `smartProxyConfig.acme`
+   * (full form). `smartProxyConfig.acme` wins when both are present.
+   */
+  private deriveSeedFromOptions(): Omit<IAcmeConfig, 'updatedAt' | 'updatedBy'> | null {
+    const acme = this.options.smartProxyConfig?.acme;
+    const tls = this.options.tls;
+
+    // Prefer the explicit smartProxyConfig.acme block if present.
+    if (acme?.accountEmail) {
+      return {
+        accountEmail: acme.accountEmail,
+        enabled: acme.enabled !== false,
+        useProduction: acme.useProduction !== false,
+        autoRenew: acme.autoRenew !== false,
+        renewThresholdDays: acme.renewThresholdDays ?? 30,
+      };
+    }
+
+    // Fall back to the short tls.contactEmail form.
+    if (tls?.contactEmail) {
+      return {
+        accountEmail: tls.contactEmail,
+        enabled: true,
+        useProduction: true,
+        autoRenew: true,
+        renewThresholdDays: 30,
+      };
+    }
+
+    return null;
+  }
+
+  private async createSeedDoc(
+    seed: Omit<IAcmeConfig, 'updatedAt' | 'updatedBy'>,
+  ): Promise<AcmeConfigDoc> {
+    const doc = new AcmeConfigDoc();
+    doc.configId = 'acme-config';
+    doc.accountEmail = seed.accountEmail;
+    doc.enabled = seed.enabled;
+    doc.useProduction = seed.useProduction;
+    doc.autoRenew = seed.autoRenew;
+    doc.renewThresholdDays = seed.renewThresholdDays;
+    doc.updatedAt = Date.now();
+    doc.updatedBy = 'seed';
+    await doc.save();
+    return doc;
+  }
+
+  private toPlain(doc: AcmeConfigDoc): IAcmeConfig {
+    return {
+      accountEmail: doc.accountEmail,
+      enabled: doc.enabled,
+      useProduction: doc.useProduction,
+      autoRenew: doc.autoRenew,
+      renewThresholdDays: doc.renewThresholdDays,
+      updatedAt: doc.updatedAt,
+      updatedBy: doc.updatedBy,
+    };
+  }
+}

ts/cache/classes.cachedb.ts

@@ -1,155 +0,0 @@
-import * as plugins from '../plugins.js';
-import { logger } from '../logger.js';
-import { defaultTsmDbPath } from '../paths.js';
-
-/**
- * Configuration options for CacheDb
- */
-export interface ICacheDbOptions {
-  /** Base storage path for TsmDB data (default: ~/.serve.zone/dcrouter/tsmdb) */
-  storagePath?: string;
-  /** Database name (default: dcrouter) */
-  dbName?: string;
-  /** Enable debug logging */
-  debug?: boolean;
-}
-
-/**
- * CacheDb - Wrapper around LocalTsmDb and smartdata
- *
- * Provides persistent caching using smartdata as the ORM layer
- * and LocalTsmDb as the embedded database engine.
- */
-export class CacheDb {
-  private static instance: CacheDb | null = null;
-
-  private localTsmDb: plugins.smartmongo.LocalTsmDb;
-  private smartdataDb: plugins.smartdata.SmartdataDb;
-  private options: Required<ICacheDbOptions>;
-  private isStarted: boolean = false;
-
-  constructor(options: ICacheDbOptions = {}) {
-    this.options = {
-      storagePath: options.storagePath || defaultTsmDbPath,
-      dbName: options.dbName || 'dcrouter',
-      debug: options.debug || false,
-    };
-  }
-
-  /**
-   * Get or create the singleton instance
-   */
-  public static getInstance(options?: ICacheDbOptions): CacheDb {
-    if (!CacheDb.instance) {
-      CacheDb.instance = new CacheDb(options);
-    }
-    return CacheDb.instance;
-  }
-
-  /**
-   * Reset the singleton instance (useful for testing)
-   */
-  public static resetInstance(): void {
-    CacheDb.instance = null;
-  }
-
-  /**
-   * Start the cache database
-   * - Initializes LocalTsmDb with file persistence
-   * - Connects smartdata to the LocalTsmDb via Unix socket
-   */
-  public async start(): Promise<void> {
-    if (this.isStarted) {
-      logger.log('warn', 'CacheDb already started');
-      return;
-    }
-
-    try {
-      // Ensure storage directory exists
-      await plugins.fsUtils.ensureDir(this.options.storagePath);
-
-      // Create LocalTsmDb instance
-      this.localTsmDb = new plugins.smartmongo.LocalTsmDb({
-        folderPath: this.options.storagePath,
-      });
-
-      // Start LocalTsmDb and get connection info
-      const connectionInfo = await this.localTsmDb.start();
-
-      if (this.options.debug) {
-        logger.log('debug', `LocalTsmDb started with URI: ${connectionInfo.connectionUri}`);
-      }
-
-      // Initialize smartdata with the connection URI
-      this.smartdataDb = new plugins.smartdata.SmartdataDb({
-        mongoDbUrl: connectionInfo.connectionUri,
-        mongoDbName: this.options.dbName,
-      });
-      await this.smartdataDb.init();
-
-      this.isStarted = true;
-      logger.log('info', `CacheDb started at ${this.options.storagePath}`);
-    } catch (error) {
-      logger.log('error', `Failed to start CacheDb: ${error.message}`);
-      throw error;
-    }
-  }
-
-  /**
-   * Stop the cache database
-   */
-  public async stop(): Promise<void> {
-    if (!this.isStarted) {
-      return;
-    }
-
-    try {
-      // Close smartdata connection
-      if (this.smartdataDb) {
-        await this.smartdataDb.close();
-      }
-
-      // Stop LocalTsmDb
-      if (this.localTsmDb) {
-        await this.localTsmDb.stop();
-      }
-
-      this.isStarted = false;
-      logger.log('info', 'CacheDb stopped');
-    } catch (error) {
-      logger.log('error', `Error stopping CacheDb: ${error.message}`);
-      throw error;
-    }
-  }
-
-  /**
-   * Get the smartdata database instance
-   */
-  public getDb(): plugins.smartdata.SmartdataDb {
-    if (!this.isStarted) {
-      throw new Error('CacheDb not started. Call start() first.');
-    }
-    return this.smartdataDb;
-  }
-
-  /**
-   * Check if the database is ready
-   */
-  public isReady(): boolean {
-    return this.isStarted;
-  }
-
-  /**
-   * Get the storage path
-   */
-  public getStoragePath(): string {
-    return this.options.storagePath;
-  }
-
-  /**
-   * Get the database name
-   */
-  public getDbName(): string {
-    return this.options.dbName;
-  }
-}

ts/cache/documents/index.ts

@@ -1,2 +0,0 @@
-export * from './classes.cached.email.js';
-export * from './classes.cached.ip.reputation.js';

ts/classes.cert-provision-scheduler.ts

@@ -1,5 +1,5 @@
 import { logger } from './logger.js';
-import type { StorageManager } from './storage/index.js';
+import { CertBackoffDoc } from './db/index.js';
 
 interface IBackoffEntry {
   failures: number;
@@ -10,65 +10,86 @@ interface IBackoffEntry {
 
 /**
  * Manages certificate provisioning scheduling with:
- * - Per-domain exponential backoff persisted in StorageManager
+ * - Per-domain exponential backoff persisted via CertBackoffDoc
  *
  * Note: Serial stagger queue was removed — smartacme v9 handles
  * concurrency, per-domain dedup, and rate limiting internally.
  */
 export class CertProvisionScheduler {
-  private storageManager: StorageManager;
   private maxBackoffHours: number;
 
   // In-memory backoff cache (mirrors storage for fast lookups)
   private backoffCache = new Map<string, IBackoffEntry>();
 
   constructor(
-    storageManager: StorageManager,
     options?: { maxBackoffHours?: number }
   ) {
-    this.storageManager = storageManager;
     this.maxBackoffHours = options?.maxBackoffHours ?? 24;
   }
 
   /**
-   * Storage key for a domain's backoff entry
+   * Sanitized domain key for storage lookups
    */
-  private backoffKey(domain: string): string {
-    const clean = domain.replace(/\*/g, '_wildcard_').replace(/[^a-zA-Z0-9._-]/g, '_');
-    return `/cert-backoff/${clean}`;
+  private sanitizeDomain(domain: string): string {
+    return domain.replace(/\*/g, '_wildcard_').replace(/[^a-zA-Z0-9._-]/g, '_');
   }
 
   /**
-   * Load backoff entry from storage (with in-memory cache)
+   * Load backoff entry from database (with in-memory cache)
    */
   private async loadBackoff(domain: string): Promise<IBackoffEntry | null> {
     const cached = this.backoffCache.get(domain);
     if (cached) return cached;
 
-    const entry = await this.storageManager.getJSON<IBackoffEntry>(this.backoffKey(domain));
-    if (entry) {
+    const sanitized = this.sanitizeDomain(domain);
+    const doc = await CertBackoffDoc.findByDomain(sanitized);
+    if (doc) {
+      const entry: IBackoffEntry = {
+        failures: doc.failures,
+        lastFailure: doc.lastFailure,
+        retryAfter: doc.retryAfter,
+        lastError: doc.lastError,
+      };
       this.backoffCache.set(domain, entry);
+      return entry;
     }
-    return entry;
+    return null;
   }
 
   /**
-   * Save backoff entry to both cache and storage
+   * Save backoff entry to both cache and database
    */
   private async saveBackoff(domain: string, entry: IBackoffEntry): Promise<void> {
     this.backoffCache.set(domain, entry);
-    await this.storageManager.setJSON(this.backoffKey(domain), entry);
+    const sanitized = this.sanitizeDomain(domain);
+    let doc = await CertBackoffDoc.findByDomain(sanitized);
+    if (!doc) {
+      doc = new CertBackoffDoc();
+      doc.domain = sanitized;
+    }
+    doc.failures = entry.failures;
+    doc.lastFailure = entry.lastFailure;
+    doc.retryAfter = entry.retryAfter;
+    doc.lastError = entry.lastError || '';
+    await doc.save();
   }
 
   /**
-   * Check if a domain is currently in backoff
+   * Check if a domain is currently in backoff.
+   * Expired entries are pruned from the cache to prevent unbounded growth.
    */
   async isInBackoff(domain: string): Promise<boolean> {
     const entry = await this.loadBackoff(domain);
     if (!entry) return false;
 
     const retryAfter = new Date(entry.retryAfter);
-    return retryAfter.getTime() > Date.now();
+    if (retryAfter.getTime() > Date.now()) {
+      return true;
+    }
+
+    // Backoff has expired — prune the stale entry
+    this.backoffCache.delete(domain);
+    return false;
   }
 
   /**
@@ -100,9 +121,13 @@ export class CertProvisionScheduler {
   async clearBackoff(domain: string): Promise<void> {
     this.backoffCache.delete(domain);
     try {
-      await this.storageManager.delete(this.backoffKey(domain));
+      const sanitized = this.sanitizeDomain(domain);
+      const doc = await CertBackoffDoc.findByDomain(sanitized);
+      if (doc) {
+        await doc.delete();
+      }
     } catch {
-      // Ignore delete errors (key may not exist)
+      // Ignore delete errors (doc may not exist)
     }
   }
 
@@ -124,9 +149,12 @@ export class CertProvisionScheduler {
     const entry = await this.loadBackoff(domain);
     if (!entry) return null;
 
-    // Only return if still in backoff
+    // Only return if still in backoff — prune expired entries
     const retryAfter = new Date(entry.retryAfter);
-    if (retryAfter.getTime() <= Date.now()) return null;
+    if (retryAfter.getTime() <= Date.now()) {
+      this.backoffCache.delete(domain);
+      return null;
+    }
 
     return {
       failures: entry.failures,

ts/classes.storage-cert-manager.ts

@@ -1,46 +1,58 @@
 import * as plugins from './plugins.js';
-import { StorageManager } from './storage/index.js';
+import { AcmeCertDoc } from './db/index.js';
 
 /**
- * ICertManager implementation backed by StorageManager.
- * Persists SmartAcme certificates under a /certs/ key prefix so they
+ * ICertManager implementation backed by smartdata document classes.
+ * Persists SmartAcme certificates via AcmeCertDoc so they
  * survive process restarts without re-hitting ACME.
  */
 export class StorageBackedCertManager implements plugins.smartacme.ICertManager {
-  private keyPrefix = '/certs/';
-
-  constructor(private storageManager: StorageManager) {}
+  constructor() {}
 
   async init(): Promise<void> {}
 
   async retrieveCertificate(domainName: string): Promise<plugins.smartacme.Cert | null> {
-    const data = await this.storageManager.getJSON(this.keyPrefix + domainName);
-    if (!data) return null;
-    return new plugins.smartacme.Cert(data);
-  }
-
-  async storeCertificate(cert: plugins.smartacme.Cert): Promise<void> {
-    await this.storageManager.setJSON(this.keyPrefix + cert.domainName, {
-      id: cert.id,
-      domainName: cert.domainName,
-      created: cert.created,
-      privateKey: cert.privateKey,
-      publicKey: cert.publicKey,
-      csr: cert.csr,
-      validUntil: cert.validUntil,
+    const doc = await AcmeCertDoc.findByDomain(domainName);
+    if (!doc) return null;
+    return new plugins.smartacme.Cert({
+      id: doc.id,
+      domainName: doc.domainName,
+      created: doc.created,
+      privateKey: doc.privateKey,
+      publicKey: doc.publicKey,
+      csr: doc.csr,
+      validUntil: doc.validUntil,
     });
   }
 
+  async storeCertificate(cert: plugins.smartacme.Cert): Promise<void> {
+    let doc = await AcmeCertDoc.findByDomain(cert.domainName);
+    if (!doc) {
+      doc = new AcmeCertDoc();
+      doc.id = cert.id;
+      doc.domainName = cert.domainName;
+    }
+    doc.created = cert.created;
+    doc.privateKey = cert.privateKey;
+    doc.publicKey = cert.publicKey;
+    doc.csr = cert.csr;
+    doc.validUntil = cert.validUntil;
+    await doc.save();
+  }
+
   async deleteCertificate(domainName: string): Promise<void> {
-    await this.storageManager.delete(this.keyPrefix + domainName);
+    const doc = await AcmeCertDoc.findByDomain(domainName);
+    if (doc) {
+      await doc.delete();
+    }
   }
 
   async close(): Promise<void> {}
 
   async wipe(): Promise<void> {
-    const keys = await this.storageManager.list(this.keyPrefix);
-    for (const key of keys) {
-      await this.storageManager.delete(key);
+    const docs = await AcmeCertDoc.findAll();
+    for (const doc of docs) {
+      await doc.delete();
     }
   }
 }

ts/config/classes.api-token-manager.ts

@@ -1,19 +1,18 @@
 import * as plugins from '../plugins.js';
 import { logger } from '../logger.js';
-import type { StorageManager } from '../storage/index.js';
+import { ApiTokenDoc } from '../db/index.js';
 import type {
   IStoredApiToken,
   IApiTokenInfo,
   TApiTokenScope,
 } from '../../ts_interfaces/data/route-management.js';
 
-const TOKENS_PREFIX = '/config-api/tokens/';
 const TOKEN_PREFIX_STR = 'dcr_';
 
 export class ApiTokenManager {
   private tokens = new Map<string, IStoredApiToken>();
 
-  constructor(private storageManager: StorageManager) {}
+  constructor() {}
 
   public async initialize(): Promise<void> {
     await this.loadTokens();
@@ -117,7 +116,8 @@ export class ApiTokenManager {
     if (!this.tokens.has(id)) return false;
     const token = this.tokens.get(id)!;
     this.tokens.delete(id);
-    await this.storageManager.delete(`${TOKENS_PREFIX}${id}.json`);
+    const doc = await ApiTokenDoc.findById(id);
+    if (doc) await doc.delete();
     logger.log('info', `API token '${token.name}' revoked (id: ${id})`);
     return true;
   }
@@ -157,17 +157,48 @@ export class ApiTokenManager {
   // =========================================================================
 
   private async loadTokens(): Promise<void> {
-    const keys = await this.storageManager.list(TOKENS_PREFIX);
-    for (const key of keys) {
-      if (!key.endsWith('.json')) continue;
-      const stored = await this.storageManager.getJSON<IStoredApiToken>(key);
-      if (stored?.id) {
-        this.tokens.set(stored.id, stored);
+    const docs = await ApiTokenDoc.findAll();
+    for (const doc of docs) {
+      if (doc.id) {
+        this.tokens.set(doc.id, {
+          id: doc.id,
+          name: doc.name,
+          tokenHash: doc.tokenHash,
+          scopes: doc.scopes,
+          createdAt: doc.createdAt,
+          expiresAt: doc.expiresAt,
+          lastUsedAt: doc.lastUsedAt,
+          createdBy: doc.createdBy,
+          enabled: doc.enabled,
+        });
       }
     }
   }
 
   private async persistToken(stored: IStoredApiToken): Promise<void> {
-    await this.storageManager.setJSON(`${TOKENS_PREFIX}${stored.id}.json`, stored);
+    const existing = await ApiTokenDoc.findById(stored.id);
+    if (existing) {
+      existing.name = stored.name;
+      existing.tokenHash = stored.tokenHash;
+      existing.scopes = stored.scopes;
+      existing.createdAt = stored.createdAt;
+      existing.expiresAt = stored.expiresAt;
+      existing.lastUsedAt = stored.lastUsedAt;
+      existing.createdBy = stored.createdBy;
+      existing.enabled = stored.enabled;
+      await existing.save();
+    } else {
+      const doc = new ApiTokenDoc();
+      doc.id = stored.id;
+      doc.name = stored.name;
+      doc.tokenHash = stored.tokenHash;
+      doc.scopes = stored.scopes;
+      doc.createdAt = stored.createdAt;
+      doc.expiresAt = stored.expiresAt;
+      doc.lastUsedAt = stored.lastUsedAt;
+      doc.createdBy = stored.createdBy;
+      doc.enabled = stored.enabled;
+      await doc.save();
+    }
   }
 }

ts/config/classes.db-seeder.ts

@@ -0,0 +1,95 @@
+import { logger } from '../logger.js';
+import type { ReferenceResolver } from './classes.reference-resolver.js';
+import type { IRouteSecurity } from '../../ts_interfaces/data/route-management.js';
+
+export interface ISeedData {
+  profiles?: Array<{
+    name: string;
+    description?: string;
+    security: IRouteSecurity;
+    extendsProfiles?: string[];
+  }>;
+  targets?: Array<{
+    name: string;
+    description?: string;
+    host: string | string[];
+    port: number;
+  }>;
+}
+
+export class DbSeeder {
+  constructor(private referenceResolver: ReferenceResolver) {}
+
+  /**
+   * Check if DB is empty and seed if configured.
+   * Called once during ConfigManagers service startup, after initialize().
+   */
+  public async seedIfEmpty(
+    seedOnEmpty?: boolean,
+    seedData?: ISeedData,
+  ): Promise<void> {
+    if (!seedOnEmpty) return;
+
+    const existingProfiles = this.referenceResolver.listProfiles();
+    const existingTargets = this.referenceResolver.listTargets();
+
+    if (existingProfiles.length > 0 || existingTargets.length > 0) {
+      logger.log('info', 'DB already contains profiles/targets, skipping seed');
+      return;
+    }
+
+    logger.log('info', 'Seeding database with initial profiles and targets...');
+
+    const profilesToSeed: NonNullable<ISeedData['profiles']> = seedData?.profiles ?? DEFAULT_PROFILES;
+    const targetsToSeed: NonNullable<ISeedData['targets']> = seedData?.targets ?? DEFAULT_TARGETS;
+
+    for (const p of profilesToSeed) {
+      await this.referenceResolver.createProfile({
+        name: p.name,
+        description: p.description,
+        security: p.security,
+        extendsProfiles: p.extendsProfiles,
+        createdBy: 'system-seed',
+      });
+    }
+
+    for (const t of targetsToSeed) {
+      await this.referenceResolver.createTarget({
+        name: t.name,
+        description: t.description,
+        host: t.host,
+        port: t.port,
+        createdBy: 'system-seed',
+      });
+    }
+
+    logger.log('info', `Seeded ${profilesToSeed.length} profile(s) and ${targetsToSeed.length} target(s)`);
+  }
+}
+
+const DEFAULT_PROFILES: Array<NonNullable<ISeedData['profiles']>[number]> = [
+  {
+    name: 'PUBLIC',
+    description: 'Allow all traffic — no IP restrictions',
+    security: {
+      ipAllowList: ['*'],
+    },
+  },
+  {
+    name: 'STANDARD',
+    description: 'Standard internal access with common private subnets',
+    security: {
+      ipAllowList: ['192.168.0.0/16', '10.0.0.0/8', '127.0.0.1', '::1'],
+      maxConnections: 1000,
+    },
+  },
+];
+
+const DEFAULT_TARGETS: Array<NonNullable<ISeedData['targets']>[number]> = [
+  {
+    name: 'LOCALHOST',
+    description: 'Local machine on port 443',
+    host: '127.0.0.1',
+    port: 443,
+  },
+];

ts/config/classes.reference-resolver.ts

@@ -0,0 +1,577 @@
+import * as plugins from '../plugins.js';
+import { logger } from '../logger.js';
+import { SourceProfileDoc, NetworkTargetDoc, RouteDoc } from '../db/index.js';
+import type {
+  ISourceProfile,
+  INetworkTarget,
+  IRouteMetadata,
+  IRoute,
+  IRouteSecurity,
+} from '../../ts_interfaces/data/route-management.js';
+
+const MAX_INHERITANCE_DEPTH = 5;
+
+export class ReferenceResolver {
+  private profiles = new Map<string, ISourceProfile>();
+  private targets = new Map<string, INetworkTarget>();
+
+  // =========================================================================
+  // Lifecycle
+  // =========================================================================
+
+  public async initialize(): Promise<void> {
+    await this.loadProfiles();
+    await this.loadTargets();
+  }
+
+  // =========================================================================
+  // Profile CRUD
+  // =========================================================================
+
+  public async createProfile(data: {
+    name: string;
+    description?: string;
+    security: IRouteSecurity;
+    extendsProfiles?: string[];
+    createdBy: string;
+  }): Promise<string> {
+    const id = plugins.uuid.v4();
+    const now = Date.now();
+
+    const profile: ISourceProfile = {
+      id,
+      name: data.name,
+      description: data.description,
+      security: data.security,
+      extendsProfiles: data.extendsProfiles,
+      createdAt: now,
+      updatedAt: now,
+      createdBy: data.createdBy,
+    };
+
+    this.profiles.set(id, profile);
+    await this.persistProfile(profile);
+    logger.log('info', `Created source profile '${profile.name}' (${id})`);
+    return id;
+  }
+
+  public async updateProfile(
+    id: string,
+    patch: Partial<Omit<ISourceProfile, 'id' | 'createdAt' | 'createdBy'>>,
+  ): Promise<{ affectedRouteIds: string[] }> {
+    const profile = this.profiles.get(id);
+    if (!profile) {
+      throw new Error(`Source profile '${id}' not found`);
+    }
+
+    if (patch.name !== undefined) profile.name = patch.name;
+    if (patch.description !== undefined) profile.description = patch.description;
+    if (patch.security !== undefined) profile.security = patch.security;
+    if (patch.extendsProfiles !== undefined) profile.extendsProfiles = patch.extendsProfiles;
+    profile.updatedAt = Date.now();
+
+    await this.persistProfile(profile);
+    logger.log('info', `Updated source profile '${profile.name}' (${id})`);
+
+    // Find routes referencing this profile
+    const affectedRouteIds = await this.findRoutesByProfileRef(id);
+    return { affectedRouteIds };
+  }
+
+  public async deleteProfile(
+    id: string,
+    force: boolean,
+    storedRoutes?: Map<string, IRoute>,
+  ): Promise<{ success: boolean; message?: string }> {
+    const profile = this.profiles.get(id);
+    if (!profile) {
+      return { success: false, message: `Source profile '${id}' not found` };
+    }
+
+    // Check usage
+    const affectedIds = storedRoutes
+      ? this.findRoutesByProfileRefSync(id, storedRoutes)
+      : await this.findRoutesByProfileRef(id);
+
+    if (affectedIds.length > 0 && !force) {
+      return {
+        success: false,
+        message: `Profile '${profile.name}' is in use by ${affectedIds.length} route(s). Use force=true to delete.`,
+      };
+    }
+
+    // Delete from DB
+    const doc = await SourceProfileDoc.findById(id);
+    if (doc) await doc.delete();
+    this.profiles.delete(id);
+
+    // If force-deleting with referencing routes, clear refs but keep resolved values
+    if (affectedIds.length > 0) {
+      await this.clearProfileRefsOnRoutes(affectedIds);
+      logger.log('warn', `Force-deleted profile '${profile.name}'; cleared refs on ${affectedIds.length} route(s)`);
+    } else {
+      logger.log('info', `Deleted source profile '${profile.name}' (${id})`);
+    }
+
+    return { success: true };
+  }
+
+  public getProfile(id: string): ISourceProfile | undefined {
+    return this.profiles.get(id);
+  }
+
+  public getProfileByName(name: string): ISourceProfile | undefined {
+    for (const profile of this.profiles.values()) {
+      if (profile.name === name) return profile;
+    }
+    return undefined;
+  }
+
+  public listProfiles(): ISourceProfile[] {
+    return [...this.profiles.values()];
+  }
+
+  public getProfileUsage(storedRoutes: Map<string, IRoute>): Map<string, Array<{ id: string; routeName: string }>> {
+    const usage = new Map<string, Array<{ id: string; routeName: string }>>();
+    for (const profile of this.profiles.values()) {
+      usage.set(profile.id, []);
+    }
+    for (const [routeId, stored] of storedRoutes) {
+      const ref = stored.metadata?.sourceProfileRef;
+      if (ref && usage.has(ref)) {
+        usage.get(ref)!.push({ id: routeId, routeName: stored.route.name || routeId });
+      }
+    }
+    return usage;
+  }
+
+  public getProfileUsageForId(
+    profileId: string,
+    storedRoutes: Map<string, IRoute>,
+  ): Array<{ id: string; routeName: string }> {
+    const routes: Array<{ id: string; routeName: string }> = [];
+    for (const [routeId, stored] of storedRoutes) {
+      if (stored.metadata?.sourceProfileRef === profileId) {
+        routes.push({ id: routeId, routeName: stored.route.name || routeId });
+      }
+    }
+    return routes;
+  }
+
+  // =========================================================================
+  // Target CRUD
+  // =========================================================================
+
+  public async createTarget(data: {
+    name: string;
+    description?: string;
+    host: string | string[];
+    port: number;
+    createdBy: string;
+  }): Promise<string> {
+    const id = plugins.uuid.v4();
+    const now = Date.now();
+
+    const target: INetworkTarget = {
+      id,
+      name: data.name,
+      description: data.description,
+      host: data.host,
+      port: data.port,
+      createdAt: now,
+      updatedAt: now,
+      createdBy: data.createdBy,
+    };
+
+    this.targets.set(id, target);
+    await this.persistTarget(target);
+    logger.log('info', `Created network target '${target.name}' (${id})`);
+    return id;
+  }
+
+  public async updateTarget(
+    id: string,
+    patch: Partial<Omit<INetworkTarget, 'id' | 'createdAt' | 'createdBy'>>,
+  ): Promise<{ affectedRouteIds: string[] }> {
+    const target = this.targets.get(id);
+    if (!target) {
+      throw new Error(`Network target '${id}' not found`);
+    }
+
+    if (patch.name !== undefined) target.name = patch.name;
+    if (patch.description !== undefined) target.description = patch.description;
+    if (patch.host !== undefined) target.host = patch.host;
+    if (patch.port !== undefined) target.port = patch.port;
+    target.updatedAt = Date.now();
+
+    await this.persistTarget(target);
+    logger.log('info', `Updated network target '${target.name}' (${id})`);
+
+    const affectedRouteIds = await this.findRoutesByTargetRef(id);
+    return { affectedRouteIds };
+  }
+
+  public async deleteTarget(
+    id: string,
+    force: boolean,
+    storedRoutes?: Map<string, IRoute>,
+  ): Promise<{ success: boolean; message?: string }> {
+    const target = this.targets.get(id);
+    if (!target) {
+      return { success: false, message: `Network target '${id}' not found` };
+    }
+
+    const affectedIds = storedRoutes
+      ? this.findRoutesByTargetRefSync(id, storedRoutes)
+      : await this.findRoutesByTargetRef(id);
+
+    if (affectedIds.length > 0 && !force) {
+      return {
+        success: false,
+        message: `Target '${target.name}' is in use by ${affectedIds.length} route(s). Use force=true to delete.`,
+      };
+    }
+
+    const doc = await NetworkTargetDoc.findById(id);
+    if (doc) await doc.delete();
+    this.targets.delete(id);
+
+    if (affectedIds.length > 0) {
+      await this.clearTargetRefsOnRoutes(affectedIds);
+      logger.log('warn', `Force-deleted target '${target.name}'; cleared refs on ${affectedIds.length} route(s)`);
+    } else {
+      logger.log('info', `Deleted network target '${target.name}' (${id})`);
+    }
+
+    return { success: true };
+  }
+
+  public getTarget(id: string): INetworkTarget | undefined {
+    return this.targets.get(id);
+  }
+
+  public getTargetByName(name: string): INetworkTarget | undefined {
+    for (const target of this.targets.values()) {
+      if (target.name === name) return target;
+    }
+    return undefined;
+  }
+
+  public listTargets(): INetworkTarget[] {
+    return [...this.targets.values()];
+  }
+
+  public getTargetUsageForId(
+    targetId: string,
+    storedRoutes: Map<string, IRoute>,
+  ): Array<{ id: string; routeName: string }> {
+    const routes: Array<{ id: string; routeName: string }> = [];
+    for (const [routeId, stored] of storedRoutes) {
+      if (stored.metadata?.networkTargetRef === targetId) {
+        routes.push({ id: routeId, routeName: stored.route.name || routeId });
+      }
+    }
+    return routes;
+  }
+
+  // =========================================================================
+  // Resolution
+  // =========================================================================
+
+  /**
+   * Resolve references for a single route.
+   * Materializes source profile and/or network target into the route's fields.
+   * Returns the resolved route and updated metadata.
+   */
+  public resolveRoute(
+    route: plugins.smartproxy.IRouteConfig,
+    metadata?: IRouteMetadata,
+  ): { route: plugins.smartproxy.IRouteConfig; metadata: IRouteMetadata } {
+    const resolvedMetadata: IRouteMetadata = { ...metadata };
+
+    if (resolvedMetadata.sourceProfileRef) {
+      const resolvedSecurity = this.resolveSourceProfile(resolvedMetadata.sourceProfileRef);
+      if (resolvedSecurity) {
+        const profile = this.profiles.get(resolvedMetadata.sourceProfileRef);
+        // Merge: profile provides base, route's inline values override
+        route = {
+          ...route,
+          security: this.mergeSecurityFields(resolvedSecurity, route.security),
+        };
+        resolvedMetadata.sourceProfileName = profile?.name;
+        resolvedMetadata.lastResolvedAt = Date.now();
+      } else {
+        logger.log('warn', `Source profile '${resolvedMetadata.sourceProfileRef}' not found during resolution`);
+      }
+    }
+
+    if (resolvedMetadata.networkTargetRef) {
+      const target = this.targets.get(resolvedMetadata.networkTargetRef);
+      if (target) {
+        const hosts = Array.isArray(target.host) ? target.host : [target.host];
+        route = {
+          ...route,
+          action: {
+            ...route.action,
+            targets: hosts.map((h) => ({
+              host: h,
+              port: target.port,
+            })),
+          },
+        };
+        resolvedMetadata.networkTargetName = target.name;
+        resolvedMetadata.lastResolvedAt = Date.now();
+      } else {
+        logger.log('warn', `Network target '${resolvedMetadata.networkTargetRef}' not found during resolution`);
+      }
+    }
+
+    return { route, metadata: resolvedMetadata };
+  }
+
+  // =========================================================================
+  // Reference lookup helpers
+  // =========================================================================
+
+  public async findRoutesByProfileRef(profileId: string): Promise<string[]> {
+    const docs = await RouteDoc.findAll();
+    return docs
+      .filter((doc) => doc.metadata?.sourceProfileRef === profileId)
+      .map((doc) => doc.id);
+  }
+
+  public async findRoutesByTargetRef(targetId: string): Promise<string[]> {
+    const docs = await RouteDoc.findAll();
+    return docs
+      .filter((doc) => doc.metadata?.networkTargetRef === targetId)
+      .map((doc) => doc.id);
+  }
+
+  public findRoutesByProfileRefSync(profileId: string, storedRoutes: Map<string, IRoute>): string[] {
+    const ids: string[] = [];
+    for (const [routeId, stored] of storedRoutes) {
+      if (stored.metadata?.sourceProfileRef === profileId) {
+        ids.push(routeId);
+      }
+    }
+    return ids;
+  }
+
+  public findRoutesByTargetRefSync(targetId: string, storedRoutes: Map<string, IRoute>): string[] {
+    const ids: string[] = [];
+    for (const [routeId, stored] of storedRoutes) {
+      if (stored.metadata?.networkTargetRef === targetId) {
+        ids.push(routeId);
+      }
+    }
+    return ids;
+  }
+
+  // =========================================================================
+  // Private: source profile resolution with inheritance
+  // =========================================================================
+
+  private resolveSourceProfile(
+    profileId: string,
+    visited: Set<string> = new Set(),
+    depth: number = 0,
+  ): IRouteSecurity | null {
+    if (depth > MAX_INHERITANCE_DEPTH) {
+      logger.log('warn', `Max inheritance depth (${MAX_INHERITANCE_DEPTH}) exceeded resolving profile '${profileId}'`);
+      return null;
+    }
+
+    if (visited.has(profileId)) {
+      logger.log('warn', `Circular inheritance detected for profile '${profileId}'`);
+      return null;
+    }
+
+    const profile = this.profiles.get(profileId);
+    if (!profile) return null;
+
+    visited.add(profileId);
+
+    // Start with an empty base
+    let baseSecurity: IRouteSecurity = {};
+
+    // Resolve parent profiles first (top-down, later overrides earlier)
+    if (profile.extendsProfiles?.length) {
+      for (const parentId of profile.extendsProfiles) {
+        const parentSecurity = this.resolveSourceProfile(parentId, new Set(visited), depth + 1);
+        if (parentSecurity) {
+          baseSecurity = this.mergeSecurityFields(baseSecurity, parentSecurity);
+        }
+      }
+    }
+
+    // Apply this profile's security on top
+    return this.mergeSecurityFields(baseSecurity, profile.security);
+  }
+
+  /**
+   * Merge two IRouteSecurity objects.
+   * `override` values take precedence over `base` values.
+   * For ipAllowList/ipBlockList: union arrays and deduplicate.
+   * For scalar/object fields: override wins if present.
+   */
+  private mergeSecurityFields(
+    base: IRouteSecurity | undefined,
+    override: IRouteSecurity | undefined,
+  ): IRouteSecurity {
+    if (!base && !override) return {};
+    if (!base) return { ...override };
+    if (!override) return { ...base };
+
+    const merged: IRouteSecurity = { ...base };
+
+    // IP lists: union
+    if (override.ipAllowList || base.ipAllowList) {
+      merged.ipAllowList = [...new Set([
+        ...(base.ipAllowList || []),
+        ...(override.ipAllowList || []),
+      ])];
+    }
+
+    if (override.ipBlockList || base.ipBlockList) {
+      merged.ipBlockList = [...new Set([
+        ...(base.ipBlockList || []),
+        ...(override.ipBlockList || []),
+      ])];
+    }
+
+    // Scalar/object fields: override wins
+    if (override.maxConnections !== undefined) merged.maxConnections = override.maxConnections;
+    if (override.rateLimit !== undefined) merged.rateLimit = override.rateLimit;
+    if (override.authentication !== undefined) merged.authentication = override.authentication;
+    if (override.basicAuth !== undefined) merged.basicAuth = override.basicAuth;
+    if (override.jwtAuth !== undefined) merged.jwtAuth = override.jwtAuth;
+
+    return merged;
+  }
+
+  // =========================================================================
+  // Private: persistence
+  // =========================================================================
+
+  private async loadProfiles(): Promise<void> {
+    const docs = await SourceProfileDoc.findAll();
+    for (const doc of docs) {
+      if (doc.id) {
+        this.profiles.set(doc.id, {
+          id: doc.id,
+          name: doc.name,
+          description: doc.description,
+          security: doc.security,
+          extendsProfiles: doc.extendsProfiles,
+          createdAt: doc.createdAt,
+          updatedAt: doc.updatedAt,
+          createdBy: doc.createdBy,
+        });
+      }
+    }
+    if (this.profiles.size > 0) {
+      logger.log('info', `Loaded ${this.profiles.size} source profile(s) from storage`);
+    }
+  }
+
+  private async loadTargets(): Promise<void> {
+    const docs = await NetworkTargetDoc.findAll();
+    for (const doc of docs) {
+      if (doc.id) {
+        this.targets.set(doc.id, {
+          id: doc.id,
+          name: doc.name,
+          description: doc.description,
+          host: doc.host,
+          port: doc.port,
+          createdAt: doc.createdAt,
+          updatedAt: doc.updatedAt,
+          createdBy: doc.createdBy,
+        });
+      }
+    }
+    if (this.targets.size > 0) {
+      logger.log('info', `Loaded ${this.targets.size} network target(s) from storage`);
+    }
+  }
+
+  private async persistProfile(profile: ISourceProfile): Promise<void> {
+    const existingDoc = await SourceProfileDoc.findById(profile.id);
+    if (existingDoc) {
+      existingDoc.name = profile.name;
+      existingDoc.description = profile.description;
+      existingDoc.security = profile.security;
+      existingDoc.extendsProfiles = profile.extendsProfiles;
+      existingDoc.updatedAt = profile.updatedAt;
+      await existingDoc.save();
+    } else {
+      const doc = new SourceProfileDoc();
+      doc.id = profile.id;
+      doc.name = profile.name;
+      doc.description = profile.description;
+      doc.security = profile.security;
+      doc.extendsProfiles = profile.extendsProfiles;
+      doc.createdAt = profile.createdAt;
+      doc.updatedAt = profile.updatedAt;
+      doc.createdBy = profile.createdBy;
+      await doc.save();
+    }
+  }
+
+  private async persistTarget(target: INetworkTarget): Promise<void> {
+    const existingDoc = await NetworkTargetDoc.findById(target.id);
+    if (existingDoc) {
+      existingDoc.name = target.name;
+      existingDoc.description = target.description;
+      existingDoc.host = target.host;
+      existingDoc.port = target.port;
+      existingDoc.updatedAt = target.updatedAt;
+      await existingDoc.save();
+    } else {
+      const doc = new NetworkTargetDoc();
+      doc.id = target.id;
+      doc.name = target.name;
+      doc.description = target.description;
+      doc.host = target.host;
+      doc.port = target.port;
+      doc.createdAt = target.createdAt;
+      doc.updatedAt = target.updatedAt;
+      doc.createdBy = target.createdBy;
+      await doc.save();
+    }
+  }
+
+  // =========================================================================
+  // Private: ref cleanup on force-delete
+  // =========================================================================
+
+  private async clearProfileRefsOnRoutes(routeIds: string[]): Promise<void> {
+    for (const routeId of routeIds) {
+      const doc = await RouteDoc.findById(routeId);
+      if (doc?.metadata) {
+        doc.metadata = {
+          ...doc.metadata,
+          sourceProfileRef: undefined,
+          sourceProfileName: undefined,
+        };
+        doc.updatedAt = Date.now();
+        await doc.save();
+      }
+    }
+  }
+
+  private async clearTargetRefsOnRoutes(routeIds: string[]): Promise<void> {
+    for (const routeId of routeIds) {
+      const doc = await RouteDoc.findById(routeId);
+      if (doc?.metadata) {
+        doc.metadata = {
+          ...doc.metadata,
+          networkTargetRef: undefined,
+          networkTargetName: undefined,
+        };
+        doc.updatedAt = Date.now();
+        await doc.save();
+      }
+    }
+  }
+}

ts/config/classes.route-config-manager.ts

@@ -1,69 +1,113 @@
 import * as plugins from '../plugins.js';
 import { logger } from '../logger.js';
-import type { StorageManager } from '../storage/index.js';
+import { RouteDoc } from '../db/index.js';
 import type {
-  IStoredRoute,
-  IRouteOverride,
+  IRoute,
   IMergedRoute,
   IRouteWarning,
+  IRouteMetadata,
 } from '../../ts_interfaces/data/route-management.js';
+import type { IDcRouterRouteConfig } from '../../ts_interfaces/data/remoteingress.js';
 import { type IHttp3Config, augmentRouteWithHttp3 } from '../http3/index.js';
+import type { ReferenceResolver } from './classes.reference-resolver.js';
 
-const ROUTES_PREFIX = '/config-api/routes/';
-const OVERRIDES_PREFIX = '/config-api/overrides/';
+/** An IP allow entry: plain IP/CIDR or domain-scoped. */
+export type TIpAllowEntry = string | { ip: string; domains: string[] };
+
+export interface IRouteMutationResult {
+  success: boolean;
+  message?: string;
+}
+
+/**
+ * Simple async mutex — serializes concurrent applyRoutes() calls so the Rust engine
+ * never receives rapid overlapping route updates that can churn UDP/QUIC listeners.
+ */
+class RouteUpdateMutex {
+  private locked = false;
+  private queue: Array<() => void> = [];
+
+  async runExclusive<T>(fn: () => Promise<T>): Promise<T> {
+    await new Promise<void>((resolve) => {
+      if (!this.locked) {
+        this.locked = true;
+        resolve();
+      } else {
+        this.queue.push(resolve);
+      }
+    });
+    try {
+      return await fn();
+    } finally {
+      this.locked = false;
+      const next = this.queue.shift();
+      if (next) {
+        this.locked = true;
+        next();
+      }
+    }
+  }
+}
 
 export class RouteConfigManager {
-  private storedRoutes = new Map<string, IStoredRoute>();
-  private overrides = new Map<string, IRouteOverride>();
+  private routes = new Map<string, IRoute>();
   private warnings: IRouteWarning[] = [];
+  private routeUpdateMutex = new RouteUpdateMutex();
 
   constructor(
-    private storageManager: StorageManager,
-    private getHardcodedRoutes: () => plugins.smartproxy.IRouteConfig[],
     private getSmartProxy: () => plugins.smartproxy.SmartProxy | undefined,
     private getHttp3Config?: () => IHttp3Config | undefined,
+    private getVpnClientIpsForRoute?: (route: IDcRouterRouteConfig, routeId?: string) => TIpAllowEntry[],
+    private referenceResolver?: ReferenceResolver,
+    private onRoutesApplied?: (routes: plugins.smartproxy.IRouteConfig[]) => void,
+    private getRuntimeRoutes?: () => plugins.smartproxy.IRouteConfig[],
+    private hydrateStoredRoute?: (storedRoute: IRoute) => plugins.smartproxy.IRouteConfig | undefined,
   ) {}
 
+  /** Expose routes map for reference resolution lookups. */
+  public getRoutes(): Map<string, IRoute> {
+    return this.routes;
+  }
+
+  public getRoute(id: string): IRoute | undefined {
+    return this.routes.get(id);
+  }
+
   /**
-   * Load persisted routes and overrides, compute warnings, apply to SmartProxy.
+   * Load persisted routes, seed serializable config/email/dns routes,
+   * compute warnings, and apply the combined DB-backed + runtime route set to SmartProxy.
    */
-  public async initialize(): Promise<void> {
-    await this.loadStoredRoutes();
-    await this.loadOverrides();
+  public async initialize(
+    configRoutes: IDcRouterRouteConfig[] = [],
+    emailRoutes: IDcRouterRouteConfig[] = [],
+    dnsRoutes: IDcRouterRouteConfig[] = [],
+  ): Promise<void> {
+    await this.loadRoutes();
+    await this.seedRoutes(configRoutes, 'config');
+    await this.seedRoutes(emailRoutes, 'email');
+    await this.seedRoutes(dnsRoutes, 'dns');
     this.computeWarnings();
     this.logWarnings();
     await this.applyRoutes();
   }
 
   // =========================================================================
-  // Merged view
+  // Route listing
   // =========================================================================
 
   public getMergedRoutes(): { routes: IMergedRoute[]; warnings: IRouteWarning[] } {
     const merged: IMergedRoute[] = [];
 
-    // Hardcoded routes
-    for (const route of this.getHardcodedRoutes()) {
-      const name = route.name || '';
-      const override = this.overrides.get(name);
+    for (const route of this.routes.values()) {
       merged.push({
-        route,
-        source: 'hardcoded',
-        enabled: override ? override.enabled : true,
-        overridden: !!override,
-      });
-    }
-
-    // Programmatic routes
-    for (const stored of this.storedRoutes.values()) {
-      merged.push({
-        route: stored.route,
-        source: 'programmatic',
-        enabled: stored.enabled,
-        overridden: false,
-        storedRouteId: stored.id,
-        createdAt: stored.createdAt,
-        updatedAt: stored.updatedAt,
+        route: route.route,
+        id: route.id,
+        enabled: route.enabled,
+        origin: route.origin,
+        systemKey: route.systemKey,
+        createdAt: route.createdAt,
+        updatedAt: route.updatedAt,
+        metadata: route.metadata,
       });
     }
 
@@ -71,32 +115,43 @@ export class RouteConfigManager {
   }
 
   // =========================================================================
-  // Programmatic route CRUD
+  // Route CRUD
   // =========================================================================
 
   public async createRoute(
-    route: plugins.smartproxy.IRouteConfig,
+    route: IDcRouterRouteConfig,
     createdBy: string,
     enabled = true,
+    metadata?: IRouteMetadata,
   ): Promise<string> {
     const id = plugins.uuid.v4();
     const now = Date.now();
 
     // Ensure route has a name
     if (!route.name) {
-      route.name = `programmatic-${id.slice(0, 8)}`;
+      route.name = `route-${id.slice(0, 8)}`;
     }
 
-    const stored: IStoredRoute = {
+    // Resolve references if metadata has refs and resolver is available
+    let resolvedMetadata = metadata;
+    if (metadata && this.referenceResolver) {
+      const resolved = this.referenceResolver.resolveRoute(route, metadata);
+      route = resolved.route;
+      resolvedMetadata = resolved.metadata;
+    }
+
+    const stored: IRoute = {
       id,
       route,
       enabled,
       createdAt: now,
       updatedAt: now,
       createdBy,
+      origin: 'api',
+      metadata: resolvedMetadata,
     };
 
-    this.storedRoutes.set(id, stored);
+    this.routes.set(id, stored);
     await this.persistRoute(stored);
     await this.applyRoutes();
     return id;
@@ -104,96 +159,249 @@ export class RouteConfigManager {
 
   public async updateRoute(
     id: string,
-    patch: { route?: Partial<plugins.smartproxy.IRouteConfig>; enabled?: boolean },
-  ): Promise<boolean> {
-    const stored = this.storedRoutes.get(id);
-    if (!stored) return false;
+    patch: {
+      route?: Partial<IDcRouterRouteConfig>;
+      enabled?: boolean;
+      metadata?: Partial<IRouteMetadata>;
+    },
+  ): Promise<IRouteMutationResult> {
+    const stored = this.routes.get(id);
+    if (!stored) {
+      return { success: false, message: 'Route not found' };
+    }
+
+    const isToggleOnlyPatch = patch.enabled !== undefined
+      && patch.route === undefined
+      && patch.metadata === undefined;
+    if (stored.origin !== 'api' && !isToggleOnlyPatch) {
+      return {
+        success: false,
+        message: 'System routes are managed by the system and can only be toggled',
+      };
+    }
 
     if (patch.route) {
-      stored.route = { ...stored.route, ...patch.route } as plugins.smartproxy.IRouteConfig;
+      const mergedAction = patch.route.action
+        ? { ...stored.route.action, ...patch.route.action }
+        : stored.route.action;
+      // Handle explicit null to remove nested action properties (e.g., tls: null)
+      if (patch.route.action) {
+        for (const [key, val] of Object.entries(patch.route.action)) {
+          if (val === null) {
+            delete (mergedAction as any)[key];
+          }
+        }
+      }
+      stored.route = { ...stored.route, ...patch.route, action: mergedAction } as IDcRouterRouteConfig;
     }
     if (patch.enabled !== undefined) {
       stored.enabled = patch.enabled;
     }
+    if (patch.metadata !== undefined) {
+      stored.metadata = { ...stored.metadata, ...patch.metadata };
+    }
+
+    // Re-resolve if metadata refs exist and resolver is available
+    if (stored.metadata && this.referenceResolver) {
+      const resolved = this.referenceResolver.resolveRoute(stored.route, stored.metadata);
+      stored.route = resolved.route;
+      stored.metadata = resolved.metadata;
+    }
+
     stored.updatedAt = Date.now();
 
     await this.persistRoute(stored);
     await this.applyRoutes();
-    return true;
+    return { success: true };
   }
 
-  public async deleteRoute(id: string): Promise<boolean> {
-    if (!this.storedRoutes.has(id)) return false;
-    this.storedRoutes.delete(id);
-    await this.storageManager.delete(`${ROUTES_PREFIX}${id}.json`);
+  public async deleteRoute(id: string): Promise<IRouteMutationResult> {
+    const stored = this.routes.get(id);
+    if (!stored) {
+      return { success: false, message: 'Route not found' };
+    }
+    if (stored.origin !== 'api') {
+      return {
+        success: false,
+        message: 'System routes are managed by the system and cannot be deleted',
+      };
+    }
+
+    this.routes.delete(id);
+    const doc = await RouteDoc.findById(id);
+    if (doc) await doc.delete();
     await this.applyRoutes();
-    return true;
+    return { success: true };
   }
 
-  public async toggleRoute(id: string, enabled: boolean): Promise<boolean> {
+  public async toggleRoute(id: string, enabled: boolean): Promise<IRouteMutationResult> {
     return this.updateRoute(id, { enabled });
   }
 
   // =========================================================================
-  // Hardcoded route overrides
+  // Private: seed routes from constructor config
   // =========================================================================
 
-  public async setOverride(routeName: string, enabled: boolean, updatedBy: string): Promise<void> {
-    const override: IRouteOverride = {
-      routeName,
-      enabled,
-      updatedAt: Date.now(),
-      updatedBy,
-    };
-    this.overrides.set(routeName, override);
-    await this.storageManager.setJSON(`${OVERRIDES_PREFIX}${routeName}.json`, override);
-    this.computeWarnings();
-    await this.applyRoutes();
-  }
+  /**
+   * Upsert seed routes by name+origin. Preserves user's `enabled` state.
+   * Deletes stale DB routes whose origin matches but name is not in the seed set.
+   */
+  private async seedRoutes(
+    seedRoutes: IDcRouterRouteConfig[],
+    origin: 'config' | 'email' | 'dns',
+  ): Promise<void> {
+    const seedSystemKeys = new Set<string>();
+    const seedNames = new Set<string>();
+    let seeded = 0;
+    let updated = 0;
 
-  public async removeOverride(routeName: string): Promise<boolean> {
-    if (!this.overrides.has(routeName)) return false;
-    this.overrides.delete(routeName);
-    await this.storageManager.delete(`${OVERRIDES_PREFIX}${routeName}.json`);
-    this.computeWarnings();
-    await this.applyRoutes();
-    return true;
+    for (const route of seedRoutes) {
+      const name = route.name || '';
+      if (name) {
+        seedNames.add(name);
+      }
+      const systemKey = this.buildSystemRouteKey(origin, route);
+      if (systemKey) {
+        seedSystemKeys.add(systemKey);
+      }
+
+      const existingId = this.findExistingSeedRouteId(origin, route, systemKey);
+
+      if (existingId) {
+        // Update route config but preserve enabled state
+        const existing = this.routes.get(existingId)!;
+        existing.route = route;
+        existing.systemKey = systemKey;
+        existing.updatedAt = Date.now();
+        await this.persistRoute(existing);
+        updated++;
+      } else {
+        // Insert new seed route
+        const id = plugins.uuid.v4();
+        const now = Date.now();
+        const newRoute: IRoute = {
+          id,
+          route,
+          enabled: true,
+          createdAt: now,
+          updatedAt: now,
+          createdBy: 'system',
+          origin,
+          systemKey,
+        };
+        this.routes.set(id, newRoute);
+        await this.persistRoute(newRoute);
+        seeded++;
+      }
+    }
+
+    // Delete stale routes: same origin but name not in current seed set
+    const staleIds: string[] = [];
+    for (const [id, r] of this.routes) {
+      if (r.origin !== origin) continue;
+
+      const routeName = r.route.name || '';
+      const matchesSeedSystemKey = r.systemKey ? seedSystemKeys.has(r.systemKey) : false;
+      const matchesSeedName = routeName ? seedNames.has(routeName) : false;
+      if (!matchesSeedSystemKey && !matchesSeedName) {
+        staleIds.push(id);
+      }
+    }
+    for (const id of staleIds) {
+      this.routes.delete(id);
+      const doc = await RouteDoc.findById(id);
+      if (doc) await doc.delete();
+    }
+
+    if (seeded > 0 || updated > 0 || staleIds.length > 0) {
+      logger.log('info', `Seed routes (${origin}): ${seeded} new, ${updated} updated, ${staleIds.length} stale removed`);
+    }
   }
 
   // =========================================================================
   // Private: persistence
   // =========================================================================
 
-  private async loadStoredRoutes(): Promise<void> {
-    const keys = await this.storageManager.list(ROUTES_PREFIX);
-    for (const key of keys) {
-      if (!key.endsWith('.json')) continue;
-      const stored = await this.storageManager.getJSON<IStoredRoute>(key);
-      if (stored?.id) {
-        this.storedRoutes.set(stored.id, stored);
+  private buildSystemRouteKey(
+    origin: 'config' | 'email' | 'dns',
+    route: IDcRouterRouteConfig,
+  ): string | undefined {
+    const name = route.name?.trim();
+    if (!name) return undefined;
+    return `${origin}:${name}`;
+  }
+
+  private findExistingSeedRouteId(
+    origin: 'config' | 'email' | 'dns',
+    route: IDcRouterRouteConfig,
+    systemKey?: string,
+  ): string | undefined {
+    const routeName = route.name || '';
+
+    for (const [id, storedRoute] of this.routes) {
+      if (storedRoute.origin !== origin) continue;
+
+      if (systemKey && storedRoute.systemKey === systemKey) {
+        return id;
+      }
+
+      if (storedRoute.route.name === routeName) {
+        return id;
       }
     }
-    if (this.storedRoutes.size > 0) {
-      logger.log('info', `Loaded ${this.storedRoutes.size} programmatic route(s) from storage`);
+
+    return undefined;
+  }
+
+  private async loadRoutes(): Promise<void> {
+    const docs = await RouteDoc.findAll();
+
+    for (const doc of docs) {
+      if (!doc.id) continue;
+
+      const storedRoute: IRoute = {
+        id: doc.id,
+        route: doc.route,
+        enabled: doc.enabled,
+        createdAt: doc.createdAt,
+        updatedAt: doc.updatedAt,
+        createdBy: doc.createdBy,
+        origin: doc.origin || 'api',
+        systemKey: doc.systemKey,
+        metadata: doc.metadata,
+      };
+
+      this.routes.set(doc.id, storedRoute);
+    }
+    if (this.routes.size > 0) {
+      logger.log('info', `Loaded ${this.routes.size} route(s) from database`);
     }
   }
 
-  private async loadOverrides(): Promise<void> {
-    const keys = await this.storageManager.list(OVERRIDES_PREFIX);
-    for (const key of keys) {
-      if (!key.endsWith('.json')) continue;
-      const override = await this.storageManager.getJSON<IRouteOverride>(key);
-      if (override?.routeName) {
-        this.overrides.set(override.routeName, override);
-      }
+  private async persistRoute(stored: IRoute): Promise<void> {
+    const existingDoc = await RouteDoc.findById(stored.id);
+    if (existingDoc) {
+      existingDoc.route = stored.route;
+      existingDoc.enabled = stored.enabled;
+      existingDoc.updatedAt = stored.updatedAt;
+      existingDoc.createdBy = stored.createdBy;
+      existingDoc.origin = stored.origin;
+      existingDoc.systemKey = stored.systemKey;
+      existingDoc.metadata = stored.metadata;
+      await existingDoc.save();
+    } else {
+      const doc = new RouteDoc();
+      doc.id = stored.id;
+      doc.route = stored.route;
+      doc.enabled = stored.enabled;
+      doc.createdAt = stored.createdAt;
+      doc.updatedAt = stored.updatedAt;
+      doc.createdBy = stored.createdBy;
+      doc.origin = stored.origin;
+      doc.systemKey = stored.systemKey;
+      doc.metadata = stored.metadata;
+      await doc.save();
     }
-    if (this.overrides.size > 0) {
-      logger.log('info', `Loaded ${this.overrides.size} route override(s) from storage`);
-    }
-  }
-
-  private async persistRoute(stored: IStoredRoute): Promise<void> {
-    await this.storageManager.setJSON(`${ROUTES_PREFIX}${stored.id}.json`, stored);
   }
 
   // =========================================================================
@@ -202,33 +410,14 @@ export class RouteConfigManager {
 
   private computeWarnings(): void {
     this.warnings = [];
-    const hardcodedNames = new Set(this.getHardcodedRoutes().map((r) => r.name || ''));
 
-    // Check overrides
-    for (const [routeName, override] of this.overrides) {
-      if (!hardcodedNames.has(routeName)) {
+    for (const route of this.routes.values()) {
+      if (!route.enabled) {
+        const name = route.route.name || route.id;
         this.warnings.push({
-          type: 'orphaned-override',
-          routeName,
-          message: `Orphaned override for route '${routeName}' — hardcoded route no longer exists`,
-        });
-      } else if (!override.enabled) {
-        this.warnings.push({
-          type: 'disabled-hardcoded',
-          routeName,
-          message: `Route '${routeName}' is disabled via API override`,
-        });
-      }
-    }
-
-    // Check disabled programmatic routes
-    for (const stored of this.storedRoutes.values()) {
-      if (!stored.enabled) {
-        const name = stored.route.name || stored.id;
-        this.warnings.push({
-          type: 'disabled-programmatic',
+          type: 'disabled-route',
           routeName: name,
-          message: `Programmatic route '${name}' (id: ${stored.id}) is disabled`,
+          message: `Route '${name}' (id: ${route.id}) is disabled`,
         });
       }
     }
@@ -241,38 +430,102 @@ export class RouteConfigManager {
   }
 
   // =========================================================================
-  // Private: apply merged routes to SmartProxy
+  // Re-resolve routes after profile/target changes
   // =========================================================================
 
-  private async applyRoutes(): Promise<void> {
-    const smartProxy = this.getSmartProxy();
-    if (!smartProxy) return;
+  /**
+   * Re-resolve specific routes by ID (after a profile or target is updated).
+   * Persists each route and calls applyRoutes() once at the end.
+   */
+  public async reResolveRoutes(routeIds: string[]): Promise<void> {
+    if (!this.referenceResolver || routeIds.length === 0) return;
 
-    const enabledRoutes: plugins.smartproxy.IRouteConfig[] = [];
+    for (const routeId of routeIds) {
+      const stored = this.routes.get(routeId);
+      if (!stored?.metadata) continue;
 
-    // Add enabled hardcoded routes (respecting overrides)
-    for (const route of this.getHardcodedRoutes()) {
-      const name = route.name || '';
-      const override = this.overrides.get(name);
-      if (override && !override.enabled) {
-        continue; // Skip disabled hardcoded route
-      }
-      enabledRoutes.push(route);
+      const resolved = this.referenceResolver.resolveRoute(stored.route, stored.metadata);
+      stored.route = resolved.route;
+      stored.metadata = resolved.metadata;
+      stored.updatedAt = Date.now();
+      await this.persistRoute(stored);
     }
 
-    // Add enabled programmatic routes (with HTTP/3 augmentation if enabled)
-    const http3Config = this.getHttp3Config?.();
-    for (const stored of this.storedRoutes.values()) {
-      if (stored.enabled) {
-        if (http3Config && http3Config.enabled !== false) {
-          enabledRoutes.push(augmentRouteWithHttp3(stored.route, { enabled: true, ...http3Config }));
-        } else {
-          enabledRoutes.push(stored.route);
+    await this.applyRoutes();
+    logger.log('info', `Re-resolved ${routeIds.length} route(s) after profile/target change`);
+  }
+
+  // =========================================================================
+  // Apply routes to SmartProxy
+  // =========================================================================
+
+  public async applyRoutes(): Promise<void> {
+    await this.routeUpdateMutex.runExclusive(async () => {
+      const smartProxy = this.getSmartProxy();
+      if (!smartProxy) return;
+
+      const enabledRoutes: plugins.smartproxy.IRouteConfig[] = [];
+
+      // Add all enabled routes with HTTP/3 and VPN augmentation
+      for (const route of this.routes.values()) {
+        if (route.enabled) {
+          enabledRoutes.push(this.prepareStoredRouteForApply(route));
         }
       }
+
+      const runtimeRoutes = this.getRuntimeRoutes?.() || [];
+      for (const route of runtimeRoutes) {
+        enabledRoutes.push(this.prepareRouteForApply(route));
+      }
+
+      await smartProxy.updateRoutes(enabledRoutes);
+
+      // Notify listeners (e.g. RemoteIngressManager) of the route set
+      if (this.onRoutesApplied) {
+        this.onRoutesApplied(enabledRoutes);
+      }
+
+      logger.log('info', `Applied ${enabledRoutes.length} routes to SmartProxy (${this.routes.size} total)`);
+    });
+  }
+
+  private prepareStoredRouteForApply(storedRoute: IRoute): plugins.smartproxy.IRouteConfig {
+    const hydratedRoute = this.hydrateStoredRoute?.(storedRoute);
+    return this.prepareRouteForApply(hydratedRoute || storedRoute.route, storedRoute.id);
+  }
+
+  private prepareRouteForApply(
+    route: plugins.smartproxy.IRouteConfig,
+    routeId?: string,
+  ): plugins.smartproxy.IRouteConfig {
+    let preparedRoute = route;
+    const http3Config = this.getHttp3Config?.();
+
+    if (http3Config?.enabled !== false) {
+      preparedRoute = augmentRouteWithHttp3(preparedRoute, { enabled: true, ...http3Config });
     }
 
-    await smartProxy.updateRoutes(enabledRoutes);
-    logger.log('info', `Applied ${enabledRoutes.length} routes to SmartProxy (${this.storedRoutes.size} programmatic, ${this.overrides.size} overrides)`);
+    return this.injectVpnSecurity(preparedRoute, routeId);
+  }
+
+  private injectVpnSecurity(
+    route: plugins.smartproxy.IRouteConfig,
+    routeId?: string,
+  ): plugins.smartproxy.IRouteConfig {
+    const vpnCallback = this.getVpnClientIpsForRoute;
+    if (!vpnCallback) return route;
+
+    const dcRoute = route as IDcRouterRouteConfig;
+    if (!dcRoute.vpnOnly) return route;
+
+    const vpnEntries = vpnCallback(dcRoute, routeId);
+    const existingEntries = route.security?.ipAllowList || [];
+    return {
+      ...route,
+      security: {
+        ...route.security,
+        ipAllowList: [...existingEntries, ...vpnEntries],
+      },
+    };
   }
 }

ts/config/classes.target-profile-manager.ts

@@ -0,0 +1,538 @@
+import * as plugins from '../plugins.js';
+import { logger } from '../logger.js';
+import { TargetProfileDoc, VpnClientDoc } from '../db/index.js';
+import type { ITargetProfile, ITargetProfileTarget } from '../../ts_interfaces/data/target-profile.js';
+import type { IDcRouterRouteConfig } from '../../ts_interfaces/data/remoteingress.js';
+import type { IRoute } from '../../ts_interfaces/data/route-management.js';
+
+/**
+ * Manages TargetProfiles (target-side: what can be accessed).
+ * TargetProfiles define what resources a VPN client can reach:
+ * domains, specific IP:port targets, and/or direct route references.
+ */
+export class TargetProfileManager {
+  private profiles = new Map<string, ITargetProfile>();
+
+  constructor(
+    private getAllRoutes?: () => Map<string, IRoute>,
+  ) {}
+
+  // =========================================================================
+  // Lifecycle
+  // =========================================================================
+
+  public async initialize(): Promise<void> {
+    await this.loadProfiles();
+  }
+
+  // =========================================================================
+  // CRUD
+  // =========================================================================
+
+  public async createProfile(data: {
+    name: string;
+    description?: string;
+    domains?: string[];
+    targets?: ITargetProfileTarget[];
+    routeRefs?: string[];
+    createdBy: string;
+  }): Promise<string> {
+    // Enforce unique profile names
+    for (const existing of this.profiles.values()) {
+      if (existing.name === data.name) {
+        throw new Error(`Target profile with name '${data.name}' already exists (id: ${existing.id})`);
+      }
+    }
+
+    const id = plugins.uuid.v4();
+    const now = Date.now();
+
+    const routeRefs = this.normalizeRouteRefs(data.routeRefs);
+    const profile: ITargetProfile = {
+      id,
+      name: data.name,
+      description: data.description,
+      domains: data.domains,
+      targets: data.targets,
+      routeRefs,
+      createdAt: now,
+      updatedAt: now,
+      createdBy: data.createdBy,
+    };
+
+    this.profiles.set(id, profile);
+    await this.persistProfile(profile);
+    logger.log('info', `Created target profile '${profile.name}' (${id})`);
+    return id;
+  }
+
+  public async updateProfile(
+    id: string,
+    patch: Partial<Omit<ITargetProfile, 'id' | 'createdAt' | 'createdBy'>>,
+  ): Promise<void> {
+    const profile = this.profiles.get(id);
+    if (!profile) {
+      throw new Error(`Target profile '${id}' not found`);
+    }
+
+    if (patch.name !== undefined && patch.name !== profile.name) {
+      for (const existing of this.profiles.values()) {
+        if (existing.id !== id && existing.name === patch.name) {
+          throw new Error(`Target profile with name '${patch.name}' already exists (id: ${existing.id})`);
+        }
+      }
+    }
+
+    if (patch.name !== undefined) profile.name = patch.name;
+    if (patch.description !== undefined) profile.description = patch.description;
+    if (patch.domains !== undefined) profile.domains = patch.domains;
+    if (patch.targets !== undefined) profile.targets = patch.targets;
+    if (patch.routeRefs !== undefined) profile.routeRefs = this.normalizeRouteRefs(patch.routeRefs);
+    profile.updatedAt = Date.now();
+
+    await this.persistProfile(profile);
+    logger.log('info', `Updated target profile '${profile.name}' (${id})`);
+  }
+
+  public async deleteProfile(
+    id: string,
+    force?: boolean,
+  ): Promise<{ success: boolean; message?: string }> {
+    const profile = this.profiles.get(id);
+    if (!profile) {
+      return { success: false, message: `Target profile '${id}' not found` };
+    }
+
+    // Check if any VPN clients reference this profile
+    const clients = await VpnClientDoc.findAll();
+    const referencingClients = clients.filter(
+      (c) => c.targetProfileIds?.includes(id),
+    );
+
+    if (referencingClients.length > 0 && !force) {
+      return {
+        success: false,
+        message: `Profile '${profile.name}' is in use by ${referencingClients.length} VPN client(s). Use force=true to delete.`,
+      };
+    }
+
+    // Delete from DB
+    const doc = await TargetProfileDoc.findById(id);
+    if (doc) await doc.delete();
+    this.profiles.delete(id);
+
+    if (referencingClients.length > 0) {
+      // Remove profile ref from clients
+      for (const client of referencingClients) {
+        client.targetProfileIds = client.targetProfileIds?.filter((pid) => pid !== id);
+        client.updatedAt = Date.now();
+        await client.save();
+      }
+      logger.log('warn', `Force-deleted target profile '${profile.name}'; removed refs from ${referencingClients.length} client(s)`);
+    } else {
+      logger.log('info', `Deleted target profile '${profile.name}' (${id})`);
+    }
+
+    return { success: true };
+  }
+
+  public getProfile(id: string): ITargetProfile | undefined {
+    return this.profiles.get(id);
+  }
+
+  /**
+   * Normalize stored route references to route IDs when they can be resolved
+   * uniquely against the current route registry.
+   */
+  public async normalizeAllRouteRefs(): Promise<void> {
+    const allRoutes = this.getAllRoutes?.();
+    if (!allRoutes?.size) return;
+
+    for (const profile of this.profiles.values()) {
+      const normalizedRouteRefs = this.normalizeRouteRefsAgainstRoutes(
+        profile.routeRefs,
+        allRoutes,
+        'bestEffort',
+      );
+      if (this.sameStringArray(profile.routeRefs, normalizedRouteRefs)) continue;
+
+      profile.routeRefs = normalizedRouteRefs;
+      profile.updatedAt = Date.now();
+      await this.persistProfile(profile);
+      logger.log('info', `Normalized route refs for target profile '${profile.name}' (${profile.id})`);
+    }
+  }
+
+  public listProfiles(): ITargetProfile[] {
+    return [...this.profiles.values()];
+  }
+
+  /**
+   * Get which VPN clients reference a target profile.
+   */
+  public async getProfileUsage(profileId: string): Promise<Array<{ clientId: string; description?: string }>> {
+    const clients = await VpnClientDoc.findAll();
+    return clients
+      .filter((c) => c.targetProfileIds?.includes(profileId))
+      .map((c) => ({ clientId: c.clientId, description: c.description }));
+  }
+
+  // =========================================================================
+  // Direct target IPs (bypass SmartProxy)
+  // =========================================================================
+
+  /**
+   * For a set of target profile IDs, collect all explicit target IPs.
+   * These IPs bypass the SmartProxy forceTarget rewrite — VPN clients can
+   * connect to them directly through the tunnel.
+   */
+  public getDirectTargetIps(targetProfileIds: string[]): string[] {
+    const ips = new Set<string>();
+    for (const profileId of targetProfileIds) {
+      const profile = this.profiles.get(profileId);
+      if (!profile?.targets?.length) continue;
+      for (const t of profile.targets) {
+        ips.add(t.ip);
+      }
+    }
+    return [...ips];
+  }
+
+  // =========================================================================
+  // Core matching: route → client IPs
+  // =========================================================================
+
+  /**
+   * For a vpnOnly route, find all enabled VPN clients whose assigned TargetProfile
+   * matches the route. Returns IP allow entries for injection into ipAllowList.
+   *
+   * Entries are domain-scoped when a profile matches via specific domains that are
+   * a subset of the route's wildcard. Plain IPs are returned for routeRef/target matches
+   * or when profile domains exactly equal the route's domains.
+   */
+  public getMatchingClientIps(
+    route: IDcRouterRouteConfig,
+    routeId: string | undefined,
+    clients: VpnClientDoc[],
+    allRoutes: Map<string, IRoute> = new Map(),
+  ): Array<string | { ip: string; domains: string[] }> {
+    const entries: Array<string | { ip: string; domains: string[] }> = [];
+    const routeDomains: string[] = (route.match as any)?.domains || [];
+    const routeNameIndex = this.buildRouteNameIndex(allRoutes);
+
+    for (const client of clients) {
+      if (!client.enabled || !client.assignedIp) continue;
+      if (!client.targetProfileIds?.length) continue;
+
+      // Collect scoped domains from all matching profiles for this client
+      let fullAccess = false;
+      const scopedDomains = new Set<string>();
+
+      for (const profileId of client.targetProfileIds) {
+        const profile = this.profiles.get(profileId);
+        if (!profile) continue;
+
+        const matchResult = this.routeMatchesProfileDetailed(
+          route,
+          routeId,
+          profile,
+          routeDomains,
+          routeNameIndex,
+        );
+        if (matchResult === 'full') {
+          fullAccess = true;
+          break; // No need to check more profiles
+        }
+        if (matchResult !== 'none') {
+          for (const d of matchResult.domains) scopedDomains.add(d);
+        }
+      }
+
+      if (fullAccess) {
+        entries.push(client.assignedIp);
+      } else if (scopedDomains.size > 0) {
+        entries.push({ ip: client.assignedIp, domains: [...scopedDomains] });
+      }
+    }
+
+    return entries;
+  }
+
+  /**
+   * For a given client (by its targetProfileIds), compute the set of
+   * domains and target IPs it can access. Used for WireGuard AllowedIPs.
+   */
+  public getClientAccessSpec(
+    targetProfileIds: string[],
+    allRoutes: Map<string, IRoute>,
+  ): { domains: string[]; targetIps: string[] } {
+    const domains = new Set<string>();
+    const targetIps = new Set<string>();
+    const routeNameIndex = this.buildRouteNameIndex(allRoutes);
+
+    // Collect all access specifiers from assigned profiles
+    for (const profileId of targetProfileIds) {
+      const profile = this.profiles.get(profileId);
+      if (!profile) continue;
+
+      // Direct domain entries
+      if (profile.domains?.length) {
+        for (const d of profile.domains) {
+          domains.add(d);
+        }
+      }
+
+      // Direct target IP entries
+      if (profile.targets?.length) {
+        for (const t of profile.targets) {
+          targetIps.add(t.ip);
+        }
+      }
+
+      // Route references: scan all routes
+      for (const [routeId, route] of allRoutes) {
+        if (!route.enabled) continue;
+        if (this.routeMatchesProfile(
+          route.route as IDcRouterRouteConfig,
+          routeId,
+          profile,
+          routeNameIndex,
+        )) {
+          const routeDomains = (route.route.match as any)?.domains;
+          if (Array.isArray(routeDomains)) {
+            for (const d of routeDomains) {
+              domains.add(d);
+            }
+          }
+        }
+      }
+    }
+
+    return {
+      domains: [...domains],
+      targetIps: [...targetIps],
+    };
+  }
+
+  // =========================================================================
+  // Private: matching logic
+  // =========================================================================
+
+  /**
+   * Check if a route matches a profile (boolean convenience wrapper).
+   */
+  private routeMatchesProfile(
+    route: IDcRouterRouteConfig,
+    routeId: string | undefined,
+    profile: ITargetProfile,
+    routeNameIndex: Map<string, string[]>,
+  ): boolean {
+    const routeDomains: string[] = (route.match as any)?.domains || [];
+    const result = this.routeMatchesProfileDetailed(
+      route,
+      routeId,
+      profile,
+      routeDomains,
+      routeNameIndex,
+    );
+    return result !== 'none';
+  }
+
+  /**
+   * Detailed match: returns 'full' (plain IP, entire route), 'scoped' (domain-limited),
+   * or 'none' (no match).
+   *
+   * - routeRefs / target matches → 'full' (explicit reference = full access)
+   * - domain match where profile domains are a subset of route wildcard → 'scoped'
+   * - domain match where domains are identical or profile is a wildcard → 'full'
+   */
+  private routeMatchesProfileDetailed(
+    route: IDcRouterRouteConfig,
+    routeId: string | undefined,
+    profile: ITargetProfile,
+    routeDomains: string[],
+    routeNameIndex: Map<string, string[]>,
+  ): 'full' | { type: 'scoped'; domains: string[] } | 'none' {
+    // 1. Route reference match → full access
+    if (profile.routeRefs?.length) {
+      if (routeId && profile.routeRefs.includes(routeId)) return 'full';
+      if (routeId && route.name && profile.routeRefs.includes(route.name)) {
+        const matchingRouteIds = routeNameIndex.get(route.name) || [];
+        if (matchingRouteIds.length === 1 && matchingRouteIds[0] === routeId) {
+          return 'full';
+        }
+      }
+    }
+
+    // 2. Domain match
+    if (profile.domains?.length && routeDomains.length) {
+      const matchedProfileDomains: string[] = [];
+
+      for (const profileDomain of profile.domains) {
+        for (const routeDomain of routeDomains) {
+          if (this.domainMatchesPattern(routeDomain, profileDomain) ||
+              this.domainMatchesPattern(profileDomain, routeDomain)) {
+            matchedProfileDomains.push(profileDomain);
+            break; // This profileDomain matched, move to the next
+          }
+        }
+      }
+
+      if (matchedProfileDomains.length > 0) {
+        // Check if profile domains cover the route entirely (same wildcards = full access)
+        const isFullCoverage = routeDomains.every((rd) =>
+          matchedProfileDomains.some((pd) =>
+            rd === pd || this.domainMatchesPattern(rd, pd),
+          ),
+        );
+        if (isFullCoverage) return 'full';
+
+        // Profile domains are a subset → scoped access to those specific domains
+        return { type: 'scoped', domains: matchedProfileDomains };
+      }
+    }
+
+    // 3. Target match (host + port) → full access (precise by nature)
+    if (profile.targets?.length) {
+      const routeTargets = (route.action as any)?.targets;
+      if (Array.isArray(routeTargets)) {
+        for (const profileTarget of profile.targets) {
+          for (const routeTarget of routeTargets) {
+            const routeHost = routeTarget.host;
+            const routePort = routeTarget.port;
+            if (routeHost === profileTarget.ip && routePort === profileTarget.port) {
+              return 'full';
+            }
+          }
+        }
+      }
+    }
+
+    return 'none';
+  }
+
+  /**
+   * Check if a domain matches a pattern.
+   * - '*.example.com' matches 'sub.example.com', 'a.b.example.com'
+   * - 'example.com' matches only 'example.com'
+   */
+  private domainMatchesPattern(domain: string, pattern: string): boolean {
+    if (pattern === domain) return true;
+    if (pattern.startsWith('*.')) {
+      const suffix = pattern.slice(1); // '.example.com'
+      return domain.endsWith(suffix) && domain.length > suffix.length;
+    }
+    return false;
+  }
+
+  private normalizeRouteRefs(routeRefs?: string[]): string[] | undefined {
+    const allRoutes = this.getAllRoutes?.() || new Map<string, IRoute>();
+    return this.normalizeRouteRefsAgainstRoutes(routeRefs, allRoutes, 'strict');
+  }
+
+  private normalizeRouteRefsAgainstRoutes(
+    routeRefs: string[] | undefined,
+    allRoutes: Map<string, IRoute>,
+    mode: 'strict' | 'bestEffort',
+  ): string[] | undefined {
+    if (!routeRefs?.length) return undefined;
+    if (!allRoutes.size) return [...new Set(routeRefs)];
+
+    const routeNameIndex = this.buildRouteNameIndex(allRoutes);
+    const normalizedRefs = new Set<string>();
+
+    for (const routeRef of routeRefs) {
+      if (allRoutes.has(routeRef)) {
+        normalizedRefs.add(routeRef);
+        continue;
+      }
+
+      const matchingRouteIds = routeNameIndex.get(routeRef) || [];
+      if (matchingRouteIds.length === 1) {
+        normalizedRefs.add(matchingRouteIds[0]);
+        continue;
+      }
+
+      if (mode === 'bestEffort') {
+        normalizedRefs.add(routeRef);
+        continue;
+      }
+
+      if (matchingRouteIds.length > 1) {
+        throw new Error(`Route reference '${routeRef}' is ambiguous; use a route ID instead`);
+      }
+      throw new Error(`Route reference '${routeRef}' not found`);
+    }
+
+    return [...normalizedRefs];
+  }
+
+  private buildRouteNameIndex(allRoutes: Map<string, IRoute>): Map<string, string[]> {
+    const routeNameIndex = new Map<string, string[]>();
+    for (const [routeId, route] of allRoutes) {
+      const routeName = route.route.name;
+      if (!routeName) continue;
+      const matchingRouteIds = routeNameIndex.get(routeName) || [];
+      matchingRouteIds.push(routeId);
+      routeNameIndex.set(routeName, matchingRouteIds);
+    }
+    return routeNameIndex;
+  }
+
+  private sameStringArray(left?: string[], right?: string[]): boolean {
+    if (!left?.length && !right?.length) return true;
+    if (!left || !right || left.length !== right.length) return false;
+    return left.every((value, index) => value === right[index]);
+  }
+
+  // =========================================================================
+  // Private: persistence
+  // =========================================================================
+
+  private async loadProfiles(): Promise<void> {
+    const docs = await TargetProfileDoc.findAll();
+    for (const doc of docs) {
+      if (doc.id) {
+        this.profiles.set(doc.id, {
+          id: doc.id,
+          name: doc.name,
+          description: doc.description,
+          domains: doc.domains,
+          targets: doc.targets,
+          routeRefs: doc.routeRefs,
+          createdAt: doc.createdAt,
+          updatedAt: doc.updatedAt,
+          createdBy: doc.createdBy,
+        });
+      }
+    }
+    if (this.profiles.size > 0) {
+      logger.log('info', `Loaded ${this.profiles.size} target profile(s) from storage`);
+    }
+  }
+
+  private async persistProfile(profile: ITargetProfile): Promise<void> {
+    const existingDoc = await TargetProfileDoc.findById(profile.id);
+    if (existingDoc) {
+      existingDoc.name = profile.name;
+      existingDoc.description = profile.description;
+      existingDoc.domains = profile.domains;
+      existingDoc.targets = profile.targets;
+      existingDoc.routeRefs = profile.routeRefs;
+      existingDoc.updatedAt = profile.updatedAt;
+      await existingDoc.save();
+    } else {
+      const doc = new TargetProfileDoc();
+      doc.id = profile.id;
+      doc.name = profile.name;
+      doc.description = profile.description;
+      doc.domains = profile.domains;
+      doc.targets = profile.targets;
+      doc.routeRefs = profile.routeRefs;
+      doc.createdAt = profile.createdAt;
+      doc.updatedAt = profile.updatedAt;
+      doc.createdBy = profile.createdBy;
+      await doc.save();
+    }
+  }
+}

ts/config/index.ts

@@ -1,4 +1,7 @@
 // Export validation tools only
 export * from './validator.js';
 export { RouteConfigManager } from './classes.route-config-manager.js';
-export { ApiTokenManager } from './classes.api-token-manager.js';
+export { ApiTokenManager } from './classes.api-token-manager.js';
+export { ReferenceResolver } from './classes.reference-resolver.js';
+export { DbSeeder } from './classes.db-seeder.js';
+export { TargetProfileManager } from './classes.target-profile-manager.js';

ts/config/validator.ts

@@ -170,7 +170,7 @@ export class ConfigValidator {
                 } else if (rules.items.schema && itemType === 'object') {
                   const itemResult = this.validate(value[i], rules.items.schema);
                   if (!itemResult.valid) {
-                    errors.push(...itemResult.errors.map(err => `${key}[${i}].${err}`));
+                    errors.push(...itemResult.errors!.map(err => `${key}[${i}].${err}`));
                   }
                 }
               }
@@ -181,7 +181,7 @@ export class ConfigValidator {
             if (rules.schema) {
               const nestedResult = this.validate(value, rules.schema);
               if (!nestedResult.valid) {
-                errors.push(...nestedResult.errors.map(err => `${key}.${err}`));
+                errors.push(...nestedResult.errors!.map(err => `${key}.${err}`));
               }
               validatedConfig[key] = nestedResult.config;
             }
@@ -233,8 +233,8 @@ export class ConfigValidator {
 
       // Apply defaults to array items
       if (result[key] && rules.type === 'array' && rules.items && rules.items.schema) {
-        result[key] = result[key].map(item => 
-          typeof item === 'object' ? this.applyDefaults(item, rules.items.schema) : item
+        result[key] = result[key].map(item =>
+          typeof item === 'object' ? this.applyDefaults(item, rules.items!.schema!) : item
         );
       }
     }
@@ -255,7 +255,7 @@ export class ConfigValidator {
     
     if (!result.valid) {
       throw new ValidationError(
-        `Configuration validation failed: ${result.errors.join(', ')}`,
+        `Configuration validation failed: ${result.errors!.join(', ')}`,
         'CONFIG_VALIDATION_ERROR',
         { data: { errors: result.errors } }
       );

ts/db/classes.cache.cleaner.ts

@@ -1,6 +1,6 @@
 import * as plugins from '../plugins.js';
 import { logger } from '../logger.js';
-import { CacheDb } from './classes.cachedb.js';
+import { DcRouterDb } from './classes.dcrouter-db.js';
 
 // Import document classes for cleanup
 import { CachedEmail } from './documents/classes.cached.email.js';
@@ -26,10 +26,10 @@ export class CacheCleaner {
   private cleanupInterval: ReturnType<typeof setInterval> | null = null;
   private isRunning: boolean = false;
   private options: Required<ICacheCleanerOptions>;
-  private cacheDb: CacheDb;
+  private dcRouterDb: DcRouterDb;
 
-  constructor(cacheDb: CacheDb, options: ICacheCleanerOptions = {}) {
-    this.cacheDb = cacheDb;
+  constructor(dcRouterDb: DcRouterDb, options: ICacheCleanerOptions = {}) {
+    this.dcRouterDb = dcRouterDb;
     this.options = {
       intervalMs: options.intervalMs || 60 * 60 * 1000, // 1 hour default
       verbose: options.verbose || false,
@@ -48,14 +48,14 @@ export class CacheCleaner {
     this.isRunning = true;
 
     // Run cleanup immediately on start
-    this.runCleanup().catch((error) => {
-      logger.log('error', `Initial cache cleanup failed: ${error.message}`);
+    this.runCleanup().catch((error: unknown) => {
+      logger.log('error', `Initial cache cleanup failed: ${(error as Error).message}`);
     });
 
     // Schedule periodic cleanup
     this.cleanupInterval = setInterval(() => {
-      this.runCleanup().catch((error) => {
-        logger.log('error', `Cache cleanup failed: ${error.message}`);
+      this.runCleanup().catch((error: unknown) => {
+        logger.log('error', `Cache cleanup failed: ${(error as Error).message}`);
       });
     }, this.options.intervalMs);
 
@@ -86,8 +86,8 @@ export class CacheCleaner {
    * Run a single cleanup cycle
    */
   public async runCleanup(): Promise<void> {
-    if (!this.cacheDb.isReady()) {
-      logger.log('warn', 'CacheDb not ready, skipping cleanup');
+    if (!this.dcRouterDb.isReady()) {
+      logger.log('warn', 'DcRouterDb not ready, skipping cleanup');
       return;
     }
 
@@ -113,8 +113,8 @@ export class CacheCleaner {
           `Cache cleanup completed. Deleted ${totalDeleted} expired documents. ${summary || 'No deletions.'}`
         );
       }
-    } catch (error) {
-      logger.log('error', `Cache cleanup error: ${error.message}`);
+    } catch (error: unknown) {
+      logger.log('error', `Cache cleanup error: ${(error as Error).message}`);
       throw error;
     }
   }
@@ -138,14 +138,14 @@ export class CacheCleaner {
         try {
           await doc.delete();
           deletedCount++;
-        } catch (deleteError) {
-          logger.log('warn', `Failed to delete expired document: ${deleteError.message}`);
+        } catch (deleteError: unknown) {
+          logger.log('warn', `Failed to delete expired document: ${(deleteError as Error).message}`);
         }
       }
 
       return deletedCount;
-    } catch (error) {
-      logger.log('error', `Error cleaning collection: ${error.message}`);
+    } catch (error: unknown) {
+      logger.log('error', `Error cleaning collection: ${(error as Error).message}`);
       return 0;
     }
   }

ts/db/classes.cached.document.ts

@@ -22,7 +22,7 @@ export abstract class CachedDocument<T extends CachedDocument<T>> extends plugin
    * Timestamp when the document expires and should be cleaned up
    * NOTE: Subclasses must add @svDb() decorator
    */
-  public expiresAt: Date;
+  public expiresAt!: Date;
 
   /**
    * Timestamp of last access (for LRU-style eviction if needed)

ts/db/classes.dcrouter-db.ts

@@ -0,0 +1,179 @@
+import * as plugins from '../plugins.js';
+import { logger } from '../logger.js';
+import { defaultTsmDbPath } from '../paths.js';
+
+/**
+ * Configuration options for the unified DCRouter database
+ */
+export interface IDcRouterDbConfig {
+  /** External MongoDB connection URL. If absent, uses embedded LocalSmartDb. */
+  mongoDbUrl?: string;
+  /** Storage path for embedded LocalSmartDb data (default: ~/.serve.zone/dcrouter/tsmdb) */
+  storagePath?: string;
+  /** Database name (default: dcrouter) */
+  dbName?: string;
+  /** Enable debug logging */
+  debug?: boolean;
+}
+
+/**
+ * DcRouterDb - Unified database layer for DCRouter
+ *
+ * Replaces both StorageManager (flat-file key-value) and CacheDb (embedded MongoDB).
+ * All data is stored as smartdata document classes in a single database.
+ *
+ * Two modes:
+ * - **Embedded** (default): Spawns a LocalSmartDb (Rust-based MongoDB-compatible engine)
+ * - **External**: Connects to a provided MongoDB URL
+ */
+export class DcRouterDb {
+  private static instance: DcRouterDb | null = null;
+
+  private localSmartDb: plugins.smartdb.LocalSmartDb | null = null;
+  private smartdataDb!: plugins.smartdata.SmartdataDb;
+  private options: Required<IDcRouterDbConfig>;
+  private isStarted: boolean = false;
+
+  constructor(options: IDcRouterDbConfig = {}) {
+    this.options = {
+      mongoDbUrl: options.mongoDbUrl || '',
+      storagePath: options.storagePath || defaultTsmDbPath,
+      dbName: options.dbName || 'dcrouter',
+      debug: options.debug || false,
+    };
+  }
+
+  /**
+   * Get or create the singleton instance
+   */
+  public static getInstance(options?: IDcRouterDbConfig): DcRouterDb {
+    if (!DcRouterDb.instance) {
+      DcRouterDb.instance = new DcRouterDb(options);
+    }
+    return DcRouterDb.instance;
+  }
+
+  /**
+   * Reset the singleton instance (useful for testing)
+   */
+  public static resetInstance(): void {
+    DcRouterDb.instance = null;
+  }
+
+  /**
+   * Start the database
+   * - If mongoDbUrl is provided, connects directly to external MongoDB
+   * - Otherwise, starts an embedded LocalSmartDb instance
+   */
+  public async start(): Promise<void> {
+    if (this.isStarted) {
+      logger.log('warn', 'DcRouterDb already started');
+      return;
+    }
+
+    try {
+      let connectionUri: string;
+
+      if (this.options.mongoDbUrl) {
+        // External MongoDB mode
+        connectionUri = this.options.mongoDbUrl;
+        logger.log('info', `DcRouterDb connecting to external MongoDB`);
+      } else {
+        // Embedded LocalSmartDb mode
+        await plugins.fsUtils.ensureDir(this.options.storagePath);
+
+        this.localSmartDb = new plugins.smartdb.LocalSmartDb({
+          folderPath: this.options.storagePath,
+        });
+
+        const connectionInfo = await this.localSmartDb.start();
+        connectionUri = connectionInfo.connectionUri;
+
+        if (this.options.debug) {
+          logger.log('debug', `LocalSmartDb started with URI: ${connectionUri}`);
+        }
+
+        logger.log('info', `DcRouterDb started embedded instance at ${this.options.storagePath}`);
+      }
+
+      // Initialize smartdata ORM
+      this.smartdataDb = new plugins.smartdata.SmartdataDb({
+        mongoDbUrl: connectionUri,
+        mongoDbName: this.options.dbName,
+      });
+      await this.smartdataDb.init();
+
+      this.isStarted = true;
+      logger.log('info', `DcRouterDb ready (db: ${this.options.dbName})`);
+    } catch (error: unknown) {
+      logger.log('error', `Failed to start DcRouterDb: ${(error as Error).message}`);
+      throw error;
+    }
+  }
+
+  /**
+   * Stop the database
+   */
+  public async stop(): Promise<void> {
+    if (!this.isStarted) {
+      return;
+    }
+
+    try {
+      // Close smartdata connection
+      if (this.smartdataDb) {
+        await this.smartdataDb.close();
+      }
+
+      // Stop embedded LocalSmartDb if running
+      if (this.localSmartDb) {
+        await this.localSmartDb.stop();
+        this.localSmartDb = null;
+      }
+
+      this.isStarted = false;
+      logger.log('info', 'DcRouterDb stopped');
+    } catch (error: unknown) {
+      logger.log('error', `Error stopping DcRouterDb: ${(error as Error).message}`);
+      throw error;
+    }
+  }
+
+  /**
+   * Get the smartdata database instance for @Collection decorators
+   */
+  public getDb(): plugins.smartdata.SmartdataDb {
+    if (!this.isStarted) {
+      throw new Error('DcRouterDb not started. Call start() first.');
+    }
+    return this.smartdataDb;
+  }
+
+  /**
+   * Check if the database is ready
+   */
+  public isReady(): boolean {
+    return this.isStarted;
+  }
+
+  /**
+   * Whether running in embedded mode (LocalSmartDb) vs external MongoDB
+   */
+  public isEmbedded(): boolean {
+    return !this.options.mongoDbUrl;
+  }
+
+  /**
+   * Get the storage path (only relevant for embedded mode)
+   */
+  public getStoragePath(): string {
+    return this.options.storagePath;
+  }
+
+  /**
+   * Get the database name
+   */
+  public getDbName(): string {
+    return this.options.dbName;
+  }
+}

ts/db/documents/classes.accounting-session.doc.ts

@@ -0,0 +1,106 @@
+import * as plugins from '../../plugins.js';
+import { DcRouterDb } from '../classes.dcrouter-db.js';
+
+const getDb = () => DcRouterDb.getInstance().getDb();
+
+@plugins.smartdata.Collection(() => getDb())
+export class AccountingSessionDoc extends plugins.smartdata.SmartDataDbDoc<AccountingSessionDoc, AccountingSessionDoc> {
+  @plugins.smartdata.unI()
+  @plugins.smartdata.svDb()
+  public sessionId!: string;
+
+  @plugins.smartdata.svDb()
+  public username!: string;
+
+  @plugins.smartdata.svDb()
+  public macAddress!: string;
+
+  @plugins.smartdata.svDb()
+  public nasIpAddress!: string;
+
+  @plugins.smartdata.svDb()
+  public nasPort!: number;
+
+  @plugins.smartdata.svDb()
+  public nasPortType!: string;
+
+  @plugins.smartdata.svDb()
+  public nasIdentifier!: string;
+
+  @plugins.smartdata.svDb()
+  public vlanId!: number;
+
+  @plugins.smartdata.svDb()
+  public framedIpAddress!: string;
+
+  @plugins.smartdata.svDb()
+  public calledStationId!: string;
+
+  @plugins.smartdata.svDb()
+  public callingStationId!: string;
+
+  @plugins.smartdata.svDb()
+  public startTime!: number;
+
+  @plugins.smartdata.svDb()
+  public endTime!: number;
+
+  @plugins.smartdata.svDb()
+  public lastUpdateTime!: number;
+
+  @plugins.smartdata.index()
+  @plugins.smartdata.svDb()
+  public status!: 'active' | 'stopped' | 'terminated';
+
+  @plugins.smartdata.svDb()
+  public terminateCause!: string;
+
+  @plugins.smartdata.svDb()
+  public inputOctets!: number;
+
+  @plugins.smartdata.svDb()
+  public outputOctets!: number;
+
+  @plugins.smartdata.svDb()
+  public inputPackets!: number;
+
+  @plugins.smartdata.svDb()
+  public outputPackets!: number;
+
+  @plugins.smartdata.svDb()
+  public sessionTime!: number;
+
+  @plugins.smartdata.svDb()
+  public serviceType!: string;
+
+  constructor() {
+    super();
+  }
+
+  public static async findBySessionId(sessionId: string): Promise<AccountingSessionDoc | null> {
+    return await AccountingSessionDoc.getInstance({ sessionId });
+  }
+
+  public static async findActive(): Promise<AccountingSessionDoc[]> {
+    return await AccountingSessionDoc.getInstances({ status: 'active' });
+  }
+
+  public static async findByUsername(username: string): Promise<AccountingSessionDoc[]> {
+    return await AccountingSessionDoc.getInstances({ username });
+  }
+
+  public static async findByNas(nasIpAddress: string): Promise<AccountingSessionDoc[]> {
+    return await AccountingSessionDoc.getInstances({ nasIpAddress });
+  }
+
+  public static async findByVlan(vlanId: number): Promise<AccountingSessionDoc[]> {
+    return await AccountingSessionDoc.getInstances({ vlanId });
+  }
+
+  public static async findStoppedBefore(cutoffTime: number): Promise<AccountingSessionDoc[]> {
+    return await AccountingSessionDoc.getInstances({
+      status: { $in: ['stopped', 'terminated'] } as any,
+      endTime: { $lt: cutoffTime, $gt: 0 } as any,
+    });
+  }
+}

ts/db/documents/classes.acme-cert.doc.ts

@@ -0,0 +1,41 @@
+import * as plugins from '../../plugins.js';
+import { DcRouterDb } from '../classes.dcrouter-db.js';
+
+const getDb = () => DcRouterDb.getInstance().getDb();
+
+@plugins.smartdata.Collection(() => getDb())
+export class AcmeCertDoc extends plugins.smartdata.SmartDataDbDoc<AcmeCertDoc, AcmeCertDoc> {
+  @plugins.smartdata.unI()
+  @plugins.smartdata.svDb()
+  public domainName!: string;
+
+  @plugins.smartdata.svDb()
+  public id!: string;
+
+  @plugins.smartdata.svDb()
+  public created!: number;
+
+  @plugins.smartdata.svDb()
+  public privateKey!: string;
+
+  @plugins.smartdata.svDb()
+  public publicKey!: string;
+
+  @plugins.smartdata.svDb()
+  public csr!: string;
+
+  @plugins.smartdata.svDb()
+  public validUntil!: number;
+
+  constructor() {
+    super();
+  }
+
+  public static async findByDomain(domainName: string): Promise<AcmeCertDoc | null> {
+    return await AcmeCertDoc.getInstance({ domainName });
+  }
+
+  public static async findAll(): Promise<AcmeCertDoc[]> {
+    return await AcmeCertDoc.getInstances({});
+  }
+}

ts/db/documents/classes.acme-config.doc.ts

@@ -0,0 +1,49 @@
+import * as plugins from '../../plugins.js';
+import { DcRouterDb } from '../classes.dcrouter-db.js';
+
+const getDb = () => DcRouterDb.getInstance().getDb();
+
+/**
+ * Singleton ACME configuration document. One row per dcrouter instance,
+ * keyed on the fixed `configId = 'acme-config'` following the
+ * `VpnServerKeysDoc` pattern.
+ *
+ * Replaces the legacy `tls.contactEmail` and `smartProxyConfig.acme.*`
+ * constructor fields. Managed via the OpsServer UI at
+ * **Domains > Certificates > Settings**.
+ */
+@plugins.smartdata.Collection(() => getDb())
+export class AcmeConfigDoc extends plugins.smartdata.SmartDataDbDoc<AcmeConfigDoc, AcmeConfigDoc> {
+  @plugins.smartdata.unI()
+  @plugins.smartdata.svDb()
+  public configId: string = 'acme-config';
+
+  @plugins.smartdata.svDb()
+  public accountEmail: string = '';
+
+  @plugins.smartdata.svDb()
+  public enabled: boolean = true;
+
+  @plugins.smartdata.svDb()
+  public useProduction: boolean = true;
+
+  @plugins.smartdata.svDb()
+  public autoRenew: boolean = true;
+
+  @plugins.smartdata.svDb()
+  public renewThresholdDays: number = 30;
+
+  @plugins.smartdata.svDb()
+  public updatedAt: number = 0;
+
+  @plugins.smartdata.svDb()
+  public updatedBy: string = '';
+
+  constructor() {
+    super();
+  }
+
+  public static async load(): Promise<AcmeConfigDoc | null> {
+    return await AcmeConfigDoc.getInstance({ configId: 'acme-config' });
+  }
+}

ts/db/documents/classes.api-token.doc.ts

@@ -0,0 +1,56 @@
+import * as plugins from '../../plugins.js';
+import { DcRouterDb } from '../classes.dcrouter-db.js';
+import type { TApiTokenScope } from '../../../ts_interfaces/data/route-management.js';
+
+const getDb = () => DcRouterDb.getInstance().getDb();
+
+@plugins.smartdata.Collection(() => getDb())
+export class ApiTokenDoc extends plugins.smartdata.SmartDataDbDoc<ApiTokenDoc, ApiTokenDoc> {
+  @plugins.smartdata.unI()
+  @plugins.smartdata.svDb()
+  public id!: string;
+
+  @plugins.smartdata.svDb()
+  public name: string = '';
+
+  @plugins.smartdata.svDb()
+  public tokenHash!: string;
+
+  @plugins.smartdata.svDb()
+  public scopes!: TApiTokenScope[];
+
+  @plugins.smartdata.svDb()
+  public createdAt!: number;
+
+  @plugins.smartdata.svDb()
+  public expiresAt!: number | null;
+
+  @plugins.smartdata.svDb()
+  public lastUsedAt!: number | null;
+
+  @plugins.smartdata.svDb()
+  public createdBy!: string;
+
+  @plugins.smartdata.svDb()
+  public enabled!: boolean;
+
+  constructor() {
+    super();
+  }
+
+  public static async findById(id: string): Promise<ApiTokenDoc | null> {
+    return await ApiTokenDoc.getInstance({ id });
+  }
+
+  public static async findByTokenHash(tokenHash: string): Promise<ApiTokenDoc | null> {
+    return await ApiTokenDoc.getInstance({ tokenHash });
+  }
+
+  public static async findAll(): Promise<ApiTokenDoc[]> {
+    return await ApiTokenDoc.getInstances({});
+  }
+
+  public static async findEnabled(): Promise<ApiTokenDoc[]> {
+    return await ApiTokenDoc.getInstances({ enabled: true });
+  }
+}

ts/db/documents/classes.cached.email.ts

@@ -1,6 +1,6 @@
 import * as plugins from '../../plugins.js';
 import { CachedDocument, TTL } from '../classes.cached.document.js';
-import { CacheDb } from '../classes.cachedb.js';
+import { DcRouterDb } from '../classes.dcrouter-db.js';
 
 /**
  * Email status in the cache
@@ -10,7 +10,7 @@ export type TCachedEmailStatus = 'pending' | 'processing' | 'delivered' | 'faile
 /**
  * Helper to get the smartdata database instance
  */
-const getDb = () => CacheDb.getInstance().getDb();
+const getDb = () => DcRouterDb.getInstance().getDb();
 
 /**
  * CachedEmail - Stores email queue items in the cache
@@ -35,55 +35,55 @@ export class CachedEmail extends CachedDocument<CachedEmail> {
    */
   @plugins.smartdata.unI()
   @plugins.smartdata.svDb()
-  public id: string;
+  public id!: string;
 
   /**
    * Email message ID (RFC 822 Message-ID header)
    */
   @plugins.smartdata.svDb()
-  public messageId: string;
+  public messageId!: string;
 
   /**
    * Sender email address (envelope from)
    */
   @plugins.smartdata.svDb()
-  public from: string;
+  public from!: string;
 
   /**
    * Recipient email addresses
    */
   @plugins.smartdata.svDb()
-  public to: string[];
+  public to!: string[];
 
   /**
    * CC recipients
    */
   @plugins.smartdata.svDb()
-  public cc: string[];
+  public cc!: string[];
 
   /**
    * BCC recipients
    */
   @plugins.smartdata.svDb()
-  public bcc: string[];
+  public bcc!: string[];
 
   /**
    * Email subject
    */
   @plugins.smartdata.svDb()
-  public subject: string;
+  public subject!: string;
 
   /**
    * Raw RFC822 email content
    */
   @plugins.smartdata.svDb()
-  public rawContent: string;
+  public rawContent!: string;
 
   /**
    * Current status of the email
    */
   @plugins.smartdata.svDb()
-  public status: TCachedEmailStatus;
+  public status!: TCachedEmailStatus;
 
   /**
    * Number of delivery attempts
@@ -101,25 +101,25 @@ export class CachedEmail extends CachedDocument<CachedEmail> {
    * Timestamp for next delivery attempt
    */
   @plugins.smartdata.svDb()
-  public nextAttempt: Date;
+  public nextAttempt!: Date;
 
   /**
    * Last error message if delivery failed
    */
   @plugins.smartdata.svDb()
-  public lastError: string;
+  public lastError!: string;
 
   /**
    * Timestamp when the email was successfully delivered
    */
   @plugins.smartdata.svDb()
-  public deliveredAt: Date;
+  public deliveredAt!: Date;
 
   /**
    * Sender domain (for querying/filtering)
    */
   @plugins.smartdata.svDb()
-  public senderDomain: string;
+  public senderDomain!: string;
 
   /**
    * Priority level (higher = more important)
@@ -131,7 +131,7 @@ export class CachedEmail extends CachedDocument<CachedEmail> {
    * JSON-serialized route data
    */
   @plugins.smartdata.svDb()
-  public routeData: string;
+  public routeData!: string;
 
   /**
    * DKIM signature status

ts/db/documents/classes.cached.ip.reputation.ts

@@ -1,11 +1,11 @@
 import * as plugins from '../../plugins.js';
 import { CachedDocument, TTL } from '../classes.cached.document.js';
-import { CacheDb } from '../classes.cachedb.js';
+import { DcRouterDb } from '../classes.dcrouter-db.js';
 
 /**
  * Helper to get the smartdata database instance
  */
-const getDb = () => CacheDb.getInstance().getDb();
+const getDb = () => DcRouterDb.getInstance().getDb();
 
 /**
  * IP reputation result data
@@ -45,61 +45,61 @@ export class CachedIPReputation extends CachedDocument<CachedIPReputation> {
    */
   @plugins.smartdata.unI()
   @plugins.smartdata.svDb()
-  public ipAddress: string;
+  public ipAddress!: string;
 
   /**
    * Reputation score (0-100, higher = better)
    */
   @plugins.smartdata.svDb()
-  public score: number;
+  public score!: number;
 
   /**
    * Whether the IP is flagged as spam source
    */
   @plugins.smartdata.svDb()
-  public isSpam: boolean;
+  public isSpam!: boolean;
 
   /**
    * Whether the IP is a known proxy
    */
   @plugins.smartdata.svDb()
-  public isProxy: boolean;
+  public isProxy!: boolean;
 
   /**
    * Whether the IP is a Tor exit node
    */
   @plugins.smartdata.svDb()
-  public isTor: boolean;
+  public isTor!: boolean;
 
   /**
    * Whether the IP is a VPN endpoint
    */
   @plugins.smartdata.svDb()
-  public isVPN: boolean;
+  public isVPN!: boolean;
 
   /**
    * Country code (ISO 3166-1 alpha-2)
    */
   @plugins.smartdata.svDb()
-  public country: string;
+  public country!: string;
 
   /**
    * Autonomous System Number
    */
   @plugins.smartdata.svDb()
-  public asn: string;
+  public asn!: string;
 
   /**
    * Organization name
    */
   @plugins.smartdata.svDb()
-  public org: string;
+  public org!: string;
 
   /**
    * List of blacklists the IP appears on
    */
   @plugins.smartdata.svDb()
-  public blacklists: string[];
+  public blacklists!: string[];
 
   /**
    * Number of times this IP has been checked

ts/db/documents/classes.cert-backoff.doc.ts

@@ -0,0 +1,35 @@
+import * as plugins from '../../plugins.js';
+import { DcRouterDb } from '../classes.dcrouter-db.js';
+
+const getDb = () => DcRouterDb.getInstance().getDb();
+
+@plugins.smartdata.Collection(() => getDb())
+export class CertBackoffDoc extends plugins.smartdata.SmartDataDbDoc<CertBackoffDoc, CertBackoffDoc> {
+  @plugins.smartdata.unI()
+  @plugins.smartdata.svDb()
+  public domain!: string;
+
+  @plugins.smartdata.svDb()
+  public failures!: number;
+
+  @plugins.smartdata.svDb()
+  public lastFailure!: string;
+
+  @plugins.smartdata.svDb()
+  public retryAfter!: string;
+
+  @plugins.smartdata.svDb()
+  public lastError!: string;
+
+  constructor() {
+    super();
+  }
+
+  public static async findByDomain(domain: string): Promise<CertBackoffDoc | null> {
+    return await CertBackoffDoc.getInstance({ domain });
+  }
+
+  public static async findAll(): Promise<CertBackoffDoc[]> {
+    return await CertBackoffDoc.getInstances({});
+  }
+}

ts/db/documents/classes.dns-provider.doc.ts

@@ -0,0 +1,63 @@
+import * as plugins from '../../plugins.js';
+import { DcRouterDb } from '../classes.dcrouter-db.js';
+import type {
+  TDnsProviderType,
+  TDnsProviderStatus,
+  TDnsProviderCredentials,
+} from '../../../ts_interfaces/data/dns-provider.js';
+
+const getDb = () => DcRouterDb.getInstance().getDb();
+
+@plugins.smartdata.Collection(() => getDb())
+export class DnsProviderDoc extends plugins.smartdata.SmartDataDbDoc<DnsProviderDoc, DnsProviderDoc> {
+  @plugins.smartdata.unI()
+  @plugins.smartdata.svDb()
+  public id!: string;
+
+  @plugins.smartdata.svDb()
+  public name: string = '';
+
+  @plugins.smartdata.svDb()
+  public type!: TDnsProviderType;
+
+  /**
+   * Provider credentials, persisted as an opaque object. Shape varies by `type`.
+   * Never returned to the UI — handlers map to IDnsProviderPublic before sending.
+   */
+  @plugins.smartdata.svDb()
+  public credentials!: TDnsProviderCredentials;
+
+  @plugins.smartdata.svDb()
+  public status: TDnsProviderStatus = 'untested';
+
+  @plugins.smartdata.svDb()
+  public lastTestedAt?: number;
+
+  @plugins.smartdata.svDb()
+  public lastError?: string;
+
+  @plugins.smartdata.svDb()
+  public createdAt!: number;
+
+  @plugins.smartdata.svDb()
+  public updatedAt!: number;
+
+  @plugins.smartdata.svDb()
+  public createdBy!: string;
+
+  constructor() {
+    super();
+  }
+
+  public static async findById(id: string): Promise<DnsProviderDoc | null> {
+    return await DnsProviderDoc.getInstance({ id });
+  }
+
+  public static async findAll(): Promise<DnsProviderDoc[]> {
+    return await DnsProviderDoc.getInstances({});
+  }
+
+  public static async findByType(type: TDnsProviderType): Promise<DnsProviderDoc[]> {
+    return await DnsProviderDoc.getInstances({ type });
+  }
+}

ts/db/documents/classes.dns-record.doc.ts

@@ -0,0 +1,62 @@
+import * as plugins from '../../plugins.js';
+import { DcRouterDb } from '../classes.dcrouter-db.js';
+import type { TDnsRecordType, TDnsRecordSource } from '../../../ts_interfaces/data/dns-record.js';
+
+const getDb = () => DcRouterDb.getInstance().getDb();
+
+@plugins.smartdata.Collection(() => getDb())
+export class DnsRecordDoc extends plugins.smartdata.SmartDataDbDoc<DnsRecordDoc, DnsRecordDoc> {
+  @plugins.smartdata.unI()
+  @plugins.smartdata.svDb()
+  public id!: string;
+
+  @plugins.smartdata.svDb()
+  public domainId!: string;
+
+  /** FQDN of the record (e.g. 'www.example.com'). */
+  @plugins.smartdata.svDb()
+  public name: string = '';
+
+  @plugins.smartdata.svDb()
+  public type!: TDnsRecordType;
+
+  @plugins.smartdata.svDb()
+  public value!: string;
+
+  @plugins.smartdata.svDb()
+  public ttl: number = 300;
+
+  @plugins.smartdata.svDb()
+  public proxied?: boolean;
+
+  @plugins.smartdata.svDb()
+  public source!: TDnsRecordSource;
+
+  @plugins.smartdata.svDb()
+  public providerRecordId?: string;
+
+  @plugins.smartdata.svDb()
+  public createdAt!: number;
+
+  @plugins.smartdata.svDb()
+  public updatedAt!: number;
+
+  @plugins.smartdata.svDb()
+  public createdBy!: string;
+
+  constructor() {
+    super();
+  }
+
+  public static async findById(id: string): Promise<DnsRecordDoc | null> {
+    return await DnsRecordDoc.getInstance({ id });
+  }
+
+  public static async findAll(): Promise<DnsRecordDoc[]> {
+    return await DnsRecordDoc.getInstances({});
+  }
+
+  public static async findByDomainId(domainId: string): Promise<DnsRecordDoc[]> {
+    return await DnsRecordDoc.getInstances({ domainId });
+  }
+}

ts/db/documents/classes.domain.doc.ts

@@ -0,0 +1,66 @@
+import * as plugins from '../../plugins.js';
+import { DcRouterDb } from '../classes.dcrouter-db.js';
+import type { TDomainSource } from '../../../ts_interfaces/data/domain.js';
+
+const getDb = () => DcRouterDb.getInstance().getDb();
+
+@plugins.smartdata.Collection(() => getDb())
+export class DomainDoc extends plugins.smartdata.SmartDataDbDoc<DomainDoc, DomainDoc> {
+  @plugins.smartdata.unI()
+  @plugins.smartdata.svDb()
+  public id!: string;
+
+  /** FQDN — kept lowercased on save. */
+  @plugins.smartdata.svDb()
+  public name: string = '';
+
+  @plugins.smartdata.svDb()
+  public source!: TDomainSource;
+
+  @plugins.smartdata.svDb()
+  public providerId?: string;
+
+  @plugins.smartdata.svDb()
+  public authoritative: boolean = false;
+
+  @plugins.smartdata.svDb()
+  public nameservers?: string[];
+
+  @plugins.smartdata.svDb()
+  public externalZoneId?: string;
+
+  @plugins.smartdata.svDb()
+  public lastSyncedAt?: number;
+
+  @plugins.smartdata.svDb()
+  public description?: string;
+
+  @plugins.smartdata.svDb()
+  public createdAt!: number;
+
+  @plugins.smartdata.svDb()
+  public updatedAt!: number;
+
+  @plugins.smartdata.svDb()
+  public createdBy!: string;
+
+  constructor() {
+    super();
+  }
+
+  public static async findById(id: string): Promise<DomainDoc | null> {
+    return await DomainDoc.getInstance({ id });
+  }
+
+  public static async findByName(name: string): Promise<DomainDoc | null> {
+    return await DomainDoc.getInstance({ name: name.toLowerCase() });
+  }
+
+  public static async findAll(): Promise<DomainDoc[]> {
+    return await DomainDoc.getInstances({});
+  }
+
+  public static async findByProviderId(providerId: string): Promise<DomainDoc[]> {
+    return await DomainDoc.getInstances({ providerId });
+  }
+}

ts/db/documents/classes.email-domain.doc.ts

@@ -0,0 +1,56 @@
+import * as plugins from '../../plugins.js';
+import { DcRouterDb } from '../classes.dcrouter-db.js';
+import type {
+  IEmailDomainDkim,
+  IEmailDomainRateLimits,
+  IEmailDomainDnsStatus,
+} from '../../../ts_interfaces/data/email-domain.js';
+
+const getDb = () => DcRouterDb.getInstance().getDb();
+
+@plugins.smartdata.Collection(() => getDb())
+export class EmailDomainDoc extends plugins.smartdata.SmartDataDbDoc<EmailDomainDoc, EmailDomainDoc> {
+  @plugins.smartdata.unI()
+  @plugins.smartdata.svDb()
+  public id!: string;
+
+  @plugins.smartdata.svDb()
+  public domain: string = '';
+
+  @plugins.smartdata.svDb()
+  public linkedDomainId: string = '';
+
+  @plugins.smartdata.svDb()
+  public subdomain?: string;
+
+  @plugins.smartdata.svDb()
+  public dkim!: IEmailDomainDkim;
+
+  @plugins.smartdata.svDb()
+  public rateLimits?: IEmailDomainRateLimits;
+
+  @plugins.smartdata.svDb()
+  public dnsStatus!: IEmailDomainDnsStatus;
+
+  @plugins.smartdata.svDb()
+  public createdAt!: string;
+
+  @plugins.smartdata.svDb()
+  public updatedAt!: string;
+
+  constructor() {
+    super();
+  }
+
+  public static async findById(id: string): Promise<EmailDomainDoc | null> {
+    return await EmailDomainDoc.getInstance({ id });
+  }
+
+  public static async findByDomain(domain: string): Promise<EmailDomainDoc | null> {
+    return await EmailDomainDoc.getInstance({ domain: domain.toLowerCase() });
+  }
+
+  public static async findAll(): Promise<EmailDomainDoc[]> {
+    return await EmailDomainDoc.getInstances({});
+  }
+}

ts/db/documents/classes.network-target.doc.ts

@@ -0,0 +1,48 @@
+import * as plugins from '../../plugins.js';
+import { DcRouterDb } from '../classes.dcrouter-db.js';
+
+const getDb = () => DcRouterDb.getInstance().getDb();
+
+@plugins.smartdata.Collection(() => getDb())
+export class NetworkTargetDoc extends plugins.smartdata.SmartDataDbDoc<NetworkTargetDoc, NetworkTargetDoc> {
+  @plugins.smartdata.unI()
+  @plugins.smartdata.svDb()
+  public id!: string;
+
+  @plugins.smartdata.svDb()
+  public name: string = '';
+
+  @plugins.smartdata.svDb()
+  public description?: string;
+
+  @plugins.smartdata.svDb()
+  public host!: string | string[];
+
+  @plugins.smartdata.svDb()
+  public port!: number;
+
+  @plugins.smartdata.svDb()
+  public createdAt!: number;
+
+  @plugins.smartdata.svDb()
+  public updatedAt!: number;
+
+  @plugins.smartdata.svDb()
+  public createdBy!: string;
+
+  constructor() {
+    super();
+  }
+
+  public static async findById(id: string): Promise<NetworkTargetDoc | null> {
+    return await NetworkTargetDoc.getInstance({ id });
+  }
+
+  public static async findByName(name: string): Promise<NetworkTargetDoc | null> {
+    return await NetworkTargetDoc.getInstance({ name });
+  }
+
+  public static async findAll(): Promise<NetworkTargetDoc[]> {
+    return await NetworkTargetDoc.getInstances({});
+  }
+}

ts/db/documents/classes.proxy-cert.doc.ts

@@ -0,0 +1,38 @@
+import * as plugins from '../../plugins.js';
+import { DcRouterDb } from '../classes.dcrouter-db.js';
+
+const getDb = () => DcRouterDb.getInstance().getDb();
+
+@plugins.smartdata.Collection(() => getDb())
+export class ProxyCertDoc extends plugins.smartdata.SmartDataDbDoc<ProxyCertDoc, ProxyCertDoc> {
+  @plugins.smartdata.unI()
+  @plugins.smartdata.svDb()
+  public domain!: string;
+
+  @plugins.smartdata.svDb()
+  public publicKey!: string;
+
+  @plugins.smartdata.svDb()
+  public privateKey!: string;
+
+  @plugins.smartdata.svDb()
+  public ca!: string;
+
+  @plugins.smartdata.svDb()
+  public validUntil!: number;
+
+  @plugins.smartdata.svDb()
+  public validFrom!: number;
+
+  constructor() {
+    super();
+  }
+
+  public static async findByDomain(domain: string): Promise<ProxyCertDoc | null> {
+    return await ProxyCertDoc.getInstance({ domain });
+  }
+
+  public static async findAll(): Promise<ProxyCertDoc[]> {
+    return await ProxyCertDoc.getInstances({});
+  }
+}

ts/db/documents/classes.remote-ingress-edge.doc.ts

@@ -0,0 +1,54 @@
+import * as plugins from '../../plugins.js';
+import { DcRouterDb } from '../classes.dcrouter-db.js';
+
+const getDb = () => DcRouterDb.getInstance().getDb();
+
+@plugins.smartdata.Collection(() => getDb())
+export class RemoteIngressEdgeDoc extends plugins.smartdata.SmartDataDbDoc<RemoteIngressEdgeDoc, RemoteIngressEdgeDoc> {
+  @plugins.smartdata.unI()
+  @plugins.smartdata.svDb()
+  public id!: string;
+
+  @plugins.smartdata.svDb()
+  public name: string = '';
+
+  @plugins.smartdata.svDb()
+  public secret!: string;
+
+  @plugins.smartdata.svDb()
+  public listenPorts!: number[];
+
+  @plugins.smartdata.svDb()
+  public listenPortsUdp!: number[];
+
+  @plugins.smartdata.svDb()
+  public enabled!: boolean;
+
+  @plugins.smartdata.svDb()
+  public autoDerivePorts!: boolean;
+
+  @plugins.smartdata.svDb()
+  public tags!: string[];
+
+  @plugins.smartdata.svDb()
+  public createdAt!: number;
+
+  @plugins.smartdata.svDb()
+  public updatedAt!: number;
+
+  constructor() {
+    super();
+  }
+
+  public static async findById(id: string): Promise<RemoteIngressEdgeDoc | null> {
+    return await RemoteIngressEdgeDoc.getInstance({ id });
+  }
+
+  public static async findAll(): Promise<RemoteIngressEdgeDoc[]> {
+    return await RemoteIngressEdgeDoc.getInstances({});
+  }
+
+  public static async findEnabled(): Promise<RemoteIngressEdgeDoc[]> {
+    return await RemoteIngressEdgeDoc.getInstances({ enabled: true });
+  }
+}

ts/db/documents/classes.route.doc.ts

@@ -0,0 +1,61 @@
+import * as plugins from '../../plugins.js';
+import { DcRouterDb } from '../classes.dcrouter-db.js';
+import type { IRouteMetadata } from '../../../ts_interfaces/data/route-management.js';
+import type { IDcRouterRouteConfig } from '../../../ts_interfaces/data/remoteingress.js';
+
+const getDb = () => DcRouterDb.getInstance().getDb();
+
+@plugins.smartdata.Collection(() => getDb())
+export class RouteDoc extends plugins.smartdata.SmartDataDbDoc<RouteDoc, RouteDoc> {
+  @plugins.smartdata.unI()
+  @plugins.smartdata.svDb()
+  public id!: string;
+
+  @plugins.smartdata.svDb()
+  public route!: IDcRouterRouteConfig;
+
+  @plugins.smartdata.svDb()
+  public enabled!: boolean;
+
+  @plugins.smartdata.svDb()
+  public createdAt!: number;
+
+  @plugins.smartdata.svDb()
+  public updatedAt!: number;
+
+  @plugins.smartdata.svDb()
+  public createdBy!: string;
+
+  @plugins.smartdata.svDb()
+  public origin!: 'config' | 'email' | 'dns' | 'api';
+
+  @plugins.smartdata.svDb()
+  public systemKey?: string;
+
+  @plugins.smartdata.svDb()
+  public metadata?: IRouteMetadata;
+
+  constructor() {
+    super();
+  }
+
+  public static async findById(id: string): Promise<RouteDoc | null> {
+    return await RouteDoc.getInstance({ id });
+  }
+
+  public static async findAll(): Promise<RouteDoc[]> {
+    return await RouteDoc.getInstances({});
+  }
+
+  public static async findByName(name: string): Promise<RouteDoc | null> {
+    return await RouteDoc.getInstance({ 'route.name': name });
+  }
+
+  public static async findByOrigin(origin: 'config' | 'email' | 'dns' | 'api'): Promise<RouteDoc[]> {
+    return await RouteDoc.getInstances({ origin });
+  }
+
+  public static async findBySystemKey(systemKey: string): Promise<RouteDoc | null> {
+    return await RouteDoc.getInstance({ systemKey });
+  }
+}

ts/db/documents/classes.source-profile.doc.ts

@@ -0,0 +1,45 @@
+import * as plugins from '../../plugins.js';
+import { DcRouterDb } from '../classes.dcrouter-db.js';
+import type { IRouteSecurity } from '../../../ts_interfaces/data/route-management.js';
+
+const getDb = () => DcRouterDb.getInstance().getDb();
+
+@plugins.smartdata.Collection(() => getDb())
+export class SourceProfileDoc extends plugins.smartdata.SmartDataDbDoc<SourceProfileDoc, SourceProfileDoc> {
+  @plugins.smartdata.unI()
+  @plugins.smartdata.svDb()
+  public id!: string;
+
+  @plugins.smartdata.svDb()
+  public name: string = '';
+
+  @plugins.smartdata.svDb()
+  public description?: string;
+
+  @plugins.smartdata.svDb()
+  public security!: IRouteSecurity;
+
+  @plugins.smartdata.svDb()
+  public extendsProfiles?: string[];
+
+  @plugins.smartdata.svDb()
+  public createdAt!: number;
+
+  @plugins.smartdata.svDb()
+  public updatedAt!: number;
+
+  @plugins.smartdata.svDb()
+  public createdBy!: string;
+
+  constructor() {
+    super();
+  }
+
+  public static async findById(id: string): Promise<SourceProfileDoc | null> {
+    return await SourceProfileDoc.getInstance({ id });
+  }
+
+  public static async findAll(): Promise<SourceProfileDoc[]> {
+    return await SourceProfileDoc.getInstances({});
+  }
+}

ts/db/documents/classes.target-profile.doc.ts

@@ -0,0 +1,48 @@
+import * as plugins from '../../plugins.js';
+import { DcRouterDb } from '../classes.dcrouter-db.js';
+import type { ITargetProfileTarget } from '../../../ts_interfaces/data/target-profile.js';
+
+const getDb = () => DcRouterDb.getInstance().getDb();
+
+@plugins.smartdata.Collection(() => getDb())
+export class TargetProfileDoc extends plugins.smartdata.SmartDataDbDoc<TargetProfileDoc, TargetProfileDoc> {
+  @plugins.smartdata.unI()
+  @plugins.smartdata.svDb()
+  public id!: string;
+
+  @plugins.smartdata.svDb()
+  public name: string = '';
+
+  @plugins.smartdata.svDb()
+  public description?: string;
+
+  @plugins.smartdata.svDb()
+  public domains?: string[];
+
+  @plugins.smartdata.svDb()
+  public targets?: ITargetProfileTarget[];
+
+  @plugins.smartdata.svDb()
+  public routeRefs?: string[];
+
+  @plugins.smartdata.svDb()
+  public createdAt!: number;
+
+  @plugins.smartdata.svDb()
+  public updatedAt!: number;
+
+  @plugins.smartdata.svDb()
+  public createdBy!: string;
+
+  constructor() {
+    super();
+  }
+
+  public static async findById(id: string): Promise<TargetProfileDoc | null> {
+    return await TargetProfileDoc.getInstance({ id });
+  }
+
+  public static async findAll(): Promise<TargetProfileDoc[]> {
+    return await TargetProfileDoc.getInstances({});
+  }
+}

ts/db/documents/classes.vlan-mappings.doc.ts

@@ -0,0 +1,32 @@
+import * as plugins from '../../plugins.js';
+import { DcRouterDb } from '../classes.dcrouter-db.js';
+
+const getDb = () => DcRouterDb.getInstance().getDb();
+
+export interface IMacVlanMapping {
+  mac: string;
+  vlan: number;
+  description?: string;
+  enabled: boolean;
+  createdAt: number;
+  updatedAt: number;
+}
+
+@plugins.smartdata.Collection(() => getDb())
+export class VlanMappingsDoc extends plugins.smartdata.SmartDataDbDoc<VlanMappingsDoc, VlanMappingsDoc> {
+  @plugins.smartdata.unI()
+  @plugins.smartdata.svDb()
+  public configId: string = 'vlan-mappings';
+
+  @plugins.smartdata.svDb()
+  public mappings!: IMacVlanMapping[];
+
+  constructor() {
+    super();
+    this.mappings = [];
+  }
+
+  public static async load(): Promise<VlanMappingsDoc | null> {
+    return await VlanMappingsDoc.getInstance({ configId: 'vlan-mappings' });
+  }
+}

ts/db/documents/classes.vpn-client.doc.ts

@@ -0,0 +1,70 @@
+import * as plugins from '../../plugins.js';
+import { DcRouterDb } from '../classes.dcrouter-db.js';
+
+const getDb = () => DcRouterDb.getInstance().getDb();
+
+@plugins.smartdata.Collection(() => getDb())
+export class VpnClientDoc extends plugins.smartdata.SmartDataDbDoc<VpnClientDoc, VpnClientDoc> {
+  @plugins.smartdata.unI()
+  @plugins.smartdata.svDb()
+  public clientId!: string;
+
+  @plugins.smartdata.svDb()
+  public enabled!: boolean;
+
+  @plugins.smartdata.svDb()
+  public targetProfileIds?: string[];
+
+  @plugins.smartdata.svDb()
+  public description?: string;
+
+  @plugins.smartdata.svDb()
+  public assignedIp?: string;
+
+  @plugins.smartdata.svDb()
+  public noisePublicKey!: string;
+
+  @plugins.smartdata.svDb()
+  public wgPublicKey!: string;
+
+  @plugins.smartdata.svDb()
+  public wgPrivateKey?: string;
+
+  @plugins.smartdata.svDb()
+  public createdAt!: number;
+
+  @plugins.smartdata.svDb()
+  public updatedAt!: number;
+
+  @plugins.smartdata.svDb()
+  public expiresAt?: string;
+
+  @plugins.smartdata.svDb()
+  public destinationAllowList?: string[];
+
+  @plugins.smartdata.svDb()
+  public destinationBlockList?: string[];
+
+  @plugins.smartdata.svDb()
+  public useHostIp?: boolean;
+
+  @plugins.smartdata.svDb()
+  public useDhcp?: boolean;
+
+  @plugins.smartdata.svDb()
+  public staticIp?: string;
+
+  @plugins.smartdata.svDb()
+  public forceVlan?: boolean;
+
+  @plugins.smartdata.svDb()
+  public vlanId?: number;
+
+  constructor() {
+    super();
+  }
+
+  public static async findAll(): Promise<VpnClientDoc[]> {
+    return await VpnClientDoc.getInstances({});
+  }
+}

ts/db/documents/classes.vpn-server-keys.doc.ts

@@ -0,0 +1,31 @@
+import * as plugins from '../../plugins.js';
+import { DcRouterDb } from '../classes.dcrouter-db.js';
+
+const getDb = () => DcRouterDb.getInstance().getDb();
+
+@plugins.smartdata.Collection(() => getDb())
+export class VpnServerKeysDoc extends plugins.smartdata.SmartDataDbDoc<VpnServerKeysDoc, VpnServerKeysDoc> {
+  @plugins.smartdata.unI()
+  @plugins.smartdata.svDb()
+  public configId: string = 'vpn-server-keys';
+
+  @plugins.smartdata.svDb()
+  public noisePrivateKey!: string;
+
+  @plugins.smartdata.svDb()
+  public noisePublicKey!: string;
+
+  @plugins.smartdata.svDb()
+  public wgPrivateKey!: string;
+
+  @plugins.smartdata.svDb()
+  public wgPublicKey!: string;
+
+  constructor() {
+    super();
+  }
+
+  public static async load(): Promise<VpnServerKeysDoc | null> {
+    return await VpnServerKeysDoc.getInstance({ configId: 'vpn-server-keys' });
+  }
+}

ts/db/documents/index.ts

@@ -0,0 +1,37 @@
+// Cached/TTL document classes
+export * from './classes.cached.email.js';
+export * from './classes.cached.ip.reputation.js';
+
+// Config document classes
+export * from './classes.route.doc.js';
+export * from './classes.api-token.doc.js';
+export * from './classes.source-profile.doc.js';
+export * from './classes.target-profile.doc.js';
+export * from './classes.network-target.doc.js';
+
+// VPN document classes
+export * from './classes.vpn-server-keys.doc.js';
+export * from './classes.vpn-client.doc.js';
+
+// Certificate document classes
+export * from './classes.acme-cert.doc.js';
+export * from './classes.proxy-cert.doc.js';
+export * from './classes.cert-backoff.doc.js';
+
+// Remote ingress document classes
+export * from './classes.remote-ingress-edge.doc.js';
+
+// RADIUS document classes
+export * from './classes.vlan-mappings.doc.js';
+export * from './classes.accounting-session.doc.js';
+
+// DNS / Domain management document classes
+export * from './classes.dns-provider.doc.js';
+export * from './classes.domain.doc.js';
+export * from './classes.dns-record.doc.js';
+
+// ACME configuration (singleton)
+export * from './classes.acme-config.doc.js';
+
+// Email domain management
+export * from './classes.email-domain.doc.js';

ts/db/index.ts

@@ -1,6 +1,10 @@
-// Core cache infrastructure
-export * from './classes.cachedb.js';
+// Unified database manager
+export * from './classes.dcrouter-db.js';
+
+// TTL base class and constants
 export * from './classes.cached.document.js';
+
+// Cache cleaner
 export * from './classes.cache.cleaner.js';
 
 // Document classes

ts/dns/index.ts

@@ -0,0 +1,2 @@
+export * from './manager.dns.js';
+export * from './providers/index.js';

ts/dns/providers/cloudflare.provider.ts

@@ -0,0 +1,131 @@
+import * as plugins from '../../plugins.js';
+import { logger } from '../../logger.js';
+import type {
+  IDnsProviderClient,
+  IConnectionTestResult,
+  IProviderRecord,
+  IProviderRecordInput,
+} from './interfaces.js';
+import type { IProviderDomainListing } from '../../../ts_interfaces/data/dns-provider.js';
+import type { TDnsRecordType } from '../../../ts_interfaces/data/dns-record.js';
+
+/**
+ * Cloudflare implementation of IDnsProviderClient.
+ *
+ * Wraps `@apiclient.xyz/cloudflare`. Records at Cloudflare are addressed by
+ * an internal record id, which we surface as `providerRecordId` so the rest
+ * of the system can issue updates and deletes without ambiguity (Cloudflare
+ * can have multiple records of the same name+type).
+ */
+export class CloudflareDnsProvider implements IDnsProviderClient {
+  private cfAccount: plugins.cloudflare.CloudflareAccount;
+
+  constructor(apiToken: string) {
+    if (!apiToken) {
+      throw new Error('CloudflareDnsProvider: apiToken is required');
+    }
+    this.cfAccount = new plugins.cloudflare.CloudflareAccount(apiToken);
+  }
+
+  public async testConnection(): Promise<IConnectionTestResult> {
+    try {
+      // Listing zones is the lightest-weight call that proves the token works.
+      await this.cfAccount.zoneManager.listZones();
+      return { ok: true };
+    } catch (err: unknown) {
+      const message = err instanceof Error ? err.message : String(err);
+      logger.log('warn', `CloudflareDnsProvider testConnection failed: ${message}`);
+      return { ok: false, error: message };
+    }
+  }
+
+  public async listDomains(): Promise<IProviderDomainListing[]> {
+    const zones = await this.cfAccount.zoneManager.listZones();
+    return zones.map((zone) => ({
+      name: zone.name,
+      externalId: zone.id,
+      nameservers: zone.name_servers ?? [],
+    }));
+  }
+
+  public async listRecords(domain: string): Promise<IProviderRecord[]> {
+    const records = await this.cfAccount.recordManager.listRecords(domain);
+    return records
+      .filter((r) => this.isSupportedType(r.type))
+      .map((r) => ({
+        providerRecordId: r.id,
+        name: r.name,
+        type: r.type as TDnsRecordType,
+        value: r.content,
+        ttl: r.ttl,
+        proxied: r.proxied,
+      }));
+  }
+
+  public async createRecord(
+    domain: string,
+    record: IProviderRecordInput,
+  ): Promise<IProviderRecord> {
+    const zoneId = await this.cfAccount.zoneManager.getZoneId(domain);
+    const apiRecord: any = {
+      zone_id: zoneId,
+      type: record.type,
+      name: record.name,
+      content: record.value,
+      ttl: record.ttl ?? 1, // 1 = automatic
+    };
+    if (record.proxied !== undefined) {
+      apiRecord.proxied = record.proxied;
+    }
+    const created = await (this.cfAccount as any).apiAccount.dns.records.create(apiRecord);
+    return {
+      providerRecordId: created.id,
+      name: created.name,
+      type: created.type as TDnsRecordType,
+      value: created.content,
+      ttl: created.ttl,
+      proxied: created.proxied,
+    };
+  }
+
+  public async updateRecord(
+    domain: string,
+    providerRecordId: string,
+    record: IProviderRecordInput,
+  ): Promise<IProviderRecord> {
+    const zoneId = await this.cfAccount.zoneManager.getZoneId(domain);
+    const apiRecord: any = {
+      zone_id: zoneId,
+      type: record.type,
+      name: record.name,
+      content: record.value,
+      ttl: record.ttl ?? 1,
+    };
+    if (record.proxied !== undefined) {
+      apiRecord.proxied = record.proxied;
+    }
+    const updated = await (this.cfAccount as any).apiAccount.dns.records.edit(
+      providerRecordId,
+      apiRecord,
+    );
+    return {
+      providerRecordId: updated.id,
+      name: updated.name,
+      type: updated.type as TDnsRecordType,
+      value: updated.content,
+      ttl: updated.ttl,
+      proxied: updated.proxied,
+    };
+  }
+
+  public async deleteRecord(domain: string, providerRecordId: string): Promise<void> {
+    const zoneId = await this.cfAccount.zoneManager.getZoneId(domain);
+    await (this.cfAccount as any).apiAccount.dns.records.delete(providerRecordId, {
+      zone_id: zoneId,
+    });
+  }
+
+  private isSupportedType(type: string): boolean {
+    return ['A', 'AAAA', 'CNAME', 'MX', 'TXT', 'NS', 'SOA', 'CAA'].includes(type);
+  }
+}

ts/dns/providers/factory.ts

@@ -0,0 +1,59 @@
+import type { IDnsProviderClient } from './interfaces.js';
+import type {
+  TDnsProviderType,
+  TDnsProviderCredentials,
+} from '../../../ts_interfaces/data/dns-provider.js';
+import { CloudflareDnsProvider } from './cloudflare.provider.js';
+
+/**
+ * Instantiate a runtime DNS provider client from a stored DnsProviderDoc.
+ *
+ * @throws if the provider type is not supported.
+ *
+ * ## Adding a new provider (e.g. Route53)
+ *
+ * 1. **Type union** — extend `TDnsProviderType` in
+ *    `ts_interfaces/data/dns-provider.ts` (e.g. `'cloudflare' | 'route53'`).
+ * 2. **Credentials interface** — add `IRoute53Credentials` and append it to
+ *    the `TDnsProviderCredentials` discriminated union.
+ * 3. **Descriptor** — append a new entry to `dnsProviderTypeDescriptors` so
+ *    the OpsServer UI picks up the new type and renders the right credential
+ *    form fields automatically.
+ * 4. **Provider class** — create `ts/dns/providers/route53.provider.ts`
+ *    implementing `IDnsProviderClient`.
+ * 5. **Factory case** — add a new `case 'route53':` below. The
+ *    `_exhaustive: never` line will fail to compile until you do.
+ * 6. **Index** — re-export the new class from `ts/dns/providers/index.ts`.
+ */
+export function createDnsProvider(
+  type: TDnsProviderType,
+  credentials: TDnsProviderCredentials,
+): IDnsProviderClient {
+  switch (type) {
+    case 'cloudflare': {
+      if (credentials.type !== 'cloudflare') {
+        throw new Error(
+          `createDnsProvider: type mismatch — provider type is 'cloudflare' but credentials.type is '${credentials.type}'`,
+        );
+      }
+      return new CloudflareDnsProvider(credentials.apiToken);
+    }
+    case 'dcrouter': {
+      // The built-in DcRouter pseudo-provider has no runtime client — dcrouter
+      // itself serves the records via the embedded smartdns.DnsServer. This
+      // case exists only to satisfy the exhaustive switch; it should never
+      // actually run because the handler layer rejects any CRUD that would
+      // result in a DnsProviderDoc with type: 'dcrouter'.
+      throw new Error(
+        `createDnsProvider: 'dcrouter' is a built-in pseudo-provider — no runtime client exists. ` +
+          `This call indicates a DnsProviderDoc with type: 'dcrouter' was persisted, which should never happen.`,
+      );
+    }
+    default: {
+      // If you see a TypeScript error here after extending TDnsProviderType,
+      // add a `case` for the new type above. The `never` enforces exhaustiveness.
+      const _exhaustive: never = type;
+      throw new Error(`createDnsProvider: unsupported provider type: ${_exhaustive}`);
+    }
+  }
+}

ts/dns/providers/index.ts

@@ -0,0 +1,3 @@
+export * from './interfaces.js';
+export * from './cloudflare.provider.js';
+export * from './factory.js';

ts/dns/providers/interfaces.ts

@@ -0,0 +1,67 @@
+import type { TDnsRecordType } from '../../../ts_interfaces/data/dns-record.js';
+import type { IProviderDomainListing } from '../../../ts_interfaces/data/dns-provider.js';
+
+/**
+ * A DNS record as seen at a provider's API. The `providerRecordId` field
+ * is the provider's internal identifier, used for subsequent updates and
+ * deletes (since providers can have multiple records of the same name+type).
+ */
+export interface IProviderRecord {
+  providerRecordId: string;
+  name: string;
+  type: TDnsRecordType;
+  value: string;
+  ttl: number;
+  proxied?: boolean;
+}
+
+/**
+ * Input shape for creating / updating a DNS record at a provider.
+ */
+export interface IProviderRecordInput {
+  name: string;
+  type: TDnsRecordType;
+  value: string;
+  ttl?: number;
+  proxied?: boolean;
+}
+
+/**
+ * Outcome of a connection test against a provider's API.
+ */
+export interface IConnectionTestResult {
+  ok: boolean;
+  error?: string;
+}
+
+/**
+ * Pluggable DNS provider client interface. One implementation per provider type
+ * (Cloudflare, Route53, …). Implementations live in ts/dns/providers/ and are
+ * instantiated by `createDnsProvider()` in factory.ts.
+ *
+ * NOT a smartdata interface — this is the *runtime* client. The persisted
+ * representation is in `IDnsProvider` (ts_interfaces/data/dns-provider.ts).
+ */
+export interface IDnsProviderClient {
+  /** Lightweight check that credentials are valid and the API is reachable. */
+  testConnection(): Promise<IConnectionTestResult>;
+
+  /** List all DNS zones visible to this provider account. */
+  listDomains(): Promise<IProviderDomainListing[]>;
+
+  /** List all DNS records for a zone (FQDN). */
+  listRecords(domain: string): Promise<IProviderRecord[]>;
+
+  /** Create a new DNS record at the provider; returns the created record (with id). */
+  createRecord(domain: string, record: IProviderRecordInput): Promise<IProviderRecord>;
+
+  /** Update an existing record by provider id; returns the updated record. */
+  updateRecord(
+    domain: string,
+    providerRecordId: string,
+    record: IProviderRecordInput,
+  ): Promise<IProviderRecord>;
+
+  /** Delete a record by provider id. */
+  deleteRecord(domain: string, providerRecordId: string): Promise<void>;
+}

ts/email/classes.email-domain.manager.ts

@@ -0,0 +1,406 @@
+import * as plugins from '../plugins.js';
+import type { IEmailDomainConfig } from '@push.rocks/smartmta';
+import { logger } from '../logger.js';
+import { EmailDomainDoc } from '../db/documents/classes.email-domain.doc.js';
+import { DomainDoc } from '../db/documents/classes.domain.doc.js';
+import { DnsRecordDoc } from '../db/documents/classes.dns-record.doc.js';
+import type { DnsManager } from '../dns/manager.dns.js';
+import type { IEmailDomain, IEmailDnsRecord, TDnsRecordStatus } from '../../ts_interfaces/data/email-domain.js';
+import { buildEmailDnsRecords } from './email-dns-records.js';
+
+/**
+ * EmailDomainManager — orchestrates email domain setup.
+ *
+ * Wires smartmta's DKIMCreator (key generation) with dcrouter's DnsManager
+ * (record creation for dcrouter-hosted and provider-managed zones) to provide
+ * a single entry point for setting up an email domain from A to Z.
+ */
+export class EmailDomainManager {
+  private dcRouter: any; // DcRouter — avoids circular import
+  private readonly baseEmailDomains: IEmailDomainConfig[];
+
+  constructor(dcRouterRef: any) {
+    this.dcRouter = dcRouterRef;
+    this.baseEmailDomains = ((this.dcRouter.options?.emailConfig?.domains || []) as IEmailDomainConfig[])
+      .map((domainConfig) => JSON.parse(JSON.stringify(domainConfig)) as IEmailDomainConfig);
+  }
+
+  private get dnsManager(): DnsManager | undefined {
+    return this.dcRouter.dnsManager;
+  }
+
+  private get dkimCreator(): any | undefined {
+    return this.dcRouter.emailServer?.dkimCreator;
+  }
+
+  private get emailHostname(): string {
+    return this.dcRouter.options?.emailConfig?.hostname || this.dcRouter.options?.tls?.domain || 'localhost';
+  }
+
+  public async start(): Promise<void> {
+    await this.syncManagedDomainsToRuntime();
+  }
+
+  public async stop(): Promise<void> {}
+
+  // ---------------------------------------------------------------------------
+  // CRUD
+  // ---------------------------------------------------------------------------
+
+  public async getAll(): Promise<IEmailDomain[]> {
+    const docs = await EmailDomainDoc.findAll();
+    return docs.map((d) => this.docToInterface(d));
+  }
+
+  public async getById(id: string): Promise<IEmailDomain | null> {
+    const doc = await EmailDomainDoc.findById(id);
+    return doc ? this.docToInterface(doc) : null;
+  }
+
+  public async createEmailDomain(opts: {
+    linkedDomainId: string;
+    subdomain?: string;
+    dkimSelector?: string;
+    dkimKeySize?: number;
+    rotateKeys?: boolean;
+    rotationIntervalDays?: number;
+  }): Promise<IEmailDomain> {
+    // Resolve the linked DNS domain
+    const domainDoc = await DomainDoc.findById(opts.linkedDomainId);
+    if (!domainDoc) {
+      throw new Error(`DNS domain not found: ${opts.linkedDomainId}`);
+    }
+    const baseDomain = domainDoc.name;
+    const subdomain = opts.subdomain?.trim() || undefined;
+    const domainName = subdomain ? `${subdomain}.${baseDomain}` : baseDomain;
+
+    // Check for duplicates
+    if (this.isDomainAlreadyConfigured(domainName)) {
+      throw new Error(`Email domain already configured for ${domainName}`);
+    }
+    const existing = await EmailDomainDoc.findByDomain(domainName);
+    if (existing) {
+      throw new Error(`Email domain already exists for ${domainName}`);
+    }
+
+    const selector = opts.dkimSelector || 'default';
+    const keySize = opts.dkimKeySize || 2048;
+    const now = new Date().toISOString();
+
+    // Generate DKIM keys
+    let publicKey: string | undefined;
+    if (this.dkimCreator) {
+      try {
+        await this.dkimCreator.handleDKIMKeysForSelector(domainName, selector, keySize);
+        const dnsRecord = await this.dkimCreator.getDNSRecordForDomain(domainName, selector);
+        // Extract public key from the DNS record value
+        const match = dnsRecord?.value?.match(/p=([A-Za-z0-9+/=]+)/);
+        publicKey = match ? match[1] : undefined;
+        logger.log('info', `DKIM keys generated for ${domainName} (selector: ${selector})`);
+      } catch (err: unknown) {
+        logger.log('warn', `DKIM key generation failed for ${domainName}: ${(err as Error).message}`);
+      }
+    }
+
+    // Create the document
+    const doc = new EmailDomainDoc();
+    doc.id = plugins.smartunique.shortId();
+    doc.domain = domainName.toLowerCase();
+    doc.linkedDomainId = opts.linkedDomainId;
+    doc.subdomain = subdomain;
+    doc.dkim = {
+      selector,
+      keySize,
+      publicKey,
+      rotateKeys: opts.rotateKeys ?? false,
+      rotationIntervalDays: opts.rotationIntervalDays ?? 90,
+    };
+    doc.dnsStatus = {
+      mx: 'unchecked',
+      spf: 'unchecked',
+      dkim: 'unchecked',
+      dmarc: 'unchecked',
+    };
+    doc.createdAt = now;
+    doc.updatedAt = now;
+    await doc.save();
+    await this.syncManagedDomainsToRuntime();
+
+    logger.log('info', `Email domain created: ${domainName}`);
+    return this.docToInterface(doc);
+  }
+
+  public async updateEmailDomain(
+    id: string,
+    changes: {
+      rotateKeys?: boolean;
+      rotationIntervalDays?: number;
+      rateLimits?: IEmailDomain['rateLimits'];
+    },
+  ): Promise<void> {
+    const doc = await EmailDomainDoc.findById(id);
+    if (!doc) throw new Error(`Email domain not found: ${id}`);
+
+    if (changes.rotateKeys !== undefined) doc.dkim.rotateKeys = changes.rotateKeys;
+    if (changes.rotationIntervalDays !== undefined) doc.dkim.rotationIntervalDays = changes.rotationIntervalDays;
+    if (changes.rateLimits !== undefined) doc.rateLimits = changes.rateLimits;
+    doc.updatedAt = new Date().toISOString();
+    await doc.save();
+    await this.syncManagedDomainsToRuntime();
+  }
+
+  public async deleteEmailDomain(id: string): Promise<void> {
+    const doc = await EmailDomainDoc.findById(id);
+    if (!doc) throw new Error(`Email domain not found: ${id}`);
+    await doc.delete();
+    await this.syncManagedDomainsToRuntime();
+    logger.log('info', `Email domain deleted: ${doc.domain}`);
+  }
+
+  // ---------------------------------------------------------------------------
+  // DNS record computation
+  // ---------------------------------------------------------------------------
+
+  /**
+   * Compute the 4 required DNS records for an email domain.
+   */
+  public async getRequiredDnsRecords(id: string): Promise<IEmailDnsRecord[]> {
+    const doc = await EmailDomainDoc.findById(id);
+    if (!doc) throw new Error(`Email domain not found: ${id}`);
+
+    const domain = doc.domain;
+    const selector = doc.dkim.selector;
+    const hostname = this.emailHostname;
+    let dkimValue = `v=DKIM1; h=sha256; k=rsa; p=${doc.dkim.publicKey || ''}`;
+
+    if (this.dkimCreator) {
+      try {
+        const dnsRecord = await this.dkimCreator.getDNSRecordForDomain(domain, selector);
+        dkimValue = dnsRecord.value;
+      } catch (err: unknown) {
+        logger.log('warn', `Failed to load DKIM DNS record for ${domain}: ${(err as Error).message}`);
+      }
+    }
+
+    return buildEmailDnsRecords({
+      domain,
+      hostname,
+      selector,
+      dkimValue,
+      statuses: doc.dnsStatus,
+    });
+  }
+
+  // ---------------------------------------------------------------------------
+  // DNS provisioning
+  // ---------------------------------------------------------------------------
+
+  /**
+   * Auto-create missing DNS records via the linked domain's DNS path.
+   */
+  public async provisionDnsRecords(id: string): Promise<number> {
+    const doc = await EmailDomainDoc.findById(id);
+    if (!doc) throw new Error(`Email domain not found: ${id}`);
+    if (!this.dnsManager) throw new Error('DnsManager not available');
+
+    const requiredRecords = await this.getRequiredDnsRecords(id);
+    const domainId = doc.linkedDomainId;
+
+    // Get existing DNS records for the linked domain
+    const existingRecords = await DnsRecordDoc.findByDomainId(domainId);
+    let provisioned = 0;
+
+    for (const required of requiredRecords) {
+      // Check if a matching record already exists
+      const exists = existingRecords.some((r) => this.recordMatchesRequired(r, required));
+
+      if (!exists) {
+        try {
+          await this.dnsManager.createRecord({
+            domainId,
+            name: required.name,
+            type: required.type as any,
+            value: required.value,
+            ttl: 3600,
+            createdBy: 'email-domain-manager',
+          });
+          provisioned++;
+          logger.log('info', `Provisioned ${required.type} record for ${required.name}`);
+        } catch (err: unknown) {
+          logger.log('warn', `Failed to provision ${required.type} for ${required.name}: ${(err as Error).message}`);
+        }
+      }
+    }
+
+    // Re-validate after provisioning
+    await this.validateDns(id);
+
+    return provisioned;
+  }
+
+  // ---------------------------------------------------------------------------
+  // DNS validation
+  // ---------------------------------------------------------------------------
+
+  /**
+   * Validate DNS records via live lookups.
+   */
+  public async validateDns(id: string): Promise<IEmailDnsRecord[]> {
+    const doc = await EmailDomainDoc.findById(id);
+    if (!doc) throw new Error(`Email domain not found: ${id}`);
+
+    const domain = doc.domain;
+    const selector = doc.dkim.selector;
+    const resolver = new plugins.dns.promises.Resolver();
+
+    // MX check
+    const requiredRecords = await this.getRequiredDnsRecords(id);
+
+    const mxRecord = requiredRecords.find((record) => record.type === 'MX');
+    const spfRecord = requiredRecords.find((record) => record.name === domain && record.value.startsWith('v=spf1'));
+    const dkimRecord = requiredRecords.find((record) => record.name === `${selector}._domainkey.${domain}`);
+    const dmarcRecord = requiredRecords.find((record) => record.name === `_dmarc.${domain}`);
+
+    doc.dnsStatus.mx = await this.checkMx(resolver, domain, mxRecord?.value);
+
+    // SPF check
+    doc.dnsStatus.spf = await this.checkTxtRecord(resolver, domain, spfRecord?.value);
+
+    // DKIM check
+    doc.dnsStatus.dkim = await this.checkTxtRecord(resolver, `${selector}._domainkey.${domain}`, dkimRecord?.value);
+
+    // DMARC check
+    doc.dnsStatus.dmarc = await this.checkTxtRecord(resolver, `_dmarc.${domain}`, dmarcRecord?.value);
+
+    doc.dnsStatus.lastCheckedAt = new Date().toISOString();
+    doc.updatedAt = new Date().toISOString();
+    await doc.save();
+
+    return this.getRequiredDnsRecords(id);
+  }
+
+  private recordMatchesRequired(record: DnsRecordDoc, required: IEmailDnsRecord): boolean {
+    if (record.type !== required.type || record.name.toLowerCase() !== required.name.toLowerCase()) {
+      return false;
+    }
+    return record.value.trim() === required.value.trim();
+  }
+
+  private async checkMx(
+    resolver: plugins.dns.promises.Resolver,
+    domain: string,
+    expectedValue?: string,
+  ): Promise<TDnsRecordStatus> {
+    try {
+      const records = await resolver.resolveMx(domain);
+      if (!records || records.length === 0) {
+        return 'missing';
+      }
+      if (!expectedValue) {
+        return 'valid';
+      }
+      const found = records.some((record) => `${record.priority} ${record.exchange}`.trim() === expectedValue.trim());
+      return found ? 'valid' : 'invalid';
+    } catch {
+      return 'missing';
+    }
+  }
+
+  private async checkTxtRecord(
+    resolver: plugins.dns.promises.Resolver,
+    name: string,
+    expectedValue?: string,
+  ): Promise<TDnsRecordStatus> {
+    try {
+      const records = await resolver.resolveTxt(name);
+      const flat = records.map((r) => r.join(''));
+      if (flat.length === 0) {
+        return 'missing';
+      }
+      if (!expectedValue) {
+        return 'valid';
+      }
+      const found = flat.some((record) => record.trim() === expectedValue.trim());
+      return found ? 'valid' : 'invalid';
+    } catch {
+      return 'missing';
+    }
+  }
+
+  // ---------------------------------------------------------------------------
+  // Helpers
+  // ---------------------------------------------------------------------------
+
+  private docToInterface(doc: EmailDomainDoc): IEmailDomain {
+    return {
+      id: doc.id,
+      domain: doc.domain,
+      linkedDomainId: doc.linkedDomainId,
+      subdomain: doc.subdomain,
+      dkim: doc.dkim,
+      rateLimits: doc.rateLimits,
+      dnsStatus: doc.dnsStatus,
+      createdAt: doc.createdAt,
+      updatedAt: doc.updatedAt,
+    };
+  }
+
+  private isDomainAlreadyConfigured(domainName: string): boolean {
+    const configuredDomains = ((this.dcRouter.options?.emailConfig?.domains || []) as IEmailDomainConfig[])
+      .map((domainConfig) => domainConfig.domain.toLowerCase());
+    return configuredDomains.includes(domainName.toLowerCase());
+  }
+
+  private async buildManagedDomainConfigs(): Promise<IEmailDomainConfig[]> {
+    const docs = await EmailDomainDoc.findAll();
+    const managedConfigs: IEmailDomainConfig[] = [];
+
+    for (const doc of docs) {
+      const linkedDomain = await DomainDoc.findById(doc.linkedDomainId);
+      if (!linkedDomain) {
+        logger.log('warn', `Skipping managed email domain ${doc.domain}: linked domain missing`);
+        continue;
+      }
+
+      managedConfigs.push({
+        domain: doc.domain,
+        dnsMode: linkedDomain.source === 'dcrouter' ? 'internal-dns' : 'external-dns',
+        dkim: {
+          selector: doc.dkim.selector,
+          keySize: doc.dkim.keySize,
+          rotateKeys: doc.dkim.rotateKeys,
+          rotationInterval: doc.dkim.rotationIntervalDays,
+        },
+        rateLimits: doc.rateLimits,
+      });
+    }
+
+    return managedConfigs;
+  }
+
+  private async syncManagedDomainsToRuntime(): Promise<void> {
+    if (!this.dcRouter.options?.emailConfig) {
+      return;
+    }
+
+    const mergedDomains = new Map<string, IEmailDomainConfig>();
+    for (const domainConfig of this.baseEmailDomains) {
+      mergedDomains.set(domainConfig.domain.toLowerCase(), JSON.parse(JSON.stringify(domainConfig)) as IEmailDomainConfig);
+    }
+
+    for (const managedConfig of await this.buildManagedDomainConfigs()) {
+      const key = managedConfig.domain.toLowerCase();
+      if (mergedDomains.has(key)) {
+        logger.log('warn', `Managed email domain ${managedConfig.domain} duplicates a configured domain; keeping the configured definition`);
+        continue;
+      }
+      mergedDomains.set(key, managedConfig);
+    }
+
+    const domains = Array.from(mergedDomains.values());
+    this.dcRouter.options.emailConfig.domains = domains;
+    if (this.dcRouter.emailServer) {
+      this.dcRouter.emailServer.updateOptions({ domains });
+    }
+  }
+}

ts/email/classes.smartmta-storage-manager.ts

@@ -0,0 +1,108 @@
+import * as plugins from '../plugins.js';
+import type { IStorageManagerLike } from '@push.rocks/smartmta';
+
+export class SmartMtaStorageManager implements IStorageManagerLike {
+  private readonly resolvedRootDir: string;
+
+  constructor(private rootDir: string) {
+    this.resolvedRootDir = plugins.path.resolve(rootDir);
+    plugins.fsUtils.ensureDirSync(this.resolvedRootDir);
+  }
+
+  private normalizeKey(key: string): string {
+    return key.replace(/^\/+/, '').replace(/\\/g, '/');
+  }
+
+  private resolvePathForKey(key: string): string {
+    const normalizedKey = this.normalizeKey(key);
+    const resolvedPath = plugins.path.resolve(this.resolvedRootDir, normalizedKey);
+    if (
+      resolvedPath !== this.resolvedRootDir
+      && !resolvedPath.startsWith(`${this.resolvedRootDir}${plugins.path.sep}`)
+    ) {
+      throw new Error(`Storage key escapes root directory: ${key}`);
+    }
+    return resolvedPath;
+  }
+
+  private toStorageKey(filePath: string): string {
+    const relativePath = plugins.path.relative(this.resolvedRootDir, filePath).split(plugins.path.sep).join('/');
+    return `/${relativePath}`;
+  }
+
+  public async get(key: string): Promise<string | null> {
+    const filePath = this.resolvePathForKey(key);
+    try {
+      return await plugins.fs.promises.readFile(filePath, 'utf8');
+    } catch (error: unknown) {
+      if ((error as NodeJS.ErrnoException).code === 'ENOENT') {
+        return null;
+      }
+      throw error;
+    }
+  }
+
+  public async set(key: string, value: string): Promise<void> {
+    const filePath = this.resolvePathForKey(key);
+    await plugins.fs.promises.mkdir(plugins.path.dirname(filePath), { recursive: true });
+    await plugins.fs.promises.writeFile(filePath, value, 'utf8');
+  }
+
+  public async list(prefix: string): Promise<string[]> {
+    const prefixPath = this.resolvePathForKey(prefix);
+    try {
+      const stat = await plugins.fs.promises.stat(prefixPath);
+      if (stat.isFile()) {
+        return [this.toStorageKey(prefixPath)];
+      }
+    } catch (error: unknown) {
+      if ((error as NodeJS.ErrnoException).code === 'ENOENT') {
+        return [];
+      }
+      throw error;
+    }
+
+    const results: string[] = [];
+    const walk = async (currentPath: string): Promise<void> => {
+      const entries = await plugins.fs.promises.readdir(currentPath, { withFileTypes: true });
+      for (const entry of entries) {
+        const entryPath = plugins.path.join(currentPath, entry.name);
+        if (entry.isDirectory()) {
+          await walk(entryPath);
+        } else if (entry.isFile()) {
+          results.push(this.toStorageKey(entryPath));
+        }
+      }
+    };
+
+    await walk(prefixPath);
+    return results.sort();
+  }
+
+  public async delete(key: string): Promise<void> {
+    const targetPath = this.resolvePathForKey(key);
+    try {
+      const stat = await plugins.fs.promises.stat(targetPath);
+      if (stat.isDirectory()) {
+        await plugins.fs.promises.rm(targetPath, { recursive: true, force: true });
+      } else {
+        await plugins.fs.promises.unlink(targetPath);
+      }
+    } catch (error: unknown) {
+      if ((error as NodeJS.ErrnoException).code === 'ENOENT') {
+        return;
+      }
+      throw error;
+    }
+
+    let currentDir = plugins.path.dirname(targetPath);
+    while (currentDir.startsWith(this.resolvedRootDir) && currentDir !== this.resolvedRootDir) {
+      const entries = await plugins.fs.promises.readdir(currentDir);
+      if (entries.length > 0) {
+        break;
+      }
+      await plugins.fs.promises.rmdir(currentDir);
+      currentDir = plugins.path.dirname(currentDir);
+    }
+  }
+}

ts/email/email-dns-records.ts

@@ -0,0 +1,53 @@
+import type {
+  IEmailDnsRecord,
+  TDnsRecordStatus,
+} from '../../ts_interfaces/data/email-domain.js';
+
+type TEmailDnsStatusKey = 'mx' | 'spf' | 'dkim' | 'dmarc';
+
+export interface IBuildEmailDnsRecordsOptions {
+  domain: string;
+  hostname: string;
+  selector?: string;
+  dkimValue?: string;
+  mxPriority?: number;
+  dmarcPolicy?: string;
+  dmarcRua?: string;
+  statuses?: Partial<Record<TEmailDnsStatusKey, TDnsRecordStatus>>;
+}
+
+export function buildEmailDnsRecords(options: IBuildEmailDnsRecordsOptions): IEmailDnsRecord[] {
+  const statusFor = (key: TEmailDnsStatusKey): TDnsRecordStatus => options.statuses?.[key] ?? 'unchecked';
+  const selector = options.selector || 'default';
+  const records: IEmailDnsRecord[] = [
+    {
+      type: 'MX',
+      name: options.domain,
+      value: `${options.mxPriority ?? 10} ${options.hostname}`,
+      status: statusFor('mx'),
+    },
+    {
+      type: 'TXT',
+      name: options.domain,
+      value: 'v=spf1 a mx ~all',
+      status: statusFor('spf'),
+    },
+    {
+      type: 'TXT',
+      name: `_dmarc.${options.domain}`,
+      value: `v=DMARC1; p=${options.dmarcPolicy ?? 'none'}; rua=mailto:${options.dmarcRua ?? `dmarc@${options.domain}`}`,
+      status: statusFor('dmarc'),
+    },
+  ];
+
+  if (options.dkimValue) {
+    records.splice(2, 0, {
+      type: 'TXT',
+      name: `${selector}._domainkey.${options.domain}`,
+      value: options.dkimValue,
+      status: statusFor('dkim'),
+    });
+  }
+
+  return records;
+}

ts/email/index.ts

@@ -0,0 +1,3 @@
+export * from './classes.email-domain.manager.js';
+export * from './classes.smartmta-storage-manager.js';
+export * from './email-dns-records.js';

ts/errors/base.errors.ts

@@ -227,7 +227,7 @@ export class PlatformError extends Error {
     const { retry } = this.context;
     if (!retry) return false;
     
-    return retry.currentRetry < retry.maxRetries;
+    return (retry.currentRetry ?? 0) < (retry.maxRetries ?? 0);
   }
 
   /**

ts/index.ts

@@ -35,6 +35,6 @@ export const runCli = async () => {
     await dcRouter.stop();
     process.exit(0);
   };
-  process.on('SIGINT', shutdown);
-  process.on('SIGTERM', shutdown);
+  process.once('SIGINT', shutdown);
+  process.once('SIGTERM', shutdown);
 };

ts/monitoring/classes.metricsmanager.ts

@@ -296,11 +296,11 @@ export class MetricsManager {
       const proxyMetrics = this.dcRouter.smartProxy ? this.dcRouter.smartProxy.getMetrics() : null;
       
       if (!proxyMetrics) {
-        return [];
+        return [] as Array<{ type: string; count: number; source: string; lastActivity: Date }>;
       }
-      
+
       const connectionsByRoute = proxyMetrics.connections.byRoute();
-      const connectionInfo = [];
+      const connectionInfo: Array<{ type: string; count: number; source: string; lastActivity: Date }> = [];
       
       for (const [routeName, count] of connectionsByRoute) {
         connectionInfo.push({
@@ -553,11 +553,14 @@ export class MetricsManager {
           connectionsByIP: new Map<string, number>(),
           throughputRate: { bytesInPerSecond: 0, bytesOutPerSecond: 0 },
           topIPs: [] as Array<{ ip: string; count: number }>,
+          topIPsByBandwidth: [] as Array<{ ip: string; count: number; bwIn: number; bwOut: number }>,
           totalDataTransferred: { bytesIn: 0, bytesOut: 0 },
           throughputHistory: [] as Array<{ timestamp: number; in: number; out: number }>,
           throughputByIP: new Map<string, { in: number; out: number }>(),
           requestsPerSecond: 0,
           requestsTotal: 0,
+          backends: [] as Array<any>,
+          domainActivity: [] as Array<{ domain: string; bytesInPerSecond: number; bytesOutPerSecond: number; activeConnections: number; routeCount: number; requestCount: number }>,
         };
       }
 
@@ -571,7 +574,7 @@ export class MetricsManager {
         bytesOutPerSecond: instantThroughput.out
       };
 
-      // Get top IPs
+      // Get top IPs by connection count
       const topIPs = proxyMetrics.connections.topIPs(10);
 
       // Get total data transferred
@@ -590,15 +593,258 @@ export class MetricsManager {
       const requestsPerSecond = proxyMetrics.requests.perSecond();
       const requestsTotal = proxyMetrics.requests.total();
 
+      // Get frontend/backend protocol distribution
+      const frontendProtocols = proxyMetrics.connections.frontendProtocols() ?? null;
+      const backendProtocols = proxyMetrics.connections.backendProtocols() ?? null;
+
+      // Collect backend protocol data
+      const backendMetrics = proxyMetrics.backends.byBackend();
+      const protocolCache = proxyMetrics.backends.detectedProtocols();
+
+      // Group protocol cache entries by host:port so we can match them to backend metrics.
+      // The protocol cache is keyed by (host, port, domain) in Rust, so the same host:port
+      // can have multiple entries for different domains.
+      const cacheByBackend = new Map<string, (typeof protocolCache)[number][]>();
+      for (const entry of protocolCache) {
+        const backendKey = `${entry.host}:${entry.port}`;
+        let entries = cacheByBackend.get(backendKey);
+        if (!entries) {
+          entries = [];
+          cacheByBackend.set(backendKey, entries);
+        }
+        entries.push(entry);
+      }
+
+      const backends: Array<any> = [];
+      const seenCacheKeys = new Set<string>();
+
+      for (const [key, bm] of backendMetrics) {
+        const cacheEntries = cacheByBackend.get(key);
+        if (!cacheEntries || cacheEntries.length === 0) {
+          // No protocol cache entry — emit one row with backend metrics only
+          backends.push({
+            backend: key,
+            domain: null,
+            protocol: bm.protocol,
+            activeConnections: bm.activeConnections,
+            totalConnections: bm.totalConnections,
+            connectErrors: bm.connectErrors,
+            handshakeErrors: bm.handshakeErrors,
+            requestErrors: bm.requestErrors,
+            avgConnectTimeMs: Math.round(bm.avgConnectTimeMs * 10) / 10,
+            poolHitRate: Math.round(bm.poolHitRate * 1000) / 1000,
+            h2Failures: bm.h2Failures,
+            h2Suppressed: false,
+            h3Suppressed: false,
+            h2CooldownRemainingSecs: null,
+            h3CooldownRemainingSecs: null,
+            h2ConsecutiveFailures: null,
+            h3ConsecutiveFailures: null,
+            h3Port: null,
+            cacheAgeSecs: null,
+          });
+        } else {
+          // One row per domain, each enriched with the shared backend metrics
+          for (const cache of cacheEntries) {
+            const compositeKey = `${cache.host}:${cache.port}:${cache.domain ?? ''}`;
+            seenCacheKeys.add(compositeKey);
+            backends.push({
+              backend: key,
+              domain: cache.domain ?? null,
+              protocol: cache.protocol ?? bm.protocol,
+              activeConnections: bm.activeConnections,
+              totalConnections: bm.totalConnections,
+              connectErrors: bm.connectErrors,
+              handshakeErrors: bm.handshakeErrors,
+              requestErrors: bm.requestErrors,
+              avgConnectTimeMs: Math.round(bm.avgConnectTimeMs * 10) / 10,
+              poolHitRate: Math.round(bm.poolHitRate * 1000) / 1000,
+              h2Failures: bm.h2Failures,
+              h2Suppressed: cache.h2Suppressed,
+              h3Suppressed: cache.h3Suppressed,
+              h2CooldownRemainingSecs: cache.h2CooldownRemainingSecs,
+              h3CooldownRemainingSecs: cache.h3CooldownRemainingSecs,
+              h2ConsecutiveFailures: cache.h2ConsecutiveFailures,
+              h3ConsecutiveFailures: cache.h3ConsecutiveFailures,
+              h3Port: cache.h3Port,
+              cacheAgeSecs: cache.ageSecs,
+            });
+          }
+        }
+      }
+
+      // Include protocol cache entries with no matching backend metric
+      for (const entry of protocolCache) {
+        const compositeKey = `${entry.host}:${entry.port}:${entry.domain ?? ''}`;
+        if (!seenCacheKeys.has(compositeKey)) {
+          backends.push({
+            backend: `${entry.host}:${entry.port}`,
+            domain: entry.domain,
+            protocol: entry.protocol,
+            activeConnections: 0,
+            totalConnections: 0,
+            connectErrors: 0,
+            handshakeErrors: 0,
+            requestErrors: 0,
+            avgConnectTimeMs: 0,
+            poolHitRate: 0,
+            h2Failures: 0,
+            h2Suppressed: entry.h2Suppressed,
+            h3Suppressed: entry.h3Suppressed,
+            h2CooldownRemainingSecs: entry.h2CooldownRemainingSecs,
+            h3CooldownRemainingSecs: entry.h3CooldownRemainingSecs,
+            h2ConsecutiveFailures: entry.h2ConsecutiveFailures,
+            h3ConsecutiveFailures: entry.h3ConsecutiveFailures,
+            h3Port: entry.h3Port,
+            cacheAgeSecs: entry.ageSecs,
+          });
+        }
+      }
+
+      // Build top 10 IPs by bandwidth (sorted by total throughput desc)
+      const allIPData = new Map<string, { count: number; bwIn: number; bwOut: number }>();
+      for (const [ip, count] of connectionsByIP) {
+        allIPData.set(ip, { count, bwIn: 0, bwOut: 0 });
+      }
+      for (const [ip, tp] of throughputByIP) {
+        const existing = allIPData.get(ip);
+        if (existing) {
+          existing.bwIn = tp.in;
+          existing.bwOut = tp.out;
+        } else {
+          allIPData.set(ip, { count: 0, bwIn: tp.in, bwOut: tp.out });
+        }
+      }
+      const topIPsByBandwidth = Array.from(allIPData.entries())
+        .sort((a, b) => (b[1].bwIn + b[1].bwOut) - (a[1].bwIn + a[1].bwOut))
+        .slice(0, 10)
+        .map(([ip, data]) => ({ ip, count: data.count, bwIn: data.bwIn, bwOut: data.bwOut }));
+
+      // Build domain activity using per-IP domain request counts from Rust engine
+      const connectionsByRoute = proxyMetrics.connections.byRoute();
+      const throughputByRoute = proxyMetrics.throughput.byRoute();
+
+      // Aggregate per-IP domain request counts into per-domain totals
+      const domainRequestTotals = new Map<string, number>();
+      const domainRequestsByIP = proxyMetrics.connections.domainRequestsByIP();
+      for (const [, domainMap] of domainRequestsByIP) {
+        for (const [domain, count] of domainMap) {
+          domainRequestTotals.set(domain, (domainRequestTotals.get(domain) || 0) + count);
+        }
+      }
+
+      // Map canonical route key → domains from route config
+      const routeDomains = new Map<string, string[]>();
+      if (this.dcRouter.smartProxy) {
+        for (const route of this.dcRouter.smartProxy.routeManager.getRoutes()) {
+          const routeKey = route.name || route.id;
+          if (!routeKey || !route.match.domains) continue;
+          const domains = Array.isArray(route.match.domains)
+            ? route.match.domains
+            : [route.match.domains];
+          if (domains.length > 0) {
+            routeDomains.set(routeKey, domains);
+          }
+        }
+      }
+
+      // Resolve wildcards using domains seen in request metrics
+      const allKnownDomains = new Set<string>(domainRequestTotals.keys());
+      for (const entry of protocolCache) {
+        if (entry.domain) allKnownDomains.add(entry.domain);
+      }
+
+      // Build reverse map: concrete domain → canonical route key(s)
+      const domainToRoutes = new Map<string, string[]>();
+      for (const [routeKey, domains] of routeDomains) {
+        for (const pattern of domains) {
+          if (pattern.includes('*')) {
+            const regex = new RegExp('^' + pattern.replace(/\./g, '\\.').replace(/\*/g, '[^.]+') + '$');
+            for (const knownDomain of allKnownDomains) {
+              if (regex.test(knownDomain)) {
+                const existing = domainToRoutes.get(knownDomain);
+                if (existing) { existing.push(routeKey); }
+                else { domainToRoutes.set(knownDomain, [routeKey]); }
+              }
+            }
+          } else {
+            const existing = domainToRoutes.get(pattern);
+            if (existing) { existing.push(routeKey); }
+            else { domainToRoutes.set(pattern, [routeKey]); }
+          }
+        }
+      }
+
+      // For each route, compute the total request count across all its resolved domains
+      // so we can distribute throughput/connections proportionally
+      const routeTotalRequests = new Map<string, number>();
+      for (const [domain, routeKeys] of domainToRoutes) {
+        const reqs = domainRequestTotals.get(domain) || 0;
+        for (const routeKey of routeKeys) {
+          routeTotalRequests.set(routeKey, (routeTotalRequests.get(routeKey) || 0) + reqs);
+        }
+      }
+
+      // Aggregate metrics per domain using request-count-proportional splitting
+      const domainAgg = new Map<string, {
+        activeConnections: number;
+        bytesInPerSec: number;
+        bytesOutPerSec: number;
+        routeCount: number;
+        requestCount: number;
+      }>();
+
+      for (const [domain, routeKeys] of domainToRoutes) {
+        const domainReqs = domainRequestTotals.get(domain) || 0;
+        let totalConns = 0;
+        let totalIn = 0;
+        let totalOut = 0;
+
+        for (const routeKey of routeKeys) {
+          const conns = connectionsByRoute.get(routeKey) || 0;
+          const tp = throughputByRoute.get(routeKey) || { in: 0, out: 0 };
+          const routeTotal = routeTotalRequests.get(routeKey) || 0;
+
+          const share = routeTotal > 0 ? domainReqs / routeTotal : 0;
+          totalConns += conns * share;
+          totalIn += tp.in * share;
+          totalOut += tp.out * share;
+        }
+
+        domainAgg.set(domain, {
+          activeConnections: Math.round(totalConns),
+          bytesInPerSec: totalIn,
+          bytesOutPerSec: totalOut,
+          routeCount: routeKeys.length,
+          requestCount: domainReqs,
+        });
+      }
+
+      const domainActivity = Array.from(domainAgg.entries())
+        .map(([domain, data]) => ({
+          domain,
+          bytesInPerSecond: data.bytesInPerSec,
+          bytesOutPerSecond: data.bytesOutPerSec,
+          activeConnections: data.activeConnections,
+          routeCount: data.routeCount,
+          requestCount: data.requestCount,
+        }))
+        .sort((a, b) => (b.bytesInPerSecond + b.bytesOutPerSecond) - (a.bytesInPerSecond + a.bytesOutPerSecond));
+
       return {
         connectionsByIP,
         throughputRate,
         topIPs,
+        topIPsByBandwidth,
         totalDataTransferred,
         throughputHistory,
         throughputByIP,
         requestsPerSecond,
         requestsTotal,
+        backends,
+        frontendProtocols,
+        backendProtocols,
+        domainActivity,
       };
     }, 1000); // 1s cache — matches typical dashboard poll interval
   }
@@ -745,4 +991,4 @@ export class MetricsManager {
 
     return { queries };
   }
-}
+}

ts/opsserver/classes.opsserver.ts

@@ -7,7 +7,7 @@ import { requireValidIdentity, requireAdminIdentity } from './helpers/guards.js'
 
 export class OpsServer {
   public dcRouterRef: DcRouter;
-  public server: plugins.typedserver.utilityservers.UtilityWebsiteServer;
+  public server!: plugins.typedserver.utilityservers.UtilityWebsiteServer;
 
   // Main TypedRouter — unauthenticated endpoints (login/logout/verify) and own-auth handlers
   public typedrouter = new plugins.typedrequest.TypedRouter();
@@ -17,17 +17,27 @@ export class OpsServer {
   public adminRouter = new plugins.typedrequest.TypedRouter<{ request: { identity: interfaces.data.IIdentity } }>();
 
   // Handler instances
-  public adminHandler: handlers.AdminHandler;
-  private configHandler: handlers.ConfigHandler;
-  private logsHandler: handlers.LogsHandler;
-  private securityHandler: handlers.SecurityHandler;
-  private statsHandler: handlers.StatsHandler;
-  private radiusHandler: handlers.RadiusHandler;
-  private emailOpsHandler: handlers.EmailOpsHandler;
-  private certificateHandler: handlers.CertificateHandler;
-  private remoteIngressHandler: handlers.RemoteIngressHandler;
-  private routeManagementHandler: handlers.RouteManagementHandler;
-  private apiTokenHandler: handlers.ApiTokenHandler;
+  public adminHandler!: handlers.AdminHandler;
+  private configHandler!: handlers.ConfigHandler;
+  private logsHandler!: handlers.LogsHandler;
+  private securityHandler!: handlers.SecurityHandler;
+  private statsHandler!: handlers.StatsHandler;
+  private radiusHandler!: handlers.RadiusHandler;
+  private emailOpsHandler!: handlers.EmailOpsHandler;
+  private certificateHandler!: handlers.CertificateHandler;
+  private remoteIngressHandler!: handlers.RemoteIngressHandler;
+  private routeManagementHandler!: handlers.RouteManagementHandler;
+  private apiTokenHandler!: handlers.ApiTokenHandler;
+  private vpnHandler!: handlers.VpnHandler;
+  private sourceProfileHandler!: handlers.SourceProfileHandler;
+  private targetProfileHandler!: handlers.TargetProfileHandler;
+  private networkTargetHandler!: handlers.NetworkTargetHandler;
+  private usersHandler!: handlers.UsersHandler;
+  private dnsProviderHandler!: handlers.DnsProviderHandler;
+  private domainHandler!: handlers.DomainHandler;
+  private dnsRecordHandler!: handlers.DnsRecordHandler;
+  private acmeConfigHandler!: handlers.AcmeConfigHandler;
+  private emailDomainHandler!: handlers.EmailDomainHandler;
 
   constructor(dcRouterRefArg: DcRouter) {
     this.dcRouterRef = dcRouterRefArg;
@@ -39,7 +49,7 @@ export class OpsServer {
   public async start() {
     this.server = new plugins.typedserver.utilityservers.UtilityWebsiteServer({
       domain: 'localhost',
-      feedMetadata: null,
+      feedMetadata: undefined,
       serveDir: paths.distServe,
     });
     
@@ -86,6 +96,16 @@ export class OpsServer {
     this.remoteIngressHandler = new handlers.RemoteIngressHandler(this);
     this.routeManagementHandler = new handlers.RouteManagementHandler(this);
     this.apiTokenHandler = new handlers.ApiTokenHandler(this);
+    this.vpnHandler = new handlers.VpnHandler(this);
+    this.sourceProfileHandler = new handlers.SourceProfileHandler(this);
+    this.targetProfileHandler = new handlers.TargetProfileHandler(this);
+    this.networkTargetHandler = new handlers.NetworkTargetHandler(this);
+    this.usersHandler = new handlers.UsersHandler(this);
+    this.dnsProviderHandler = new handlers.DnsProviderHandler(this);
+    this.domainHandler = new handlers.DomainHandler(this);
+    this.dnsRecordHandler = new handlers.DnsRecordHandler(this);
+    this.acmeConfigHandler = new handlers.AcmeConfigHandler(this);
+    this.emailDomainHandler = new handlers.EmailDomainHandler(this);
 
     console.log('✅ OpsServer TypedRequest handlers initialized');
   }

ts/opsserver/handlers/acme-config.handler.ts

@@ -0,0 +1,94 @@
+import * as plugins from '../../plugins.js';
+import type { OpsServer } from '../classes.opsserver.js';
+import * as interfaces from '../../../ts_interfaces/index.js';
+
+/**
+ * CRUD handler for the singleton `AcmeConfigDoc`.
+ *
+ * Auth: same dual-mode pattern as other handlers — admin JWT or API token
+ * with `acme-config:read` / `acme-config:write` scope.
+ */
+export class AcmeConfigHandler {
+  public typedrouter = new plugins.typedrequest.TypedRouter();
+
+  constructor(private opsServerRef: OpsServer) {
+    this.opsServerRef.typedrouter.addTypedRouter(this.typedrouter);
+    this.registerHandlers();
+  }
+
+  private async requireAuth(
+    request: { identity?: interfaces.data.IIdentity; apiToken?: string },
+    requiredScope?: interfaces.data.TApiTokenScope,
+  ): Promise<string> {
+    if (request.identity?.jwt) {
+      try {
+        const isAdmin = await this.opsServerRef.adminHandler.adminIdentityGuard.exec({
+          identity: request.identity,
+        });
+        if (isAdmin) return request.identity.userId;
+      } catch { /* fall through */ }
+    }
+
+    if (request.apiToken) {
+      const tokenManager = this.opsServerRef.dcRouterRef.apiTokenManager;
+      if (tokenManager) {
+        const token = await tokenManager.validateToken(request.apiToken);
+        if (token) {
+          if (!requiredScope || tokenManager.hasScope(token, requiredScope)) {
+            return token.createdBy;
+          }
+          throw new plugins.typedrequest.TypedResponseError('insufficient scope');
+        }
+      }
+    }
+
+    throw new plugins.typedrequest.TypedResponseError('unauthorized');
+  }
+
+  private registerHandlers(): void {
+    // Get current ACME config
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetAcmeConfig>(
+        'getAcmeConfig',
+        async (dataArg) => {
+          await this.requireAuth(dataArg, 'acme-config:read');
+          const mgr = this.opsServerRef.dcRouterRef.acmeConfigManager;
+          if (!mgr) return { config: null };
+          return { config: mgr.getConfig() };
+        },
+      ),
+    );
+
+    // Update (upsert) the ACME config
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_UpdateAcmeConfig>(
+        'updateAcmeConfig',
+        async (dataArg) => {
+          const userId = await this.requireAuth(dataArg, 'acme-config:write');
+          const mgr = this.opsServerRef.dcRouterRef.acmeConfigManager;
+          if (!mgr) {
+            return {
+              success: false,
+              message: 'AcmeConfigManager not initialized (DB disabled?)',
+            };
+          }
+          try {
+            const updated = await mgr.updateConfig(
+              {
+                accountEmail: dataArg.accountEmail,
+                enabled: dataArg.enabled,
+                useProduction: dataArg.useProduction,
+                autoRenew: dataArg.autoRenew,
+                renewThresholdDays: dataArg.renewThresholdDays,
+              },
+              userId,
+            );
+            return { success: true, config: updated };
+          } catch (err: unknown) {
+            return { success: false, message: (err as Error).message };
+          }
+        },
+      ),
+    );
+  }
+}

ts/opsserver/handlers/admin.handler.ts

@@ -12,7 +12,7 @@ export class AdminHandler {
   public typedrouter = new plugins.typedrequest.TypedRouter();
   
   // JWT instance
-  public smartjwtInstance: plugins.smartjwt.SmartJwt<IJwtData>;
+  public smartjwtInstance!: plugins.smartjwt.SmartJwt<IJwtData>;
   
   // Simple in-memory user storage (in production, use proper database)
   private users = new Map<string, {
@@ -52,6 +52,18 @@ export class AdminHandler {
       role: 'admin',
     });
   }
+
+  /**
+   * Return a safe projection of the users Map — excludes password fields.
+   * Used by UsersHandler to serve the admin-only listUsers endpoint.
+   */
+  public listUsers(): Array<{ id: string; username: string; role: string }> {
+    return Array.from(this.users.values()).map((user) => ({
+      id: user.id,
+      username: user.username,
+      role: user.role,
+    }));
+  }
   
   private registerHandlers(): void {
     // Admin Login Handler

ts/opsserver/handlers/certificate.handler.ts

@@ -1,6 +1,29 @@
 import * as plugins from '../../plugins.js';
 import type { OpsServer } from '../classes.opsserver.js';
 import * as interfaces from '../../../ts_interfaces/index.js';
+import { AcmeCertDoc, ProxyCertDoc } from '../../db/index.js';
+import { logger } from '../../logger.js';
+
+/**
+ * Mirrors `SmartacmeCertMatcher.getCertificateDomainNameByDomainName` from
+ * @push.rocks/smartacme. Inlined here because the original is `private` on
+ * SmartAcme. The cert identity ('task.vc' for both 'outline.task.vc' and
+ * '*.task.vc') is what AcmeCertDoc is keyed by, so two route domains with
+ * the same identity share the same underlying ACME cert.
+ *
+ * Returns undefined for domains with 4+ levels (matching smartacme's
+ * "deeper domains not supported" behavior) and for malformed inputs.
+ *
+ * Exported for unit testing.
+ */
+export function deriveCertDomainName(domain: string): string | undefined {
+  if (domain.startsWith('*.')) {
+    return domain.slice(2);
+  }
+  const parts = domain.split('.');
+  if (parts.length < 2 || parts.length > 3) return undefined;
+  return parts.slice(-2).join('.');
+}
 
 export class CertificateHandler {
   constructor(private opsServerRef: OpsServer) {
@@ -42,7 +65,7 @@ export class CertificateHandler {
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_ReprovisionCertificateDomain>(
         'reprovisionCertificateDomain',
         async (dataArg) => {
-          return this.reprovisionCertificateDomain(dataArg.domain);
+          return this.reprovisionCertificateDomain(dataArg.domain, dataArg.forceRenew);
         }
       )
     );
@@ -175,42 +198,43 @@ export class CertificateHandler {
         try {
           const rustStatus = await smartProxy.getCertificateStatus(info.routeNames[0]);
           if (rustStatus) {
-            if (rustStatus.expiryDate) expiryDate = rustStatus.expiryDate;
-            if (rustStatus.issuer) issuer = rustStatus.issuer;
-            if (rustStatus.issuedAt) issuedAt = rustStatus.issuedAt;
-            if (rustStatus.status === 'valid' || rustStatus.status === 'expired') {
-              status = rustStatus.status;
+            if (rustStatus.expiresAt > 0) {
+              expiryDate = new Date(rustStatus.expiresAt).toISOString();
             }
+            if (rustStatus.source) issuer = rustStatus.source;
+            status = rustStatus.isValid ? 'valid' : 'expired';
           }
         } catch {
           // Rust bridge may not support this command yet — ignore
         }
       }
 
-      // Check persisted cert data from StorageManager
+      // Check persisted cert data from smartdata document classes
       if (status === 'unknown') {
         const cleanDomain = domain.replace(/^\*\.?/, '');
-        let certData = await dcRouter.storageManager.getJSON(`/certs/${cleanDomain}`);
-        if (!certData) {
-          // Also check certStore path (proxy-certs)
-          certData = await dcRouter.storageManager.getJSON(`/proxy-certs/${domain}`);
-        }
-        if (certData?.validUntil) {
-          expiryDate = new Date(certData.validUntil).toISOString();
-          if (certData.created) {
-            issuedAt = new Date(certData.created).toISOString();
+        // SmartAcme stores certs under the base domain (e.g. example.com for api.example.com)
+        const parts = cleanDomain.split('.');
+        const baseDomain = parts.length > 2 ? parts.slice(-2).join('.') : cleanDomain;
+        const acmeDoc = await AcmeCertDoc.findByDomain(baseDomain)
+          || (baseDomain !== cleanDomain ? await AcmeCertDoc.findByDomain(cleanDomain) : null);
+        const proxyDoc = !acmeDoc ? await ProxyCertDoc.findByDomain(domain) : null;
+
+        if (acmeDoc?.validUntil) {
+          expiryDate = new Date(acmeDoc.validUntil).toISOString();
+          if (acmeDoc.created) {
+            issuedAt = new Date(acmeDoc.created).toISOString();
           }
           issuer = 'smartacme-dns-01';
-        } else if (certData?.publicKey) {
+        } else if (proxyDoc?.publicKey) {
           // certStore has the cert — parse PEM for expiry
           try {
-            const x509 = new plugins.crypto.X509Certificate(certData.publicKey);
+            const x509 = new plugins.crypto.X509Certificate(proxyDoc.publicKey);
             expiryDate = new Date(x509.validTo).toISOString();
             issuedAt = new Date(x509.validFrom).toISOString();
           } catch { /* PEM parsing failed */ }
           status = 'valid';
           issuer = 'cert-store';
-        } else if (certData) {
+        } else if (acmeDoc || proxyDoc) {
           status = 'valid';
           issuer = 'cert-store';
         }
@@ -292,7 +316,12 @@ export class CertificateHandler {
   }
 
   /**
-   * Legacy route-based reprovisioning
+   * Legacy route-based reprovisioning. Kept for backward compatibility with
+   * older clients that send `reprovisionCertificate` typed-requests.
+   *
+   * Like reprovisionCertificateDomain, this triggers the full route apply
+   * pipeline rather than smartProxy.provisionCertificate(routeName) — which
+   * is a no-op when certProvisionFunction is set (Rust ACME disabled).
    */
   private async reprovisionCertificateByRoute(routeName: string): Promise<{ success: boolean; message?: string }> {
     const dcRouter = this.opsServerRef.dcRouterRef;
@@ -302,24 +331,39 @@ export class CertificateHandler {
       return { success: false, message: 'SmartProxy is not running' };
     }
 
+    // Clear event-based status for domains in this route so the
+    // certificate-issued event can refresh them
+    for (const [domain, entry] of dcRouter.certificateStatusMap) {
+      if (entry.routeNames.includes(routeName)) {
+        dcRouter.certificateStatusMap.delete(domain);
+      }
+    }
+
     try {
-      await smartProxy.provisionCertificate(routeName);
-      // Clear event-based status for domains in this route
-      for (const [domain, entry] of dcRouter.certificateStatusMap) {
-        if (entry.routeNames.includes(routeName)) {
-          dcRouter.certificateStatusMap.delete(domain);
-        }
+      if (dcRouter.routeConfigManager) {
+        await dcRouter.routeConfigManager.applyRoutes();
+      } else {
+        await smartProxy.updateRoutes(smartProxy.routeManager.getRoutes());
       }
       return { success: true, message: `Certificate reprovisioning triggered for route '${routeName}'` };
-    } catch (err) {
-      return { success: false, message: err.message || 'Failed to reprovision certificate' };
+    } catch (err: unknown) {
+      return { success: false, message: (err as Error).message || 'Failed to reprovision certificate' };
     }
   }
 
   /**
-   * Domain-based reprovisioning — clears backoff first, then triggers provision
+   * Domain-based reprovisioning — clears backoff first, refreshes the smartacme
+   * cert (when forceRenew is set), then re-applies routes so the running Rust
+   * proxy actually picks up the new cert.
+   *
+   * Why applyRoutes (not smartProxy.provisionCertificate)?
+   *   smartProxy.provisionCertificate(routeName) routes through the Rust ACME
+   *   path, which is forcibly disabled whenever certProvisionFunction is set
+   *   (smart-proxy.ts:168-171). The only path that re-invokes
+   *   certProvisionFunction → bridge.loadCertificate is updateRoutes(), which
+   *   we trigger via routeConfigManager.applyRoutes().
    */
-  private async reprovisionCertificateDomain(domain: string): Promise<{ success: boolean; message?: string }> {
+  private async reprovisionCertificateDomain(domain: string, forceRenew?: boolean): Promise<{ success: boolean; message?: string }> {
     const dcRouter = this.opsServerRef.dcRouterRef;
     const smartProxy = dcRouter.smartProxy;
 
@@ -332,31 +376,143 @@ export class CertificateHandler {
       await dcRouter.certProvisionScheduler.clearBackoff(domain);
     }
 
-    // Clear status map entry so it gets refreshed
+    // Find routes matching this domain — fail early if none exist
+    const routeNames = dcRouter.findRouteNamesForDomain(domain);
+    if (routeNames.length === 0) {
+      return { success: false, message: `No routes found for domain '${domain}'` };
+    }
+
+    // If forceRenew, order a fresh cert from ACME now so it's already in
+    // AcmeCertDoc by the time certProvisionFunction is invoked below.
+    //
+    // includeWildcard: when forcing a non-wildcard subdomain renewal, we still
+    // want the wildcard SAN in the order so the new cert keeps covering every
+    // sibling. Without this, smartacme defaults to includeWildcard: false and
+    // the re-issued cert would have only the base domain as SAN, breaking every
+    // sibling subdomain that was previously covered by the same wildcard cert.
+    if (forceRenew && dcRouter.smartAcme) {
+      let newCert: plugins.smartacme.Cert;
+      try {
+        newCert = await dcRouter.smartAcme.getCertificateForDomain(domain, {
+          forceRenew: true,
+          includeWildcard: !domain.startsWith('*.'),
+        });
+      } catch (err: unknown) {
+        return { success: false, message: `Failed to renew certificate for ${domain}: ${(err as Error).message}` };
+      }
+
+      // Propagate the freshly-issued cert PEM to every sibling route domain that
+      // shares the same cert identity. Without this, the rust hot-swap (keyed by
+      // exact domain in `loaded_certs`) only fires for the clicked route via the
+      // fire-and-forget cert provisioning path, leaving siblings serving the
+      // stale in-memory cert until the next background reload completes.
+      try {
+        await this.propagateCertToSiblings(domain, newCert);
+      } catch (err: unknown) {
+        // Best-effort: failure here doesn't undo the cert issuance, just log.
+        logger.log('warn', `Failed to propagate force-renewed cert to siblings of ${domain}: ${(err as Error).message}`);
+      }
+    }
+
+    // Clear status map entry so it gets refreshed by the certificate-issued event
     dcRouter.certificateStatusMap.delete(domain);
 
-    // Try to provision via SmartAcme directly
-    if (dcRouter.smartAcme) {
-      try {
-        await dcRouter.smartAcme.getCertificateForDomain(domain);
-        return { success: true, message: `Certificate reprovisioning triggered for domain '${domain}'` };
-      } catch (err) {
-        return { success: false, message: err.message || `Failed to reprovision certificate for ${domain}` };
+    // Trigger the full route apply pipeline:
+    //   applyRoutes → updateRoutes → provisionCertificatesViaCallback →
+    //   certProvisionFunction(domain) → smartAcme.getCertificateForDomain →
+    //   bridge.loadCertificate → Rust hot-swaps `loaded_certs` →
+    //   certificate-issued event → certificateStatusMap updated
+    try {
+      if (dcRouter.routeConfigManager) {
+        await dcRouter.routeConfigManager.applyRoutes();
+      } else {
+        // Fallback when DB is disabled and there is no RouteConfigManager
+        await smartProxy.updateRoutes(smartProxy.routeManager.getRoutes());
+      }
+      return { success: true, message: forceRenew ? `Certificate force-renewed for domain '${domain}'` : `Certificate reprovisioning triggered for domain '${domain}'` };
+    } catch (err: unknown) {
+      return { success: false, message: (err as Error).message || `Failed to reprovision certificate for ${domain}` };
+    }
+  }
+
+  /**
+   * After a force-renew, walk every route in the smartproxy that resolves to
+   * the same cert identity as `forcedDomain` and write the freshly-issued cert
+   * PEM into ProxyCertDoc for each. This guarantees that the next applyRoutes
+   * → provisionCertificatesViaCallback iteration will hot-swap every sibling's
+   * rust loaded_certs entry with the new (correct) PEM, rather than relying on
+   * the in-memory cert returned by smartacme's per-domain cache.
+   *
+   * Why this is necessary:
+   *   Rust's `loaded_certs` is a HashMap<domain, TlsCertConfig>. Each
+   *   bridge.loadCertificate(domain, ...) only swaps that one entry. The
+   *   fire-and-forget cert provisioning path triggered by updateRoutes does
+   *   eventually iterate every auto-cert route, but it returns the cached
+   *   (broken pre-fix) cert from smartacme's per-domain mutex. With this
+   *   helper, ProxyCertDoc is updated synchronously to the correct PEM before
+   *   applyRoutes runs, so even the transient window stays consistent.
+   */
+  private async propagateCertToSiblings(
+    forcedDomain: string,
+    newCert: plugins.smartacme.Cert,
+  ): Promise<void> {
+    const dcRouter = this.opsServerRef.dcRouterRef;
+    const smartProxy = dcRouter.smartProxy;
+    if (!smartProxy) return;
+
+    const certIdentity = deriveCertDomainName(forcedDomain);
+    if (!certIdentity) return;
+
+    // Collect every route domain whose cert identity matches.
+    const affected = new Set<string>();
+    for (const route of smartProxy.routeManager.getRoutes()) {
+      if (!route.match.domains) continue;
+      const routeDomains = Array.isArray(route.match.domains)
+        ? route.match.domains
+        : [route.match.domains];
+      for (const routeDomain of routeDomains) {
+        if (deriveCertDomainName(routeDomain) === certIdentity) {
+          affected.add(routeDomain);
+        }
       }
     }
 
-    // Fallback: try provisioning via the first matching route
-    const routeNames = dcRouter.findRouteNamesForDomain(domain);
-    if (routeNames.length > 0) {
+    if (affected.size === 0) return;
+
+    // Parse expiry from PEM (defense-in-depth — same pattern as
+    // ts/classes.dcrouter.ts:988-995 and the existing certStore.save callback).
+    let validUntil = newCert.validUntil;
+    let validFrom: number | undefined;
+    if (newCert.publicKey) {
       try {
-        await smartProxy.provisionCertificate(routeNames[0]);
-        return { success: true, message: `Certificate reprovisioning triggered for domain '${domain}' via route '${routeNames[0]}'` };
-      } catch (err) {
-        return { success: false, message: err.message || `Failed to reprovision certificate for ${domain}` };
-      }
+        const x509 = new plugins.crypto.X509Certificate(newCert.publicKey);
+        validUntil = new Date(x509.validTo).getTime();
+        validFrom = new Date(x509.validFrom).getTime();
+      } catch { /* fall back to smartacme's value */ }
     }
 
-    return { success: false, message: `No routes found for domain '${domain}'` };
+    // Persist new cert PEM under each affected route domain
+    for (const routeDomain of affected) {
+      let doc = await ProxyCertDoc.findByDomain(routeDomain);
+      if (!doc) {
+        doc = new ProxyCertDoc();
+        doc.domain = routeDomain;
+      }
+      doc.publicKey = newCert.publicKey;
+      doc.privateKey = newCert.privateKey;
+      doc.ca = '';
+      doc.validUntil = validUntil || 0;
+      doc.validFrom = validFrom || 0;
+      await doc.save();
+
+      // Clear status so the next event refresh shows the new cert
+      dcRouter.certificateStatusMap.delete(routeDomain);
+    }
+
+    logger.log(
+      'info',
+      `Propagated force-renewed cert for ${forcedDomain} (cert identity '${certIdentity}') to ${affected.size} sibling route domain(s): ${[...affected].join(', ')}`,
+    );
   }
 
   /**
@@ -365,19 +521,21 @@ export class CertificateHandler {
   private async deleteCertificate(domain: string): Promise<{ success: boolean; message?: string }> {
     const dcRouter = this.opsServerRef.dcRouterRef;
     const cleanDomain = domain.replace(/^\*\.?/, '');
+    const parts = cleanDomain.split('.');
+    const baseDomain = parts.length > 2 ? parts.slice(-2).join('.') : cleanDomain;
 
-    // Delete from all known storage paths
-    const paths = [
-      `/proxy-certs/${domain}`,
-      `/proxy-certs/${cleanDomain}`,
-      `/certs/${cleanDomain}`,
-    ];
+    // Delete from smartdata document classes (try base domain first, then exact)
+    const acmeDoc = await AcmeCertDoc.findByDomain(baseDomain)
+      || (baseDomain !== cleanDomain ? await AcmeCertDoc.findByDomain(cleanDomain) : null);
+    if (acmeDoc) {
+      await acmeDoc.delete();
+    }
 
-    for (const path of paths) {
-      try {
-        await dcRouter.storageManager.delete(path);
-      } catch {
-        // Path may not exist — ignore
+    // Try both original domain and clean domain for proxy certs
+    for (const d of [domain, cleanDomain]) {
+      const proxyDoc = await ProxyCertDoc.findByDomain(d);
+      if (proxyDoc) {
+        await proxyDoc.delete();
       }
     }
 
@@ -408,43 +566,41 @@ export class CertificateHandler {
     };
     message?: string;
   }> {
-    const dcRouter = this.opsServerRef.dcRouterRef;
     const cleanDomain = domain.replace(/^\*\.?/, '');
 
-    // Try SmartAcme /certs/ path first (has full ICert fields)
-    let certData = await dcRouter.storageManager.getJSON(`/certs/${cleanDomain}`);
-    if (certData && certData.publicKey && certData.privateKey) {
+    // Try AcmeCertDoc first (has full ICert fields)
+    const acmeDoc = await AcmeCertDoc.findByDomain(cleanDomain);
+    if (acmeDoc && acmeDoc.publicKey && acmeDoc.privateKey) {
       return {
         success: true,
         cert: {
-          id: certData.id || plugins.crypto.randomUUID(),
-          domainName: certData.domainName || domain,
-          created: certData.created || Date.now(),
-          validUntil: certData.validUntil || 0,
-          privateKey: certData.privateKey,
-          publicKey: certData.publicKey,
-          csr: certData.csr || '',
+          id: acmeDoc.id || plugins.crypto.randomUUID(),
+          domainName: acmeDoc.domainName || domain,
+          created: acmeDoc.created || Date.now(),
+          validUntil: acmeDoc.validUntil || 0,
+          privateKey: acmeDoc.privateKey,
+          publicKey: acmeDoc.publicKey,
+          csr: acmeDoc.csr || '',
         },
       };
     }
 
-    // Fallback: try /proxy-certs/ with original domain
-    certData = await dcRouter.storageManager.getJSON(`/proxy-certs/${domain}`);
-    if (!certData || !certData.publicKey) {
-      // Try with clean domain
-      certData = await dcRouter.storageManager.getJSON(`/proxy-certs/${cleanDomain}`);
+    // Fallback: try ProxyCertDoc with original domain, then clean domain
+    let proxyDoc = await ProxyCertDoc.findByDomain(domain);
+    if (!proxyDoc || !proxyDoc.publicKey) {
+      proxyDoc = await ProxyCertDoc.findByDomain(cleanDomain);
     }
 
-    if (certData && certData.publicKey && certData.privateKey) {
+    if (proxyDoc && proxyDoc.publicKey && proxyDoc.privateKey) {
       return {
         success: true,
         cert: {
           id: plugins.crypto.randomUUID(),
           domainName: domain,
-          created: certData.validFrom || Date.now(),
-          validUntil: certData.validUntil || 0,
-          privateKey: certData.privateKey,
-          publicKey: certData.publicKey,
+          created: proxyDoc.validFrom || Date.now(),
+          validUntil: proxyDoc.validUntil || 0,
+          privateKey: proxyDoc.privateKey,
+          publicKey: proxyDoc.publicKey,
           csr: '',
         },
       };
@@ -476,26 +632,32 @@ export class CertificateHandler {
     const dcRouter = this.opsServerRef.dcRouterRef;
     const cleanDomain = cert.domainName.replace(/^\*\.?/, '');
 
-    // Save to /certs/ (SmartAcme-compatible path)
-    await dcRouter.storageManager.setJSON(`/certs/${cleanDomain}`, {
-      id: cert.id,
-      domainName: cert.domainName,
-      created: cert.created,
-      validUntil: cert.validUntil,
-      privateKey: cert.privateKey,
-      publicKey: cert.publicKey,
-      csr: cert.csr || '',
-    });
+    // Save to AcmeCertDoc (SmartAcme-compatible)
+    let acmeDoc = await AcmeCertDoc.findByDomain(cleanDomain);
+    if (!acmeDoc) {
+      acmeDoc = new AcmeCertDoc();
+      acmeDoc.domainName = cleanDomain;
+    }
+    acmeDoc.id = cert.id;
+    acmeDoc.created = cert.created;
+    acmeDoc.validUntil = cert.validUntil;
+    acmeDoc.privateKey = cert.privateKey;
+    acmeDoc.publicKey = cert.publicKey;
+    acmeDoc.csr = cert.csr || '';
+    await acmeDoc.save();
 
-    // Also save to /proxy-certs/ (proxy-cert format)
-    await dcRouter.storageManager.setJSON(`/proxy-certs/${cert.domainName}`, {
-      domain: cert.domainName,
-      publicKey: cert.publicKey,
-      privateKey: cert.privateKey,
-      ca: undefined,
-      validUntil: cert.validUntil,
-      validFrom: cert.created,
-    });
+    // Also save to ProxyCertDoc (proxy-cert format)
+    let proxyDoc = await ProxyCertDoc.findByDomain(cert.domainName);
+    if (!proxyDoc) {
+      proxyDoc = new ProxyCertDoc();
+      proxyDoc.domain = cert.domainName;
+    }
+    proxyDoc.publicKey = cert.publicKey;
+    proxyDoc.privateKey = cert.privateKey;
+    proxyDoc.ca = '';
+    proxyDoc.validUntil = cert.validUntil;
+    proxyDoc.validFrom = cert.created;
+    await proxyDoc.save();
 
     // Update in-memory status map
     dcRouter.certificateStatusMap.set(cert.domainName, {

ts/opsserver/handlers/config.handler.ts

@@ -33,11 +33,9 @@ export class ConfigHandler {
     const resolvedPaths = dcRouter.resolvedPaths;
 
     // --- System ---
-    const storageBackend: 'filesystem' | 'custom' | 'memory' = opts.storage?.readFunction
+    const storageBackend: 'filesystem' | 'custom' | 'memory' = opts.dbConfig?.mongoDbUrl
       ? 'custom'
-      : opts.storage?.fsPath
-        ? 'filesystem'
-        : 'memory';
+      : 'filesystem';
 
     // Resolve proxy IPs: fall back to SmartProxy's runtime proxyIPs if not in opts
     let proxyIps = opts.proxyIps || [];
@@ -55,7 +53,7 @@ export class ConfigHandler {
       proxyIps,
       uptime: Math.floor(process.uptime()),
       storageBackend,
-      storagePath: opts.storage?.fsPath || null,
+      storagePath: opts.dbConfig?.storagePath || resolvedPaths.defaultTsmDbPath,
     };
 
     // --- SmartProxy ---
@@ -125,6 +123,15 @@ export class ConfigHandler {
       ttl: r.ttl,
     }));
 
+    // dnsChallenge: true when at least one DnsProviderDoc exists in the DB
+    // (replaces the legacy `dnsChallenge.cloudflareApiKey` constructor field).
+    let dnsChallengeEnabled = false;
+    try {
+      dnsChallengeEnabled = (await dcRouter.dnsManager?.hasAnyManagedDomain()) ?? false;
+    } catch {
+      dnsChallengeEnabled = false;
+    }
+
     const dns: interfaces.requests.IConfigData['dns'] = {
       enabled: !!dcRouter.dnsServer,
       port: 53,
@@ -132,7 +139,7 @@ export class ConfigHandler {
       scopes: opts.dnsScopes || [],
       recordCount: dnsRecords.length,
       records: dnsRecords,
-      dnsChallenge: !!opts.dnsChallenge?.cloudflareApiKey,
+      dnsChallenge: dnsChallengeEnabled,
     };
 
     // --- TLS ---
@@ -151,15 +158,15 @@ export class ConfigHandler {
       keyPath: opts.tls?.keyPath || null,
     };
 
-    // --- Cache ---
-    const cacheConfig = opts.cacheConfig;
+    // --- Database ---
+    const dbConfig = opts.dbConfig;
     const cache: interfaces.requests.IConfigData['cache'] = {
-      enabled: cacheConfig?.enabled !== false,
-      storagePath: cacheConfig?.storagePath || resolvedPaths.defaultTsmDbPath,
-      dbName: cacheConfig?.dbName || 'dcrouter',
-      defaultTTLDays: cacheConfig?.defaultTTLDays || 30,
-      cleanupIntervalHours: cacheConfig?.cleanupIntervalHours || 1,
-      ttlConfig: cacheConfig?.ttlConfig ? { ...cacheConfig.ttlConfig } as Record<string, number> : {},
+      enabled: dbConfig?.enabled !== false,
+      storagePath: dbConfig?.storagePath || resolvedPaths.defaultTsmDbPath,
+      dbName: dbConfig?.dbName || 'dcrouter',
+      defaultTTLDays: 30,
+      cleanupIntervalHours: dbConfig?.cleanupIntervalHours || 1,
+      ttlConfig: {},
     };
 
     // --- RADIUS ---
@@ -185,7 +192,8 @@ export class ConfigHandler {
       tlsMode = 'custom';
     } else if (riCfg?.hubDomain) {
       try {
-        const stored = await dcRouter.storageManager.getJSON(`/proxy-certs/${riCfg.hubDomain}`);
+        const { ProxyCertDoc } = await import('../../db/index.js');
+        const stored = await ProxyCertDoc.findByDomain(riCfg.hubDomain);
         if (stored?.publicKey && stored?.privateKey) {
           tlsMode = 'acme';
         }

ts/opsserver/handlers/dns-provider.handler.ts

@@ -0,0 +1,197 @@
+import * as plugins from '../../plugins.js';
+import type { OpsServer } from '../classes.opsserver.js';
+import * as interfaces from '../../../ts_interfaces/index.js';
+
+/**
+ * CRUD + connection-test handlers for DnsProviderDoc.
+ *
+ * Auth: same dual-mode pattern as TargetProfileHandler — admin JWT or
+ * API token with the appropriate `dns-providers:read|write` scope.
+ */
+export class DnsProviderHandler {
+  public typedrouter = new plugins.typedrequest.TypedRouter();
+
+  constructor(private opsServerRef: OpsServer) {
+    this.opsServerRef.typedrouter.addTypedRouter(this.typedrouter);
+    this.registerHandlers();
+  }
+
+  private async requireAuth(
+    request: { identity?: interfaces.data.IIdentity; apiToken?: string },
+    requiredScope?: interfaces.data.TApiTokenScope,
+  ): Promise<string> {
+    if (request.identity?.jwt) {
+      try {
+        const isAdmin = await this.opsServerRef.adminHandler.adminIdentityGuard.exec({
+          identity: request.identity,
+        });
+        if (isAdmin) return request.identity.userId;
+      } catch { /* fall through */ }
+    }
+
+    if (request.apiToken) {
+      const tokenManager = this.opsServerRef.dcRouterRef.apiTokenManager;
+      if (tokenManager) {
+        const token = await tokenManager.validateToken(request.apiToken);
+        if (token) {
+          if (!requiredScope || tokenManager.hasScope(token, requiredScope)) {
+            return token.createdBy;
+          }
+          throw new plugins.typedrequest.TypedResponseError('insufficient scope');
+        }
+      }
+    }
+
+    throw new plugins.typedrequest.TypedResponseError('unauthorized');
+  }
+
+  private registerHandlers(): void {
+    // Get all providers — prepends the built-in DcRouter pseudo-provider
+    // so operators see a uniform "who serves this?" list that includes the
+    // authoritative dcrouter alongside external accounts.
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetDnsProviders>(
+        'getDnsProviders',
+        async (dataArg) => {
+          await this.requireAuth(dataArg, 'dns-providers:read');
+          const dnsManager = this.opsServerRef.dcRouterRef.dnsManager;
+          const synthetic: interfaces.data.IDnsProviderPublic = {
+            id: interfaces.data.DCROUTER_BUILTIN_PROVIDER_ID,
+            name: 'DcRouter',
+            type: 'dcrouter',
+            status: 'ok',
+            createdAt: 0,
+            updatedAt: 0,
+            createdBy: 'system',
+            hasCredentials: false,
+            builtIn: true,
+          };
+          const real = dnsManager ? await dnsManager.listProviders() : [];
+          return { providers: [synthetic, ...real] };
+        },
+      ),
+    );
+
+    // Get single provider
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetDnsProvider>(
+        'getDnsProvider',
+        async (dataArg) => {
+          await this.requireAuth(dataArg, 'dns-providers:read');
+          const dnsManager = this.opsServerRef.dcRouterRef.dnsManager;
+          if (!dnsManager) return { provider: null };
+          return { provider: await dnsManager.getProvider(dataArg.id) };
+        },
+      ),
+    );
+
+    // Create provider
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_CreateDnsProvider>(
+        'createDnsProvider',
+        async (dataArg) => {
+          const userId = await this.requireAuth(dataArg, 'dns-providers:write');
+          if (dataArg.type === 'dcrouter') {
+            return {
+              success: false,
+              message: 'cannot create built-in provider',
+            };
+          }
+          const dnsManager = this.opsServerRef.dcRouterRef.dnsManager;
+          if (!dnsManager) {
+            return { success: false, message: 'DnsManager not initialized (DB disabled?)' };
+          }
+          const id = await dnsManager.createProvider({
+            name: dataArg.name,
+            type: dataArg.type,
+            credentials: dataArg.credentials,
+            createdBy: userId,
+          });
+          return { success: true, id };
+        },
+      ),
+    );
+
+    // Update provider
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_UpdateDnsProvider>(
+        'updateDnsProvider',
+        async (dataArg) => {
+          await this.requireAuth(dataArg, 'dns-providers:write');
+          if (dataArg.id === interfaces.data.DCROUTER_BUILTIN_PROVIDER_ID) {
+            return { success: false, message: 'cannot edit built-in provider' };
+          }
+          const dnsManager = this.opsServerRef.dcRouterRef.dnsManager;
+          if (!dnsManager) return { success: false, message: 'DnsManager not initialized' };
+          const ok = await dnsManager.updateProvider(dataArg.id, {
+            name: dataArg.name,
+            credentials: dataArg.credentials,
+          });
+          return ok ? { success: true } : { success: false, message: 'Provider not found' };
+        },
+      ),
+    );
+
+    // Delete provider
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_DeleteDnsProvider>(
+        'deleteDnsProvider',
+        async (dataArg) => {
+          await this.requireAuth(dataArg, 'dns-providers:write');
+          if (dataArg.id === interfaces.data.DCROUTER_BUILTIN_PROVIDER_ID) {
+            return { success: false, message: 'cannot delete built-in provider' };
+          }
+          const dnsManager = this.opsServerRef.dcRouterRef.dnsManager;
+          if (!dnsManager) return { success: false, message: 'DnsManager not initialized' };
+          return await dnsManager.deleteProvider(dataArg.id, dataArg.force ?? false);
+        },
+      ),
+    );
+
+    // Test provider connection
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_TestDnsProvider>(
+        'testDnsProvider',
+        async (dataArg) => {
+          await this.requireAuth(dataArg, 'dns-providers:read');
+          if (dataArg.id === interfaces.data.DCROUTER_BUILTIN_PROVIDER_ID) {
+            return {
+              ok: false,
+              error: 'built-in provider has no external connection to test',
+              testedAt: Date.now(),
+            };
+          }
+          const dnsManager = this.opsServerRef.dcRouterRef.dnsManager;
+          if (!dnsManager) {
+            return { ok: false, error: 'DnsManager not initialized', testedAt: Date.now() };
+          }
+          return await dnsManager.testProvider(dataArg.id);
+        },
+      ),
+    );
+
+    // List domains visible to a provider's account (without importing them)
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_ListProviderDomains>(
+        'listProviderDomains',
+        async (dataArg) => {
+          await this.requireAuth(dataArg, 'dns-providers:read');
+          if (dataArg.providerId === interfaces.data.DCROUTER_BUILTIN_PROVIDER_ID) {
+            return {
+              success: false,
+              message: 'built-in provider has no external domain listing — use "Add DcRouter Domain" instead',
+            };
+          }
+          const dnsManager = this.opsServerRef.dcRouterRef.dnsManager;
+          if (!dnsManager) return { success: false, message: 'DnsManager not initialized' };
+          try {
+            const domains = await dnsManager.listProviderDomains(dataArg.providerId);
+            return { success: true, domains };
+          } catch (err: unknown) {
+            return { success: false, message: (err as Error).message };
+          }
+        },
+      ),
+    );
+  }
+}

ts/opsserver/handlers/dns-record.handler.ts

@@ -0,0 +1,127 @@
+import * as plugins from '../../plugins.js';
+import type { OpsServer } from '../classes.opsserver.js';
+import * as interfaces from '../../../ts_interfaces/index.js';
+
+/**
+ * CRUD handlers for DnsRecordDoc.
+ */
+export class DnsRecordHandler {
+  public typedrouter = new plugins.typedrequest.TypedRouter();
+
+  constructor(private opsServerRef: OpsServer) {
+    this.opsServerRef.typedrouter.addTypedRouter(this.typedrouter);
+    this.registerHandlers();
+  }
+
+  private async requireAuth(
+    request: { identity?: interfaces.data.IIdentity; apiToken?: string },
+    requiredScope?: interfaces.data.TApiTokenScope,
+  ): Promise<string> {
+    if (request.identity?.jwt) {
+      try {
+        const isAdmin = await this.opsServerRef.adminHandler.adminIdentityGuard.exec({
+          identity: request.identity,
+        });
+        if (isAdmin) return request.identity.userId;
+      } catch { /* fall through */ }
+    }
+
+    if (request.apiToken) {
+      const tokenManager = this.opsServerRef.dcRouterRef.apiTokenManager;
+      if (tokenManager) {
+        const token = await tokenManager.validateToken(request.apiToken);
+        if (token) {
+          if (!requiredScope || tokenManager.hasScope(token, requiredScope)) {
+            return token.createdBy;
+          }
+          throw new plugins.typedrequest.TypedResponseError('insufficient scope');
+        }
+      }
+    }
+
+    throw new plugins.typedrequest.TypedResponseError('unauthorized');
+  }
+
+  private registerHandlers(): void {
+    // Get records by domain
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetDnsRecords>(
+        'getDnsRecords',
+        async (dataArg) => {
+          await this.requireAuth(dataArg, 'dns-records:read');
+          const dnsManager = this.opsServerRef.dcRouterRef.dnsManager;
+          if (!dnsManager) return { records: [] };
+          const docs = await dnsManager.listRecordsForDomain(dataArg.domainId);
+          return { records: docs.map((d) => dnsManager.toPublicRecord(d)) };
+        },
+      ),
+    );
+
+    // Get single record
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetDnsRecord>(
+        'getDnsRecord',
+        async (dataArg) => {
+          await this.requireAuth(dataArg, 'dns-records:read');
+          const dnsManager = this.opsServerRef.dcRouterRef.dnsManager;
+          if (!dnsManager) return { record: null };
+          const doc = await dnsManager.getRecord(dataArg.id);
+          return { record: doc ? dnsManager.toPublicRecord(doc) : null };
+        },
+      ),
+    );
+
+    // Create record
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_CreateDnsRecord>(
+        'createDnsRecord',
+        async (dataArg) => {
+          const userId = await this.requireAuth(dataArg, 'dns-records:write');
+          const dnsManager = this.opsServerRef.dcRouterRef.dnsManager;
+          if (!dnsManager) return { success: false, message: 'DnsManager not initialized' };
+          return await dnsManager.createRecord({
+            domainId: dataArg.domainId,
+            name: dataArg.name,
+            type: dataArg.type,
+            value: dataArg.value,
+            ttl: dataArg.ttl,
+            proxied: dataArg.proxied,
+            createdBy: userId,
+          });
+        },
+      ),
+    );
+
+    // Update record
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_UpdateDnsRecord>(
+        'updateDnsRecord',
+        async (dataArg) => {
+          await this.requireAuth(dataArg, 'dns-records:write');
+          const dnsManager = this.opsServerRef.dcRouterRef.dnsManager;
+          if (!dnsManager) return { success: false, message: 'DnsManager not initialized' };
+          return await dnsManager.updateRecord({
+            id: dataArg.id,
+            name: dataArg.name,
+            value: dataArg.value,
+            ttl: dataArg.ttl,
+            proxied: dataArg.proxied,
+          });
+        },
+      ),
+    );
+
+    // Delete record
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_DeleteDnsRecord>(
+        'deleteDnsRecord',
+        async (dataArg) => {
+          await this.requireAuth(dataArg, 'dns-records:write');
+          const dnsManager = this.opsServerRef.dcRouterRef.dnsManager;
+          if (!dnsManager) return { success: false, message: 'DnsManager not initialized' };
+          return await dnsManager.deleteRecord(dataArg.id);
+        },
+      ),
+    );
+  }
+}

ts/opsserver/handlers/domain.handler.ts

@@ -0,0 +1,179 @@
+import * as plugins from '../../plugins.js';
+import type { OpsServer } from '../classes.opsserver.js';
+import * as interfaces from '../../../ts_interfaces/index.js';
+
+/**
+ * CRUD handlers for DomainDoc.
+ */
+export class DomainHandler {
+  public typedrouter = new plugins.typedrequest.TypedRouter();
+
+  constructor(private opsServerRef: OpsServer) {
+    this.opsServerRef.typedrouter.addTypedRouter(this.typedrouter);
+    this.registerHandlers();
+  }
+
+  private async requireAuth(
+    request: { identity?: interfaces.data.IIdentity; apiToken?: string },
+    requiredScope?: interfaces.data.TApiTokenScope,
+  ): Promise<string> {
+    if (request.identity?.jwt) {
+      try {
+        const isAdmin = await this.opsServerRef.adminHandler.adminIdentityGuard.exec({
+          identity: request.identity,
+        });
+        if (isAdmin) return request.identity.userId;
+      } catch { /* fall through */ }
+    }
+
+    if (request.apiToken) {
+      const tokenManager = this.opsServerRef.dcRouterRef.apiTokenManager;
+      if (tokenManager) {
+        const token = await tokenManager.validateToken(request.apiToken);
+        if (token) {
+          if (!requiredScope || tokenManager.hasScope(token, requiredScope)) {
+            return token.createdBy;
+          }
+          throw new plugins.typedrequest.TypedResponseError('insufficient scope');
+        }
+      }
+    }
+
+    throw new plugins.typedrequest.TypedResponseError('unauthorized');
+  }
+
+  private registerHandlers(): void {
+    // Get all domains
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetDomains>(
+        'getDomains',
+        async (dataArg) => {
+          await this.requireAuth(dataArg, 'domains:read');
+          const dnsManager = this.opsServerRef.dcRouterRef.dnsManager;
+          if (!dnsManager) return { domains: [] };
+          const docs = await dnsManager.listDomains();
+          return { domains: docs.map((d) => dnsManager.toPublicDomain(d)) };
+        },
+      ),
+    );
+
+    // Get single domain
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetDomain>(
+        'getDomain',
+        async (dataArg) => {
+          await this.requireAuth(dataArg, 'domains:read');
+          const dnsManager = this.opsServerRef.dcRouterRef.dnsManager;
+          if (!dnsManager) return { domain: null };
+          const doc = await dnsManager.getDomain(dataArg.id);
+          return { domain: doc ? dnsManager.toPublicDomain(doc) : null };
+        },
+      ),
+    );
+
+    // Create dcrouter-hosted domain
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_CreateDomain>(
+        'createDomain',
+        async (dataArg) => {
+          const userId = await this.requireAuth(dataArg, 'domains:write');
+          const dnsManager = this.opsServerRef.dcRouterRef.dnsManager;
+          if (!dnsManager) return { success: false, message: 'DnsManager not initialized' };
+          try {
+            const id = await dnsManager.createDcrouterDomain({
+              name: dataArg.name,
+              description: dataArg.description,
+              createdBy: userId,
+            });
+            return { success: true, id };
+          } catch (err: unknown) {
+            return { success: false, message: (err as Error).message };
+          }
+        },
+      ),
+    );
+
+    // Import domains from a provider
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_ImportDomain>(
+        'importDomain',
+        async (dataArg) => {
+          const userId = await this.requireAuth(dataArg, 'domains:write');
+          const dnsManager = this.opsServerRef.dcRouterRef.dnsManager;
+          if (!dnsManager) return { success: false, message: 'DnsManager not initialized' };
+          try {
+            const importedIds = await dnsManager.importDomainsFromProvider({
+              providerId: dataArg.providerId,
+              domainNames: dataArg.domainNames,
+              createdBy: userId,
+            });
+            return { success: true, importedIds };
+          } catch (err: unknown) {
+            return { success: false, message: (err as Error).message };
+          }
+        },
+      ),
+    );
+
+    // Update domain metadata
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_UpdateDomain>(
+        'updateDomain',
+        async (dataArg) => {
+          await this.requireAuth(dataArg, 'domains:write');
+          const dnsManager = this.opsServerRef.dcRouterRef.dnsManager;
+          if (!dnsManager) return { success: false, message: 'DnsManager not initialized' };
+          const ok = await dnsManager.updateDomain(dataArg.id, {
+            description: dataArg.description,
+          });
+          return ok ? { success: true } : { success: false, message: 'Domain not found' };
+        },
+      ),
+    );
+
+    // Delete domain
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_DeleteDomain>(
+        'deleteDomain',
+        async (dataArg) => {
+          await this.requireAuth(dataArg, 'domains:write');
+          const dnsManager = this.opsServerRef.dcRouterRef.dnsManager;
+          if (!dnsManager) return { success: false, message: 'DnsManager not initialized' };
+          const ok = await dnsManager.deleteDomain(dataArg.id);
+          return ok ? { success: true } : { success: false, message: 'Domain not found' };
+        },
+      ),
+    );
+
+    // Force-resync provider domain
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_SyncDomain>(
+        'syncDomain',
+        async (dataArg) => {
+          await this.requireAuth(dataArg, 'domains:write');
+          const dnsManager = this.opsServerRef.dcRouterRef.dnsManager;
+          if (!dnsManager) return { success: false, message: 'DnsManager not initialized' };
+          return await dnsManager.syncDomain(dataArg.id);
+        },
+      ),
+    );
+
+    // Migrate domain between dcrouter-hosted and provider-managed
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_MigrateDomain>(
+        'migrateDomain',
+        async (dataArg) => {
+          await this.requireAuth(dataArg, 'domains:write');
+          const dnsManager = this.opsServerRef.dcRouterRef.dnsManager;
+          if (!dnsManager) return { success: false, message: 'DnsManager not initialized' };
+          return await dnsManager.migrateDomain({
+            id: dataArg.id,
+            targetSource: dataArg.targetSource,
+            targetProviderId: dataArg.targetProviderId,
+            deleteExistingProviderRecords: dataArg.deleteExistingProviderRecords,
+          });
+        },
+      ),
+    );
+  }
+}

ts/opsserver/handlers/email-domain.handler.ts

@@ -0,0 +1,195 @@
+import * as plugins from '../../plugins.js';
+import type { OpsServer } from '../classes.opsserver.js';
+import * as interfaces from '../../../ts_interfaces/index.js';
+
+/**
+ * CRUD + DNS provisioning handler for email domains.
+ *
+ * Auth: admin JWT or API token with `email-domains:read` / `email-domains:write` scope.
+ */
+export class EmailDomainHandler {
+  public typedrouter = new plugins.typedrequest.TypedRouter();
+
+  constructor(private opsServerRef: OpsServer) {
+    this.opsServerRef.typedrouter.addTypedRouter(this.typedrouter);
+    this.registerHandlers();
+  }
+
+  private async requireAuth(
+    request: { identity?: interfaces.data.IIdentity; apiToken?: string },
+    requiredScope?: interfaces.data.TApiTokenScope,
+  ): Promise<string> {
+    if (request.identity?.jwt) {
+      try {
+        const isAdmin = await this.opsServerRef.adminHandler.adminIdentityGuard.exec({
+          identity: request.identity,
+        });
+        if (isAdmin) return request.identity.userId;
+      } catch { /* fall through */ }
+    }
+
+    if (request.apiToken) {
+      const tokenManager = this.opsServerRef.dcRouterRef.apiTokenManager;
+      if (tokenManager) {
+        const token = await tokenManager.validateToken(request.apiToken);
+        if (token) {
+          if (!requiredScope || tokenManager.hasScope(token, requiredScope)) {
+            return token.createdBy;
+          }
+          throw new plugins.typedrequest.TypedResponseError('insufficient scope');
+        }
+      }
+    }
+
+    throw new plugins.typedrequest.TypedResponseError('unauthorized');
+  }
+
+  private get manager() {
+    return this.opsServerRef.dcRouterRef.emailDomainManager;
+  }
+
+  private registerHandlers(): void {
+    // List all email domains
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetEmailDomains>(
+        'getEmailDomains',
+        async (dataArg) => {
+          await this.requireAuth(dataArg, 'email-domains:read' as any);
+          if (!this.manager) return { domains: [] };
+          return { domains: await this.manager.getAll() };
+        },
+      ),
+    );
+
+    // Get single email domain
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetEmailDomain>(
+        'getEmailDomain',
+        async (dataArg) => {
+          await this.requireAuth(dataArg, 'email-domains:read' as any);
+          if (!this.manager) return { domain: null };
+          return { domain: await this.manager.getById(dataArg.id) };
+        },
+      ),
+    );
+
+    // Create email domain
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_CreateEmailDomain>(
+        'createEmailDomain',
+        async (dataArg) => {
+          await this.requireAuth(dataArg, 'email-domains:write' as any);
+          if (!this.manager) {
+            return { success: false, message: 'EmailDomainManager not initialized' };
+          }
+          try {
+            const domain = await this.manager.createEmailDomain({
+              linkedDomainId: dataArg.linkedDomainId,
+              subdomain: dataArg.subdomain,
+              dkimSelector: dataArg.dkimSelector,
+              dkimKeySize: dataArg.dkimKeySize,
+              rotateKeys: dataArg.rotateKeys,
+              rotationIntervalDays: dataArg.rotationIntervalDays,
+            });
+            return { success: true, domain };
+          } catch (err: unknown) {
+            return { success: false, message: (err as Error).message };
+          }
+        },
+      ),
+    );
+
+    // Update email domain
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_UpdateEmailDomain>(
+        'updateEmailDomain',
+        async (dataArg) => {
+          await this.requireAuth(dataArg, 'email-domains:write' as any);
+          if (!this.manager) {
+            return { success: false, message: 'EmailDomainManager not initialized' };
+          }
+          try {
+            await this.manager.updateEmailDomain(dataArg.id, {
+              rotateKeys: dataArg.rotateKeys,
+              rotationIntervalDays: dataArg.rotationIntervalDays,
+              rateLimits: dataArg.rateLimits,
+            });
+            return { success: true };
+          } catch (err: unknown) {
+            return { success: false, message: (err as Error).message };
+          }
+        },
+      ),
+    );
+
+    // Delete email domain
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_DeleteEmailDomain>(
+        'deleteEmailDomain',
+        async (dataArg) => {
+          await this.requireAuth(dataArg, 'email-domains:write' as any);
+          if (!this.manager) {
+            return { success: false, message: 'EmailDomainManager not initialized' };
+          }
+          try {
+            await this.manager.deleteEmailDomain(dataArg.id);
+            return { success: true };
+          } catch (err: unknown) {
+            return { success: false, message: (err as Error).message };
+          }
+        },
+      ),
+    );
+
+    // Validate DNS records
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_ValidateEmailDomain>(
+        'validateEmailDomain',
+        async (dataArg) => {
+          await this.requireAuth(dataArg, 'email-domains:read' as any);
+          if (!this.manager) {
+            return { success: false, message: 'EmailDomainManager not initialized' };
+          }
+          try {
+            const records = await this.manager.validateDns(dataArg.id);
+            const domain = await this.manager.getById(dataArg.id);
+            return { success: true, domain: domain ?? undefined, records };
+          } catch (err: unknown) {
+            return { success: false, message: (err as Error).message };
+          }
+        },
+      ),
+    );
+
+    // Get required DNS records
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetEmailDomainDnsRecords>(
+        'getEmailDomainDnsRecords',
+        async (dataArg) => {
+          await this.requireAuth(dataArg, 'email-domains:read' as any);
+          if (!this.manager) return { records: [] };
+          return { records: await this.manager.getRequiredDnsRecords(dataArg.id) };
+        },
+      ),
+    );
+
+    // Auto-provision DNS records
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_ProvisionEmailDomainDns>(
+        'provisionEmailDomainDns',
+        async (dataArg) => {
+          await this.requireAuth(dataArg, 'email-domains:write' as any);
+          if (!this.manager) {
+            return { success: false, message: 'EmailDomainManager not initialized' };
+          }
+          try {
+            const provisioned = await this.manager.provisionDnsRecords(dataArg.id);
+            return { success: true, provisioned };
+          } catch (err: unknown) {
+            return { success: false, message: (err as Error).message };
+          }
+        },
+      ),
+    );
+  }
+}

ts/opsserver/handlers/email-ops.handler.ts

@@ -48,7 +48,7 @@ export class EmailOpsHandler {
           }
 
           const queue = emailServer.deliveryQueue;
-          const item = queue.getItem(dataArg.emailId);
+          const item = emailServer.getQueueItem(dataArg.emailId);
 
           if (!item) {
             return { success: false, error: 'Email not found in queue' };
@@ -82,22 +82,10 @@ export class EmailOpsHandler {
    */
   private getAllQueueEmails(): interfaces.requests.IEmail[] {
     const emailServer = this.opsServerRef.dcRouterRef.emailServer;
-    if (!emailServer?.deliveryQueue) {
+    if (!emailServer) {
       return [];
     }
-
-    const queue = emailServer.deliveryQueue;
-    const queueMap = (queue as any).queue as Map<string, any>;
-
-    if (!queueMap) {
-      return [];
-    }
-
-    const emails: interfaces.requests.IEmail[] = [];
-
-    for (const [id, item] of queueMap.entries()) {
-      emails.push(this.mapQueueItemToEmail(item));
-    }
+    const emails = emailServer.getQueueItems().map((item) => this.mapQueueItemToEmail(item));
 
     // Sort by createdAt descending (newest first)
     emails.sort((a, b) => new Date(b.timestamp).getTime() - new Date(a.timestamp).getTime());
@@ -110,12 +98,10 @@ export class EmailOpsHandler {
    */
   private getEmailDetail(emailId: string): interfaces.requests.IEmailDetail | null {
     const emailServer = this.opsServerRef.dcRouterRef.emailServer;
-    if (!emailServer?.deliveryQueue) {
+    if (!emailServer) {
       return null;
     }
-
-    const queue = emailServer.deliveryQueue;
-    const item = queue.getItem(emailId);
+    const item = emailServer.getQueueItem(emailId);
 
     if (!item) {
       return null;

ts/opsserver/handlers/index.ts

@@ -8,4 +8,14 @@ export * from './email-ops.handler.js';
 export * from './certificate.handler.js';
 export * from './remoteingress.handler.js';
 export * from './route-management.handler.js';
-export * from './api-token.handler.js';
+export * from './api-token.handler.js';
+export * from './vpn.handler.js';
+export * from './source-profile.handler.js';
+export * from './target-profile.handler.js';
+export * from './network-target.handler.js';
+export * from './users.handler.js';
+export * from './dns-provider.handler.js';
+export * from './domain.handler.js';
+export * from './dns-record.handler.js';
+export * from './acme-config.handler.js';
+export * from './email-domain.handler.js';

ts/opsserver/handlers/logs.handler.ts

@@ -255,7 +255,7 @@ export class LogsHandler {
   } {
     let intervalId: NodeJS.Timeout | null = null;
     let stopped = false;
-    let logIndex = 0;
+    let lastTimestamp = Date.now();
 
     const stop = () => {
       stopped = true;
@@ -284,53 +284,65 @@ export class LogsHandler {
         return;
       }
 
-      // For follow mode, simulate real-time log streaming
+      // For follow mode, tail real log entries from the in-memory buffer
       intervalId = setInterval(async () => {
         if (stopped) {
-          // Guard: clear interval if stop() was called between ticks
           clearInterval(intervalId!);
           intervalId = null;
           return;
         }
 
-        const categories: Array<'smtp' | 'dns' | 'security' | 'system' | 'email'> = ['smtp', 'dns', 'security', 'system', 'email'];
-        const levels: Array<'debug' | 'info' | 'warn' | 'error'> = ['info', 'warn', 'error', 'debug'];
+        // Fetch new entries since last poll
+        const rawEntries = logBuffer.getEntries({
+          since: lastTimestamp,
+          limit: 50,
+        });
 
-        const mockCategory = categories[Math.floor(Math.random() * categories.length)];
-        const mockLevel = levels[Math.floor(Math.random() * levels.length)];
+        if (rawEntries.length === 0) return;
 
-        // Filter by requested criteria
-        if (levelFilter && !levelFilter.includes(mockLevel)) return;
-        if (categoryFilter && !categoryFilter.includes(mockCategory)) return;
+        for (const raw of rawEntries) {
+          const mappedLevel = LogsHandler.mapLogLevel(raw.level);
+          const mappedCategory = LogsHandler.deriveCategory(
+            (raw as any).context?.zone,
+            raw.message,
+          );
 
-        const logEntry = {
-          timestamp: Date.now(),
-          level: mockLevel,
-          category: mockCategory,
-          message: `Real-time log ${logIndex++} from ${mockCategory}`,
-          metadata: {
-            requestId: plugins.uuid.v4(),
-          },
-        };
+          // Apply filters
+          if (levelFilter && !levelFilter.includes(mappedLevel)) continue;
+          if (categoryFilter && !categoryFilter.includes(mappedCategory)) continue;
 
-        const logData = JSON.stringify(logEntry);
-        const encoder = new TextEncoder();
-        try {
-          // Use a timeout to detect hung streams (sendData can hang if the
-          // VirtualStream's keepAlive loop has ended)
-          let timeoutHandle: ReturnType<typeof setTimeout>;
-          await Promise.race([
-            virtualStream.sendData(encoder.encode(logData)).then((result) => {
-              clearTimeout(timeoutHandle);
-              return result;
-            }),
-            new Promise<never>((_, reject) => {
-              timeoutHandle = setTimeout(() => reject(new Error('stream send timeout')), 10_000);
-            }),
-          ]);
-        } catch {
-          // Stream closed, errored, or timed out — clean up
-          stop();
+          const logEntry = {
+            timestamp: raw.timestamp || Date.now(),
+            level: mappedLevel,
+            category: mappedCategory,
+            message: raw.message,
+            metadata: (raw as any).data,
+          };
+
+          const logData = JSON.stringify(logEntry);
+          const encoder = new TextEncoder();
+          try {
+            let timeoutHandle: ReturnType<typeof setTimeout>;
+            await Promise.race([
+              virtualStream.sendData(encoder.encode(logData)).then((result) => {
+                clearTimeout(timeoutHandle);
+                return result;
+              }),
+              new Promise<never>((_, reject) => {
+                timeoutHandle = setTimeout(() => reject(new Error('stream send timeout')), 10_000);
+              }),
+            ]);
+          } catch {
+            // Stream closed, errored, or timed out — clean up
+            stop();
+            return;
+          }
+        }
+
+        // Advance the watermark past all entries we just processed
+        const newest = rawEntries[rawEntries.length - 1];
+        if (newest.timestamp && newest.timestamp >= lastTimestamp) {
+          lastTimestamp = newest.timestamp + 1;
         }
       }, 2000);
     };

ts/opsserver/handlers/network-target.handler.ts

@@ -0,0 +1,167 @@
+import * as plugins from '../../plugins.js';
+import type { OpsServer } from '../classes.opsserver.js';
+import * as interfaces from '../../../ts_interfaces/index.js';
+
+export class NetworkTargetHandler {
+  public typedrouter = new plugins.typedrequest.TypedRouter();
+
+  constructor(private opsServerRef: OpsServer) {
+    this.opsServerRef.typedrouter.addTypedRouter(this.typedrouter);
+    this.registerHandlers();
+  }
+
+  private async requireAuth(
+    request: { identity?: interfaces.data.IIdentity; apiToken?: string },
+    requiredScope?: interfaces.data.TApiTokenScope,
+  ): Promise<string> {
+    if (request.identity?.jwt) {
+      try {
+        const isAdmin = await this.opsServerRef.adminHandler.adminIdentityGuard.exec({
+          identity: request.identity,
+        });
+        if (isAdmin) return request.identity.userId;
+      } catch { /* fall through */ }
+    }
+
+    if (request.apiToken) {
+      const tokenManager = this.opsServerRef.dcRouterRef.apiTokenManager;
+      if (tokenManager) {
+        const token = await tokenManager.validateToken(request.apiToken);
+        if (token) {
+          if (!requiredScope || tokenManager.hasScope(token, requiredScope)) {
+            return token.createdBy;
+          }
+          throw new plugins.typedrequest.TypedResponseError('insufficient scope');
+        }
+      }
+    }
+
+    throw new plugins.typedrequest.TypedResponseError('unauthorized');
+  }
+
+  private registerHandlers(): void {
+    // Get all network targets
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetNetworkTargets>(
+        'getNetworkTargets',
+        async (dataArg) => {
+          await this.requireAuth(dataArg, 'targets:read');
+          const resolver = this.opsServerRef.dcRouterRef.referenceResolver;
+          if (!resolver) {
+            return { targets: [] };
+          }
+          return { targets: resolver.listTargets() };
+        },
+      ),
+    );
+
+    // Get a single network target
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetNetworkTarget>(
+        'getNetworkTarget',
+        async (dataArg) => {
+          await this.requireAuth(dataArg, 'targets:read');
+          const resolver = this.opsServerRef.dcRouterRef.referenceResolver;
+          if (!resolver) {
+            return { target: null };
+          }
+          return { target: resolver.getTarget(dataArg.id) || null };
+        },
+      ),
+    );
+
+    // Create a network target
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_CreateNetworkTarget>(
+        'createNetworkTarget',
+        async (dataArg) => {
+          const userId = await this.requireAuth(dataArg, 'targets:write');
+          const resolver = this.opsServerRef.dcRouterRef.referenceResolver;
+          if (!resolver) {
+            return { success: false, message: 'Reference resolver not initialized' };
+          }
+          const id = await resolver.createTarget({
+            name: dataArg.name,
+            description: dataArg.description,
+            host: dataArg.host,
+            port: dataArg.port,
+            createdBy: userId,
+          });
+          return { success: true, id };
+        },
+      ),
+    );
+
+    // Update a network target
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_UpdateNetworkTarget>(
+        'updateNetworkTarget',
+        async (dataArg) => {
+          await this.requireAuth(dataArg, 'targets:write');
+          const resolver = this.opsServerRef.dcRouterRef.referenceResolver;
+          const manager = this.opsServerRef.dcRouterRef.routeConfigManager;
+          if (!resolver || !manager) {
+            return { success: false, message: 'Not initialized' };
+          }
+
+          const { affectedRouteIds } = await resolver.updateTarget(dataArg.id, {
+            name: dataArg.name,
+            description: dataArg.description,
+            host: dataArg.host,
+            port: dataArg.port,
+          });
+
+          if (affectedRouteIds.length > 0) {
+            await manager.reResolveRoutes(affectedRouteIds);
+          }
+
+          return { success: true, affectedRouteCount: affectedRouteIds.length };
+        },
+      ),
+    );
+
+    // Delete a network target
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_DeleteNetworkTarget>(
+        'deleteNetworkTarget',
+        async (dataArg) => {
+          await this.requireAuth(dataArg, 'targets:write');
+          const resolver = this.opsServerRef.dcRouterRef.referenceResolver;
+          const manager = this.opsServerRef.dcRouterRef.routeConfigManager;
+          if (!resolver || !manager) {
+            return { success: false, message: 'Not initialized' };
+          }
+
+          const result = await resolver.deleteTarget(
+            dataArg.id,
+            dataArg.force ?? false,
+            manager.getRoutes(),
+          );
+
+          if (result.success && dataArg.force) {
+            await manager.applyRoutes();
+          }
+
+          return result;
+        },
+      ),
+    );
+
+    // Get routes using a network target
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetNetworkTargetUsage>(
+        'getNetworkTargetUsage',
+        async (dataArg) => {
+          await this.requireAuth(dataArg, 'targets:read');
+          const resolver = this.opsServerRef.dcRouterRef.referenceResolver;
+          const manager = this.opsServerRef.dcRouterRef.routeConfigManager;
+          if (!resolver || !manager) {
+            return { routes: [] };
+          }
+          const usage = resolver.getTargetUsageForId(dataArg.id, manager.getRoutes());
+          return { routes: usage.map((u) => ({ id: u.id, name: u.routeName })) };
+        },
+      ),
+    );
+  }
+}

ts/opsserver/handlers/radius.handler.ts

@@ -52,8 +52,8 @@ export class RadiusHandler {
           try {
             await radiusServer.addClient(dataArg.client);
             return { success: true };
-          } catch (error) {
-            return { success: false, message: error.message };
+          } catch (error: unknown) {
+            return { success: false, message: (error as Error).message };
           }
         }
       )
@@ -144,8 +144,8 @@ export class RadiusHandler {
                 updatedAt: mapping.updatedAt,
               },
             };
-          } catch (error) {
-            return { success: false, message: error.message };
+          } catch (error: unknown) {
+            return { success: false, message: (error as Error).message };
           }
         }
       )

ts/opsserver/handlers/route-management.handler.ts

@@ -71,8 +71,8 @@ export class RouteManagementHandler {
           if (!manager) {
             return { success: false, message: 'Route management not initialized' };
           }
-          const id = await manager.createRoute(dataArg.route, userId, dataArg.enabled ?? true);
-          return { success: true, storedRouteId: id };
+          const id = await manager.createRoute(dataArg.route, userId, dataArg.enabled ?? true, dataArg.metadata);
+          return { success: true, routeId: id };
         },
       ),
     );
@@ -87,11 +87,12 @@ export class RouteManagementHandler {
           if (!manager) {
             return { success: false, message: 'Route management not initialized' };
           }
-          const ok = await manager.updateRoute(dataArg.id, {
+          const result = await manager.updateRoute(dataArg.id, {
             route: dataArg.route as any,
             enabled: dataArg.enabled,
+            metadata: dataArg.metadata,
           });
-          return { success: ok, message: ok ? undefined : 'Route not found' };
+          return result;
         },
       ),
     );
@@ -106,45 +107,12 @@ export class RouteManagementHandler {
           if (!manager) {
             return { success: false, message: 'Route management not initialized' };
           }
-          const ok = await manager.deleteRoute(dataArg.id);
-          return { success: ok, message: ok ? undefined : 'Route not found' };
+          return manager.deleteRoute(dataArg.id);
         },
       ),
     );
 
-    // Set override on a hardcoded route
-    this.typedrouter.addTypedHandler(
-      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_SetRouteOverride>(
-        'setRouteOverride',
-        async (dataArg) => {
-          const userId = await this.requireAuth(dataArg, 'routes:write');
-          const manager = this.opsServerRef.dcRouterRef.routeConfigManager;
-          if (!manager) {
-            return { success: false, message: 'Route management not initialized' };
-          }
-          await manager.setOverride(dataArg.routeName, dataArg.enabled, userId);
-          return { success: true };
-        },
-      ),
-    );
-
-    // Remove override from a hardcoded route
-    this.typedrouter.addTypedHandler(
-      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_RemoveRouteOverride>(
-        'removeRouteOverride',
-        async (dataArg) => {
-          await this.requireAuth(dataArg, 'routes:write');
-          const manager = this.opsServerRef.dcRouterRef.routeConfigManager;
-          if (!manager) {
-            return { success: false, message: 'Route management not initialized' };
-          }
-          const ok = await manager.removeOverride(dataArg.routeName);
-          return { success: ok, message: ok ? undefined : 'Override not found' };
-        },
-      ),
-    );
-
-    // Toggle programmatic route
+    // Toggle route
     this.typedrouter.addTypedHandler(
       new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_ToggleRoute>(
         'toggleRoute',
@@ -154,8 +122,7 @@ export class RouteManagementHandler {
           if (!manager) {
             return { success: false, message: 'Route management not initialized' };
           }
-          const ok = await manager.toggleRoute(dataArg.id, dataArg.enabled);
-          return { success: ok, message: ok ? undefined : 'Route not found' };
+          return manager.toggleRoute(dataArg.id, dataArg.enabled);
         },
       ),
     );

ts/opsserver/handlers/security.handler.ts

@@ -51,8 +51,8 @@ export class SecurityHandler {
             startTime: conn.startTime,
             protocol: conn.type === 'http' ? 'https' : conn.type as any,
             state: conn.status as any,
-            bytesReceived: Math.floor(conn.bytesTransferred / 2),
-            bytesSent: Math.floor(conn.bytesTransferred / 2),
+            bytesReceived: (conn as any)._throughputIn || 0,
+            bytesSent: (conn as any)._throughputOut || 0,
           }));
           
           const summary = {
@@ -96,11 +96,14 @@ export class SecurityHandler {
               connectionsByIP: Array.from(networkStats.connectionsByIP.entries()).map(([ip, count]) => ({ ip, count })),
               throughputRate: networkStats.throughputRate,
               topIPs: networkStats.topIPs,
+              topIPsByBandwidth: networkStats.topIPsByBandwidth,
               totalDataTransferred: networkStats.totalDataTransferred,
               throughputHistory: networkStats.throughputHistory || [],
               throughputByIP,
+              domainActivity: networkStats.domainActivity || [],
               requestsPerSecond: networkStats.requestsPerSecond || 0,
               requestsTotal: networkStats.requestsTotal || 0,
+              backends: networkStats.backends || [],
             };
           }
 
@@ -109,11 +112,14 @@ export class SecurityHandler {
             connectionsByIP: [],
             throughputRate: { bytesInPerSecond: 0, bytesOutPerSecond: 0 },
             topIPs: [],
+            topIPsByBandwidth: [],
             totalDataTransferred: { bytesIn: 0, bytesOut: 0 },
             throughputHistory: [],
             throughputByIP: [],
+            domainActivity: [],
             requestsPerSecond: 0,
             requestsTotal: 0,
+            backends: [],
           };
         }
       )
@@ -249,31 +255,31 @@ export class SecurityHandler {
       const connectionInfo = await this.opsServerRef.dcRouterRef.metricsManager.getConnectionInfo();
       const networkStats = await this.opsServerRef.dcRouterRef.metricsManager.getNetworkStats();
       
-      // Use IP-based connection data from the new metrics API
+      // One aggregate row per IP with real throughput data
       if (networkStats.connectionsByIP && networkStats.connectionsByIP.size > 0) {
         let connIndex = 0;
         const publicIp = this.opsServerRef.dcRouterRef.options.publicIp || 'server';
-        
+
         for (const [ip, count] of networkStats.connectionsByIP) {
-          // Create a connection entry for each active IP connection
-          for (let i = 0; i < Math.min(count, 5); i++) { // Limit to 5 connections per IP for UI performance
-            connections.push({
-              id: `conn-${connIndex++}`,
-              type: 'http',
-              source: {
-                ip: ip,
-                port: Math.floor(Math.random() * 50000) + 10000, // High port range
-              },
-              destination: {
-                ip: publicIp,
-                port: 443,
-                service: 'proxy',
-              },
-              startTime: Date.now() - Math.floor(Math.random() * 3600000), // Within last hour
-              bytesTransferred: Math.floor(networkStats.totalDataTransferred.bytesIn / networkStats.connectionsByIP.size),
-              status: 'active',
-            });
-          }
+          const tp = networkStats.throughputByIP?.get(ip);
+          connections.push({
+            id: `ip-${connIndex++}`,
+            type: 'http',
+            source: {
+              ip: ip,
+              port: 0,
+            },
+            destination: {
+              ip: publicIp,
+              port: 443,
+              service: 'proxy',
+            },
+            startTime: 0,
+            bytesTransferred: count, // Store connection count here
+            status: 'active',
+            // Attach real throughput for the handler mapping
+            ...(tp ? { _throughputIn: tp.in, _throughputOut: tp.out } : {}),
+          } as any);
         }
       } else if (connectionInfo.length > 0) {
         // Fallback to route-based connection info if no IP data available

ts/opsserver/handlers/source-profile.handler.ts

@@ -0,0 +1,169 @@
+import * as plugins from '../../plugins.js';
+import type { OpsServer } from '../classes.opsserver.js';
+import * as interfaces from '../../../ts_interfaces/index.js';
+
+export class SourceProfileHandler {
+  public typedrouter = new plugins.typedrequest.TypedRouter();
+
+  constructor(private opsServerRef: OpsServer) {
+    this.opsServerRef.typedrouter.addTypedRouter(this.typedrouter);
+    this.registerHandlers();
+  }
+
+  private async requireAuth(
+    request: { identity?: interfaces.data.IIdentity; apiToken?: string },
+    requiredScope?: interfaces.data.TApiTokenScope,
+  ): Promise<string> {
+    if (request.identity?.jwt) {
+      try {
+        const isAdmin = await this.opsServerRef.adminHandler.adminIdentityGuard.exec({
+          identity: request.identity,
+        });
+        if (isAdmin) return request.identity.userId;
+      } catch { /* fall through */ }
+    }
+
+    if (request.apiToken) {
+      const tokenManager = this.opsServerRef.dcRouterRef.apiTokenManager;
+      if (tokenManager) {
+        const token = await tokenManager.validateToken(request.apiToken);
+        if (token) {
+          if (!requiredScope || tokenManager.hasScope(token, requiredScope)) {
+            return token.createdBy;
+          }
+          throw new plugins.typedrequest.TypedResponseError('insufficient scope');
+        }
+      }
+    }
+
+    throw new plugins.typedrequest.TypedResponseError('unauthorized');
+  }
+
+  private registerHandlers(): void {
+    // Get all source profiles
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetSourceProfiles>(
+        'getSourceProfiles',
+        async (dataArg) => {
+          await this.requireAuth(dataArg, 'source-profiles:read');
+          const resolver = this.opsServerRef.dcRouterRef.referenceResolver;
+          if (!resolver) {
+            return { profiles: [] };
+          }
+          return { profiles: resolver.listProfiles() };
+        },
+      ),
+    );
+
+    // Get a single source profile
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetSourceProfile>(
+        'getSourceProfile',
+        async (dataArg) => {
+          await this.requireAuth(dataArg, 'source-profiles:read');
+          const resolver = this.opsServerRef.dcRouterRef.referenceResolver;
+          if (!resolver) {
+            return { profile: null };
+          }
+          return { profile: resolver.getProfile(dataArg.id) || null };
+        },
+      ),
+    );
+
+    // Create a source profile
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_CreateSourceProfile>(
+        'createSourceProfile',
+        async (dataArg) => {
+          const userId = await this.requireAuth(dataArg, 'source-profiles:write');
+          const resolver = this.opsServerRef.dcRouterRef.referenceResolver;
+          if (!resolver) {
+            return { success: false, message: 'Reference resolver not initialized' };
+          }
+          const id = await resolver.createProfile({
+            name: dataArg.name,
+            description: dataArg.description,
+            security: dataArg.security,
+            extendsProfiles: dataArg.extendsProfiles,
+            createdBy: userId,
+          });
+          return { success: true, id };
+        },
+      ),
+    );
+
+    // Update a source profile
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_UpdateSourceProfile>(
+        'updateSourceProfile',
+        async (dataArg) => {
+          await this.requireAuth(dataArg, 'source-profiles:write');
+          const resolver = this.opsServerRef.dcRouterRef.referenceResolver;
+          const manager = this.opsServerRef.dcRouterRef.routeConfigManager;
+          if (!resolver || !manager) {
+            return { success: false, message: 'Not initialized' };
+          }
+
+          const { affectedRouteIds } = await resolver.updateProfile(dataArg.id, {
+            name: dataArg.name,
+            description: dataArg.description,
+            security: dataArg.security,
+            extendsProfiles: dataArg.extendsProfiles,
+          });
+
+          // Propagate to affected routes
+          if (affectedRouteIds.length > 0) {
+            await manager.reResolveRoutes(affectedRouteIds);
+          }
+
+          return { success: true, affectedRouteCount: affectedRouteIds.length };
+        },
+      ),
+    );
+
+    // Delete a source profile
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_DeleteSourceProfile>(
+        'deleteSourceProfile',
+        async (dataArg) => {
+          await this.requireAuth(dataArg, 'source-profiles:write');
+          const resolver = this.opsServerRef.dcRouterRef.referenceResolver;
+          const manager = this.opsServerRef.dcRouterRef.routeConfigManager;
+          if (!resolver || !manager) {
+            return { success: false, message: 'Not initialized' };
+          }
+
+          const result = await resolver.deleteProfile(
+            dataArg.id,
+            dataArg.force ?? false,
+            manager.getRoutes(),
+          );
+
+          // If force-deleted with affected routes, re-apply
+          if (result.success && dataArg.force) {
+            await manager.applyRoutes();
+          }
+
+          return result;
+        },
+      ),
+    );
+
+    // Get routes using a source profile
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetSourceProfileUsage>(
+        'getSourceProfileUsage',
+        async (dataArg) => {
+          await this.requireAuth(dataArg, 'source-profiles:read');
+          const resolver = this.opsServerRef.dcRouterRef.referenceResolver;
+          const manager = this.opsServerRef.dcRouterRef.routeConfigManager;
+          if (!resolver || !manager) {
+            return { routes: [] };
+          }
+          const usage = resolver.getProfileUsageForId(dataArg.id, manager.getRoutes());
+          return { routes: usage.map((u) => ({ id: u.id, name: u.routeName })) };
+        },
+      ),
+    );
+  }
+}